Malware Analysis Report

2024-07-11 07:37

Sample ID: 231231-ey155acdg2
Target: 27f49c4608311a736ef96673b2300531
SHA256: 93d33626886e97abf4087f5445b2a02738ea21d8624b3f015625cd646e9d986e
Tags: plugx trojan
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK Matrix
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10

SHA256: 93d33626886e97abf4087f5445b2a02738ea21d8624b3f015625cd646e9d986e

Threat Level: Known bad

The file 27f49c4608311a736ef96673b2300531 was found to be: Known bad.

Malicious Activity Summary

plugx trojan

PlugX

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2023-12-31 04:21

Signatures

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

NSIS installer

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A
N/A           N/A         N/A       N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-31 04:21
Reported: 2024-01-05 12:40
Platform: win7-20231215-en
Max time kernel: 0s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27f49c4608311a736ef96673b2300531.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\27f49c4608311a736ef96673b2300531.exe

"C:\Users\Admin\AppData\Local\Temp\27f49c4608311a736ef96673b2300531.exe"

C:\ProgramData\AAM UpdatesblF\AAM Updates.exe

"C:\ProgramData\AAM UpdatesblF\AAM Updates.exe" 275

C:\Users\Admin\AppData\Local\Temp\web.exe

"C:\Users\Admin\AppData\Local\Temp\web.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" url.dll, FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\web.exe

Network

Country   Destination          Domain             Proto
US        8.8.8.8:53           rainydaysweb.com   udp
US        8.8.8.8:53           rainydaysweb.com   udp
US        204.11.56.48:80      rainydaysweb.com   tcp
US        204.11.56.48:80      rainydaysweb.com   tcp
US        204.11.56.48:80      rainydaysweb.com   tcp
US        8.8.8.8:53           rainydaysweb.com   udp
US        204.11.56.48:443     rainydaysweb.com   tcp
US        204.11.56.48:443     rainydaysweb.com   tcp
US        204.11.56.48:443     rainydaysweb.com   tcp
US        204.11.56.48:443     rainydaysweb.com   tcp
US        8.8.8.8:53           rainydaysweb.com   udp
US        204.11.56.48:8080    rainydaysweb.com   tcp
US        204.11.56.48:8080    rainydaysweb.com   tcp

Files

memory/2168-12-0x0000000000540000-0x0000000000640000-memory.dmp

\Users\Admin\AppData\Local\Temp\hex.dll

MD5 7f0c9d945de893037c28f0d44c7c25ba
SHA1 7b442756eb0b8b7a19a4a58ef4eb459782c573a6
SHA256 6cad961824c9185ee76bd5c458af740d5ef75269e806c2884e63eb9453951f4c
SHA512 ffa50474754e590d8c44b43fb0e086dadeede5970948ae461a263ea99c404193fcbe894c58c44c2901a8f99ad3b369497d5364fbc685eef12e94d220b1d0191f

memory/2188-25-0x0000000000510000-0x0000000000610000-memory.dmp

memory/2188-24-0x0000000001EE0000-0x0000000005B11000-memory.dmp

memory/2188-26-0x0000000001EE0000-0x0000000005B11000-memory.dmp

\ProgramData\AAM UpdatesblF\AAM Updates.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2168-11-0x0000000001D60000-0x0000000005991000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\web.exe

MD5 c70d8dce46b4551133ecc58aed84bf0e
SHA1 00626346632fdfb2a1d5831793e92a3601ec4d9f
SHA256 0459e62c5444896d5be404c559c834ba455fa5cae1689c70fc8c61bc15468681
SHA512 12117c7fa9acef9a2a8d7da53a2a435dd45298bb98439025e2c4a3bb0c8096675d5541c0b2eb7246164e2a19cd879f98c0a007b0f73691d59036822be01a6f92

memory/2188-27-0x0000000001EE0000-0x0000000005B11000-memory.dmp

memory/2188-28-0x0000000001EE0000-0x0000000005B11000-memory.dmp

memory/2188-29-0x0000000001EE0000-0x0000000005B11000-memory.dmp

memory/2188-30-0x0000000000510000-0x0000000000610000-memory.dmp

memory/2188-31-0x0000000001EE0000-0x0000000005B11000-memory.dmp

memory/2188-32-0x0000000001EE0000-0x0000000005B11000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-31 04:21
Reported: 2024-01-05 12:41
Platform: win10v2004-20231222-en

Command Line: N/A

Signatures: N/A

Processes: N/A

Network: N/A

Files: N/A