Overview

overview

10

Static

static

f92423862c...5f.exe

windows7-x64

10

f92423862c...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    199s
  • max time network
    240s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    07-12-2022 10:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f92423862cafe75535d33bbd79460b52f1882aee4df8925d4dfd4c1a7d20325f.exe

  • Size

    425KB

  • MD5

    cf98f01911d6d3f7c178840266a31829

  • SHA1

    2caa8db3df451cfdfbd5520c3517f6219885c307

  • SHA256

    f92423862cafe75535d33bbd79460b52f1882aee4df8925d4dfd4c1a7d20325f

  • SHA512

    9c47aa0a30e43eb8535bb48d8b268dbebe596ae26395e311de8a476257992cb4b2933f3a4d0a10cc3dd3fa248383492cd5bbaad82785dd4d3b2ef700c954f550

  • SSDEEP

    12288:ZK2mhAMJ/cPl1mJmZbWS8TCuflvFUeXc1DB3Z1enHojuDQQMAc:Y2O/Gl1mCyS6CiPexZ1enHo6DQQg

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 7 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 3 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 33 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f92423862cafe75535d33bbd79460b52f1882aee4df8925d4dfd4c1a7d20325f.exe
    "C:\Users\Admin\AppData\Local\Temp\f92423862cafe75535d33bbd79460b52f1882aee4df8925d4dfd4c1a7d20325f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\360.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\360.exe"
      2⤵
      • Executes dropped EXE
      • Deletes itself
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1108
  • C:\ProgramData\MSVC\360.exe
    "C:\ProgramData\MSVC\360.exe" 100 1108
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:1684
  • C:\ProgramData\MSVC\360.exe
    "C:\ProgramData\MSVC\360.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1140
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 1140
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\MSVC\360.exe
    Filesize

    437KB

    MD5

    e72ec6011d88822322677c9de75a3eaa

    SHA1

    bde02d9b2b69960d6f16ea3b867861fe5515c844

    SHA256

    93efac9c96d5a1cab41efe1c96b3ada7ee5eff6014b1ca68ff087a8154e2f16b

    SHA512

    d4fe25b7718a348bd6988aac4a31d1ea0f314f32bd2f5d30efecab6b076d19a5a18c66eb477afc32691717432a83b38f22c2be8ee477dba6d5d0794f01d8e22c

    Download Submit
  • C:\ProgramData\MSVC\360.exe
    Filesize

    437KB

    MD5

    e72ec6011d88822322677c9de75a3eaa

    SHA1

    bde02d9b2b69960d6f16ea3b867861fe5515c844

    SHA256

    93efac9c96d5a1cab41efe1c96b3ada7ee5eff6014b1ca68ff087a8154e2f16b

    SHA512

    d4fe25b7718a348bd6988aac4a31d1ea0f314f32bd2f5d30efecab6b076d19a5a18c66eb477afc32691717432a83b38f22c2be8ee477dba6d5d0794f01d8e22c

    Download Submit
  • C:\ProgramData\MSVC\360.fuck
    Filesize

    120KB

    MD5

    f561d0d28c536749c6dd72850135a49e

    SHA1

    b574c0f5536b226e616037b390f3cb3de7b062ab

    SHA256

    82c2471f9f1203a4c88619f0eecb48117321f55477022136bc39bdeb770d02ea

    SHA512

    4ffd27af456dfdf8bad489b64976c0388b5056846bb0dd060cc871b8bb08510c048ce9f5ef4df7cfa35a0b7733ee266c50e96decba2c63a855d727ee25aa14f0

    Download Submit
  • C:\ProgramData\MSVC\D3DX81ab.dll
    Filesize

    10KB

    MD5

    365e0de20192c7838da69d35149a914e

    SHA1

    9823e30b00f3fda97e674c9407791e007e20d9d0

    SHA256

    d610368d9af29b35465663406a7491e5eca23b95455581117c0f01654ee4ef72

    SHA512

    f341761ca7b0e2720bfadb9ce888ba8de4b59088e4bde2a800f1694a8d87b53f310489caaed0b1d9f4a05ee033bc7fe2b2e228f9e1bfa794c5f7dc5c156bb029

    Download Submit
  • C:\ProgramData\SxS\bug.log
    Filesize

    436B

    MD5

    257e32b23de5ff0903d007414fa2d135

    SHA1

    e5627b93cd4e98879ccc43e73dd010406de14abc

    SHA256

    c8f2fe61f12c28300bd2cda1f3b0b27994db420fcc22056f9c46146dfade77b4

    SHA512

    e104cf50c1d265d6b8e8a100e47cbc795314d8dc534e4f5729ee93f4b5bb812207f37a7c25126f64e8f61c7f69acbd0d076cabacb4c01c50e2ad69e74ae8302c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\360.exe
    Filesize

    437KB

    MD5

    e72ec6011d88822322677c9de75a3eaa

    SHA1

    bde02d9b2b69960d6f16ea3b867861fe5515c844

    SHA256

    93efac9c96d5a1cab41efe1c96b3ada7ee5eff6014b1ca68ff087a8154e2f16b

    SHA512

    d4fe25b7718a348bd6988aac4a31d1ea0f314f32bd2f5d30efecab6b076d19a5a18c66eb477afc32691717432a83b38f22c2be8ee477dba6d5d0794f01d8e22c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\360.exe
    Filesize

    437KB

    MD5

    e72ec6011d88822322677c9de75a3eaa

    SHA1

    bde02d9b2b69960d6f16ea3b867861fe5515c844

    SHA256

    93efac9c96d5a1cab41efe1c96b3ada7ee5eff6014b1ca68ff087a8154e2f16b

    SHA512

    d4fe25b7718a348bd6988aac4a31d1ea0f314f32bd2f5d30efecab6b076d19a5a18c66eb477afc32691717432a83b38f22c2be8ee477dba6d5d0794f01d8e22c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\360.fuck
    Filesize

    120KB

    MD5

    f561d0d28c536749c6dd72850135a49e

    SHA1

    b574c0f5536b226e616037b390f3cb3de7b062ab

    SHA256

    82c2471f9f1203a4c88619f0eecb48117321f55477022136bc39bdeb770d02ea

    SHA512

    4ffd27af456dfdf8bad489b64976c0388b5056846bb0dd060cc871b8bb08510c048ce9f5ef4df7cfa35a0b7733ee266c50e96decba2c63a855d727ee25aa14f0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\D3DX81ab.dll
    Filesize

    10KB

    MD5

    365e0de20192c7838da69d35149a914e

    SHA1

    9823e30b00f3fda97e674c9407791e007e20d9d0

    SHA256

    d610368d9af29b35465663406a7491e5eca23b95455581117c0f01654ee4ef72

    SHA512

    f341761ca7b0e2720bfadb9ce888ba8de4b59088e4bde2a800f1694a8d87b53f310489caaed0b1d9f4a05ee033bc7fe2b2e228f9e1bfa794c5f7dc5c156bb029

    Download Submit
  • \ProgramData\MSVC\D3DX81ab.dll
    Filesize

    10KB

    MD5

    365e0de20192c7838da69d35149a914e

    SHA1

    9823e30b00f3fda97e674c9407791e007e20d9d0

    SHA256

    d610368d9af29b35465663406a7491e5eca23b95455581117c0f01654ee4ef72

    SHA512

    f341761ca7b0e2720bfadb9ce888ba8de4b59088e4bde2a800f1694a8d87b53f310489caaed0b1d9f4a05ee033bc7fe2b2e228f9e1bfa794c5f7dc5c156bb029

    Download Submit
  • \ProgramData\MSVC\D3DX81ab.dll
    Filesize

    10KB

    MD5

    365e0de20192c7838da69d35149a914e

    SHA1

    9823e30b00f3fda97e674c9407791e007e20d9d0

    SHA256

    d610368d9af29b35465663406a7491e5eca23b95455581117c0f01654ee4ef72

    SHA512

    f341761ca7b0e2720bfadb9ce888ba8de4b59088e4bde2a800f1694a8d87b53f310489caaed0b1d9f4a05ee033bc7fe2b2e228f9e1bfa794c5f7dc5c156bb029

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\360.exe
    Filesize

    437KB

    MD5

    e72ec6011d88822322677c9de75a3eaa

    SHA1

    bde02d9b2b69960d6f16ea3b867861fe5515c844

    SHA256

    93efac9c96d5a1cab41efe1c96b3ada7ee5eff6014b1ca68ff087a8154e2f16b

    SHA512

    d4fe25b7718a348bd6988aac4a31d1ea0f314f32bd2f5d30efecab6b076d19a5a18c66eb477afc32691717432a83b38f22c2be8ee477dba6d5d0794f01d8e22c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\360.exe
    Filesize

    437KB

    MD5

    e72ec6011d88822322677c9de75a3eaa

    SHA1

    bde02d9b2b69960d6f16ea3b867861fe5515c844

    SHA256

    93efac9c96d5a1cab41efe1c96b3ada7ee5eff6014b1ca68ff087a8154e2f16b

    SHA512

    d4fe25b7718a348bd6988aac4a31d1ea0f314f32bd2f5d30efecab6b076d19a5a18c66eb477afc32691717432a83b38f22c2be8ee477dba6d5d0794f01d8e22c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\360.exe
    Filesize

    437KB

    MD5

    e72ec6011d88822322677c9de75a3eaa

    SHA1

    bde02d9b2b69960d6f16ea3b867861fe5515c844

    SHA256

    93efac9c96d5a1cab41efe1c96b3ada7ee5eff6014b1ca68ff087a8154e2f16b

    SHA512

    d4fe25b7718a348bd6988aac4a31d1ea0f314f32bd2f5d30efecab6b076d19a5a18c66eb477afc32691717432a83b38f22c2be8ee477dba6d5d0794f01d8e22c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\360.exe
    Filesize

    437KB

    MD5

    e72ec6011d88822322677c9de75a3eaa

    SHA1

    bde02d9b2b69960d6f16ea3b867861fe5515c844

    SHA256

    93efac9c96d5a1cab41efe1c96b3ada7ee5eff6014b1ca68ff087a8154e2f16b

    SHA512

    d4fe25b7718a348bd6988aac4a31d1ea0f314f32bd2f5d30efecab6b076d19a5a18c66eb477afc32691717432a83b38f22c2be8ee477dba6d5d0794f01d8e22c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\360.exe
    Filesize

    437KB

    MD5

    e72ec6011d88822322677c9de75a3eaa

    SHA1

    bde02d9b2b69960d6f16ea3b867861fe5515c844

    SHA256

    93efac9c96d5a1cab41efe1c96b3ada7ee5eff6014b1ca68ff087a8154e2f16b

    SHA512

    d4fe25b7718a348bd6988aac4a31d1ea0f314f32bd2f5d30efecab6b076d19a5a18c66eb477afc32691717432a83b38f22c2be8ee477dba6d5d0794f01d8e22c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\D3DX81ab.dll
    Filesize

    10KB

    MD5

    365e0de20192c7838da69d35149a914e

    SHA1

    9823e30b00f3fda97e674c9407791e007e20d9d0

    SHA256

    d610368d9af29b35465663406a7491e5eca23b95455581117c0f01654ee4ef72

    SHA512

    f341761ca7b0e2720bfadb9ce888ba8de4b59088e4bde2a800f1694a8d87b53f310489caaed0b1d9f4a05ee033bc7fe2b2e228f9e1bfa794c5f7dc5c156bb029

    Download Submit
  • memory/1108-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1108-67-0x0000000000330000-0x0000000000360000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1108-66-0x0000000000230000-0x000000000024F000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1140-78-0x00000000000A0000-0x00000000000BD000-memory.dmp
    Filesize

    116KB

    Download
  • memory/1140-80-0x0000000000000000-mapping.dmp
    Download
  • memory/1140-83-0x00000000001F0000-0x0000000000220000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1140-91-0x00000000001F0000-0x0000000000220000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1516-82-0x00000000003D0000-0x0000000000400000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1684-74-0x00000000002D0000-0x0000000000300000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1684-84-0x00000000002D0000-0x0000000000300000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1728-87-0x0000000000000000-mapping.dmp
    Download
  • memory/1728-89-0x0000000000260000-0x0000000000290000-memory.dmp
    Filesize

    192KB

    Download
  • memory/2008-54-0x0000000074E61000-0x0000000074E63000-memory.dmp
    Filesize

    8KB

    Download