Overview

overview

10

Static

static

8843f39d99...a4.exe

windows7-x64

10

8843f39d99...a4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-12-2022 10:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8843f39d991fb9ad4da612e523daa84dcea2a124b82466593aab26e65b8830a4.exe

  • Size

    342KB

  • MD5

    7eaecc4084e090a5f2f0325d1a88ee5f

  • SHA1

    963180155ca06a29918013c8783ad349da811e13

  • SHA256

    8843f39d991fb9ad4da612e523daa84dcea2a124b82466593aab26e65b8830a4

  • SHA512

    a7c82c560611ac19e48c9dd10ffbab64b6a5bd49bd2c2ef2b2b73a6e31418f79b5b4ff3e338111fc7e8d7f47a7e670059d1790b49e359e8924504b36c0b992c9

  • SSDEEP

    6144:v4lRkAehaKuqT+FdR4U5LUb8I77edkob1n/2ogNKtP8jv9CG3BeGldF1umkt3IJa:vkWAehJuqT4SPoInix1NgNMsp3BDlD4h

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 7 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8843f39d991fb9ad4da612e523daa84dcea2a124b82466593aab26e65b8830a4.exe
    "C:\Users\Admin\AppData\Local\Temp\8843f39d991fb9ad4da612e523daa84dcea2a124b82466593aab26e65b8830a4.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\programdata\setup.exe
      "C:\programdata\setup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4828
  • C:\ProgramData\Wins\NvSmart.exe
    "C:\ProgramData\Wins\NvSmart.exe" 100 4828
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:4636
  • C:\ProgramData\Wins\NvSmart.exe
    "C:\ProgramData\Wins\NvSmart.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3532
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 2532
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\SxS\bug.log
    Filesize

    500B

    MD5

    dd888538b2bf991876f01db9aa516a9a

    SHA1

    fe1eea0167db330632fed4b4787db7fbf024fef5

    SHA256

    290b9df7712cfc3f7801bcbd1fd3de0edd95966361239491e95851769ea989ac

    SHA512

    42bd46c705b5c4e656dbd3292af671b17b0a2d802f00e5df2f4c0a27c95ef3d636b52fd23408de05764fd60543d60e368c285b7dd2f96a7a5172f672ea7d3041

    Download Submit
  • C:\ProgramData\Wins\NvSmart.chm
    Filesize

    155KB

    MD5

    c7814f4a0c42065005e82bda45e4d849

    SHA1

    735e60ab5b0d52344851510c2b1e5f7136d65301

    SHA256

    7ba3e66a633e04feac7167e19621e43b7eb0499f38e818c6dedad21f5f6b39be

    SHA512

    ae327466612592b4439dedfa288a54e46102f46d9afd47ad6f236964c016eefc162beffc56394cfca7db92f043f4ff4d02bbdacf70daae9463ed85ce6207dd77

    Download Submit
  • C:\ProgramData\Wins\NvSmart.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit
  • C:\ProgramData\Wins\NvSmart.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit
  • C:\ProgramData\Wins\NvSmart.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit
  • C:\ProgramData\Wins\NvSmartMax.dll
    Filesize

    4KB

    MD5

    0674a0929aec3db11383523b40fa36d1

    SHA1

    9f50aa213232690e06aa49b7e7b1640127429117

    SHA256

    fb1c1de76504a35b5c9cf4a60c4a7497064917e0ac96b5389b5ef56c4a02bc17

    SHA512

    ce1a5007499232d6730bf97745bd5e931d6a26d658d3c47a4200a2e225c78e947dbca2487bae77adb65399c2985dce5cbc95f2672ca7e309b3a9f9ba4501d10b

    Download Submit
  • C:\ProgramData\Wins\NvSmartMax.dll
    Filesize

    4KB

    MD5

    0674a0929aec3db11383523b40fa36d1

    SHA1

    9f50aa213232690e06aa49b7e7b1640127429117

    SHA256

    fb1c1de76504a35b5c9cf4a60c4a7497064917e0ac96b5389b5ef56c4a02bc17

    SHA512

    ce1a5007499232d6730bf97745bd5e931d6a26d658d3c47a4200a2e225c78e947dbca2487bae77adb65399c2985dce5cbc95f2672ca7e309b3a9f9ba4501d10b

    Download Submit
  • C:\ProgramData\Wins\NvSmartMax.dll
    Filesize

    4KB

    MD5

    0674a0929aec3db11383523b40fa36d1

    SHA1

    9f50aa213232690e06aa49b7e7b1640127429117

    SHA256

    fb1c1de76504a35b5c9cf4a60c4a7497064917e0ac96b5389b5ef56c4a02bc17

    SHA512

    ce1a5007499232d6730bf97745bd5e931d6a26d658d3c47a4200a2e225c78e947dbca2487bae77adb65399c2985dce5cbc95f2672ca7e309b3a9f9ba4501d10b

    Download Submit
  • C:\ProgramData\setup.exe
    Filesize

    341KB

    MD5

    608abb0c39949775368837a6c068b113

    SHA1

    24de091315d67bf66d0a089524d5742c79b90400

    SHA256

    bba7c47c1c2af0a0d54d2c44c3386f54b59874b9c878dfa8fdacf72937770a96

    SHA512

    89e843d7f7cb700c35c5bcbcdce6d800e9c6b4ccee3997ec0b38c09b452e3d6edbd638b9e9f520b7fdab4dea7c18a85ad23a94eb257b777e69e504e1dd20cb8f

    Download Submit
  • C:\programdata\setup.exe
    Filesize

    341KB

    MD5

    608abb0c39949775368837a6c068b113

    SHA1

    24de091315d67bf66d0a089524d5742c79b90400

    SHA256

    bba7c47c1c2af0a0d54d2c44c3386f54b59874b9c878dfa8fdacf72937770a96

    SHA512

    89e843d7f7cb700c35c5bcbcdce6d800e9c6b4ccee3997ec0b38c09b452e3d6edbd638b9e9f520b7fdab4dea7c18a85ad23a94eb257b777e69e504e1dd20cb8f

    Download Submit
  • memory/752-151-0x0000000000000000-mapping.dmp
    Download
  • memory/752-154-0x0000000000A40000-0x0000000000A78000-memory.dmp
    Filesize

    224KB

    Download
  • memory/752-152-0x0000000000A40000-0x0000000000A78000-memory.dmp
    Filesize

    224KB

    Download
  • memory/2532-145-0x0000000000000000-mapping.dmp
    Download
  • memory/2532-150-0x0000000001170000-0x00000000011A8000-memory.dmp
    Filesize

    224KB

    Download
  • memory/2532-153-0x0000000001170000-0x00000000011A8000-memory.dmp
    Filesize

    224KB

    Download
  • memory/3532-146-0x0000000000E60000-0x0000000000E98000-memory.dmp
    Filesize

    224KB

    Download
  • memory/4636-149-0x0000000002180000-0x00000000021B8000-memory.dmp
    Filesize

    224KB

    Download
  • memory/4636-141-0x0000000002080000-0x0000000002180000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4828-147-0x0000000000B20000-0x0000000000B58000-memory.dmp
    Filesize

    224KB

    Download
  • memory/4828-132-0x0000000000000000-mapping.dmp
    Download
  • memory/4828-135-0x0000000000A20000-0x0000000000A47000-memory.dmp
    Filesize

    156KB

    Download