Overview

overview

10

Static

static

3

Injected_L...re.exe

windows10-1703-x64

10

Injected_L...re.exe

windows7-x64

10

Injected_L...re.exe

windows10-1703-x64

10

Injected_L...re.exe

windows10-2004-x64

10

Injected_L...re.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    20-03-2024 15:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Injected_LoadExe_Malware.exe

  • Size

    428KB

  • MD5

    7f7f7f4694f450ed2a0c4ada853a37ca

  • SHA1

    3ed531540d781153b51afd253c8eb4c2d1f62deb

  • SHA256

    ed7a16bc643d74cd6a15ec9dcc8872e6a30b28b2ce012bd6f6ed6bfa75a61881

  • SHA512

    988da1646e17d33e270e5e898e09504aa770d00fb2164e0d49ee6bc7ba3d7fbb915616ea7b0ed5dc9ba4089fe91fc667da37636d1e02c9a0199a20e54885df6c

  • SSDEEP

    12288:+K2mhAMJ/cPlFBUVbCwc7FFaQyG4NvIX/gsXyssKR:v2O/GlFBsCwwFwb+Fs0

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 20 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe
    "C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:1708
  • C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe
    "C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Deletes itself
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 2180
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:132

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.dll
    Filesize

    4KB

    MD5

    53c8cecfec9def827dd79eba8894c073

    SHA1

    4fb4895d41e62d69fe7f4f27a2f1355dcc06cc3a

    SHA256

    6104ae31a6fde52b4e8c4a1a32de0719e0dc9d8aee5e258ef578e5371d6ef388

    SHA512

    2049546fa25e3ca51d2c220f246fe5622b93badfc1d5d4c38262a3003109f3ca983298fc15dd6bc785567d69cb5a75f79967582f5cdc6e65d27edd6b55cef7a2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
    Filesize

    285KB

    MD5

    9166c1276b296bc78fa816cd8448cd32

    SHA1

    b5e48ccae94269ca95904fc58440113e9a4cae00

    SHA256

    1d2bf20f9ea7665281e5f9ffe50a8127e4618cb76c6a47a27e7aca196327c395

    SHA512

    35d8a6475d9579d9134f0fad4c1c5db9db6b0ffd06ba451193f3f89b0d23983067e12758b620aad90b3042a14a004c0fbdcbb99dfe7c669d2101434e709d0e26

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe.mui
    Filesize

    225KB

    MD5

    9b697afa24fa4e8e32c97bfe3f791344

    SHA1

    7b8563102dbb1de9cf96cfb51dcdf0b5116e26aa

    SHA256

    1cf6eb9eb9816318b894fe342124edcfabf8544fdf7d46e5ca2c13ca4c49603e

    SHA512

    d0f024c7db17e645b4785fd0800706a6c2f62449b1aaf062a65da197fe110ac16938b26472c2fbfdd306435234c63d695b63932b3c06fa54ba38a633b9ddd082

    Download Submit

  • C:\log\haha.txt
    Filesize

    6KB

    MD5

    2252430978385da76aa25f6a8dc1c5b9

    SHA1

    834103ea84b02a5def72c10d48bb11d9246994e9

    SHA256

    5de23a22ecdd0fc8775c2b04f7648a11a78a7912c5dab6b19fe9b336bae92ccf

    SHA512

    012b2833e8542ac47c1fe997b487ea8012312a4706d9d45556416225d72f2c53a4afdd95bfb88c54aa9f77b6b29a9b3d91ea68393acd4b633a4192de6be310c2

    Download Submit

  • \??\c:\log\haha.txt
    Filesize

    27KB

    MD5

    1f612158771f44a03af09bde9a837af6

    SHA1

    e18d623ff9e75847e0cc63f3e203ec0aba58bc9e

    SHA256

    43cbe756b1af809a0502d322a01c5b5f04a13cd0f06783f4f8082002e7b8deec

    SHA512

    f98cdda2f3d45040ef548d632729d0a78cc5d0ee69bb09a44b6b486ea4564409f4190503c61f11e2aab68e6c784d65ab4a7ca96ddbc50c6f89e9787fcd883a9f

    Download Submit

  • \??\c:\log\haha.txt
    Filesize

    28KB

    MD5

    151409124bedfae949e399ea0a0b9432

    SHA1

    980dec2ecc515c7a6c9d0b93b34d8b9b7a24e952

    SHA256

    22ee1a865f5d40c93179db5da916d99fad38656235a7f429011939156a7fba78

    SHA512

    c8e4a938786e2fb5e943a295c8d094f8cd26ac60bb3b130891adbd487dca3428d57a2a53f8c1afe0d15b13c0a205791721d23287fd30e7eb34800634c120d3ad

    Download Submit

  • \??\c:\log\haha.txt
    Filesize

    4KB

    MD5

    4a6f661fb536266e74b5f19c0ec8a670

    SHA1

    914d2eecf296e50fcbec35a44ca6a02ba8d748f3

    SHA256

    eea55c60cb8e9e4e73d0f30aa4c5269c77778c988f51a3711809f862ee8adcda

    SHA512

    dddc2f6fb08fa473fe0c9a6e0c695178ff7aa8a90f2622fa0e6ea3d3e13eaf1cd8ee60aecc45cfd7f1312403bec3402f68b633a9585617d7b69c7fdf124210b0

    Download Submit

  • \??\c:\log\haha.txt
    Filesize

    9KB

    MD5

    614e4f64e9211e160a4cbcaa2a559e1e

    SHA1

    73c5868606c572e5dafc358c721d54c4b99840e4

    SHA256

    2e7509f2c30b38d463d4b1f26e191e71025ff1a07ba6faadfdceb3dcd5443b3e

    SHA512

    3e2f0e287f58b8c3087956f06840e9cb764a8c4d19e27885d4429b788a40eab8e09de3ed603390627b90e853a791a6415f637ff6e7835f640c564f8cf85e2629

    Download Submit

  • \??\c:\log\haha.txt
    Filesize

    9KB

    MD5

    80857c5feb763592ae39703b25175fe5

    SHA1

    f02797750931e4ac374dc16ca701b82799e31563

    SHA256

    d3711cc8bfdbd0f3b2774765a5436ceeeec2adeadeff32a943c1ba7f958334ca

    SHA512

    ffb9a8cb0bec6bc7cbb70e7390b8ef2c07ff7ae9f191da33d460f063c314c6218e75ead8b4da851762c214c64939d952d94dc182d54385de3dd4606148629a97

    Download Submit

  • memory/132-182-0x0000000002EB0000-0x0000000002F08000-memory.dmp

    Filesize

    352KB

    Download

  • memory/132-347-0x0000000002EB0000-0x0000000002F08000-memory.dmp

    Filesize

    352KB

    Download

  • memory/132-175-0x0000000002EB0000-0x0000000002F08000-memory.dmp

    Filesize

    352KB

    Download

  • memory/132-181-0x0000000002EB0000-0x0000000002F08000-memory.dmp

    Filesize

    352KB

    Download

  • memory/132-180-0x0000000000F00000-0x0000000000F01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/132-170-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1708-27-0x0000000000BD0000-0x0000000000C09000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1708-46-0x00000000023A0000-0x00000000023F8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/1708-24-0x00000000023A0000-0x00000000023F8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/1708-19-0x0000000000C20000-0x0000000000C6B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2180-68-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2180-94-0x0000000000840000-0x0000000000841000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2180-99-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2180-104-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2180-107-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2180-109-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2180-112-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2180-117-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2180-95-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2180-96-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2180-84-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2180-63-0x0000000000840000-0x0000000000841000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2180-191-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2180-80-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2280-79-0x00000000017F0000-0x0000000001848000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2280-57-0x0000000000C70000-0x0000000000CBB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2280-56-0x00000000017F0000-0x0000000001848000-memory.dmp

    Filesize

    352KB

    Download