Overview

overview

10

Static

static

8843f39d99...a4.exe

windows7-x64

10

8843f39d99...a4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    163s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2022 10:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8843f39d991fb9ad4da612e523daa84dcea2a124b82466593aab26e65b8830a4.exe

  • Size

    342KB

  • MD5

    7eaecc4084e090a5f2f0325d1a88ee5f

  • SHA1

    963180155ca06a29918013c8783ad349da811e13

  • SHA256

    8843f39d991fb9ad4da612e523daa84dcea2a124b82466593aab26e65b8830a4

  • SHA512

    a7c82c560611ac19e48c9dd10ffbab64b6a5bd49bd2c2ef2b2b73a6e31418f79b5b4ff3e338111fc7e8d7f47a7e670059d1790b49e359e8924504b36c0b992c9

  • SSDEEP

    6144:v4lRkAehaKuqT+FdR4U5LUb8I77edkob1n/2ogNKtP8jv9CG3BeGldF1umkt3IJa:vkWAehJuqT4SPoInix1NgNMsp3BDlD4h

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 7 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 30 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8843f39d991fb9ad4da612e523daa84dcea2a124b82466593aab26e65b8830a4.exe
    "C:\Users\Admin\AppData\Local\Temp\8843f39d991fb9ad4da612e523daa84dcea2a124b82466593aab26e65b8830a4.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\programdata\setup.exe
      "C:\programdata\setup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1520
  • C:\ProgramData\Wins\NvSmart.exe
    "C:\ProgramData\Wins\NvSmart.exe" 100 1520
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:1788
  • C:\ProgramData\Wins\NvSmart.exe
    "C:\ProgramData\Wins\NvSmart.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 1768
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\SxS\bug.log
    Filesize

    482B

    MD5

    325c6f695efe55b3be694cd615e34e46

    SHA1

    b596cff4c771d1bf27a8ac4ea6dadd7e1979783e

    SHA256

    56890bc21cc2c3354fc08bffbd49a418e7031725346258e60bd928eae806bc39

    SHA512

    c3a8621301450b19f50e9178960a3ed373cf92becddd59c5cd622c4cda4368e61201188ce6bab65013160f2fe68a42ad2023b688955349abd6f7d090e8ed0b4a

    Download Submit
  • C:\ProgramData\Wins\NvSmart.chm
    Filesize

    155KB

    MD5

    c7814f4a0c42065005e82bda45e4d849

    SHA1

    735e60ab5b0d52344851510c2b1e5f7136d65301

    SHA256

    7ba3e66a633e04feac7167e19621e43b7eb0499f38e818c6dedad21f5f6b39be

    SHA512

    ae327466612592b4439dedfa288a54e46102f46d9afd47ad6f236964c016eefc162beffc56394cfca7db92f043f4ff4d02bbdacf70daae9463ed85ce6207dd77

    Download Submit
  • C:\ProgramData\Wins\NvSmart.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit
  • C:\ProgramData\Wins\NvSmart.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit
  • C:\ProgramData\Wins\NvSmartMax.dll
    Filesize

    4KB

    MD5

    0674a0929aec3db11383523b40fa36d1

    SHA1

    9f50aa213232690e06aa49b7e7b1640127429117

    SHA256

    fb1c1de76504a35b5c9cf4a60c4a7497064917e0ac96b5389b5ef56c4a02bc17

    SHA512

    ce1a5007499232d6730bf97745bd5e931d6a26d658d3c47a4200a2e225c78e947dbca2487bae77adb65399c2985dce5cbc95f2672ca7e309b3a9f9ba4501d10b

    Download Submit
  • C:\ProgramData\setup.exe
    Filesize

    341KB

    MD5

    608abb0c39949775368837a6c068b113

    SHA1

    24de091315d67bf66d0a089524d5742c79b90400

    SHA256

    bba7c47c1c2af0a0d54d2c44c3386f54b59874b9c878dfa8fdacf72937770a96

    SHA512

    89e843d7f7cb700c35c5bcbcdce6d800e9c6b4ccee3997ec0b38c09b452e3d6edbd638b9e9f520b7fdab4dea7c18a85ad23a94eb257b777e69e504e1dd20cb8f

    Download Submit
  • C:\programdata\setup.exe
    Filesize

    341KB

    MD5

    608abb0c39949775368837a6c068b113

    SHA1

    24de091315d67bf66d0a089524d5742c79b90400

    SHA256

    bba7c47c1c2af0a0d54d2c44c3386f54b59874b9c878dfa8fdacf72937770a96

    SHA512

    89e843d7f7cb700c35c5bcbcdce6d800e9c6b4ccee3997ec0b38c09b452e3d6edbd638b9e9f520b7fdab4dea7c18a85ad23a94eb257b777e69e504e1dd20cb8f

    Download Submit
  • \ProgramData\Wins\NvSmartMax.dll
    Filesize

    4KB

    MD5

    0674a0929aec3db11383523b40fa36d1

    SHA1

    9f50aa213232690e06aa49b7e7b1640127429117

    SHA256

    fb1c1de76504a35b5c9cf4a60c4a7497064917e0ac96b5389b5ef56c4a02bc17

    SHA512

    ce1a5007499232d6730bf97745bd5e931d6a26d658d3c47a4200a2e225c78e947dbca2487bae77adb65399c2985dce5cbc95f2672ca7e309b3a9f9ba4501d10b

    Download Submit
  • \ProgramData\Wins\NvSmartMax.dll
    Filesize

    4KB

    MD5

    0674a0929aec3db11383523b40fa36d1

    SHA1

    9f50aa213232690e06aa49b7e7b1640127429117

    SHA256

    fb1c1de76504a35b5c9cf4a60c4a7497064917e0ac96b5389b5ef56c4a02bc17

    SHA512

    ce1a5007499232d6730bf97745bd5e931d6a26d658d3c47a4200a2e225c78e947dbca2487bae77adb65399c2985dce5cbc95f2672ca7e309b3a9f9ba4501d10b

    Download Submit
  • \ProgramData\setup.exe
    Filesize

    341KB

    MD5

    608abb0c39949775368837a6c068b113

    SHA1

    24de091315d67bf66d0a089524d5742c79b90400

    SHA256

    bba7c47c1c2af0a0d54d2c44c3386f54b59874b9c878dfa8fdacf72937770a96

    SHA512

    89e843d7f7cb700c35c5bcbcdce6d800e9c6b4ccee3997ec0b38c09b452e3d6edbd638b9e9f520b7fdab4dea7c18a85ad23a94eb257b777e69e504e1dd20cb8f

    Download Submit
  • memory/952-86-0x0000000000440000-0x0000000000478000-memory.dmp
    Filesize

    224KB

    Download
  • memory/952-84-0x0000000000440000-0x0000000000478000-memory.dmp
    Filesize

    224KB

    Download
  • memory/952-82-0x0000000000000000-mapping.dmp
    Download
  • memory/1520-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1520-60-0x0000000000320000-0x0000000000347000-memory.dmp
    Filesize

    156KB

    Download
  • memory/1520-76-0x0000000000430000-0x0000000000468000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1636-75-0x0000000001CD0000-0x0000000001D08000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1768-79-0x0000000000460000-0x0000000000498000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1768-73-0x0000000000000000-mapping.dmp
    Download
  • memory/1768-71-0x00000000000A0000-0x00000000000C6000-memory.dmp
    Filesize

    152KB

    Download
  • memory/1768-85-0x0000000000460000-0x0000000000498000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1788-78-0x0000000000340000-0x0000000000378000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1788-65-0x0000000001CE0000-0x0000000001DE0000-memory.dmp
    Filesize

    1024KB

    Download