Overview

overview

10

Static

static

1

1.zip

windows10-1703-x64

10

1.zip

windows7-x64

10

Analysis

  • max time kernel
    1199s
  • max time network
    1201s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08-03-2023 20:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1.zip

  • Size

    178KB

  • MD5

    03f26e0d4c481b27eaf276963337311c

  • SHA1

    854b995c2508960f93fdff419a955ac72844e78b

  • SHA256

    9f94021d4e3b56b43a8be387f933db96d3f204601b9d3137559b3ae944650edb

  • SHA512

    6effe344370843091a2d060b6b18d3024023249fea0cec017523d9430e06e067fbbef5ad9b7f1b9712236980ff4f73bc0322064eedbbb37cc3216aacc4956e97

  • SSDEEP

    3072:ENOkf7P32G6nFAuWOfD3IDPcVXvp6xuTA+DQEALq+mYo7VQ0xBexnewAKHCfGID:ENOkfCxFAFyI4Fp4/+D69md7KTxnewfm

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 31 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Unexpected DNS network traffic destination 10 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 43 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\1.zip
    1⤵
      PID:1596
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Windows\explorer.exe
        explorer .
        2⤵
          PID:1288
        • C:\Users\Admin\AppData\Local\Temp\esetservice.exe
          esetservice.exe
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:3220
        • C:\Windows\system32\rundll32.exe
          rundll32 http_dll.dll
          2⤵
            PID:4700
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
          1⤵
            PID:4728
          • C:\Program Files\7-Zip\7zG.exe
            "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap21614:82:7zEvent2689
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            PID:1696
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
            1⤵
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            PID:4340
          • C:\ProgramData\Windows NT\Windows eset service\esetservice.exe
            "C:\ProgramData\\Windows NT\\Windows eset service\esetservice.exe" 100 3220
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:5020
          • C:\ProgramData\Windows NT\Windows eset service\esetservice.exe
            "C:\ProgramData\Windows NT\Windows eset service\esetservice.exe" 200 0
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4924
            • C:\Windows\SysWOW64\runonce.exe
              C:\Windows\system32\runonce.exe 201 0
              2⤵
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4996
              • C:\Windows\SysWOW64\msiexec.exe
                C:\Windows\system32\msiexec.exe 209 4996
                3⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:784

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Windows NT\Windows eset service\esetservice.exe
            Filesize

            32KB

            MD5

            68d91a34ce51cf15c45dd68f7f1257e8

            SHA1

            5d076537f56ee7389410698d700cc4fd7d736453

            SHA256

            81698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d

            SHA512

            e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65

            Download Submit

          • C:\ProgramData\Windows NT\Windows eset service\esetservice.exe
            Filesize

            32KB

            MD5

            68d91a34ce51cf15c45dd68f7f1257e8

            SHA1

            5d076537f56ee7389410698d700cc4fd7d736453

            SHA256

            81698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d

            SHA512

            e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65

            Download Submit

          • C:\ProgramData\Windows NT\Windows eset service\esetservice.exe
            Filesize

            32KB

            MD5

            68d91a34ce51cf15c45dd68f7f1257e8

            SHA1

            5d076537f56ee7389410698d700cc4fd7d736453

            SHA256

            81698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d

            SHA512

            e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65

            Download Submit

          • C:\ProgramData\Windows NT\Windows eset service\esetservice.exe
            Filesize

            32KB

            MD5

            68d91a34ce51cf15c45dd68f7f1257e8

            SHA1

            5d076537f56ee7389410698d700cc4fd7d736453

            SHA256

            81698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d

            SHA512

            e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65

            Download Submit

          • C:\ProgramData\Windows NT\Windows eset service\http_dll.dll
            Filesize

            45KB

            MD5

            d1a06b95c1d7ceaa4dc4c8b85367d673

            SHA1

            766b56f2a91581a20d4e8c3b311007dac3c09177

            SHA256

            b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8

            SHA512

            6d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa

            Download Submit

          • C:\ProgramData\Windows NT\Windows eset service\http_dll.dll
            Filesize

            45KB

            MD5

            d1a06b95c1d7ceaa4dc4c8b85367d673

            SHA1

            766b56f2a91581a20d4e8c3b311007dac3c09177

            SHA256

            b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8

            SHA512

            6d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa

            Download Submit

          • C:\ProgramData\Windows NT\Windows eset service\lang.dat
            Filesize

            141KB

            MD5

            d973223b0329118de57055177d78817b

            SHA1

            953a3d81eaacf9cd3a4c0e2708ae33f12fb352ad

            SHA256

            edfb699cbf082db13c59fe2695c64287baa46e96721c8a82eba04d718778091e

            SHA512

            eead4c06792c825f21b5b0f99a95ed2c9be9e572e6f49ba00660bf756fb59beb96cc1cd5f3444b48b218bbf9e1f2fd549a36b9ab35e26c160b3675ac95db0bf5

            Download Submit

          • C:\ProgramData\Windows NT\Windows eset service\lang.dat
            Filesize

            141KB

            MD5

            d973223b0329118de57055177d78817b

            SHA1

            953a3d81eaacf9cd3a4c0e2708ae33f12fb352ad

            SHA256

            edfb699cbf082db13c59fe2695c64287baa46e96721c8a82eba04d718778091e

            SHA512

            eead4c06792c825f21b5b0f99a95ed2c9be9e572e6f49ba00660bf756fb59beb96cc1cd5f3444b48b218bbf9e1f2fd549a36b9ab35e26c160b3675ac95db0bf5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\esetservice.exe
            Filesize

            32KB

            MD5

            68d91a34ce51cf15c45dd68f7f1257e8

            SHA1

            5d076537f56ee7389410698d700cc4fd7d736453

            SHA256

            81698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d

            SHA512

            e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\esetservice.exe
            Filesize

            32KB

            MD5

            68d91a34ce51cf15c45dd68f7f1257e8

            SHA1

            5d076537f56ee7389410698d700cc4fd7d736453

            SHA256

            81698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d

            SHA512

            e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\http_dll.dll
            Filesize

            45KB

            MD5

            d1a06b95c1d7ceaa4dc4c8b85367d673

            SHA1

            766b56f2a91581a20d4e8c3b311007dac3c09177

            SHA256

            b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8

            SHA512

            6d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\lang.dat
            Filesize

            141KB

            MD5

            d973223b0329118de57055177d78817b

            SHA1

            953a3d81eaacf9cd3a4c0e2708ae33f12fb352ad

            SHA256

            edfb699cbf082db13c59fe2695c64287baa46e96721c8a82eba04d718778091e

            SHA512

            eead4c06792c825f21b5b0f99a95ed2c9be9e572e6f49ba00660bf756fb59beb96cc1cd5f3444b48b218bbf9e1f2fd549a36b9ab35e26c160b3675ac95db0bf5

            Download Submit

          • \ProgramData\Windows NT\Windows eset service\http_dll.dll
            Filesize

            45KB

            MD5

            d1a06b95c1d7ceaa4dc4c8b85367d673

            SHA1

            766b56f2a91581a20d4e8c3b311007dac3c09177

            SHA256

            b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8

            SHA512

            6d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa

            Download Submit

          • \ProgramData\Windows NT\Windows eset service\http_dll.dll
            Filesize

            45KB

            MD5

            d1a06b95c1d7ceaa4dc4c8b85367d673

            SHA1

            766b56f2a91581a20d4e8c3b311007dac3c09177

            SHA256

            b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8

            SHA512

            6d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa

            Download Submit

          • \Users\Admin\AppData\Local\Temp\http_dll.dll
            Filesize

            45KB

            MD5

            d1a06b95c1d7ceaa4dc4c8b85367d673

            SHA1

            766b56f2a91581a20d4e8c3b311007dac3c09177

            SHA256

            b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8

            SHA512

            6d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa

            Download Submit

          • memory/784-185-0x00000000034B0000-0x00000000034EC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/784-183-0x00000000034B0000-0x00000000034EC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/784-190-0x00000000034B0000-0x00000000034EC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/784-188-0x00000000034B0000-0x00000000034EC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/784-187-0x00000000034B0000-0x00000000034EC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/784-186-0x00000000034B0000-0x00000000034EC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/784-184-0x0000000000F40000-0x0000000000F41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3220-146-0x0000000002340000-0x000000000237C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/3220-133-0x0000000002340000-0x000000000237C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/3220-132-0x0000000002200000-0x0000000002300000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/4924-157-0x0000000000EA0000-0x0000000000EDC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4924-159-0x0000000000EA0000-0x0000000000EDC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4996-178-0x0000000000CC0000-0x0000000000CFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4996-168-0x0000000000CC0000-0x0000000000CFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4996-173-0x0000000000CC0000-0x0000000000CFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4996-176-0x0000000000CC0000-0x0000000000CFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4996-204-0x0000000000CC0000-0x0000000000CFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4996-202-0x0000000000CC0000-0x0000000000CFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4996-180-0x0000000000CC0000-0x0000000000CFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4996-171-0x0000000000CC0000-0x0000000000CFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4996-170-0x0000000000CC0000-0x0000000000CFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4996-169-0x0000000000CC0000-0x0000000000CFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4996-167-0x0000000000120000-0x0000000000121000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4996-172-0x0000000000CC0000-0x0000000000CFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4996-160-0x0000000000CC0000-0x0000000000CFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4996-189-0x0000000000CC0000-0x0000000000CFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4996-158-0x0000000000CC0000-0x0000000000CFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4996-191-0x0000000000CC0000-0x0000000000CFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4996-194-0x0000000000CC0000-0x0000000000CFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4996-196-0x0000000000CC0000-0x0000000000CFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4996-198-0x0000000000CC0000-0x0000000000CFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4996-200-0x0000000000CC0000-0x0000000000CFC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/5020-153-0x0000000001FB0000-0x0000000001FEC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/5020-177-0x0000000001FB0000-0x0000000001FEC000-memory.dmp

            Filesize

            240KB

            Download