Overview

overview

10

Static

static

3

f75ddb8104...d0.exe

windows7-x64

10

f75ddb8104...d0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1919s
  • max time network
    1920s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    30-10-2023 14:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f75ddb8104bd84b15c1bc9fae54d6a0da809ad001fc9e5c76ab2e733ccb684d0.exe

  • Size

    152KB

  • MD5

    32d85825a7f627cdf8070a379b6b464f

  • SHA1

    5cafbcdb8ff731cca458ecde9a73e8f0514f0647

  • SHA256

    f75ddb8104bd84b15c1bc9fae54d6a0da809ad001fc9e5c76ab2e733ccb684d0

  • SHA512

    3a169cc376ea74d8715a9852a16d04bebfad4a48a79b32bc88bbc5780d97faa7676156d21ee156be40fca45d92e0d046dc3e32db376c2a73971ac2e303e9983c

  • SSDEEP

    3072:vZMwqVSRFuYJOuN/9mlMH5KYCRDGNJeYh7hZ:hMwqVyXJOm8lqCRA

Score
10/10
plugxpersistencetrojan

Malware Config

Signatures

  • Detects PlugX payload 18 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f75ddb8104bd84b15c1bc9fae54d6a0da809ad001fc9e5c76ab2e733ccb684d0.exe
    "C:\Users\Admin\AppData\Local\Temp\f75ddb8104bd84b15c1bc9fae54d6a0da809ad001fc9e5c76ab2e733ccb684d0.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\SysWOW64\msiexec.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2144
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2564
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\CheckpointUnlock.rmi"
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3008
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RemoveSync.mht
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2944

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      caedc1b6af9cdf733b38c5807b111e01

      SHA1

      a479186d676d9b8d9cbf5ec2ebc53cea953d3fa3

      SHA256

      c3adf1d778eccae7202598d5d055191db297caab895d452ce9fda7631e3a3bfb

      SHA512

      ad732f682bea2556d16ab7d30296a1430c5ac6a7c864b08774ed0afb7404a0b168957167f50c99bd3bb1109f6f5b9ae5fbbf72f3901a1ed27e2dd97056cd3c59

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      6bb86cb74bb0ecfe04874ea76df3aa8f

      SHA1

      8330663363c763321320c7f871e3c9ade56ef46b

      SHA256

      53b233c6d0359bf08eefbfed8376e7e5782df7f893323e9e2ad93aad05a24031

      SHA512

      f3e71de9b52d30d2d782925a159cb3fddeae001fcaa406e75f3215415b9b7690b13e162b8d239bb1fadeccc01ec24c02e2da5c8aff5a395a465868bb5aba9b70

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      65812d34b3960b944ad2db2b552255b6

      SHA1

      ff158e9034d71c40435acacd124f5e99f517a28f

      SHA256

      900797a1db0764231853fc08b00da897beddd9ac433f8de5c35489a60a80a70f

      SHA512

      9266cccaa83efdf1c078af785c5bdc035c3179c2ddf357b01f5a43e84765c3b80375b74ad1028bf106b8fea2155050196061333d7543b59cb1669fbf57b24d47

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      428974b89247a8178c23c8047ff39e69

      SHA1

      f29bb3fc2141d36df2a9703a5a93ce644aaa9a87

      SHA256

      bd7655c69b832ef361b56645ec2cbb31f4067ae8b20a37a4bf6200bd5c353cc2

      SHA512

      561cdef8880fdf73d76c41405a5dcf03ad35752f0dca9d7294e531a5d63d2cafedc9663e943e9d27a00b7dbb6b9cb868c5d1fd0a415bb0aa33cc7e926b316cf6

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      fa78734eed5766952f3f90bb9ac21ed7

      SHA1

      cbd68f3626383ac2b98498f7c8f33f1f4f8168b8

      SHA256

      c6d56db04b30a10c9bb90a601e545fc7d36c435f0df482a2a7c9e5d27ae4acfd

      SHA512

      761d46de0836e5b84d5bdbe77c8be45704c66ffdffa473face072916c1c353cbda459b4ce1c324fcf5a49d78a71ea7d0a39a50deaab01133f9941e122991cf0c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      8e90a976584b89717ffdc79e74d18bcb

      SHA1

      594d453c2501b94bf279f108b620834859373bcb

      SHA256

      fe8ab0b16830a44c75c360bbca44bbf1ec735e24d7fc3f7b79dd5d6f8087acd4

      SHA512

      1728d2f6754e95236470cf5aa47fee86d8483e89fa1d904c798eeb5f47cbfb81ebccfdef1081f19dbad31593dda8e4b5e79f6a90c2f1c75f479d3fbe72e433a4

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      9647a67389d1c81bc76d7dd2dd8f7336

      SHA1

      8d3840e3cffa43d75beabc8890309c0d05fce713

      SHA256

      e14cd60cfefc2fb6ae9b191e6e2c8a7c82063956914cc342041c9001104313a0

      SHA512

      a5cd2a385ed3e39735e6232acc596a9531343ba694cd9df0c40a146e85e72a6606c026f91d920f39266c77fab60ca562d68ec73ecf18f94519438100e149d33e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      5be119157393c1bb9d18ba1f9a4f6677

      SHA1

      598d8f0024d4c0feba5c82eebebcf351112faab5

      SHA256

      cf3ae46dca9d1d62d830e56c887b56f066909ea2b31aaf0daf49ec3099e0d122

      SHA512

      fac1e592af51f140f9474ced99932df05359e6f4e76772ee849c94606bb621eca7a9e2a816d9a57e24e88b1bb5348b4b3234dbcf0a9afc63d4dd0310652ea0e2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab56CA.tmp
      Filesize

      61KB

      MD5

      f3441b8572aae8801c04f3060b550443

      SHA1

      4ef0a35436125d6821831ef36c28ffaf196cda15

      SHA256

      6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

      SHA512

      5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar5769.tmp
      Filesize

      163KB

      MD5

      9441737383d21192400eca82fda910ec

      SHA1

      725e0d606a4fc9ba44aa8ffde65bed15e65367e4

      SHA256

      bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

      SHA512

      7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

      Download Submit

    • memory/1696-2-0x0000000001CE0000-0x0000000001DE0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1696-15-0x00000000003D0000-0x00000000003D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1696-76-0x0000000000430000-0x000000000045E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1696-20-0x0000000000430000-0x000000000045E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1696-18-0x0000000000430000-0x000000000045E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1696-17-0x0000000000430000-0x000000000045E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1696-16-0x0000000000430000-0x000000000045E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1696-32-0x0000000001CE0000-0x0000000001DE0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1696-33-0x0000000000430000-0x000000000045E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1696-21-0x0000000000430000-0x000000000045E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1696-37-0x0000000000430000-0x000000000045E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1696-39-0x0000000000430000-0x000000000045E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1696-41-0x0000000000430000-0x000000000045E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1696-55-0x0000000000430000-0x000000000045E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1696-57-0x0000000000430000-0x000000000045E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1696-5-0x0000000000430000-0x000000000045E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1696-4-0x0000000000430000-0x000000000045E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2144-26-0x0000000000090000-0x0000000000091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2144-34-0x0000000000280000-0x00000000002AE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2144-22-0x0000000000090000-0x0000000000091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2144-24-0x00000000000B0000-0x00000000000CB000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2144-25-0x00000000000D0000-0x00000000000D2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2144-28-0x0000000000280000-0x00000000002AE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2144-29-0x0000000000090000-0x0000000000091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2144-31-0x0000000000280000-0x00000000002AE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2144-30-0x0000000000280000-0x00000000002AE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3008-79-0x000007FEF70C0000-0x000007FEF70D1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3008-82-0x000007FEF4C30000-0x000007FEF4E30000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3008-84-0x000007FEF6030000-0x000007FEF6051000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3008-72-0x000007FEF7140000-0x000007FEF7174000-memory.dmp

      Filesize

      208KB

      Download

    • memory/3008-71-0x000000013F040000-0x000000013F138000-memory.dmp

      Filesize

      992KB

      Download

    • memory/3008-83-0x000007FEF6500000-0x000007FEF653F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3008-81-0x000007FEF6540000-0x000007FEF6551000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3008-80-0x000007FEF6560000-0x000007FEF657D000-memory.dmp

      Filesize

      116KB

      Download

    • memory/3008-74-0x000007FEFA650000-0x000007FEFA668000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3008-78-0x000007FEF70E0000-0x000007FEF70F7000-memory.dmp

      Filesize

      92KB

      Download

    • memory/3008-77-0x000007FEF72E0000-0x000007FEF72F1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3008-75-0x000007FEFA5B0000-0x000007FEFA5C7000-memory.dmp

      Filesize

      92KB

      Download

    • memory/3008-73-0x000007FEF56C0000-0x000007FEF5974000-memory.dmp

      Filesize

      2.7MB

      Download