Analysis

  • max time kernel
    300s
  • max time network
    301s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-02-2024 20:57

General

  • Target

    NvSmartMax.rar

  • Size

    146KB

  • MD5

    c56cac95726fd10b5a85be1c87336354

  • SHA1

    b29b5a35c3ecd559047e8477e949ac72e9bdc52d

  • SHA256

    e49e2826c4d9fae960ca6baecd6754400e5da74446c5b511beb15831b42f2b1d

  • SHA512

    d6dd8283320330199e9235e4e8bb2ed7995f5c6cb51a08e2118502660bc8ce29d7490198e1dcba9641b199b8d7f80c1708948230b69392cfd8391c5a7d505ab5

  • SSDEEP

    3072:MljIdulYQyNl7bAT+JbjClf00YM8SzR1hv0iuzFWC9FnbfztQf:Mj+uqXAT6jClkao5WCrbCf

Score
10/10

Signatures

  • Detects PlugX payload 25 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 37 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\NvSmartMax.rar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NvSmartMax.rar"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2800
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2704
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap19207:100:7zEvent6980
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2940
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Users\Admin\AppData\Local\Temp\Nv.exe
        nv
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:300
    • C:\ProgramData\SxS\Nv.exe
      "C:\ProgramData\SxS\Nv.exe" 100 300
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:868
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      1⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1400
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 1400
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:432
    • C:\ProgramData\SxS\Nv.exe
      "C:\ProgramData\SxS\Nv.exe" 200 0
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1332
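
    The tree above is the observable chain: an archive opened with 7-Zip, Nv.exe run from the user's Temp directory, a second Nv.exe executed from C:\ProgramData\SxS\ with numeric arguments ("100 300", "200 0"), a 32-bit svchost.exe started with "201 0" outside the normal services.exe lineage, and an msiexec.exe whose second argument ("209 1400") is the PID of its own parent. The Python below is an added example, not part of the sandbox report, that turns those observations into a small detection run over constructed process-creation events. The PIDs and command lines are taken from the tree; the parent relationships follow its indentation (explorer.exe as the parent of the depth-1 entries) and the benign wininit.exe/services.exe/svchost.exe events are assumptions added so the rules have something legitimate to ignore.

```python
# Added example (not part of the sandbox report): a detection over
# constructed process-creation events modelled on the process tree above.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full image path as a Sysmon/EDR sensor would log it
    cmdline: str  # full command line as logged


def _args(cmdline: str) -> List[str]:
    """Return the argument tokens after the (possibly quoted) image token."""
    if cmdline.startswith('"'):
        rest = cmdline[cmdline.find('"', 1) + 1:]
    else:
        rest = cmdline.partition(" ")[2]
    return rest.split()


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map PID -> list of reasons for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, List[str]] = {}
    for e in events:
        reasons: List[str] = []
        img = e.image.lower()
        name = _basename(img)
        args = _args(e.cmdline)
        all_numeric = bool(args) and all(a.isdigit() for a in args)

        # Rule 1: executables running out of ProgramData or a user Temp dir
        # (the report's "Executes dropped EXE" on C:\ProgramData\SxS\Nv.exe
        # and C:\Users\Admin\AppData\Local\Temp\Nv.exe).
        if name.endswith(".exe") and img.startswith("c:\\programdata\\"):
            reasons.append("exe executed from ProgramData")
        if name.endswith(".exe") and "\\appdata\\local\\temp\\" in img:
            reasons.append("exe executed from user Temp")

        # Rule 2: svchost.exe / msiexec.exe with numeric-only arguments
        # ("svchost.exe 201 0", "msiexec.exe 209 1400" in the tree).
        if name in ("svchost.exe", "msiexec.exe") and all_numeric:
            reasons.append(f"{name} with numeric-only args")

        # Rule 3: a legitimate svchost.exe is started by services.exe.
        if name == "svchost.exe":
            parent = by_pid.get(e.ppid)
            if parent is None or _basename(parent.image) != "services.exe":
                reasons.append("svchost.exe not parented by services.exe")

        # Rule 4: msiexec.exe handed its own parent's PID as an argument.
        if (name == "msiexec.exe" and len(args) == 2
                and args[1].isdigit() and int(args[1]) == e.ppid):
            reasons.append("msiexec.exe passed its parent PID as an argument")

        if reasons:
            hits[e.pid] = reasons
    return hits


def sample_events() -> List[ProcEvent]:
    """Constructed events. PIDs and command lines come from the tree above;
    parent PIDs follow its indentation, and the wininit/services/svchost
    trio is an assumed benign baseline."""
    return [
        ProcEvent(400, 1, r"C:\Windows\System32\wininit.exe", "wininit.exe"),
        ProcEvent(480, 400, r"C:\Windows\System32\services.exe", r"C:\Windows\system32\services.exe"),
        ProcEvent(500, 480, r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs"),
        ProcEvent(2704, 2600, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'),
        ProcEvent(2940, 2704, r"C:\Program Files\7-Zip\7zG.exe",
                  r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap19207:100:7zEvent6980'),
        ProcEvent(2160, 2704, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
        ProcEvent(300, 2160, r"C:\Users\Admin\AppData\Local\Temp\Nv.exe", "nv"),
        ProcEvent(868, 2704, r"C:\ProgramData\SxS\Nv.exe", r'"C:\ProgramData\SxS\Nv.exe" 100 300'),
        ProcEvent(1400, 2704, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe 201 0"),
        ProcEvent(432, 1400, r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\system32\msiexec.exe 209 1400"),
        ProcEvent(1332, 2704, r"C:\ProgramData\SxS\Nv.exe", r'"C:\ProgramData\SxS\Nv.exe" 200 0'),
    ]


if __name__ == "__main__":
    for pid, why in sorted(detect(sample_events()).items()):
        print(pid, "->", "; ".join(why))
```

    Rules 1 and 2 fire on the dropped Nv.exe copies and on the numeric-argument svchost.exe/msiexec.exe; rule 3 catches the svchost.exe that is not a child of services.exe (the report logs it under SysWOW64 while its command line says system32, which is WoW64 file-system redirection on a 32-bit process); rule 4 is specific to the "209 1400" pattern, where the second argument equals the parent PID. The baseline svchost.exe -k netsvcs started by services.exe triggers nothing.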

    Downloads

    • C:\ProgramData\SxS\Nv.exe
      Filesize

      35KB

      MD5

      567454f23114827bb6394cb2a39b7558

      SHA1

      348df1cf1896359afb60e377844e42e6b6cecbd5

      SHA256

      12cc8beee16c16ab409971054335a73bec15e94210e5d388660ab6b1a69faeb1

      SHA512

      132faf68816aef41c369b1b20de453e7a83522eeab3d03b3608b972ec1393403e67195c72d1a65ac9d8e4037d535cafe75db4bce77ec7b9525eee73101e60b82

    • C:\ProgramData\SxS\Nv.exe
      Filesize

      16KB

      MD5

      6fb42249972ff72e4394978cada4b151

      SHA1

      a1fdd01e6ba9f6a003ff1e9db35e1ab2975a67ec

      SHA256

      aaf8f9a8be670616731a5f5b41ad3e9d20e601c9dd46d1acb3908483d2cce7c3

      SHA512

      ce47cf4b800ab0db9c6785716611c58ded64e421f3290dc44b8a615f2d35738e6a728981c5844eea735a7edf1b6e519a1fd50c44679f8048d6b4384c1af51e41

    • C:\ProgramData\SxS\Nv.mp3
      Filesize

      10KB

      MD5

      56e2d0804ef02eb06b67198316438ede

      SHA1

      44801d650f56beab5eaa1ba5527d8799adb4e727

      SHA256

      8728bd42eed8b4c4b558992531d0c44697d47c7bfcf60c2aa1e54eb1743b535d

      SHA512

      32c33413a93d5d0261b50be454fbf2d74f3b4d63b5585b50523fb4826aea454c23659d6d0c109aee5620d59771861b83e8ce910ed07abc3e693779e3db2783b3

    • C:\ProgramData\SxS\Nv.mp3
      Filesize

      45KB

      MD5

      8181e25b82b809075936cd5871307499

      SHA1

      d442f3e6367593cdb4d1b04857a3e2347860570e

      SHA256

      aca64c47b8d224d84e1a30ed841fb67540629d6955710d19d466f6f778440101

      SHA512

      70b8575ad3da85c8e180f91a8f62858ed48f8ef2c52e520172e43c43b514a6e73c86c7dcde47a8c09bc33355ea2dd33753bf621ce3f8dc908699d9b6d75eaa2f

    • C:\ProgramData\SxS\NvSmartMax.dll
      Filesize

      1KB

      MD5

      364aedd62318de58603f5cbe59be1f2b

      SHA1

      929fd4750f7c9bc235477464c164a9034b5b0332

      SHA256

      fa9a0fec3ed1c6a008ed862ca53559039183e4288b0e8bd2ceebef430d850d1a

      SHA512

      261e85eb361e53d51996dcba71a7e761bc875ddaaf71f31a18d2ddb3d7c07af9f337584b7b7440e8f2368b5aa33ee9035540cae7ea3e52c4ee71bc6e4f854b3c

    • C:\ProgramData\SxS\bug.log
      Filesize

      580B

      MD5

      517274021f580090e3b05ffcf8049ffe

      SHA1

      013bafab4586b02209594039e633c08139b2c517

      SHA256

      0669976ab7464092d492ec079fb18c2c3c2b390cd1a5cdd581000255287095c5

      SHA512

      8f4b4eaf1c25c0046d249d4009bfd00d752a7673f863f77cbc5030b157da4d3099d9a04474f729aa4542749379c96eab1512a6afa0f90880f180268effca9745

    • C:\ProgramData\SxS\bug.log
      Filesize

      742B

      MD5

      5a9f634c4d5f649b9b8ab461c26af052

      SHA1

      b4a10800ea5198e0d9dd7e3136ab06d96eab43bb

      SHA256

      8484070442fbfcac840caeba03b383b4e82fa5bf7aba6e85728ff65043e3e933

      SHA512

      4721f5d1f76d159d3d6537da7e75872ba5665094b14ffa313139c74eb6068b9e0170e0ae531938360be00a26ba0893cacbf285bfc5bff028b4e7ec17521e933c

    • C:\Users\Admin\AppData\Local\Temp\Nv.exe
      Filesize

      46KB

      MD5

      09b8b54f78a10c435cd319070aa13c28

      SHA1

      6474d0369f97e72e01e4971128d1062f5c2b3656

      SHA256

      523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

      SHA512

      c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    • C:\Users\Admin\AppData\Local\Temp\Nv.mp3
      Filesize

      120KB

      MD5

      5ef7c3bcbc11cd02c95e509b226eebe9

      SHA1

      794a90212d226628c8ce4441c3418c1ecca0e3b8

      SHA256

      3d64e638f961b922398e2efaf75504da007e41ea979f213f8eb4f83e00efeebb

      SHA512

      c86f464f736125d8fb499efe2555cae1aea5d67fbf15be816883e058ad9107eb399d3ade6c5afe811a2eb59ebdc1d52c992124359fa26085a650eb940fe2eae4

    • C:\Users\Admin\AppData\Local\Temp\NvSmartMax.dll
      Filesize

      20KB

      MD5

      0b21678ed8e2b117344cfceba8f097dd

      SHA1

      db53bb022cb6de016713f1570f2ae501f20f9c76

      SHA256

      eaaa7899b37a3b04dcd02ad6d51e83e035be535f129773621ef0f399a2a98ee3

      SHA512

      182268649b360f44f021570ddc9290f5051a8be556ffd66355bc325027ba48c5fe824e1bea925411bdaef4c17e0f3d81a1d3c710b59c4462540d567da625a41a

    • \ProgramData\SxS\NvSmartMax.dll
      Filesize

      5KB

      MD5

      efbc7e63b808809fb97023ff97d43e93

      SHA1

      121f600b8e378d7c5f4f1b761b81f5b210c97f58

      SHA256

      d6c84f55958192cd12715bb52b8ca130c2df4f93ea3c8adfcc929263ce29902e

      SHA512

      7a36aa0cbb546e7b3425c109e241b4e8645d51175bb7d3525bd408d967d860455cc376e757c2ef00d4a99a3ba76c73727b6397876b88d267a04d27a82bf7d990

    • memory/300-36-0x0000000000280000-0x00000000002B0000-memory.dmp
      Filesize

      192KB

    • memory/300-76-0x0000000000280000-0x00000000002B0000-memory.dmp
      Filesize

      192KB

    • memory/300-35-0x0000000000410000-0x0000000000510000-memory.dmp
      Filesize

      1024KB

    • memory/300-37-0x0000000000280000-0x00000000002B0000-memory.dmp
      Filesize

      192KB

    • memory/432-110-0x0000000000090000-0x0000000000091000-memory.dmp
      Filesize

      4KB

    • memory/432-113-0x0000000000260000-0x0000000000290000-memory.dmp
      Filesize

      192KB

    • memory/432-108-0x0000000000260000-0x0000000000290000-memory.dmp
      Filesize

      192KB

    • memory/432-112-0x0000000000260000-0x0000000000290000-memory.dmp
      Filesize

      192KB

    • memory/432-116-0x0000000000260000-0x0000000000290000-memory.dmp
      Filesize

      192KB

    • memory/868-98-0x0000000000280000-0x00000000002B0000-memory.dmp
      Filesize

      192KB

    • memory/868-57-0x0000000000280000-0x00000000002B0000-memory.dmp
      Filesize

      192KB

    • memory/868-56-0x0000000000280000-0x00000000002B0000-memory.dmp
      Filesize

      192KB

    • memory/1332-61-0x0000000000410000-0x0000000000440000-memory.dmp
      Filesize

      192KB

    • memory/1332-62-0x0000000000410000-0x0000000000440000-memory.dmp
      Filesize

      192KB

    • memory/1400-92-0x0000000000180000-0x00000000001B0000-memory.dmp
      Filesize

      192KB

    • memory/1400-85-0x0000000000020000-0x0000000000021000-memory.dmp
      Filesize

      4KB

    • memory/1400-86-0x0000000000180000-0x00000000001B0000-memory.dmp
      Filesize

      192KB

    • memory/1400-69-0x0000000000180000-0x00000000001B0000-memory.dmp
      Filesize

      192KB

    • memory/1400-67-0x0000000000100000-0x0000000000101000-memory.dmp
      Filesize

      4KB

    • memory/1400-65-0x0000000000120000-0x000000000013D000-memory.dmp
      Filesize

      116KB

    • memory/1400-63-0x0000000000100000-0x0000000000101000-memory.dmp
      Filesize

      4KB

    • memory/1400-87-0x0000000000180000-0x00000000001B0000-memory.dmp
      Filesize

      192KB

    • memory/1400-88-0x0000000000180000-0x00000000001B0000-memory.dmp
      Filesize

      192KB

    • memory/1400-95-0x0000000000180000-0x00000000001B0000-memory.dmp
      Filesize

      192KB

    • memory/1400-94-0x0000000000180000-0x00000000001B0000-memory.dmp
      Filesize

      192KB

    • memory/1400-100-0x0000000000180000-0x00000000001B0000-memory.dmp
      Filesize

      192KB

    • memory/1400-96-0x0000000000180000-0x00000000001B0000-memory.dmp
      Filesize

      192KB

    • memory/1400-97-0x0000000000180000-0x00000000001B0000-memory.dmp
      Filesize

      192KB

    • memory/1400-93-0x0000000000180000-0x00000000001B0000-memory.dmp
      Filesize

      192KB

    • memory/1400-71-0x0000000000180000-0x00000000001B0000-memory.dmp
      Filesize

      192KB

    • memory/1400-115-0x0000000000180000-0x00000000001B0000-memory.dmp
      Filesize

      192KB

    • memory/1400-66-0x0000000000140000-0x0000000000142000-memory.dmp
      Filesize

      8KB