Analysis
-
max time kernel
160s -
max time network
170s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
-
submitted
20-03-2024 15:15
General
-
Target
Injected_LoadExe_Malware.exe
-
Size
428KB
-
MD5
7f7f7f4694f450ed2a0c4ada853a37ca
-
SHA1
3ed531540d781153b51afd253c8eb4c2d1f62deb
-
SHA256
ed7a16bc643d74cd6a15ec9dcc8872e6a30b28b2ce012bd6f6ed6bfa75a61881
-
SHA512
988da1646e17d33e270e5e898e09504aa770d00fb2164e0d49ee6bc7ba3d7fbb915616ea7b0ed5dc9ba4089fe91fc667da37636d1e02c9a0199a20e54885df6c
-
SSDEEP
12288:+K2mhAMJ/cPlFBUVbCwc7FFaQyG4NvIX/gsXyssKR:v2O/GlFBsCwwFwb+Fs0
Malware Config
Signatures
-
Detects PlugX payload 22 IoCs
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in System32 directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 20 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe 201 02⤵
- Deletes itself
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\system32\msiexec.exe 209 12323⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD553c8cecfec9def827dd79eba8894c073
SHA14fb4895d41e62d69fe7f4f27a2f1355dcc06cc3a
SHA2566104ae31a6fde52b4e8c4a1a32de0719e0dc9d8aee5e258ef578e5371d6ef388
SHA5122049546fa25e3ca51d2c220f246fe5622b93badfc1d5d4c38262a3003109f3ca983298fc15dd6bc785567d69cb5a75f79967582f5cdc6e65d27edd6b55cef7a2
-
Filesize
285KB
MD59166c1276b296bc78fa816cd8448cd32
SHA1b5e48ccae94269ca95904fc58440113e9a4cae00
SHA2561d2bf20f9ea7665281e5f9ffe50a8127e4618cb76c6a47a27e7aca196327c395
SHA51235d8a6475d9579d9134f0fad4c1c5db9db6b0ffd06ba451193f3f89b0d23983067e12758b620aad90b3042a14a004c0fbdcbb99dfe7c669d2101434e709d0e26
-
Filesize
225KB
MD59b697afa24fa4e8e32c97bfe3f791344
SHA17b8563102dbb1de9cf96cfb51dcdf0b5116e26aa
SHA2561cf6eb9eb9816318b894fe342124edcfabf8544fdf7d46e5ca2c13ca4c49603e
SHA512d0f024c7db17e645b4785fd0800706a6c2f62449b1aaf062a65da197fe110ac16938b26472c2fbfdd306435234c63d695b63932b3c06fa54ba38a633b9ddd082
-
Filesize
2KB
MD58f2be62f5052567463e5c8005142dd3b
SHA1afd8d2f7cb68d0386444a64795307be85ee85bc4
SHA25632daf8a2fcc2f471e59e56fc656208b56d3818bda4719fc4627dd7e75f1a82fd
SHA51292a3e7e92114c9d4a557edc4e5d02ce5cf42e8e5523a56216b2767d6807077a46fd4f8ed994abc83f7ab8ecb27558afb96be324e47a50ca448910cdde4950cbd
-
Filesize
16KB
MD5063da9b7999489a10d25beedc6a278f7
SHA12eb413ed2705917e2af288a1b38e2a9bfa187d9f
SHA25660f4907e1122c756400e77003462299f57ec2f72aaa7ed25115d7ae2110688f8
SHA5121f17c054024f9f16376731d91ae8744b872cd9f08c3df97eb1e7a9ea7298ab0fbde95576a763383dcc068a4937d7db982c3dc440ffabf63e8872cd395fc51443
-
Filesize
18KB
MD5db2adba81ac47e23fa478dbc7a67e824
SHA1a0e8b92b9f54243f74ee9ca92ebc98989bf897f1
SHA2565632c8e0f0b32e74ce4ca78b869a8c3ec762a095bc5986f51bf10b0743e074cf
SHA512c929abd1310351f6adfb32588dcf85a002e1221cf5ea260ccab7d3bc9af994995d83f8a395f7d509684f7dd3d8b95c01c158efdda2de891e93e00a2268437e71
-
Filesize
4KB
MD5c0ad846b51359657cff772197cf39967
SHA15993729b0c6f678dac013f2927d5ffd0386e094d
SHA256f5be449e92d65e542d7d77c91b39f511b9b1adde14eed250773ba89075a4799b
SHA512bd716892b1e114c23a16e2d139ed892463c278f6fac5633b0ad02ccea63328368bfb14241b858239c950d5b70dd813205516b43d83ab5c68e10d439e4fddd737
-
Filesize
9KB
MD599d18bf27bee9b499eb7fe5f10ae27fe
SHA1475e0a5839cf87a5708d538ed33e46f132783942
SHA256ce34b519cc52753e59500b0b53c54bdbb66146d9e85f5127b055563085f39361
SHA5121d444805a01c0fc047306364588ab3d75057e54c4f2c7006d1874a43e6689bbec46b249b2e9c50a4f89808fa346d9ce2740ae86f515157b5f8c6ea41ba8b3954
-
Filesize
9KB
MD5029cfb72ffdcacbcf4a6cfe53c348b52
SHA1458b71b5fa06a55c0b41bf5a45e1713d2321096c
SHA256199f09bfae0ca09128e9c6ef2527e8345c0ed49c8400cd0e5eaad8f4a2588932
SHA512707a4a87019876978cb402d2a95d1eecda8842aeff9621ed362f20a66017f9dc1d60ba3cde4dd670c77eda81c03de5d26c74ab97d583f12c39f5dc18ec3d56b6
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
4KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
300KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
228KB
-
Filesize
300KB
-
Filesize
352KB