Analysis
-
max time kernel
1199s -
max time network
1201s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
08-03-2023 20:44
General
-
Target
1.zip
-
Size
178KB
-
MD5
03f26e0d4c481b27eaf276963337311c
-
SHA1
854b995c2508960f93fdff419a955ac72844e78b
-
SHA256
9f94021d4e3b56b43a8be387f933db96d3f204601b9d3137559b3ae944650edb
-
SHA512
6effe344370843091a2d060b6b18d3024023249fea0cec017523d9430e06e067fbbef5ad9b7f1b9712236980ff4f73bc0322064eedbbb37cc3216aacc4956e97
-
SSDEEP
3072:ENOkf7P32G6nFAuWOfD3IDPcVXvp6xuTA+DQEALq+mYo7VQ0xBexnewAKHCfGID:ENOkfCxFAFyI4Fp4/+D69md7KTxnewfm
Malware Config
Signatures
-
Detects PlugX payload 31 IoCs
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Unexpected DNS network traffic destination 10 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Drops file in System32 directory 5 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 43 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\1.zip1⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeexplorer .2⤵
-
C:\Users\Admin\AppData\Local\Temp\esetservice.exeesetservice.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exerundll32 http_dll.dll2⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap21614:82:7zEvent26891⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Windows NT\Windows eset service\esetservice.exe"C:\ProgramData\\Windows NT\\Windows eset service\esetservice.exe" 100 32201⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Windows NT\Windows eset service\esetservice.exe"C:\ProgramData\Windows NT\Windows eset service\esetservice.exe" 200 01⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\runonce.exeC:\Windows\system32\runonce.exe 201 02⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\system32\msiexec.exe 209 49963⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Windows NT\Windows eset service\esetservice.exeFilesize
32KB
MD568d91a34ce51cf15c45dd68f7f1257e8
SHA15d076537f56ee7389410698d700cc4fd7d736453
SHA25681698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d
SHA512e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65
-
C:\ProgramData\Windows NT\Windows eset service\esetservice.exeFilesize
32KB
MD568d91a34ce51cf15c45dd68f7f1257e8
SHA15d076537f56ee7389410698d700cc4fd7d736453
SHA25681698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d
SHA512e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65
-
C:\ProgramData\Windows NT\Windows eset service\esetservice.exeFilesize
32KB
MD568d91a34ce51cf15c45dd68f7f1257e8
SHA15d076537f56ee7389410698d700cc4fd7d736453
SHA25681698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d
SHA512e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65
-
C:\ProgramData\Windows NT\Windows eset service\esetservice.exeFilesize
32KB
MD568d91a34ce51cf15c45dd68f7f1257e8
SHA15d076537f56ee7389410698d700cc4fd7d736453
SHA25681698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d
SHA512e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65
-
C:\ProgramData\Windows NT\Windows eset service\http_dll.dllFilesize
45KB
MD5d1a06b95c1d7ceaa4dc4c8b85367d673
SHA1766b56f2a91581a20d4e8c3b311007dac3c09177
SHA256b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8
SHA5126d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa
-
C:\ProgramData\Windows NT\Windows eset service\http_dll.dllFilesize
45KB
MD5d1a06b95c1d7ceaa4dc4c8b85367d673
SHA1766b56f2a91581a20d4e8c3b311007dac3c09177
SHA256b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8
SHA5126d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa
-
C:\ProgramData\Windows NT\Windows eset service\lang.datFilesize
141KB
MD5d973223b0329118de57055177d78817b
SHA1953a3d81eaacf9cd3a4c0e2708ae33f12fb352ad
SHA256edfb699cbf082db13c59fe2695c64287baa46e96721c8a82eba04d718778091e
SHA512eead4c06792c825f21b5b0f99a95ed2c9be9e572e6f49ba00660bf756fb59beb96cc1cd5f3444b48b218bbf9e1f2fd549a36b9ab35e26c160b3675ac95db0bf5
-
C:\ProgramData\Windows NT\Windows eset service\lang.datFilesize
141KB
MD5d973223b0329118de57055177d78817b
SHA1953a3d81eaacf9cd3a4c0e2708ae33f12fb352ad
SHA256edfb699cbf082db13c59fe2695c64287baa46e96721c8a82eba04d718778091e
SHA512eead4c06792c825f21b5b0f99a95ed2c9be9e572e6f49ba00660bf756fb59beb96cc1cd5f3444b48b218bbf9e1f2fd549a36b9ab35e26c160b3675ac95db0bf5
-
C:\Users\Admin\AppData\Local\Temp\esetservice.exeFilesize
32KB
MD568d91a34ce51cf15c45dd68f7f1257e8
SHA15d076537f56ee7389410698d700cc4fd7d736453
SHA25681698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d
SHA512e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65
-
C:\Users\Admin\AppData\Local\Temp\esetservice.exeFilesize
32KB
MD568d91a34ce51cf15c45dd68f7f1257e8
SHA15d076537f56ee7389410698d700cc4fd7d736453
SHA25681698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d
SHA512e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65
-
C:\Users\Admin\AppData\Local\Temp\http_dll.dllFilesize
45KB
MD5d1a06b95c1d7ceaa4dc4c8b85367d673
SHA1766b56f2a91581a20d4e8c3b311007dac3c09177
SHA256b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8
SHA5126d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa
-
C:\Users\Admin\AppData\Local\Temp\lang.datFilesize
141KB
MD5d973223b0329118de57055177d78817b
SHA1953a3d81eaacf9cd3a4c0e2708ae33f12fb352ad
SHA256edfb699cbf082db13c59fe2695c64287baa46e96721c8a82eba04d718778091e
SHA512eead4c06792c825f21b5b0f99a95ed2c9be9e572e6f49ba00660bf756fb59beb96cc1cd5f3444b48b218bbf9e1f2fd549a36b9ab35e26c160b3675ac95db0bf5
-
\ProgramData\Windows NT\Windows eset service\http_dll.dllFilesize
45KB
MD5d1a06b95c1d7ceaa4dc4c8b85367d673
SHA1766b56f2a91581a20d4e8c3b311007dac3c09177
SHA256b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8
SHA5126d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa
-
\ProgramData\Windows NT\Windows eset service\http_dll.dllFilesize
45KB
MD5d1a06b95c1d7ceaa4dc4c8b85367d673
SHA1766b56f2a91581a20d4e8c3b311007dac3c09177
SHA256b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8
SHA5126d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa
-
\Users\Admin\AppData\Local\Temp\http_dll.dllFilesize
45KB
MD5d1a06b95c1d7ceaa4dc4c8b85367d673
SHA1766b56f2a91581a20d4e8c3b311007dac3c09177
SHA256b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8
SHA5126d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa
-
memory/784-185-0x00000000034B0000-0x00000000034EC000-memory.dmpFilesize
240KB
-
memory/784-183-0x00000000034B0000-0x00000000034EC000-memory.dmpFilesize
240KB
-
memory/784-190-0x00000000034B0000-0x00000000034EC000-memory.dmpFilesize
240KB
-
memory/784-188-0x00000000034B0000-0x00000000034EC000-memory.dmpFilesize
240KB
-
memory/784-187-0x00000000034B0000-0x00000000034EC000-memory.dmpFilesize
240KB
-
memory/784-186-0x00000000034B0000-0x00000000034EC000-memory.dmpFilesize
240KB
-
memory/784-184-0x0000000000F40000-0x0000000000F41000-memory.dmpFilesize
4KB
-
memory/3220-146-0x0000000002340000-0x000000000237C000-memory.dmpFilesize
240KB
-
memory/3220-133-0x0000000002340000-0x000000000237C000-memory.dmpFilesize
240KB
-
memory/3220-132-0x0000000002200000-0x0000000002300000-memory.dmpFilesize
1024KB
-
memory/4924-157-0x0000000000EA0000-0x0000000000EDC000-memory.dmpFilesize
240KB
-
memory/4924-159-0x0000000000EA0000-0x0000000000EDC000-memory.dmpFilesize
240KB
-
memory/4996-178-0x0000000000CC0000-0x0000000000CFC000-memory.dmpFilesize
240KB
-
memory/4996-168-0x0000000000CC0000-0x0000000000CFC000-memory.dmpFilesize
240KB
-
memory/4996-173-0x0000000000CC0000-0x0000000000CFC000-memory.dmpFilesize
240KB
-
memory/4996-176-0x0000000000CC0000-0x0000000000CFC000-memory.dmpFilesize
240KB
-
memory/4996-204-0x0000000000CC0000-0x0000000000CFC000-memory.dmpFilesize
240KB
-
memory/4996-202-0x0000000000CC0000-0x0000000000CFC000-memory.dmpFilesize
240KB
-
memory/4996-180-0x0000000000CC0000-0x0000000000CFC000-memory.dmpFilesize
240KB
-
memory/4996-171-0x0000000000CC0000-0x0000000000CFC000-memory.dmpFilesize
240KB
-
memory/4996-170-0x0000000000CC0000-0x0000000000CFC000-memory.dmpFilesize
240KB
-
memory/4996-169-0x0000000000CC0000-0x0000000000CFC000-memory.dmpFilesize
240KB
-
memory/4996-167-0x0000000000120000-0x0000000000121000-memory.dmpFilesize
4KB
-
memory/4996-172-0x0000000000CC0000-0x0000000000CFC000-memory.dmpFilesize
240KB
-
memory/4996-160-0x0000000000CC0000-0x0000000000CFC000-memory.dmpFilesize
240KB
-
memory/4996-189-0x0000000000CC0000-0x0000000000CFC000-memory.dmpFilesize
240KB
-
memory/4996-158-0x0000000000CC0000-0x0000000000CFC000-memory.dmpFilesize
240KB
-
memory/4996-191-0x0000000000CC0000-0x0000000000CFC000-memory.dmpFilesize
240KB
-
memory/4996-194-0x0000000000CC0000-0x0000000000CFC000-memory.dmpFilesize
240KB
-
memory/4996-196-0x0000000000CC0000-0x0000000000CFC000-memory.dmpFilesize
240KB
-
memory/4996-198-0x0000000000CC0000-0x0000000000CFC000-memory.dmpFilesize
240KB
-
memory/4996-200-0x0000000000CC0000-0x0000000000CFC000-memory.dmpFilesize
240KB
-
memory/5020-153-0x0000000001FB0000-0x0000000001FEC000-memory.dmpFilesize
240KB
-
memory/5020-177-0x0000000001FB0000-0x0000000001FEC000-memory.dmpFilesize
240KB