Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-1703_x64 -
resource
win10-20231023-en -
resource tags
-
submitted
19-11-2023 03:00
General
-
Target
PlugX_3C74A85C2CF883BD9D4B9F8B9746030F_DW20.dll
-
Size
228KB
-
MD5
3c74a85c2cf883bd9d4b9f8b9746030f
-
SHA1
40541a03e910b21df681bec69cfe59678ebba86c
-
SHA256
66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967
-
SHA512
15ab0c68e1dc8f5dc87231942f008228fe658ce221efe0ba90dfbfedea7e9cf401cac37098674a1d7cd489c97d061b847f09b86c24453575e2d46d4d9326e29c
-
SSDEEP
3072:Y3Bb2V38tdLIKbEN2HSKjZNPH4cGHk51Kk+u5arueqFl8sLbxDZxWRko5V:YRbvkKgN8/RH4hHk5gUUYFl8UmT
Malware Config
Signatures
-
Detects PlugX payload 22 IoCs
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in System32 directory 5 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\PlugX_3C74A85C2CF883BD9D4B9F8B9746030F_DW20.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\PlugX_3C74A85C2CF883BD9D4B9F8B9746030F_DW20.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\E510.tmpC:\Users\Admin\AppData\Local\Temp\E510.tmp3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Gadget.exeC:\Users\Admin\AppData\Local\Temp\\Gadget.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\WS\Gadget.exeC:\ProgramData\WS\Gadget.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe 201 02⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\system32\msiexec.exe 209 6843⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\WS\Gadget.exeFilesize
25KB
MD56b97b3cd2fcfb4b74985143230441463
SHA18985c2394ed9a58c36f907962b0724fe66c204a6
SHA2565c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9
SHA512736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715
-
C:\ProgramData\WS\Gadget.exeFilesize
25KB
MD56b97b3cd2fcfb4b74985143230441463
SHA18985c2394ed9a58c36f907962b0724fe66c204a6
SHA2565c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9
SHA512736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715
-
C:\ProgramData\WS\Gadget.exeFilesize
25KB
MD56b97b3cd2fcfb4b74985143230441463
SHA18985c2394ed9a58c36f907962b0724fe66c204a6
SHA2565c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9
SHA512736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715
-
C:\ProgramData\WS\SideBar.dllFilesize
41KB
MD5901fa02ffd43de5b2d7c8c6b8c2f6a43
SHA18bb71adf1c418061510c40240852c3cd61fb214c
SHA2563144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679
SHA5126500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab
-
C:\ProgramData\WS\SideBar.dllFilesize
41KB
MD5901fa02ffd43de5b2d7c8c6b8c2f6a43
SHA18bb71adf1c418061510c40240852c3cd61fb214c
SHA2563144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679
SHA5126500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab
-
C:\ProgramData\WS\SideBar.dll.docFilesize
121KB
MD597c11e7d6b1926cd4be13804b36239ac
SHA1b388b86a782ae14fee2a31bc7626a816c3eabc5a
SHA256a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a
SHA5128ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121
-
C:\ProgramData\WS\SideBar.dll.docFilesize
121KB
MD597c11e7d6b1926cd4be13804b36239ac
SHA1b388b86a782ae14fee2a31bc7626a816c3eabc5a
SHA256a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a
SHA5128ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121
-
C:\Users\Admin\AppData\Local\Temp\E510.tmpFilesize
225KB
MD5c116cd083284cc599c024c3479ca9b70
SHA1bf831962162a0446454e3e32d764cc0e5daafde0
SHA25690a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84
SHA512d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560
-
C:\Users\Admin\AppData\Local\Temp\E510.tmpFilesize
225KB
MD5c116cd083284cc599c024c3479ca9b70
SHA1bf831962162a0446454e3e32d764cc0e5daafde0
SHA25690a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84
SHA512d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560
-
C:\Users\Admin\AppData\Local\Temp\Gadget.exeFilesize
25KB
MD56b97b3cd2fcfb4b74985143230441463
SHA18985c2394ed9a58c36f907962b0724fe66c204a6
SHA2565c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9
SHA512736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715
-
C:\Users\Admin\AppData\Local\Temp\Gadget.exeFilesize
25KB
MD56b97b3cd2fcfb4b74985143230441463
SHA18985c2394ed9a58c36f907962b0724fe66c204a6
SHA2565c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9
SHA512736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715
-
C:\Users\Admin\AppData\Local\Temp\SideBar.dllFilesize
41KB
MD5901fa02ffd43de5b2d7c8c6b8c2f6a43
SHA18bb71adf1c418061510c40240852c3cd61fb214c
SHA2563144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679
SHA5126500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab
-
C:\Users\Admin\AppData\Local\Temp\SideBar.dll.docFilesize
121KB
MD597c11e7d6b1926cd4be13804b36239ac
SHA1b388b86a782ae14fee2a31bc7626a816c3eabc5a
SHA256a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a
SHA5128ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121
-
\ProgramData\WS\SideBar.dllFilesize
41KB
MD5901fa02ffd43de5b2d7c8c6b8c2f6a43
SHA18bb71adf1c418061510c40240852c3cd61fb214c
SHA2563144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679
SHA5126500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab
-
\Users\Admin\AppData\Local\Temp\Sidebar.dllFilesize
41KB
MD5901fa02ffd43de5b2d7c8c6b8c2f6a43
SHA18bb71adf1c418061510c40240852c3cd61fb214c
SHA2563144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679
SHA5126500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab
-
memory/684-38-0x0000000000940000-0x0000000000970000-memory.dmpFilesize
192KB
-
memory/684-40-0x0000000000940000-0x0000000000970000-memory.dmpFilesize
192KB
-
memory/684-79-0x0000000000940000-0x0000000000970000-memory.dmpFilesize
192KB
-
memory/684-58-0x0000000000940000-0x0000000000970000-memory.dmpFilesize
192KB
-
memory/684-70-0x0000000000940000-0x0000000000970000-memory.dmpFilesize
192KB
-
memory/684-69-0x0000000000940000-0x0000000000970000-memory.dmpFilesize
192KB
-
memory/684-37-0x00000000003B0000-0x00000000003B1000-memory.dmpFilesize
4KB
-
memory/684-57-0x0000000000940000-0x0000000000970000-memory.dmpFilesize
192KB
-
memory/684-54-0x0000000000940000-0x0000000000970000-memory.dmpFilesize
192KB
-
memory/684-60-0x0000000000940000-0x0000000000970000-memory.dmpFilesize
192KB
-
memory/684-55-0x0000000000940000-0x0000000000970000-memory.dmpFilesize
192KB
-
memory/684-42-0x0000000000940000-0x0000000000970000-memory.dmpFilesize
192KB
-
memory/684-52-0x00000000002C0000-0x00000000002C1000-memory.dmpFilesize
4KB
-
memory/684-53-0x0000000000940000-0x0000000000970000-memory.dmpFilesize
192KB
-
memory/3484-41-0x0000000000560000-0x0000000000590000-memory.dmpFilesize
192KB
-
memory/3484-16-0x0000000000560000-0x0000000000590000-memory.dmpFilesize
192KB
-
memory/3484-12-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/3484-14-0x00000000007E0000-0x00000000008E0000-memory.dmpFilesize
1024KB
-
memory/4232-39-0x0000000000790000-0x00000000007C0000-memory.dmpFilesize
192KB
-
memory/4232-36-0x0000000000790000-0x00000000007C0000-memory.dmpFilesize
192KB
-
memory/4232-35-0x0000000000790000-0x00000000007C0000-memory.dmpFilesize
192KB
-
memory/4232-33-0x0000000000400000-0x0000000000405000-memory.dmpFilesize
20KB
-
memory/4504-63-0x0000000004D80000-0x0000000004DB0000-memory.dmpFilesize
192KB
-
memory/4504-64-0x0000000002FC0000-0x0000000002FC1000-memory.dmpFilesize
4KB
-
memory/4504-66-0x0000000000940000-0x0000000000970000-memory.dmpFilesize
192KB
-
memory/4504-68-0x0000000004D80000-0x0000000004DB0000-memory.dmpFilesize
192KB
-
memory/4504-67-0x0000000004D80000-0x0000000004DB0000-memory.dmpFilesize
192KB
-
memory/4504-65-0x0000000004D80000-0x0000000004DB0000-memory.dmpFilesize
192KB
-
memory/4504-71-0x0000000000940000-0x0000000000970000-memory.dmpFilesize
192KB
-
memory/4504-72-0x0000000004D80000-0x0000000004DB0000-memory.dmpFilesize
192KB