plugx | 93d33626886e97abf4087f5445b2a02738ea21d8624b3f015625cd646e9d986e

Analysis

max time kernel
0s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27f49c4608311a736ef96673b2300531.exe
Size

204KB
MD5

27f49c4608311a736ef96673b2300531
SHA1

da24c13d479932796e992c1f42e979e637e476d0
SHA256

93d33626886e97abf4087f5445b2a02738ea21d8624b3f015625cd646e9d986e
SHA512

8a698f8ac861e5545141e36faf35e91123cdb9ddaa2f7d8923ca4d80cf276325ccba900321b3b503473d2769c93a92ec6fa9bd2c2b3f2b3552202fdf25f7d30c
SSDEEP

3072:DQIURTXJ+MokVhHrSCT8u56E19MW1etykWtSGzB2P5/js9PtNCfEhaCtpe5k0gLu:Ds9ochO4r1fb+GlC5/21Nk8pOgq

Score

10^/10

plugx trojan

Malware Config

Extracted

Family

plugx

rainydaysweb.com:80

rainydaysweb.com:443

rainydaysweb.com:53

Attributes

folder
AAM UpdatesblF

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1964	1684	27f49c4608311a736ef96673b2300531.exe	18
PID 1684 wrote to memory of 1964	1684	27f49c4608311a736ef96673b2300531.exe	18
PID 1684 wrote to memory of 1964	1684	27f49c4608311a736ef96673b2300531.exe	18
PID 1684 wrote to memory of 1964	1684	27f49c4608311a736ef96673b2300531.exe	18
PID 1684 wrote to memory of 1964	1684	27f49c4608311a736ef96673b2300531.exe	18
PID 1684 wrote to memory of 1964	1684	27f49c4608311a736ef96673b2300531.exe	18
PID 1684 wrote to memory of 1964	1684	27f49c4608311a736ef96673b2300531.exe	18

C:\Users\Admin\AppData\Local\Temp\27f49c4608311a736ef96673b2300531.exe
"C:\Users\Admin\AppData\Local\Temp\27f49c4608311a736ef96673b2300531.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll, FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\web.exe
  2⤵
  PID:1964

C:\ProgramData\AAM UpdatesblF\AAM Updates.exe
"C:\ProgramData\AAM UpdatesblF\AAM Updates.exe" 275
1⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\web.exe
"C:\Users\Admin\AppData\Local\Temp\web.exe"
1⤵
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\web.exe

Filesize
185KB

MD5
c70d8dce46b4551133ecc58aed84bf0e

SHA1
00626346632fdfb2a1d5831793e92a3601ec4d9f

SHA256
0459e62c5444896d5be404c559c834ba455fa5cae1689c70fc8c61bc15468681

SHA512
12117c7fa9acef9a2a8d7da53a2a435dd45298bb98439025e2c4a3bb0c8096675d5541c0b2eb7246164e2a19cd879f98c0a007b0f73691d59036822be01a6f92

Download Submit
\Users\Admin\AppData\Local\Temp\hex.dll

Filesize
20KB

MD5
7f0c9d945de893037c28f0d44c7c25ba

SHA1
7b442756eb0b8b7a19a4a58ef4eb459782c573a6

SHA256
6cad961824c9185ee76bd5c458af740d5ef75269e806c2884e63eb9453951f4c

SHA512
ffa50474754e590d8c44b43fb0e086dadeede5970948ae461a263ea99c404193fcbe894c58c44c2901a8f99ad3b369497d5364fbc685eef12e94d220b1d0191f

Download Submit
memory/2168-12-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2168-11-0x0000000001D60000-0x0000000005991000-memory.dmp

Filesize
60.2MB

Download
memory/2188-24-0x0000000001EE0000-0x0000000005B11000-memory.dmp

Filesize
60.2MB

Download
memory/2188-26-0x0000000001EE0000-0x0000000005B11000-memory.dmp

Filesize
60.2MB

Download
memory/2188-25-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/2188-27-0x0000000001EE0000-0x0000000005B11000-memory.dmp

Filesize
60.2MB

Download
memory/2188-28-0x0000000001EE0000-0x0000000005B11000-memory.dmp

Filesize
60.2MB

Download
memory/2188-29-0x0000000001EE0000-0x0000000005B11000-memory.dmp

Filesize
60.2MB

Download
memory/2188-30-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/2188-31-0x0000000001EE0000-0x0000000005B11000-memory.dmp

Filesize
60.2MB

Download
memory/2188-32-0x0000000001EE0000-0x0000000005B11000-memory.dmp

Filesize
60.2MB

Download