Overview

overview

10

Static

static

3

Injected_L...re.exe

windows10-1703-x64

10

Injected_L...re.exe

windows7-x64

10

Injected_L...re.exe

windows10-1703-x64

10

Injected_L...re.exe

windows10-2004-x64

10

Injected_L...re.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-03-2024 15:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Injected_LoadExe_Malware.exe

  • Size

    428KB

  • MD5

    7f7f7f4694f450ed2a0c4ada853a37ca

  • SHA1

    3ed531540d781153b51afd253c8eb4c2d1f62deb

  • SHA256

    ed7a16bc643d74cd6a15ec9dcc8872e6a30b28b2ce012bd6f6ed6bfa75a61881

  • SHA512

    988da1646e17d33e270e5e898e09504aa770d00fb2164e0d49ee6bc7ba3d7fbb915616ea7b0ed5dc9ba4089fe91fc667da37636d1e02c9a0199a20e54885df6c

  • SSDEEP

    12288:+K2mhAMJ/cPlFBUVbCwc7FFaQyG4NvIX/gsXyssKR:v2O/GlFBsCwwFwb+Fs0

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 20 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe
    "C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:3648
  • C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe
    "C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4108
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Deletes itself
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1052
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 1052
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:3416
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1476

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.dll
      Filesize

      4KB

      MD5

      53c8cecfec9def827dd79eba8894c073

      SHA1

      4fb4895d41e62d69fe7f4f27a2f1355dcc06cc3a

      SHA256

      6104ae31a6fde52b4e8c4a1a32de0719e0dc9d8aee5e258ef578e5371d6ef388

      SHA512

      2049546fa25e3ca51d2c220f246fe5622b93badfc1d5d4c38262a3003109f3ca983298fc15dd6bc785567d69cb5a75f79967582f5cdc6e65d27edd6b55cef7a2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
      Filesize

      285KB

      MD5

      9166c1276b296bc78fa816cd8448cd32

      SHA1

      b5e48ccae94269ca95904fc58440113e9a4cae00

      SHA256

      1d2bf20f9ea7665281e5f9ffe50a8127e4618cb76c6a47a27e7aca196327c395

      SHA512

      35d8a6475d9579d9134f0fad4c1c5db9db6b0ffd06ba451193f3f89b0d23983067e12758b620aad90b3042a14a004c0fbdcbb99dfe7c669d2101434e709d0e26

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe.mui
      Filesize

      225KB

      MD5

      9b697afa24fa4e8e32c97bfe3f791344

      SHA1

      7b8563102dbb1de9cf96cfb51dcdf0b5116e26aa

      SHA256

      1cf6eb9eb9816318b894fe342124edcfabf8544fdf7d46e5ca2c13ca4c49603e

      SHA512

      d0f024c7db17e645b4785fd0800706a6c2f62449b1aaf062a65da197fe110ac16938b26472c2fbfdd306435234c63d695b63932b3c06fa54ba38a633b9ddd082

      Download Submit

    • C:\log\haha.txt
      Filesize

      2KB

      MD5

      8177d115fbb097b4ff4d26de644ecfea

      SHA1

      2e1efffc510673e56c59dc8aea41e19e0f177841

      SHA256

      cb0dd62e96fc15a1cefe599fc59fac32465319f7b66b3f83020b1e59125890d4

      SHA512

      8d6e6895ecb09fff00b86ad7113cc312e992d275ae092d3e3a3aa5da36c77e414e96878a63277cfc2e03412db05c89a87a6263136c64bac2b4c1b66ac34b7fff

      Download Submit

    • C:\log\haha.txt
      Filesize

      4KB

      MD5

      6a05d5c1b7a7fa21263f1431f402d90a

      SHA1

      0b65f67e7926667f0a128c19da6d8223addf49b4

      SHA256

      537817e02c2c784da4bbed912d085eedaf560cd13d003f31337cf2d88da2ed6d

      SHA512

      8607f375fcb4c2a4b3069e5259c2a20ecd69555ba0663bdcf4831852120a799a08b9def622a2c844e62e65c4770214477f69c6ab09ba79700c87034f63bdfd47

      Download Submit

    • \??\c:\log\haha.txt
      Filesize

      23KB

      MD5

      73b6ae6197e0d44208a2d60637ee5d05

      SHA1

      c476d7e9c716c53093512bd860c7ff6b69a0fee3

      SHA256

      0443929b53fb4683de4b49e64082b5683eb31ea37cf62de67418cc2da0e31d9d

      SHA512

      4477f90b3811e3063cb95114ffe3ad4b55197216e8a4369c86b3d40812807f4b81aaa21abd713c3f4452fce66098fc232ae1cab947d69b32cb9a19c7077b1797

      Download Submit

    • \??\c:\log\haha.txt
      Filesize

      25KB

      MD5

      030fb70c441e7b5b920935b501726715

      SHA1

      fb830f85daa9f1e19c40f1446d69dc298ca4bb87

      SHA256

      5a095ce4561460118bb77377ff287ff458925c409c291286b152096fc196de87

      SHA512

      e0c8b31f81d5160a1716578edebb5f7f3a345f36b27c92d04369263cd486c27b0affb42ec008fe5a0706e6713e52f0f90c4c9df2059ad49117fdaa6a15a1cdd3

      Download Submit

    • \??\c:\log\haha.txt
      Filesize

      4KB

      MD5

      cec8e976c9152a5bfcabfea4834f2f44

      SHA1

      2edc7b303f7c19718f608632334fac3d2f6325fc

      SHA256

      6b02268f3f14d7963167fa7c61a57ca0f584837a773cdfda42ff9da904b9218a

      SHA512

      69bd756273ba554aa832c0f11923ff5935aa0d070abf142f89f7b5446df25d7cce51900c6929a95f85a882591275235acc34c42455ae4208dd9755bcbed0d88e

      Download Submit

    • \??\c:\log\haha.txt
      Filesize

      8KB

      MD5

      7d92c3a71d23b9085aa008a1a20138bb

      SHA1

      d4e5ccd17039403df03c73f93c8a8ca70d7c69be

      SHA256

      01af4cfb0c244f0cbda1b4abdbc517d36a3da35dd7dda41bc3cd765163daacd4

      SHA512

      f8877245ec57820e0ac58f80018b06d001ceab5614381b3a08b78a7e069b1ac991ac89be16b1b903ac0d46135aeb866bbd7f7f626cd5e52173708ffd44cc03a6

      Download Submit

    • \??\c:\log\haha.txt
      Filesize

      9KB

      MD5

      983f3166c29099d02ec9ec99d597ab11

      SHA1

      6ab7abfece1893614b17d2335572617a0ce8bf52

      SHA256

      f9c9edea44946beab38289f2cb680d3f295a520a43df9bcfe27168244b1c4ab5

      SHA512

      63f08eb5e720035b3266bc5f82df434636f7ee686b653d43b4b84b1b2822764535e811fa4e49bf997c7b767b52f176942ce97f2469bc57170d0b74b3bb8fcae1

      Download Submit

    • \??\c:\log\haha.txt
      Filesize

      9KB

      MD5

      814e67ba68e89969d4a8722d44601981

      SHA1

      921a07413babfb01426b42c40e104ace61a8dcf3

      SHA256

      4d780633bb2eed165db8cb1074634f2354da202f1006e575810a12894fd26d7c

      SHA512

      3a072078551f55dc0b23c0751686a7e2aedaf9cbeeffcf4c0b10f3a3c5478b3eec0d0c1fcdaec99a005e6eeecf5431e8903a67d1a5107f76df6389b0f9440d75

      Download Submit

    • \??\c:\log\haha.txt
      Filesize

      9KB

      MD5

      a0f136b67c71ca312bd5e92d0da141b4

      SHA1

      11d21036aa790cfeb7d6f318e25352b5899f4b23

      SHA256

      d94850679b283df25960e29605f43d75b303723275910b728c24cab94ab30b64

      SHA512

      0f71c36af37db890d142389cc28b416a2b2f382f5883039b1d4bedfae12dd58e86431abd78848c3f73b7481963e15803146789c20a5ec9b9b6e0f06f34ec61ab

      Download Submit

    • memory/1052-109-0x0000000000F90000-0x0000000000FE8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/1052-98-0x0000000000F90000-0x0000000000FE8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/1052-177-0x0000000000F90000-0x0000000000FE8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/1052-63-0x0000000000640000-0x0000000000641000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1052-68-0x0000000000F90000-0x0000000000FE8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/1052-119-0x0000000000F90000-0x0000000000FE8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/1052-114-0x0000000000F90000-0x0000000000FE8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/1052-108-0x0000000000F90000-0x0000000000FE8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/1052-101-0x0000000000F90000-0x0000000000FE8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/1052-86-0x0000000000F90000-0x0000000000FE8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/1052-96-0x0000000000640000-0x0000000000641000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1052-97-0x0000000000F90000-0x0000000000FE8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/3416-156-0x00000000003B0000-0x00000000003B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3416-169-0x0000000000D30000-0x0000000000D88000-memory.dmp

      Filesize

      352KB

      Download

    • memory/3416-322-0x0000000000D30000-0x0000000000D88000-memory.dmp

      Filesize

      352KB

      Download

    • memory/3416-161-0x0000000000D30000-0x0000000000D88000-memory.dmp

      Filesize

      352KB

      Download

    • memory/3416-168-0x0000000000D30000-0x0000000000D88000-memory.dmp

      Filesize

      352KB

      Download

    • memory/3416-167-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3648-85-0x00000000022D0000-0x0000000002328000-memory.dmp

      Filesize

      352KB

      Download

    • memory/3648-21-0x00000000022D0000-0x0000000002328000-memory.dmp

      Filesize

      352KB

      Download

    • memory/3648-26-0x00000000022D0000-0x0000000002328000-memory.dmp

      Filesize

      352KB

      Download

    • memory/3648-20-0x0000000000BE0000-0x0000000000C19000-memory.dmp

      Filesize

      228KB

      Download

    • memory/3648-19-0x0000000000780000-0x00000000007CB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4108-51-0x0000000000620000-0x000000000066B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4108-52-0x0000000001500000-0x0000000001558000-memory.dmp

      Filesize

      352KB

      Download

    • memory/4108-57-0x0000000001500000-0x0000000001558000-memory.dmp

      Filesize

      352KB

      Download

    • memory/4108-73-0x0000000001500000-0x0000000001558000-memory.dmp

      Filesize

      352KB

      Download