Malware Analysis Report

2024-07-11 07:38

Sample ID 240318-nrlljagd4v
Target d369b0abb477bed3cda7ee99b203d45d
SHA256 769863ec7ba1e28a77c7cc0bda19bb79e6869cae63ecdfab97c669fc40348a0c
Tags
plugx persistence trojan
score
10/10


Analysis Overview

score
10/10

SHA256

769863ec7ba1e28a77c7cc0bda19bb79e6869cae63ecdfab97c669fc40348a0c

Threat Level: Known bad

The file d369b0abb477bed3cda7ee99b203d45d was found to be: Known bad.

Malicious Activity Summary

plugx persistence trojan

PlugX

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-18 11:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-18 11:37

Reported

2024-03-18 11:40

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d369b0abb477bed3cda7ee99b203d45d.exe"

Signatures

PlugX

trojan plugx

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation \??\c:\windows\temp\avg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\temp\avg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\arpa.exe N/A
N/A N/A C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\arpa.exe N/A
N/A N/A C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ESET Malware ProtectionLYo = "\"C:\\ProgramData\\ESET Malware ProtectionLYo\\unsecapp.exe\" -app" C:\Users\Admin\AppData\Local\Temp\arpa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ESET Malware ProtectionLYo = "\"C:\\ProgramData\\ESET Malware ProtectionLYo\\unsecapp.exe\" -app" C:\Users\Admin\AppData\Local\Temp\arpa.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1808 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\d369b0abb477bed3cda7ee99b203d45d.exe \??\c:\windows\temp\avg.exe
PID 1808 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\d369b0abb477bed3cda7ee99b203d45d.exe \??\c:\windows\temp\avg.exe
PID 1808 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\d369b0abb477bed3cda7ee99b203d45d.exe \??\c:\windows\temp\avg.exe
PID 4584 wrote to memory of 2988 N/A \??\c:\windows\temp\avg.exe C:\Windows\SysWOW64\rundll32.exe
PID 4584 wrote to memory of 2988 N/A \??\c:\windows\temp\avg.exe C:\Windows\SysWOW64\rundll32.exe
PID 4584 wrote to memory of 2988 N/A \??\c:\windows\temp\avg.exe C:\Windows\SysWOW64\rundll32.exe
PID 2988 wrote to memory of 3908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\arpa.exe
PID 2988 wrote to memory of 3908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\arpa.exe
PID 2988 wrote to memory of 3908 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\arpa.exe
PID 3908 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\arpa.exe C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe
PID 3908 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\arpa.exe C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe
PID 3908 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\arpa.exe C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d369b0abb477bed3cda7ee99b203d45d.exe

"C:\Users\Admin\AppData\Local\Temp\d369b0abb477bed3cda7ee99b203d45d.exe"

\??\c:\windows\temp\avg.exe

c:\windows\temp\avg.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" url.dll, FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\arpa.exe

C:\Users\Admin\AppData\Local\Temp\arpa.exe

"C:\Users\Admin\AppData\Local\Temp\arpa.exe"

C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe

"C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe" -app

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
CN 45.248.87.140:443 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
GB 172.217.169.74:443 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
CN 45.248.87.140:443 tcp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
CN 45.248.87.140:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
CN 45.248.87.140:443 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
CN 45.248.87.140:443 tcp
US 8.8.8.8:53 152.141.79.40.in-addr.arpa udp

Files

C:\Windows\Temp\avg.exe

MD5 fba356748c02da7a65ddef9470aa1cf2
SHA1 e0e3b538d015b1eb06a8a663bc746a36c3cc5848
SHA256 792eba5ba91a52bfb3b369107f38fb9a7e7b7987cd870f465338eae59e81f3f6
SHA512 f626824b33ea03f690500058c73ba662a1363535f80e7b05149dc8b580bd6bf514b334f3509283933993d0947b254c30cb6ddbf7be99d53de471997a2ef2f71d

C:\Users\Admin\AppData\Local\Temp\arpa.exe

MD5 28c6f235946fd694d2634c7a2f24c1ba
SHA1 e9a9ce1ff07834d6ba9a51ba0d9e7c7a0b68d3e5
SHA256 c3159d4f85ceb84c4a0f7ea9208928e729a30ddda4fead7ec6257c7dd1984763
SHA512 16865c473e010950a2aa25263af70074ad7539a86dc20e0a253df39e54e3635e99e821d4df83cd7a0eaeff10c75782966439d16d056427e824be8df953e138be

C:\Users\Admin\AppData\Local\Temp\http_dll.dll

MD5 5b92266d9a26260b4c9920ede267ba37
SHA1 372d5455fdb689787e7e49f7799510c6c2cdf6b7
SHA256 d3c41834ea1a05eb19b6012a9c0c4a2dd9df243af0df56885edabedfe3fea261
SHA512 db9b277d74d1c50b8580b8dbeef1f5c3f54a6cf436a95c658bf7b8201d48ed651400fdde84d7297abf7f71b1f8f2bf335716833e564fa25cf10483b5f8766ec5

C:\Users\Admin\AppData\Local\Temp\http_dll.dat

MD5 27a4ed145a9a6cb41af09b8927fd5bee
SHA1 815be32e1ae7ec20621e87239a6279fbba2fc8b5
SHA256 3fbbf30015b64b50912c09c43052ac48b1983e869cebfb88dd1271fcb4e60d10
SHA512 2978496330e0dcfafad6b9186181febe4af28cb7bec227bfab3f0be711e5160b96692a9752e260bf585abc0a5d481bd4d408ead88e0e2973552e4abb934107a8

memory/3908-15-0x0000000001590000-0x0000000001690000-memory.dmp

memory/3908-14-0x0000000001520000-0x0000000001540000-memory.dmp

memory/4568-26-0x0000000000E20000-0x0000000000E40000-memory.dmp

memory/4568-27-0x0000000000E90000-0x0000000000F90000-memory.dmp

memory/4568-28-0x0000000000E90000-0x0000000000F90000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-18 11:37

Reported

2024-03-18 11:40

Platform

win7-20231129-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d369b0abb477bed3cda7ee99b203d45d.exe"

Signatures

PlugX

trojan plugx

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\temp\avg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\arpa.exe N/A
N/A N/A C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ESET Malware ProtectionLYo = "\"C:\\ProgramData\\ESET Malware ProtectionLYo\\unsecapp.exe\" -app" C:\Users\Admin\AppData\Local\Temp\arpa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ESET Malware ProtectionLYo = "\"C:\\ProgramData\\ESET Malware ProtectionLYo\\unsecapp.exe\" -app" C:\Users\Admin\AppData\Local\Temp\arpa.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\d369b0abb477bed3cda7ee99b203d45d.exe \??\c:\windows\temp\avg.exe
PID 2232 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\d369b0abb477bed3cda7ee99b203d45d.exe \??\c:\windows\temp\avg.exe
PID 2232 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\d369b0abb477bed3cda7ee99b203d45d.exe \??\c:\windows\temp\avg.exe
PID 2232 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\d369b0abb477bed3cda7ee99b203d45d.exe \??\c:\windows\temp\avg.exe
PID 2896 wrote to memory of 940 N/A \??\c:\windows\temp\avg.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 940 N/A \??\c:\windows\temp\avg.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 940 N/A \??\c:\windows\temp\avg.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 940 N/A \??\c:\windows\temp\avg.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 940 N/A \??\c:\windows\temp\avg.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 940 N/A \??\c:\windows\temp\avg.exe C:\Windows\SysWOW64\rundll32.exe
PID 2896 wrote to memory of 940 N/A \??\c:\windows\temp\avg.exe C:\Windows\SysWOW64\rundll32.exe
PID 940 wrote to memory of 1704 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\arpa.exe
PID 940 wrote to memory of 1704 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\arpa.exe
PID 940 wrote to memory of 1704 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\arpa.exe
PID 940 wrote to memory of 1704 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\arpa.exe
PID 1704 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\arpa.exe C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe
PID 1704 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\arpa.exe C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe
PID 1704 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\arpa.exe C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe
PID 1704 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\arpa.exe C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d369b0abb477bed3cda7ee99b203d45d.exe

"C:\Users\Admin\AppData\Local\Temp\d369b0abb477bed3cda7ee99b203d45d.exe"

\??\c:\windows\temp\avg.exe

c:\windows\temp\avg.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" url.dll, FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\arpa.exe

C:\Users\Admin\AppData\Local\Temp\arpa.exe

"C:\Users\Admin\AppData\Local\Temp\arpa.exe"

C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe

"C:\ProgramData\ESET Malware ProtectionLYo\unsecapp.exe" -app

Network

Country Destination Domain Proto
CN 45.248.87.140:443 tcp
CN 45.248.87.140:443 tcp
CN 45.248.87.140:443 tcp
CN 45.248.87.140:443 tcp
CN 45.248.87.140:443 tcp
CN 45.248.87.140:443 tcp

Files

\Windows\Temp\avg.exe

MD5 fba356748c02da7a65ddef9470aa1cf2
SHA1 e0e3b538d015b1eb06a8a663bc746a36c3cc5848
SHA256 792eba5ba91a52bfb3b369107f38fb9a7e7b7987cd870f465338eae59e81f3f6
SHA512 f626824b33ea03f690500058c73ba662a1363535f80e7b05149dc8b580bd6bf514b334f3509283933993d0947b254c30cb6ddbf7be99d53de471997a2ef2f71d

C:\Users\Admin\AppData\Local\Temp\arpa.exe

MD5 28c6f235946fd694d2634c7a2f24c1ba
SHA1 e9a9ce1ff07834d6ba9a51ba0d9e7c7a0b68d3e5
SHA256 c3159d4f85ceb84c4a0f7ea9208928e729a30ddda4fead7ec6257c7dd1984763
SHA512 16865c473e010950a2aa25263af70074ad7539a86dc20e0a253df39e54e3635e99e821d4df83cd7a0eaeff10c75782966439d16d056427e824be8df953e138be

C:\Users\Admin\AppData\Local\Temp\http_dll.dll

MD5 5b92266d9a26260b4c9920ede267ba37
SHA1 372d5455fdb689787e7e49f7799510c6c2cdf6b7
SHA256 d3c41834ea1a05eb19b6012a9c0c4a2dd9df243af0df56885edabedfe3fea261
SHA512 db9b277d74d1c50b8580b8dbeef1f5c3f54a6cf436a95c658bf7b8201d48ed651400fdde84d7297abf7f71b1f8f2bf335716833e564fa25cf10483b5f8766ec5

C:\Users\Admin\AppData\Local\Temp\http_dll.dat

MD5 27a4ed145a9a6cb41af09b8927fd5bee
SHA1 815be32e1ae7ec20621e87239a6279fbba2fc8b5
SHA256 3fbbf30015b64b50912c09c43052ac48b1983e869cebfb88dd1271fcb4e60d10
SHA512 2978496330e0dcfafad6b9186181febe4af28cb7bec227bfab3f0be711e5160b96692a9752e260bf585abc0a5d481bd4d408ead88e0e2973552e4abb934107a8

memory/1704-19-0x0000000000360000-0x0000000000460000-memory.dmp

memory/1704-18-0x0000000000130000-0x0000000000150000-memory.dmp

memory/2556-34-0x0000000000110000-0x0000000000130000-memory.dmp

memory/2556-35-0x00000000006F0000-0x00000000007F0000-memory.dmp

memory/2556-36-0x00000000006F0000-0x00000000007F0000-memory.dmp