Overview

overview

10

Static

static

1

LZMA.exe

windows7-x64

10

LZMA.exe

windows10-1703-x64

10

LZMA.exe

windows10-2004-x64

10

LZMA.exe

windows11-21h2-x64

10

expatai.dll

windows7-x64

1

expatai.dll

windows10-1703-x64

1

expatai.dll

windows10-2004-x64

1

expatai.dll

windows11-21h2-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-1703_x64
  • resource
    win10-20240214-en
  • resource tags

    arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
  • submitted
    18-02-2024 16:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LZMA.exe

  • Size

    388KB

  • MD5

    89266366e2c712e8b47b2b9ed30d60b7

  • SHA1

    a94bb0440fe6c0d7a6c102037561ffbe6203a251

  • SHA256

    f7369777a4fee1b2e8282f30dc355c3216e4fdc7018912f2a7444026f9edafd0

  • SHA512

    385916c9bbc9a4d7474bfcc68c4fb281e2f3d6df5c11a114b8646400f8a822a5c945f80de2d8d97547e58971b03bcada2f28fc2f259db07ea1880b3fa68b3d95

  • SSDEEP

    12288:1PzUcyOjaTbV7DWZzZg1iuc30Oy7CxMFr:Vz1y6AbV+qwEr

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 23 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Unexpected DNS network traffic destination 3 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LZMA.exe
    "C:\Users\Admin\AppData\Local\Temp\LZMA.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4600
  • C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe
    "C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe" 100 4600
    1⤵
    • Deletes itself
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4172
  • C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe
    "C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe 209 5060
        3⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe
    Filesize

    388KB

    MD5

    89266366e2c712e8b47b2b9ed30d60b7

    SHA1

    a94bb0440fe6c0d7a6c102037561ffbe6203a251

    SHA256

    f7369777a4fee1b2e8282f30dc355c3216e4fdc7018912f2a7444026f9edafd0

    SHA512

    385916c9bbc9a4d7474bfcc68c4fb281e2f3d6df5c11a114b8646400f8a822a5c945f80de2d8d97547e58971b03bcada2f28fc2f259db07ea1880b3fa68b3d95

    Download Submit

  • C:\ProgramData\Microsoft\CryptSvcser\update.log
    Filesize

    228KB

    MD5

    fc5100b1fc7e642bf76fdc3df1846df5

    SHA1

    664d22bc60a7cd08b8ba5aee9f045fa21de719cb

    SHA256

    8a7e960d9aefce2bc6c515e63a46ea5d6e7db964301eb8a26c3dd561707eac77

    SHA512

    46cc8e84c7e5668e4fa5da0eabab725da2c5c93bfcce6d7774e668b3e011c6f24d9e0513aac097366504e1139525879b9a43b128c37c719c0a25401ceb9fbe47

    Download Submit

  • \ProgramData\Microsoft\CryptSvcser\expatai.dll
    Filesize

    400KB

    MD5

    dd55071ced298687339566cbe9b23c40

    SHA1

    1b5f760daab97658f7c0f7c28db35f10bde761bb

    SHA256

    ed10a005bbab4385775e5964586bad0c1d267edbf87ce98feb3cc7135877cca1

    SHA512

    ae9753860775be0039463c408e080a2541465562702c2407b46d3ab15dacdae6721325eb60ae72e0b389da2524e6122593a6f9bf42f1c2df5c2cb8463c4026c8

    Download Submit

  • memory/600-64-0x0000000002700000-0x000000000272D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/600-60-0x0000000002700000-0x000000000272D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/600-57-0x0000000002700000-0x000000000272D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/600-56-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/600-58-0x0000000002700000-0x000000000272D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/600-59-0x00000000000D0000-0x00000000000D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/600-61-0x0000000002700000-0x000000000272D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/600-62-0x0000000002700000-0x000000000272D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1180-32-0x0000000001440000-0x000000000146D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1180-26-0x0000000001440000-0x000000000146D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/4172-55-0x0000000002C40000-0x0000000002C6D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/4172-22-0x0000000002C40000-0x0000000002C6D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/4600-35-0x0000000003100000-0x000000000312D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/4600-2-0x0000000003100000-0x000000000312D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/4600-0-0x0000000003140000-0x0000000003240000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/5060-28-0x0000000003200000-0x0000000003201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5060-52-0x0000000003580000-0x00000000035AD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/5060-54-0x0000000003580000-0x00000000035AD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/5060-51-0x0000000003580000-0x00000000035AD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/5060-50-0x0000000003580000-0x00000000035AD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/5060-47-0x0000000003580000-0x00000000035AD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/5060-45-0x0000000003580000-0x00000000035AD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/5060-46-0x0000000003580000-0x00000000035AD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/5060-44-0x0000000003580000-0x00000000035AD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/5060-43-0x0000000002F10000-0x0000000002F11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5060-31-0x0000000003580000-0x00000000035AD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/5060-63-0x0000000003580000-0x00000000035AD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/5060-30-0x0000000003580000-0x00000000035AD000-memory.dmp

    Filesize

    180KB

    Download