Analysis

  • max time kernel
    153s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-03-2024 15:15

General

  • Target

    Injected_LoadExe_Malware.exe

  • Size

    428KB

  • MD5

    7f7f7f4694f450ed2a0c4ada853a37ca

  • SHA1

    3ed531540d781153b51afd253c8eb4c2d1f62deb

  • SHA256

    ed7a16bc643d74cd6a15ec9dcc8872e6a30b28b2ce012bd6f6ed6bfa75a61881

  • SHA512

    988da1646e17d33e270e5e898e09504aa770d00fb2164e0d49ee6bc7ba3d7fbb915616ea7b0ed5dc9ba4089fe91fc667da37636d1e02c9a0199a20e54885df6c

  • SSDEEP

    12288:+K2mhAMJ/cPlFBUVbCwc7FFaQyG4NvIX/gsXyssKR:v2O/GlFBsCwwFwb+Fs0

Score
10/10

Malware Config

Signatures

  • Detects PlugX payload 20 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe
    "C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:2500
  • C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe
    "C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Deletes itself
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 2868
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2768

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.dll

    Filesize

    4KB

    MD5

    53c8cecfec9def827dd79eba8894c073

    SHA1

    4fb4895d41e62d69fe7f4f27a2f1355dcc06cc3a

    SHA256

    6104ae31a6fde52b4e8c4a1a32de0719e0dc9d8aee5e258ef578e5371d6ef388

    SHA512

    2049546fa25e3ca51d2c220f246fe5622b93badfc1d5d4c38262a3003109f3ca983298fc15dd6bc785567d69cb5a75f79967582f5cdc6e65d27edd6b55cef7a2

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe.mui

    Filesize

    225KB

    MD5

    9b697afa24fa4e8e32c97bfe3f791344

    SHA1

    7b8563102dbb1de9cf96cfb51dcdf0b5116e26aa

    SHA256

    1cf6eb9eb9816318b894fe342124edcfabf8544fdf7d46e5ca2c13ca4c49603e

    SHA512

    d0f024c7db17e645b4785fd0800706a6c2f62449b1aaf062a65da197fe110ac16938b26472c2fbfdd306435234c63d695b63932b3c06fa54ba38a633b9ddd082

  • C:\log\haha.txt

    Filesize

    4KB

    MD5

    e9a5d0321439cb69ad4a3805042128a1

    SHA1

    f80004d9380e0e94edbed91f1b0c4ecdc393473d

    SHA256

    477df02ec43ddb2287c7ccde765f114d5391f91ef6452603c9b991f757a31447

    SHA512

    e435ae289aa7e5f61297229398eb5686aa5dacbca96728274625ed8f7e8bbdff5a8d70a4bf606a1bf142ad8c7fc022eadfb2563484307f0b6e28f2bfc1539136

  • \??\c:\log\haha.txt

    Filesize

    23KB

    MD5

    71be2e1148489794f02f049eec1e64fa

    SHA1

    ae6281b653f8ac5f5d12f55e3a16973e738f46bf

    SHA256

    955b4dbda39904d535dc013ebb08722c259506106ef824a43fcefbff4bf34627

    SHA512

    d0d1a0826eae0693181e3ff74faba76e227d5a19d0d3333b040e2884a3cc0aad60ec45d15191d63a6cd89813efbdb57de03bd09bad789436f3e4856e1f9ebe0a

  • \??\c:\log\haha.txt

    Filesize

    25KB

    MD5

    77bd5c48ed49f08ca7c5c950c6cd6f4d

    SHA1

    9165e2c7fbd15906eaac8d1186727528741e2e6b

    SHA256

    0fd10bd7ea44348fc96de391a48632f328dc8303c4eac46a81ab45b805cea817

    SHA512

    1901afbad383da275dc821f8048b5afa7963e5b6db8a56928b6ff0d225ddca1dff7492368acaec6ee29a777ce43c581e2e2bc9bc4ef19456799dfeaea8f53109

  • \??\c:\log\haha.txt

    Filesize

    4KB

    MD5

    d56867a49c9eaf834dc416bfde9034a6

    SHA1

    36433329d6971acedd0f88c4601d736537b53d50

    SHA256

    fc26fa6e029934274d8a07325abf7034b9708b0a54bdb8c48568b25864391453

    SHA512

    d9bf63e24c171400c989b117191d54f20e344e9c62e689ba3da176c6aa752b4bb969e7c3cac78efcae26d7c003d81181679dede68d464808422e621ba13e8a5e

  • \??\c:\log\haha.txt

    Filesize

    6KB

    MD5

    136fe31318b808f8b6421d152e3e3b7a

    SHA1

    c0679372c0badeb73e71641fdb38fb09e52afa86

    SHA256

    4aecaf094ff8eacf42f1dcef4b145cd8a79722046621739fed20cc517fab480f

    SHA512

    c95a8704c30e495831323cfb13fc26e8935aa87c6c000223914f489596beaefd6aa2023874728eda1d4f3bca1f07c22823d8125183cb82727e3fc09e3c1df0a3

  • \??\c:\log\haha.txt

    Filesize

    7KB

    MD5

    990dd9e4255660503ce6efdfbbf40774

    SHA1

    7f0974a0c6f517f5f596256963e4ecf636b3fa7f

    SHA256

    195dab4e2c9a2d9307eb0e4190fb261b4c705e4ca83555f43df36d5ec47178c9

    SHA512

    4b9fcc86b97cdaee9a398d7e30f43e4fbd5c6c0431b6c1816cfab16e0402db9b5c3eae306142e56501422fa463a74408e19cf0ab768cdc31cfa72588dfcb405c

  • \??\c:\log\haha.txt

    Filesize

    9KB

    MD5

    39f4c9e71513fa2e7e09defc1a8c6d9e

    SHA1

    c4244d3b9197a11a8bf30e850196373937a45f8a

    SHA256

    24cf0ff50eb18eb3a74749814e3afe6613750ac9619b6b41427e354b1cc4e8f7

    SHA512

    51ca54b025fbe9b04caf3c26efca93f6de2c56bc573b3ed7c350188208c50c9822fbcb8b7d8007deefb18cd3899cb21fa49ae01a623277f54319526a37dafb24

  • \??\c:\log\haha.txt

    Filesize

    9KB

    MD5

    0abecb5b6951a43445a6d2ca9daeeb7d

    SHA1

    b89aeb913cec4bd6d787cbcd9202213be4fc442c

    SHA256

    f71e383959c368664c1670baf62db39932f1cc8c7b2bf46533c9151fcadd4b6c

    SHA512

    2ba083d11f09821c4d45e731fc804ab3dfeea6eac7a90ab7e2d1bee64803ab71bda368bcb02334d05870dac99a63635d1694434e347b4494fed848689276cf92

  • \??\c:\log\haha.txt

    Filesize

    9KB

    MD5

    c050898ccc96e1fd1b1240690e1df6b9

    SHA1

    3655fc41138983eb224de6e9a7bac5b2ec56abc4

    SHA256

    ff2d9ceabf53c3f180a45b85a65b168ab0b10701aeebb43f812dace1d25d68fa

    SHA512

    c60aec9983ade23c9086a2edd6b277f4b453a1941ccc79d6855d2015c6ab3ab6a93ea141f6f950c1dfa1eac87c3ea616e1c57f313b0885a0be356c487efe1e05

  • \Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe

    Filesize

    285KB

    MD5

    9166c1276b296bc78fa816cd8448cd32

    SHA1

    b5e48ccae94269ca95904fc58440113e9a4cae00

    SHA256

    1d2bf20f9ea7665281e5f9ffe50a8127e4618cb76c6a47a27e7aca196327c395

    SHA512

    35d8a6475d9579d9134f0fad4c1c5db9db6b0ffd06ba451193f3f89b0d23983067e12758b620aad90b3042a14a004c0fbdcbb99dfe7c669d2101434e709d0e26

  • memory/2452-59-0x0000000000870000-0x00000000008C8000-memory.dmp

    Filesize

    352KB

  • memory/2452-54-0x0000000000A20000-0x0000000000A6B000-memory.dmp

    Filesize

    300KB

  • memory/2452-86-0x0000000000870000-0x00000000008C8000-memory.dmp

    Filesize

    352KB

  • memory/2500-23-0x00000000001E0000-0x0000000000219000-memory.dmp

    Filesize

    228KB

  • memory/2500-29-0x0000000000460000-0x00000000004B8000-memory.dmp

    Filesize

    352KB

  • memory/2500-24-0x0000000000460000-0x00000000004B8000-memory.dmp

    Filesize

    352KB

  • memory/2500-22-0x0000000000E00000-0x0000000000E4B000-memory.dmp

    Filesize

    300KB

  • memory/2500-96-0x0000000000460000-0x00000000004B8000-memory.dmp

    Filesize

    352KB

  • memory/2768-180-0x0000000000090000-0x0000000000091000-memory.dmp

    Filesize

    4KB

  • memory/2768-352-0x0000000000300000-0x0000000000358000-memory.dmp

    Filesize

    352KB

  • memory/2768-188-0x0000000000300000-0x0000000000358000-memory.dmp

    Filesize

    352KB

  • memory/2768-189-0x0000000000300000-0x0000000000358000-memory.dmp

    Filesize

    352KB

  • memory/2768-187-0x0000000000090000-0x0000000000091000-memory.dmp

    Filesize

    4KB

  • memory/2768-181-0x0000000000300000-0x0000000000358000-memory.dmp

    Filesize

    352KB

  • memory/2868-121-0x0000000000410000-0x0000000000468000-memory.dmp

    Filesize

    352KB

  • memory/2868-111-0x0000000000410000-0x0000000000468000-memory.dmp

    Filesize

    352KB

  • memory/2868-80-0x0000000000410000-0x0000000000468000-memory.dmp

    Filesize

    352KB

  • memory/2868-123-0x0000000000410000-0x0000000000468000-memory.dmp

    Filesize

    352KB

  • memory/2868-127-0x0000000000410000-0x0000000000468000-memory.dmp

    Filesize

    352KB

  • memory/2868-132-0x0000000000410000-0x0000000000468000-memory.dmp

    Filesize

    352KB

  • memory/2868-166-0x0000000000410000-0x0000000000468000-memory.dmp

    Filesize

    352KB

  • memory/2868-114-0x0000000000410000-0x0000000000468000-memory.dmp

    Filesize

    352KB

  • memory/2868-66-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

  • memory/2868-110-0x0000000000410000-0x0000000000468000-memory.dmp

    Filesize

    352KB

  • memory/2868-109-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

  • memory/2868-99-0x0000000000410000-0x0000000000468000-memory.dmp

    Filesize

    352KB

  • memory/2868-70-0x00000000000A0000-0x00000000000D6000-memory.dmp

    Filesize

    216KB

  • memory/2868-72-0x0000000000120000-0x0000000000122000-memory.dmp

    Filesize

    8KB

  • memory/2868-197-0x0000000000410000-0x0000000000468000-memory.dmp

    Filesize

    352KB

  • memory/2868-74-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB