Overview

overview

10

Static

static

1

图片2023...md.exe

windows7-x64

10

图片2023...md.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-03-2023 03:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    图片20233155168jpg.cmd.exe

  • Size

    602KB

  • MD5

    50e0dc8b208f29699d895388d2441cc0

  • SHA1

    be4376a162f4f1a00da2124645e55301e641c440

  • SHA256

    59c99ff6fe40a2d811eeebd5c63f5ddf96107a890cd6c4b41821adbcf97f9204

  • SHA512

    8c29774e16686417fe6a552dfecb9ce2ee8d138c916f7f13b78dd974a10847b68f6fbb2452ab6a579e621ef66a47dda16b4ff8cc6d6a96bfcb1eff27bef4e1aa

  • SSDEEP

    12288:DGHCnaomAEg3uPdkgOX+tZdxJsq1al2NyCGtN/NazPT46om5vGq:DGHCm8uPdJFdzakYBNazxoq

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 26 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\图片20233155168jpg.cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\图片20233155168jpg.cmd.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4756
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\TraceIndexer.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\TraceIndexer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4584
  • C:\ProgramData\googleupdate\TraceIndexer.exe
    "C:\ProgramData\googleupdate\TraceIndexer.exe" 100 4584
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1504
  • C:\ProgramData\googleupdate\TraceIndexer.exe
    "C:\ProgramData\googleupdate\TraceIndexer.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\system32\msiexec.exe 201 0
      2⤵
      • Blocklisted process makes network request
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 1224
        3⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:3704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\googleupdate\ATKEX.dll
    Filesize

    33KB

    MD5

    ae8091b6a252a2c34033eaac7e1001d6

    SHA1

    f2de8d84d51a1cbb9f0100f94361c13a341f7163

    SHA256

    ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

    SHA512

    616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

    Download Submit
  • C:\ProgramData\googleupdate\ATKEX.dll
    Filesize

    33KB

    MD5

    ae8091b6a252a2c34033eaac7e1001d6

    SHA1

    f2de8d84d51a1cbb9f0100f94361c13a341f7163

    SHA256

    ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

    SHA512

    616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

    Download Submit
  • C:\ProgramData\googleupdate\ATKEX.dll
    Filesize

    33KB

    MD5

    ae8091b6a252a2c34033eaac7e1001d6

    SHA1

    f2de8d84d51a1cbb9f0100f94361c13a341f7163

    SHA256

    ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

    SHA512

    616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

    Download Submit
  • C:\ProgramData\googleupdate\ATKEX.dll
    Filesize

    33KB

    MD5

    ae8091b6a252a2c34033eaac7e1001d6

    SHA1

    f2de8d84d51a1cbb9f0100f94361c13a341f7163

    SHA256

    ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

    SHA512

    616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

    Download Submit
  • C:\ProgramData\googleupdate\TraceIndexer.exe
    Filesize

    457KB

    MD5

    07321f91bad9653b4fa737e5c993de90

    SHA1

    9b0e7f445739825816e970205fe92adf7d3e1fc8

    SHA256

    c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

    SHA512

    c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

    Download Submit
  • C:\ProgramData\googleupdate\TraceIndexer.exe
    Filesize

    457KB

    MD5

    07321f91bad9653b4fa737e5c993de90

    SHA1

    9b0e7f445739825816e970205fe92adf7d3e1fc8

    SHA256

    c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

    SHA512

    c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

    Download Submit
  • C:\ProgramData\googleupdate\TraceIndexer.exe
    Filesize

    457KB

    MD5

    07321f91bad9653b4fa737e5c993de90

    SHA1

    9b0e7f445739825816e970205fe92adf7d3e1fc8

    SHA256

    c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

    SHA512

    c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

    Download Submit
  • C:\ProgramData\googleupdate\debug.dump
    Filesize

    113KB

    MD5

    96237e8adaff3cb27fc02b5cc2a817b7

    SHA1

    6c5a43e26a30b401e5657c56eb8a0fbfe9916859

    SHA256

    ab112d5d3b66116293eb4205fdf778d34f90b1e27b020c2cad65e551d16b483f

    SHA512

    b53346c08e45d75bbae5ef863c5ecc4a340073a9c550122792fd407708534201a7aefd2366b9c825bdff6ed105953371729bf0903a8152093403165ff9098c8c

    Download Submit
  • C:\ProgramData\googleupdate\debug.dump
    Filesize

    113KB

    MD5

    96237e8adaff3cb27fc02b5cc2a817b7

    SHA1

    6c5a43e26a30b401e5657c56eb8a0fbfe9916859

    SHA256

    ab112d5d3b66116293eb4205fdf778d34f90b1e27b020c2cad65e551d16b483f

    SHA512

    b53346c08e45d75bbae5ef863c5ecc4a340073a9c550122792fd407708534201a7aefd2366b9c825bdff6ed105953371729bf0903a8152093403165ff9098c8c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ATKEX.dll
    Filesize

    33KB

    MD5

    ae8091b6a252a2c34033eaac7e1001d6

    SHA1

    f2de8d84d51a1cbb9f0100f94361c13a341f7163

    SHA256

    ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

    SHA512

    616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ATKEX.dll
    Filesize

    33KB

    MD5

    ae8091b6a252a2c34033eaac7e1001d6

    SHA1

    f2de8d84d51a1cbb9f0100f94361c13a341f7163

    SHA256

    ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

    SHA512

    616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\TraceIndexer.exe
    Filesize

    457KB

    MD5

    07321f91bad9653b4fa737e5c993de90

    SHA1

    9b0e7f445739825816e970205fe92adf7d3e1fc8

    SHA256

    c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

    SHA512

    c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\TraceIndexer.exe
    Filesize

    457KB

    MD5

    07321f91bad9653b4fa737e5c993de90

    SHA1

    9b0e7f445739825816e970205fe92adf7d3e1fc8

    SHA256

    c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

    SHA512

    c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\TraceIndexer.exe
    Filesize

    457KB

    MD5

    07321f91bad9653b4fa737e5c993de90

    SHA1

    9b0e7f445739825816e970205fe92adf7d3e1fc8

    SHA256

    c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

    SHA512

    c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\debug.dump
    Filesize

    113KB

    MD5

    96237e8adaff3cb27fc02b5cc2a817b7

    SHA1

    6c5a43e26a30b401e5657c56eb8a0fbfe9916859

    SHA256

    ab112d5d3b66116293eb4205fdf778d34f90b1e27b020c2cad65e551d16b483f

    SHA512

    b53346c08e45d75bbae5ef863c5ecc4a340073a9c550122792fd407708534201a7aefd2366b9c825bdff6ed105953371729bf0903a8152093403165ff9098c8c

    Download Submit
  • memory/1224-197-0x0000000000C30000-0x0000000000C5D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1224-208-0x0000000000C30000-0x0000000000C5D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1224-191-0x0000000000C30000-0x0000000000C5D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1224-198-0x0000000000C30000-0x0000000000C5D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1224-195-0x0000000000C30000-0x0000000000C5D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1224-194-0x0000000000C30000-0x0000000000C5D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1224-179-0x0000000000C30000-0x0000000000C5D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1224-192-0x0000000000C30000-0x0000000000C5D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1224-180-0x0000000000C30000-0x0000000000C5D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1224-188-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1224-189-0x0000000000C30000-0x0000000000C5D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1224-190-0x0000000000C30000-0x0000000000C5D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1504-199-0x0000000001100000-0x000000000112D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1504-176-0x0000000001100000-0x000000000112D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1504-173-0x0000000001100000-0x000000000112D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/2316-181-0x0000000000C30000-0x0000000000C5D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/2316-178-0x0000000000C30000-0x0000000000C5D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/3704-206-0x0000000000C30000-0x0000000000C5D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/3704-202-0x0000000000AD0000-0x0000000000AD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3704-201-0x0000000002610000-0x000000000263D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/3704-203-0x0000000002610000-0x000000000263D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/3704-200-0x0000000002610000-0x000000000263D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/3704-205-0x0000000002610000-0x000000000263D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/3704-204-0x0000000002610000-0x000000000263D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/3704-207-0x0000000002610000-0x000000000263D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/3704-209-0x0000000000C30000-0x0000000000C5D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/3704-210-0x0000000002610000-0x000000000263D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/4584-153-0x0000000002460000-0x000000000248D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/4584-154-0x0000000002460000-0x000000000248D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/4584-152-0x00000000025A0000-0x00000000026A0000-memory.dmp
    Filesize

    1024KB

    Download