Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
18-02-2024 16:09
General
-
Target
LZMA.exe
-
Size
388KB
-
MD5
89266366e2c712e8b47b2b9ed30d60b7
-
SHA1
a94bb0440fe6c0d7a6c102037561ffbe6203a251
-
SHA256
f7369777a4fee1b2e8282f30dc355c3216e4fdc7018912f2a7444026f9edafd0
-
SHA512
385916c9bbc9a4d7474bfcc68c4fb281e2f3d6df5c11a114b8646400f8a822a5c945f80de2d8d97547e58971b03bcada2f28fc2f259db07ea1880b3fa68b3d95
-
SSDEEP
12288:1PzUcyOjaTbV7DWZzZg1iuc30Oy7CxMFr:Vz1y6AbV+qwEr
Malware Config
Signatures
-
Detects PlugX payload 25 IoCs
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\LZMA.exe"C:\Users\Admin\AppData\Local\Temp\LZMA.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe"C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe" 100 29321⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe"C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe" 200 01⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe 201 02⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe 209 28323⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
388KB
MD589266366e2c712e8b47b2b9ed30d60b7
SHA1a94bb0440fe6c0d7a6c102037561ffbe6203a251
SHA256f7369777a4fee1b2e8282f30dc355c3216e4fdc7018912f2a7444026f9edafd0
SHA512385916c9bbc9a4d7474bfcc68c4fb281e2f3d6df5c11a114b8646400f8a822a5c945f80de2d8d97547e58971b03bcada2f28fc2f259db07ea1880b3fa68b3d95
-
Filesize
400KB
MD5dd55071ced298687339566cbe9b23c40
SHA11b5f760daab97658f7c0f7c28db35f10bde761bb
SHA256ed10a005bbab4385775e5964586bad0c1d267edbf87ce98feb3cc7135877cca1
SHA512ae9753860775be0039463c408e080a2541465562702c2407b46d3ab15dacdae6721325eb60ae72e0b389da2524e6122593a6f9bf42f1c2df5c2cb8463c4026c8
-
Filesize
228KB
MD5fc5100b1fc7e642bf76fdc3df1846df5
SHA1664d22bc60a7cd08b8ba5aee9f045fa21de719cb
SHA2568a7e960d9aefce2bc6c515e63a46ea5d6e7db964301eb8a26c3dd561707eac77
SHA51246cc8e84c7e5668e4fa5da0eabab725da2c5c93bfcce6d7774e668b3e011c6f24d9e0513aac097366504e1139525879b9a43b128c37c719c0a25401ceb9fbe47
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
4KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
4KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
108KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
8KB
-
Filesize
180KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
1024KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
180KB