Analysis
-
max time kernel
1201s -
max time network
1202s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
08-03-2023 20:44
General
-
Target
1.zip
-
Size
178KB
-
MD5
03f26e0d4c481b27eaf276963337311c
-
SHA1
854b995c2508960f93fdff419a955ac72844e78b
-
SHA256
9f94021d4e3b56b43a8be387f933db96d3f204601b9d3137559b3ae944650edb
-
SHA512
6effe344370843091a2d060b6b18d3024023249fea0cec017523d9430e06e067fbbef5ad9b7f1b9712236980ff4f73bc0322064eedbbb37cc3216aacc4956e97
-
SSDEEP
3072:ENOkf7P32G6nFAuWOfD3IDPcVXvp6xuTA+DQEALq+mYo7VQ0xBexnewAKHCfGID:ENOkfCxFAFyI4Fp4/+D69md7KTxnewfm
Malware Config
Signatures
-
Detects PlugX payload 30 IoCs
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Unexpected DNS network traffic destination 8 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 1 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\1.zip1⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeexplorer .2⤵
-
C:\Users\Admin\AppData\Local\Temp\esetservice.exeesetservice.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap24648:82:7zEvent317842⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0xc81⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Windows NT\Windows eset service\esetservice.exe"C:\ProgramData\\Windows NT\\Windows eset service\esetservice.exe" 100 19321⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Windows NT\Windows eset service\esetservice.exe"C:\ProgramData\Windows NT\Windows eset service\esetservice.exe" 200 01⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\runonce.exeC:\Windows\system32\runonce.exe 201 02⤵
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\system32\msiexec.exe 209 16963⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Windows NT\Windows eset service\esetservice.exeFilesize
32KB
MD568d91a34ce51cf15c45dd68f7f1257e8
SHA15d076537f56ee7389410698d700cc4fd7d736453
SHA25681698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d
SHA512e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65
-
C:\ProgramData\Windows NT\Windows eset service\esetservice.exeFilesize
32KB
MD568d91a34ce51cf15c45dd68f7f1257e8
SHA15d076537f56ee7389410698d700cc4fd7d736453
SHA25681698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d
SHA512e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65
-
C:\ProgramData\Windows NT\Windows eset service\esetservice.exeFilesize
32KB
MD568d91a34ce51cf15c45dd68f7f1257e8
SHA15d076537f56ee7389410698d700cc4fd7d736453
SHA25681698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d
SHA512e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65
-
C:\ProgramData\Windows NT\Windows eset service\http_dll.dllFilesize
45KB
MD5d1a06b95c1d7ceaa4dc4c8b85367d673
SHA1766b56f2a91581a20d4e8c3b311007dac3c09177
SHA256b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8
SHA5126d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa
-
C:\ProgramData\Windows NT\Windows eset service\http_dll.dllFilesize
45KB
MD5d1a06b95c1d7ceaa4dc4c8b85367d673
SHA1766b56f2a91581a20d4e8c3b311007dac3c09177
SHA256b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8
SHA5126d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa
-
C:\ProgramData\Windows NT\Windows eset service\lang.datFilesize
141KB
MD5d973223b0329118de57055177d78817b
SHA1953a3d81eaacf9cd3a4c0e2708ae33f12fb352ad
SHA256edfb699cbf082db13c59fe2695c64287baa46e96721c8a82eba04d718778091e
SHA512eead4c06792c825f21b5b0f99a95ed2c9be9e572e6f49ba00660bf756fb59beb96cc1cd5f3444b48b218bbf9e1f2fd549a36b9ab35e26c160b3675ac95db0bf5
-
C:\ProgramData\Windows NT\Windows eset service\lang.datFilesize
141KB
MD5d973223b0329118de57055177d78817b
SHA1953a3d81eaacf9cd3a4c0e2708ae33f12fb352ad
SHA256edfb699cbf082db13c59fe2695c64287baa46e96721c8a82eba04d718778091e
SHA512eead4c06792c825f21b5b0f99a95ed2c9be9e572e6f49ba00660bf756fb59beb96cc1cd5f3444b48b218bbf9e1f2fd549a36b9ab35e26c160b3675ac95db0bf5
-
C:\Users\Admin\AppData\Local\Temp\esetservice.exeFilesize
32KB
MD568d91a34ce51cf15c45dd68f7f1257e8
SHA15d076537f56ee7389410698d700cc4fd7d736453
SHA25681698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d
SHA512e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65
-
C:\Users\Admin\AppData\Local\Temp\esetservice.exeFilesize
32KB
MD568d91a34ce51cf15c45dd68f7f1257e8
SHA15d076537f56ee7389410698d700cc4fd7d736453
SHA25681698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d
SHA512e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65
-
C:\Users\Admin\AppData\Local\Temp\http_dll.dllFilesize
45KB
MD5d1a06b95c1d7ceaa4dc4c8b85367d673
SHA1766b56f2a91581a20d4e8c3b311007dac3c09177
SHA256b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8
SHA5126d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa
-
C:\Users\Admin\AppData\Local\Temp\lang.datFilesize
141KB
MD5d973223b0329118de57055177d78817b
SHA1953a3d81eaacf9cd3a4c0e2708ae33f12fb352ad
SHA256edfb699cbf082db13c59fe2695c64287baa46e96721c8a82eba04d718778091e
SHA512eead4c06792c825f21b5b0f99a95ed2c9be9e572e6f49ba00660bf756fb59beb96cc1cd5f3444b48b218bbf9e1f2fd549a36b9ab35e26c160b3675ac95db0bf5
-
\ProgramData\Windows NT\Windows eset service\http_dll.dllFilesize
45KB
MD5d1a06b95c1d7ceaa4dc4c8b85367d673
SHA1766b56f2a91581a20d4e8c3b311007dac3c09177
SHA256b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8
SHA5126d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa
-
\ProgramData\Windows NT\Windows eset service\http_dll.dllFilesize
45KB
MD5d1a06b95c1d7ceaa4dc4c8b85367d673
SHA1766b56f2a91581a20d4e8c3b311007dac3c09177
SHA256b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8
SHA5126d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa
-
\Users\Admin\AppData\Local\Temp\http_dll.dllFilesize
45KB
MD5d1a06b95c1d7ceaa4dc4c8b85367d673
SHA1766b56f2a91581a20d4e8c3b311007dac3c09177
SHA256b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8
SHA5126d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa
-
memory/876-54-0x0000000003740000-0x0000000003750000-memory.dmpFilesize
64KB
-
memory/876-56-0x0000000003730000-0x0000000003731000-memory.dmpFilesize
4KB
-
memory/876-55-0x0000000003730000-0x0000000003731000-memory.dmpFilesize
4KB
-
memory/904-124-0x0000000000090000-0x0000000000091000-memory.dmpFilesize
4KB
-
memory/904-128-0x0000000000370000-0x00000000003AC000-memory.dmpFilesize
240KB
-
memory/904-127-0x0000000000370000-0x00000000003AC000-memory.dmpFilesize
240KB
-
memory/904-126-0x0000000000370000-0x00000000003AC000-memory.dmpFilesize
240KB
-
memory/904-125-0x0000000000370000-0x00000000003AC000-memory.dmpFilesize
240KB
-
memory/904-123-0x0000000000370000-0x00000000003AC000-memory.dmpFilesize
240KB
-
memory/1092-88-0x00000000002C0000-0x00000000002FC000-memory.dmpFilesize
240KB
-
memory/1092-116-0x00000000002C0000-0x00000000002FC000-memory.dmpFilesize
240KB
-
memory/1696-99-0x0000000000230000-0x000000000026C000-memory.dmpFilesize
240KB
-
memory/1696-95-0x00000000000A0000-0x00000000000C2000-memory.dmpFilesize
136KB
-
memory/1696-144-0x0000000000230000-0x000000000026C000-memory.dmpFilesize
240KB
-
memory/1696-106-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/1696-107-0x0000000000230000-0x000000000026C000-memory.dmpFilesize
240KB
-
memory/1696-108-0x0000000000230000-0x000000000026C000-memory.dmpFilesize
240KB
-
memory/1696-109-0x0000000000230000-0x000000000026C000-memory.dmpFilesize
240KB
-
memory/1696-110-0x0000000000230000-0x000000000026C000-memory.dmpFilesize
240KB
-
memory/1696-111-0x0000000000230000-0x000000000026C000-memory.dmpFilesize
240KB
-
memory/1696-112-0x0000000000230000-0x000000000026C000-memory.dmpFilesize
240KB
-
memory/1696-115-0x0000000000230000-0x000000000026C000-memory.dmpFilesize
240KB
-
memory/1696-96-0x00000000000D0000-0x00000000000D2000-memory.dmpFilesize
8KB
-
memory/1696-117-0x0000000000230000-0x000000000026C000-memory.dmpFilesize
240KB
-
memory/1696-97-0x0000000000230000-0x000000000026C000-memory.dmpFilesize
240KB
-
memory/1696-142-0x0000000000230000-0x000000000026C000-memory.dmpFilesize
240KB
-
memory/1696-93-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/1696-140-0x0000000000230000-0x000000000026C000-memory.dmpFilesize
240KB
-
memory/1696-138-0x0000000000230000-0x000000000026C000-memory.dmpFilesize
240KB
-
memory/1696-136-0x0000000000230000-0x000000000026C000-memory.dmpFilesize
240KB
-
memory/1696-129-0x0000000000230000-0x000000000026C000-memory.dmpFilesize
240KB
-
memory/1696-132-0x0000000000230000-0x000000000026C000-memory.dmpFilesize
240KB
-
memory/1696-133-0x0000000000230000-0x000000000026C000-memory.dmpFilesize
240KB
-
memory/1696-134-0x0000000000230000-0x000000000026C000-memory.dmpFilesize
240KB
-
memory/1932-82-0x00000000003C0000-0x00000000003FC000-memory.dmpFilesize
240KB
-
memory/1932-69-0x00000000003C0000-0x00000000003FC000-memory.dmpFilesize
240KB
-
memory/1932-68-0x0000000001D00000-0x0000000001E00000-memory.dmpFilesize
1024KB
-
memory/2020-92-0x00000000002B0000-0x00000000002EC000-memory.dmpFilesize
240KB
-
memory/2020-98-0x00000000002B0000-0x00000000002EC000-memory.dmpFilesize
240KB