Overview

overview

10

Static

static

3

Injected_L...re.exe

windows7-x64

Analysis

  • max time kernel
    19s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    20-03-2024 15:17

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Injected_LoadExe_Malware.exe

  • Size

    428KB

  • MD5

    7f7f7f4694f450ed2a0c4ada853a37ca

  • SHA1

    3ed531540d781153b51afd253c8eb4c2d1f62deb

  • SHA256

    ed7a16bc643d74cd6a15ec9dcc8872e6a30b28b2ce012bd6f6ed6bfa75a61881

  • SHA512

    988da1646e17d33e270e5e898e09504aa770d00fb2164e0d49ee6bc7ba3d7fbb915616ea7b0ed5dc9ba4089fe91fc667da37636d1e02c9a0199a20e54885df6c

  • SSDEEP

    12288:+K2mhAMJ/cPlFBUVbCwc7FFaQyG4NvIX/gsXyssKR:v2O/GlFBsCwwFwb+Fs0

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 18 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 40 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe
    C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe Injected_LoadExe_Malware.bin
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:1680
  • C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe
    "C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2564
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Deletes itself
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 2692
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2132
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2276
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1804

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.dll
        Filesize

        4KB

        MD5

        53c8cecfec9def827dd79eba8894c073

        SHA1

        4fb4895d41e62d69fe7f4f27a2f1355dcc06cc3a

        SHA256

        6104ae31a6fde52b4e8c4a1a32de0719e0dc9d8aee5e258ef578e5371d6ef388

        SHA512

        2049546fa25e3ca51d2c220f246fe5622b93badfc1d5d4c38262a3003109f3ca983298fc15dd6bc785567d69cb5a75f79967582f5cdc6e65d27edd6b55cef7a2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe.mui
        Filesize

        225KB

        MD5

        9b697afa24fa4e8e32c97bfe3f791344

        SHA1

        7b8563102dbb1de9cf96cfb51dcdf0b5116e26aa

        SHA256

        1cf6eb9eb9816318b894fe342124edcfabf8544fdf7d46e5ca2c13ca4c49603e

        SHA512

        d0f024c7db17e645b4785fd0800706a6c2f62449b1aaf062a65da197fe110ac16938b26472c2fbfdd306435234c63d695b63932b3c06fa54ba38a633b9ddd082

        Download Submit

      • C:\log\haha.txt
        Filesize

        3KB

        MD5

        ac7273c4620dd06fe8e2bb1a624d7476

        SHA1

        0b598d9ec682b1c8f0d1c08c285631641419c6c6

        SHA256

        f913513ffcfe906bd3c65a7d410aa1b8cc6302b5fb2cf23a46999f3f6d9aa342

        SHA512

        232fe41149f4c02974a33de69e6ad149af4b9a052598bc8311c71123207a0f9f004bb412e2714e9daff794904d08e782207bca852d9dfa0caea6184576bc74f6

        Download Submit

      • C:\log\haha.txt
        Filesize

        4KB

        MD5

        97a6f7c248f42672f01bd1f73f56349f

        SHA1

        969e5433b06ee4f64479a942d50cc547282ae843

        SHA256

        02fb6c00824864a9d92ad0aea7676435a246b4bf17d595353550f13a194ef2e5

        SHA512

        ff851ea573d13b69ae7cf48ef712eb21bc9f84c8ed38ed637828ff469f951ef18fa240ec65e2382f93446dfa72556996ef41bc426f14d2e58da816e88da2778f

        Download Submit

      • \??\c:\log\haha.txt
        Filesize

        19KB

        MD5

        8ff0b388b77c9ebe385009e07ceffc33

        SHA1

        d58abdfd0cab91bdaa31d9a5d8ba2af21725caf1

        SHA256

        d8aa3ebb0488b8447221e507d0be445d6e2aa6d097d006d4eaac52a2d1125fc5

        SHA512

        bbae63ca49aea9ba26b7fa05e696024440f89d7be92e7633aebf8fbdb6ec8947a7ef1b46656027ba5bb19205d5c74e929d6727dd359f9ba2888b52462728002e

        Download Submit

      • \??\c:\log\haha.txt
        Filesize

        21KB

        MD5

        99002283b4d06a615ffbe1f530caca77

        SHA1

        bd5e3b92904101cbd5b9b9a486410b9ea2b27fc1

        SHA256

        6c884dd5017f7e767218aab9eca2c914ff87a853ff3e303cf6d4104d3302e9da

        SHA512

        2ecc62bfa48d7726f922a9b191e5aec099c95f233cfe01baa7d068def0b35068c9fc6df943377316fd25ffc7350b9382a6541bf461ae7454aac9bd42d188267a

        Download Submit

      • \??\c:\log\haha.txt
        Filesize

        4KB

        MD5

        d5bdca37c3c1f51968aa4c3e3c04160c

        SHA1

        367eb307289d86d2d1cb784238806447a602365c

        SHA256

        6780c864f73a4fde44a59d2d1f0806ce64cf9cf4c2880c8d902c05c4630d8057

        SHA512

        086cb959140d547d6dbc4988ed8403cfa446ae5e1ec683cd42d20645565edb80097f68c2deca64d2d9bc7fada7a92e68089d3f5dd608f0204fc5691b47b85901

        Download Submit

      • \??\c:\log\haha.txt
        Filesize

        8KB

        MD5

        51431849eb93ea035c73263eebcc1143

        SHA1

        a47a4d25f97a34fe3c63958d49129d31643b7813

        SHA256

        7365cc413ae75e3a2d4baed6dc4393be9218834d373577d8ae93575d7ac2a476

        SHA512

        9192e2b1227615c4a5512b187a4645633e44688af14b0443db9aae99375e8b94e355362a9b825faf5fe98333e8fdb6a8e14357c94f6414cb210eb941fd266e91

        Download Submit

      • \??\c:\log\haha.txt
        Filesize

        9KB

        MD5

        6f5a3eabdeb952ad82f12b58a3feea15

        SHA1

        7d5ec075fae0e9d807aa4ed2cccfcab7a372c093

        SHA256

        d5a7d9d83c44c793d37aecc018d0486287a171e47eac60d830c32b215b3e7288

        SHA512

        87de0ae2450ac1e4c3df0167e8ba77bcca230cb5028645cf0900b6481b817f37dd6a4d2a3c6dbd4f400218ed291ae7f82163b1bb68acf6dcd80da7954650caf3

        Download Submit

      • \??\c:\log\haha.txt
        Filesize

        9KB

        MD5

        1de51f0b1f3d9cd6c3f5d9f1652403ec

        SHA1

        b09108267524884eb5c8a05e80c5fa54a71458d8

        SHA256

        8fe969fab115bf461f8ab4770c013170a97e6f1dc676592c749efd62b5badb30

        SHA512

        83a6bdc3a7996bf5f7f6d4f3518986514ed79f52c940aa4d88ea4ebf6b23c56848db39cdf24c1c3eb2b403fc38306b5cdc5d56acddf8cb3f4188656b669c8600

        Download Submit

      • \??\c:\log\haha.txt
        Filesize

        9KB

        MD5

        29d41085e30f51a751b532be1781385f

        SHA1

        c65319d9adb18a209e854bb28faeea32393effba

        SHA256

        8369e014c01cd450546a7bbe8c91376095f5c5eb05b1eb74a70b453a7529de8a

        SHA512

        3d5bef01a564261bc942f6dea0a6bc52226c9a10b3518bfd34a27d29e384ceee7fdc74d2a0fae5aaf3b51777b5ce1fefcb362e7a6b796fd064077736ebd08e16

        Download Submit

      • \Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
        Filesize

        285KB

        MD5

        9166c1276b296bc78fa816cd8448cd32

        SHA1

        b5e48ccae94269ca95904fc58440113e9a4cae00

        SHA256

        1d2bf20f9ea7665281e5f9ffe50a8127e4618cb76c6a47a27e7aca196327c395

        SHA512

        35d8a6475d9579d9134f0fad4c1c5db9db6b0ffd06ba451193f3f89b0d23983067e12758b620aad90b3042a14a004c0fbdcbb99dfe7c669d2101434e709d0e26

        Download Submit

      • memory/1680-29-0x0000000000770000-0x00000000007C8000-memory.dmp

        Filesize

        352KB

        Download

      • memory/1680-95-0x0000000000770000-0x00000000007C8000-memory.dmp

        Filesize

        352KB

        Download

      • memory/1680-23-0x00000000005F0000-0x0000000000629000-memory.dmp

        Filesize

        228KB

        Download

      • memory/1680-22-0x0000000001200000-0x000000000124B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/1804-293-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2132-272-0x0000000000360000-0x00000000003B8000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2132-171-0x00000000001E0000-0x00000000001E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2132-172-0x0000000000360000-0x00000000003B8000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2132-173-0x0000000000360000-0x00000000003B8000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2132-160-0x0000000000090000-0x0000000000091000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2132-165-0x0000000000360000-0x00000000003B8000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2276-280-0x0000000002F10000-0x0000000002F11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2564-59-0x0000000000750000-0x00000000007A8000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2564-92-0x0000000000750000-0x00000000007A8000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2564-54-0x0000000000A80000-0x0000000000ACB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/2692-126-0x0000000000450000-0x00000000004A8000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2692-66-0x0000000000080000-0x0000000000081000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2692-110-0x0000000000450000-0x00000000004A8000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2692-131-0x0000000000450000-0x00000000004A8000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2692-109-0x0000000000450000-0x00000000004A8000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2692-108-0x0000000000080000-0x0000000000081000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2692-98-0x0000000000450000-0x00000000004A8000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2692-123-0x0000000000450000-0x00000000004A8000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2692-120-0x0000000000450000-0x00000000004A8000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2692-79-0x0000000000450000-0x00000000004A8000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2692-113-0x0000000000450000-0x00000000004A8000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2692-181-0x0000000000450000-0x00000000004A8000-memory.dmp

        Filesize

        352KB

        Download

      • memory/2692-73-0x0000000000080000-0x0000000000081000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2692-71-0x00000000000E0000-0x00000000000E2000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2692-69-0x00000000000A0000-0x00000000000D6000-memory.dmp

        Filesize

        216KB

        Download