Analysis
-
max time kernel
152s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
07-12-2022 10:48
General
-
Target
f92423862cafe75535d33bbd79460b52f1882aee4df8925d4dfd4c1a7d20325f.exe
-
Size
425KB
-
MD5
cf98f01911d6d3f7c178840266a31829
-
SHA1
2caa8db3df451cfdfbd5520c3517f6219885c307
-
SHA256
f92423862cafe75535d33bbd79460b52f1882aee4df8925d4dfd4c1a7d20325f
-
SHA512
9c47aa0a30e43eb8535bb48d8b268dbebe596ae26395e311de8a476257992cb4b2933f3a4d0a10cc3dd3fa248383492cd5bbaad82785dd4d3b2ef700c954f550
-
SSDEEP
12288:ZK2mhAMJ/cPl1mJmZbWS8TCuflvFUeXc1DB3Z1enHojuDQQMAc:Y2O/Gl1mCyS6CiPexZ1enHo6DQQg
Malware Config
Signatures
-
Detects PlugX payload 8 IoCs
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Executes dropped EXE 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 17 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f92423862cafe75535d33bbd79460b52f1882aee4df8925d4dfd4c1a7d20325f.exe"C:\Users\Admin\AppData\Local\Temp\f92423862cafe75535d33bbd79460b52f1882aee4df8925d4dfd4c1a7d20325f.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\360.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\360.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\MSVC\360.exe"C:\ProgramData\MSVC\360.exe" 100 15721⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\MSVC\360.exe"C:\ProgramData\MSVC\360.exe" 200 01⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe 201 02⤵
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\system32\msiexec.exe 209 4243⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\MSVC\360.exeFilesize
437KB
MD5e72ec6011d88822322677c9de75a3eaa
SHA1bde02d9b2b69960d6f16ea3b867861fe5515c844
SHA25693efac9c96d5a1cab41efe1c96b3ada7ee5eff6014b1ca68ff087a8154e2f16b
SHA512d4fe25b7718a348bd6988aac4a31d1ea0f314f32bd2f5d30efecab6b076d19a5a18c66eb477afc32691717432a83b38f22c2be8ee477dba6d5d0794f01d8e22c
-
C:\ProgramData\MSVC\360.exeFilesize
437KB
MD5e72ec6011d88822322677c9de75a3eaa
SHA1bde02d9b2b69960d6f16ea3b867861fe5515c844
SHA25693efac9c96d5a1cab41efe1c96b3ada7ee5eff6014b1ca68ff087a8154e2f16b
SHA512d4fe25b7718a348bd6988aac4a31d1ea0f314f32bd2f5d30efecab6b076d19a5a18c66eb477afc32691717432a83b38f22c2be8ee477dba6d5d0794f01d8e22c
-
C:\ProgramData\MSVC\360.exeFilesize
437KB
MD5e72ec6011d88822322677c9de75a3eaa
SHA1bde02d9b2b69960d6f16ea3b867861fe5515c844
SHA25693efac9c96d5a1cab41efe1c96b3ada7ee5eff6014b1ca68ff087a8154e2f16b
SHA512d4fe25b7718a348bd6988aac4a31d1ea0f314f32bd2f5d30efecab6b076d19a5a18c66eb477afc32691717432a83b38f22c2be8ee477dba6d5d0794f01d8e22c
-
C:\ProgramData\MSVC\360.fuckFilesize
120KB
MD5f561d0d28c536749c6dd72850135a49e
SHA1b574c0f5536b226e616037b390f3cb3de7b062ab
SHA25682c2471f9f1203a4c88619f0eecb48117321f55477022136bc39bdeb770d02ea
SHA5124ffd27af456dfdf8bad489b64976c0388b5056846bb0dd060cc871b8bb08510c048ce9f5ef4df7cfa35a0b7733ee266c50e96decba2c63a855d727ee25aa14f0
-
C:\ProgramData\MSVC\D3DX81ab.dllFilesize
10KB
MD5365e0de20192c7838da69d35149a914e
SHA19823e30b00f3fda97e674c9407791e007e20d9d0
SHA256d610368d9af29b35465663406a7491e5eca23b95455581117c0f01654ee4ef72
SHA512f341761ca7b0e2720bfadb9ce888ba8de4b59088e4bde2a800f1694a8d87b53f310489caaed0b1d9f4a05ee033bc7fe2b2e228f9e1bfa794c5f7dc5c156bb029
-
C:\ProgramData\MSVC\D3DX81ab.dllFilesize
10KB
MD5365e0de20192c7838da69d35149a914e
SHA19823e30b00f3fda97e674c9407791e007e20d9d0
SHA256d610368d9af29b35465663406a7491e5eca23b95455581117c0f01654ee4ef72
SHA512f341761ca7b0e2720bfadb9ce888ba8de4b59088e4bde2a800f1694a8d87b53f310489caaed0b1d9f4a05ee033bc7fe2b2e228f9e1bfa794c5f7dc5c156bb029
-
C:\ProgramData\MSVC\D3DX81ab.dllFilesize
10KB
MD5365e0de20192c7838da69d35149a914e
SHA19823e30b00f3fda97e674c9407791e007e20d9d0
SHA256d610368d9af29b35465663406a7491e5eca23b95455581117c0f01654ee4ef72
SHA512f341761ca7b0e2720bfadb9ce888ba8de4b59088e4bde2a800f1694a8d87b53f310489caaed0b1d9f4a05ee033bc7fe2b2e228f9e1bfa794c5f7dc5c156bb029
-
C:\ProgramData\SxS\bug.logFilesize
622B
MD5a21d8982219a38980491222b752d0e98
SHA19a40371b4d4eb4604b84c0137f41152f4194ce65
SHA256469aab2560846aff7810ee0f6364c3bed04b152ffcae13d2b9691262de2c2ea4
SHA5122d5965ac69928067f0f08f3f2ae06798ac7a15bcd885b7e73d8431b1cbb843ab00ec99a2b15621e3a6f152e63682aff10d12b7e354bc264a3ded769db87584f2
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\360.exeFilesize
437KB
MD5e72ec6011d88822322677c9de75a3eaa
SHA1bde02d9b2b69960d6f16ea3b867861fe5515c844
SHA25693efac9c96d5a1cab41efe1c96b3ada7ee5eff6014b1ca68ff087a8154e2f16b
SHA512d4fe25b7718a348bd6988aac4a31d1ea0f314f32bd2f5d30efecab6b076d19a5a18c66eb477afc32691717432a83b38f22c2be8ee477dba6d5d0794f01d8e22c
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\360.exeFilesize
437KB
MD5e72ec6011d88822322677c9de75a3eaa
SHA1bde02d9b2b69960d6f16ea3b867861fe5515c844
SHA25693efac9c96d5a1cab41efe1c96b3ada7ee5eff6014b1ca68ff087a8154e2f16b
SHA512d4fe25b7718a348bd6988aac4a31d1ea0f314f32bd2f5d30efecab6b076d19a5a18c66eb477afc32691717432a83b38f22c2be8ee477dba6d5d0794f01d8e22c
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\360.fuckFilesize
120KB
MD5f561d0d28c536749c6dd72850135a49e
SHA1b574c0f5536b226e616037b390f3cb3de7b062ab
SHA25682c2471f9f1203a4c88619f0eecb48117321f55477022136bc39bdeb770d02ea
SHA5124ffd27af456dfdf8bad489b64976c0388b5056846bb0dd060cc871b8bb08510c048ce9f5ef4df7cfa35a0b7733ee266c50e96decba2c63a855d727ee25aa14f0
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\D3DX81ab.dllFilesize
10KB
MD5365e0de20192c7838da69d35149a914e
SHA19823e30b00f3fda97e674c9407791e007e20d9d0
SHA256d610368d9af29b35465663406a7491e5eca23b95455581117c0f01654ee4ef72
SHA512f341761ca7b0e2720bfadb9ce888ba8de4b59088e4bde2a800f1694a8d87b53f310489caaed0b1d9f4a05ee033bc7fe2b2e228f9e1bfa794c5f7dc5c156bb029
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\D3DX81ab.dllFilesize
10KB
MD5365e0de20192c7838da69d35149a914e
SHA19823e30b00f3fda97e674c9407791e007e20d9d0
SHA256d610368d9af29b35465663406a7491e5eca23b95455581117c0f01654ee4ef72
SHA512f341761ca7b0e2720bfadb9ce888ba8de4b59088e4bde2a800f1694a8d87b53f310489caaed0b1d9f4a05ee033bc7fe2b2e228f9e1bfa794c5f7dc5c156bb029
-
memory/424-152-0x0000000000000000-mapping.dmp
-
memory/424-154-0x00000000009B0000-0x00000000009E0000-memory.dmpFilesize
192KB
-
memory/424-158-0x00000000009B0000-0x00000000009E0000-memory.dmpFilesize
192KB
-
memory/684-157-0x0000000002C70000-0x0000000002CA0000-memory.dmpFilesize
192KB
-
memory/684-159-0x0000000002C70000-0x0000000002CA0000-memory.dmpFilesize
192KB
-
memory/684-156-0x0000000000000000-mapping.dmp
-
memory/1572-141-0x00000000004C0000-0x00000000004DF000-memory.dmpFilesize
124KB
-
memory/1572-142-0x00000000023C0000-0x00000000023F0000-memory.dmpFilesize
192KB
-
memory/1572-135-0x0000000000000000-mapping.dmp
-
memory/5040-151-0x0000000000E00000-0x0000000000E30000-memory.dmpFilesize
192KB
-
memory/5048-155-0x0000000000780000-0x00000000007B0000-memory.dmpFilesize
192KB
-
memory/5048-150-0x0000000000780000-0x00000000007B0000-memory.dmpFilesize
192KB