Overview

overview

10

Static

static

1

1.zip

windows10-1703-x64

10

1.zip

windows7-x64

10

Analysis

  • max time kernel
    1201s
  • max time network
    1202s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    08-03-2023 20:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1.zip

  • Size

    178KB

  • MD5

    03f26e0d4c481b27eaf276963337311c

  • SHA1

    854b995c2508960f93fdff419a955ac72844e78b

  • SHA256

    9f94021d4e3b56b43a8be387f933db96d3f204601b9d3137559b3ae944650edb

  • SHA512

    6effe344370843091a2d060b6b18d3024023249fea0cec017523d9430e06e067fbbef5ad9b7f1b9712236980ff4f73bc0322064eedbbb37cc3216aacc4956e97

  • SSDEEP

    3072:ENOkf7P32G6nFAuWOfD3IDPcVXvp6xuTA+DQEALq+mYo7VQ0xBexnewAKHCfGID:ENOkfCxFAFyI4Fp4/+D69md7KTxnewfm

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 30 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Unexpected DNS network traffic destination 8 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\1.zip
    1⤵
      PID:1692
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Windows\explorer.exe
        explorer .
        2⤵
          PID:1852
        • C:\Users\Admin\AppData\Local\Temp\esetservice.exe
          esetservice.exe
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of AdjustPrivilegeToken
          PID:1932
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:876
        • C:\Program Files\7-Zip\7zG.exe
          "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap24648:82:7zEvent31784
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:608
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0xc8
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1960
      • C:\ProgramData\Windows NT\Windows eset service\esetservice.exe
        "C:\ProgramData\\Windows NT\\Windows eset service\esetservice.exe" 100 1932
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:1092
      • C:\ProgramData\Windows NT\Windows eset service\esetservice.exe
        "C:\ProgramData\Windows NT\Windows eset service\esetservice.exe" 200 0
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\SysWOW64\runonce.exe
          C:\Windows\system32\runonce.exe 201 0
          2⤵
          • Modifies data under HKEY_USERS
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1696
          • C:\Windows\SysWOW64\msiexec.exe
            C:\Windows\system32\msiexec.exe 209 1696
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:904

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Windows NT\Windows eset service\esetservice.exe
        Filesize

        32KB

        MD5

        68d91a34ce51cf15c45dd68f7f1257e8

        SHA1

        5d076537f56ee7389410698d700cc4fd7d736453

        SHA256

        81698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d

        SHA512

        e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65

        Download Submit

      • C:\ProgramData\Windows NT\Windows eset service\esetservice.exe
        Filesize

        32KB

        MD5

        68d91a34ce51cf15c45dd68f7f1257e8

        SHA1

        5d076537f56ee7389410698d700cc4fd7d736453

        SHA256

        81698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d

        SHA512

        e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65

        Download Submit

      • C:\ProgramData\Windows NT\Windows eset service\esetservice.exe
        Filesize

        32KB

        MD5

        68d91a34ce51cf15c45dd68f7f1257e8

        SHA1

        5d076537f56ee7389410698d700cc4fd7d736453

        SHA256

        81698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d

        SHA512

        e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65

        Download Submit

      • C:\ProgramData\Windows NT\Windows eset service\http_dll.dll
        Filesize

        45KB

        MD5

        d1a06b95c1d7ceaa4dc4c8b85367d673

        SHA1

        766b56f2a91581a20d4e8c3b311007dac3c09177

        SHA256

        b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8

        SHA512

        6d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa

        Download Submit

      • C:\ProgramData\Windows NT\Windows eset service\http_dll.dll
        Filesize

        45KB

        MD5

        d1a06b95c1d7ceaa4dc4c8b85367d673

        SHA1

        766b56f2a91581a20d4e8c3b311007dac3c09177

        SHA256

        b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8

        SHA512

        6d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa

        Download Submit

      • C:\ProgramData\Windows NT\Windows eset service\lang.dat
        Filesize

        141KB

        MD5

        d973223b0329118de57055177d78817b

        SHA1

        953a3d81eaacf9cd3a4c0e2708ae33f12fb352ad

        SHA256

        edfb699cbf082db13c59fe2695c64287baa46e96721c8a82eba04d718778091e

        SHA512

        eead4c06792c825f21b5b0f99a95ed2c9be9e572e6f49ba00660bf756fb59beb96cc1cd5f3444b48b218bbf9e1f2fd549a36b9ab35e26c160b3675ac95db0bf5

        Download Submit

      • C:\ProgramData\Windows NT\Windows eset service\lang.dat
        Filesize

        141KB

        MD5

        d973223b0329118de57055177d78817b

        SHA1

        953a3d81eaacf9cd3a4c0e2708ae33f12fb352ad

        SHA256

        edfb699cbf082db13c59fe2695c64287baa46e96721c8a82eba04d718778091e

        SHA512

        eead4c06792c825f21b5b0f99a95ed2c9be9e572e6f49ba00660bf756fb59beb96cc1cd5f3444b48b218bbf9e1f2fd549a36b9ab35e26c160b3675ac95db0bf5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\esetservice.exe
        Filesize

        32KB

        MD5

        68d91a34ce51cf15c45dd68f7f1257e8

        SHA1

        5d076537f56ee7389410698d700cc4fd7d736453

        SHA256

        81698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d

        SHA512

        e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\esetservice.exe
        Filesize

        32KB

        MD5

        68d91a34ce51cf15c45dd68f7f1257e8

        SHA1

        5d076537f56ee7389410698d700cc4fd7d736453

        SHA256

        81698c9d6e69506637208ca564b14b7febbfe4efbc574c490332a985adcbb12d

        SHA512

        e4cec6a713537d51451752c06e69e98b8053c3d50a5628e30adc770a883e946573757b4e10689a3e40023a19f5ed2f9d4890d07ced71726d1c984bf9130bcb65

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\http_dll.dll
        Filesize

        45KB

        MD5

        d1a06b95c1d7ceaa4dc4c8b85367d673

        SHA1

        766b56f2a91581a20d4e8c3b311007dac3c09177

        SHA256

        b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8

        SHA512

        6d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\lang.dat
        Filesize

        141KB

        MD5

        d973223b0329118de57055177d78817b

        SHA1

        953a3d81eaacf9cd3a4c0e2708ae33f12fb352ad

        SHA256

        edfb699cbf082db13c59fe2695c64287baa46e96721c8a82eba04d718778091e

        SHA512

        eead4c06792c825f21b5b0f99a95ed2c9be9e572e6f49ba00660bf756fb59beb96cc1cd5f3444b48b218bbf9e1f2fd549a36b9ab35e26c160b3675ac95db0bf5

        Download Submit

      • \ProgramData\Windows NT\Windows eset service\http_dll.dll
        Filesize

        45KB

        MD5

        d1a06b95c1d7ceaa4dc4c8b85367d673

        SHA1

        766b56f2a91581a20d4e8c3b311007dac3c09177

        SHA256

        b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8

        SHA512

        6d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa

        Download Submit

      • \ProgramData\Windows NT\Windows eset service\http_dll.dll
        Filesize

        45KB

        MD5

        d1a06b95c1d7ceaa4dc4c8b85367d673

        SHA1

        766b56f2a91581a20d4e8c3b311007dac3c09177

        SHA256

        b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8

        SHA512

        6d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa

        Download Submit

      • \Users\Admin\AppData\Local\Temp\http_dll.dll
        Filesize

        45KB

        MD5

        d1a06b95c1d7ceaa4dc4c8b85367d673

        SHA1

        766b56f2a91581a20d4e8c3b311007dac3c09177

        SHA256

        b700a48ba312c1b9deeac9fcf57ed426e79c8466327f1a4f5b1b057f2ca908e8

        SHA512

        6d7f1f3be71316afe7d10b1e474d3e599353411f70d79182f013f6e653fa9a1d7ff81070c639ff55486eaad4da9de8bc6005c80b31b29fbf3211047c163d14fa

        Download Submit

      • memory/876-54-0x0000000003740000-0x0000000003750000-memory.dmp

        Filesize

        64KB

        Download

      • memory/876-56-0x0000000003730000-0x0000000003731000-memory.dmp

        Filesize

        4KB

        Download

      • memory/876-55-0x0000000003730000-0x0000000003731000-memory.dmp

        Filesize

        4KB

        Download

      • memory/904-124-0x0000000000090000-0x0000000000091000-memory.dmp

        Filesize

        4KB

        Download

      • memory/904-128-0x0000000000370000-0x00000000003AC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/904-127-0x0000000000370000-0x00000000003AC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/904-126-0x0000000000370000-0x00000000003AC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/904-125-0x0000000000370000-0x00000000003AC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/904-123-0x0000000000370000-0x00000000003AC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1092-88-0x00000000002C0000-0x00000000002FC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1092-116-0x00000000002C0000-0x00000000002FC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1696-99-0x0000000000230000-0x000000000026C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1696-95-0x00000000000A0000-0x00000000000C2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1696-144-0x0000000000230000-0x000000000026C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1696-106-0x0000000000080000-0x0000000000081000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1696-107-0x0000000000230000-0x000000000026C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1696-108-0x0000000000230000-0x000000000026C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1696-109-0x0000000000230000-0x000000000026C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1696-110-0x0000000000230000-0x000000000026C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1696-111-0x0000000000230000-0x000000000026C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1696-112-0x0000000000230000-0x000000000026C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1696-115-0x0000000000230000-0x000000000026C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1696-96-0x00000000000D0000-0x00000000000D2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1696-117-0x0000000000230000-0x000000000026C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1696-97-0x0000000000230000-0x000000000026C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1696-142-0x0000000000230000-0x000000000026C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1696-93-0x0000000000080000-0x0000000000081000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1696-140-0x0000000000230000-0x000000000026C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1696-138-0x0000000000230000-0x000000000026C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1696-136-0x0000000000230000-0x000000000026C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1696-129-0x0000000000230000-0x000000000026C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1696-132-0x0000000000230000-0x000000000026C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1696-133-0x0000000000230000-0x000000000026C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1696-134-0x0000000000230000-0x000000000026C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1932-82-0x00000000003C0000-0x00000000003FC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1932-69-0x00000000003C0000-0x00000000003FC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1932-68-0x0000000001D00000-0x0000000001E00000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2020-92-0x00000000002B0000-0x00000000002EC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2020-98-0x00000000002B0000-0x00000000002EC000-memory.dmp

        Filesize

        240KB

        Download