Analysis Overview
SHA256: 93d33626886e97abf4087f5445b2a02738ea21d8624b3f015625cd646e9d986e
Threat Level: Known bad
The file 27f49c4608311a736ef96673b2300531 was found to be: Known bad.
Malicious Activity Summary
PlugX
Unsigned PE
Enumerates physical storage devices
NSIS installer
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported: 2023-12-31 04:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2023-12-31 04:21
Reported: 2024-01-05 12:40
Platform: win7-20231215-en
Max time kernel: 0s
Max time network: 146s
Command Line
Signatures
PlugX
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\27f49c4608311a736ef96673b2300531.exe | "C:\Users\Admin\AppData\Local\Temp\27f49c4608311a736ef96673b2300531.exe" |
| C:\ProgramData\AAM UpdatesblF\AAM Updates.exe | "C:\ProgramData\AAM UpdatesblF\AAM Updates.exe" 275 |
| C:\Users\Admin\AppData\Local\Temp\web.exe | "C:\Users\Admin\AppData\Local\Temp\web.exe" |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" url.dll, FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\web.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | rainydaysweb.com | udp |
| US | 204.11.56.48:80 | rainydaysweb.com | tcp |
| US | 204.11.56.48:443 | rainydaysweb.com | tcp |
| US | 204.11.56.48:8080 | rainydaysweb.com | tcp |
Files
memory/2168-12-0x0000000000540000-0x0000000000640000-memory.dmp
\Users\Admin\AppData\Local\Temp\hex.dll
| Hash | Value |
|---|---|
| MD5 | 7f0c9d945de893037c28f0d44c7c25ba |
| SHA1 | 7b442756eb0b8b7a19a4a58ef4eb459782c573a6 |
| SHA256 | 6cad961824c9185ee76bd5c458af740d5ef75269e806c2884e63eb9453951f4c |
| SHA512 | ffa50474754e590d8c44b43fb0e086dadeede5970948ae461a263ea99c404193fcbe894c58c44c2901a8f99ad3b369497d5364fbc685eef12e94d220b1d0191f |
memory/2188-25-0x0000000000510000-0x0000000000610000-memory.dmp
memory/2188-24-0x0000000001EE0000-0x0000000005B11000-memory.dmp
memory/2188-26-0x0000000001EE0000-0x0000000005B11000-memory.dmp
\ProgramData\AAM UpdatesblF\AAM Updates.exe
| Hash | Value |
|---|---|
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2168-11-0x0000000001D60000-0x0000000005991000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\web.exe
| Hash | Value |
|---|---|
| MD5 | c70d8dce46b4551133ecc58aed84bf0e |
| SHA1 | 00626346632fdfb2a1d5831793e92a3601ec4d9f |
| SHA256 | 0459e62c5444896d5be404c559c834ba455fa5cae1689c70fc8c61bc15468681 |
| SHA512 | 12117c7fa9acef9a2a8d7da53a2a435dd45298bb98439025e2c4a3bb0c8096675d5541c0b2eb7246164e2a19cd879f98c0a007b0f73691d59036822be01a6f92 |
memory/2188-27-0x0000000001EE0000-0x0000000005B11000-memory.dmp
memory/2188-28-0x0000000001EE0000-0x0000000005B11000-memory.dmp
memory/2188-29-0x0000000001EE0000-0x0000000005B11000-memory.dmp
memory/2188-30-0x0000000000510000-0x0000000000610000-memory.dmp
memory/2188-31-0x0000000001EE0000-0x0000000005B11000-memory.dmp
memory/2188-32-0x0000000001EE0000-0x0000000005B11000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2023-12-31 04:21
Reported: 2024-01-05 12:41
Platform: win10v2004-20231222-en