Overview

overview

10

Static

static

6

sample3.pdf

windows7-x64

10

sample3.pdf

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    03-04-2024 11:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample3.pdf

  • Size

    603KB

  • MD5

    2b203ff7805a789f64ec614dee2a7e7b

  • SHA1

    dfa47a1bacea6afc7e334a31ad53045338d29ec5

  • SHA256

    a6dbaab6da4004321c979abf0b0270f44f56f793ac47751ccbc2989e258aea24

  • SHA512

    263b79355f8541dabfd26b5e85bdf7e3423bab5081eb3c99131f5dad42cdde6eeed0d00b520bf7400a5ae86883a0270759cfa846ce71832d717ea2ccd2491257

  • SSDEEP

    12288:dGROjjzZ2fNv33w32iaMLavQVXsEAop5tNIBUwlDq7p:GOjjzyNw2qLO6XstECFpq7p

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 20 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 14 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\sample3.pdf"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp\Winword.js
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Users\Admin\AppData\Local\Temp\~temqp.tmp
        ~temqp.tmp
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe
          "C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe" 100 2672
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:1204
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c Adobe.pdf
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Adobe.pdf"
          4⤵
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:1808
  • C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe
    "C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 2304
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1584

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\A9R2740.tmp
    Filesize

    358B

    MD5

    56ed89ee9a4627e7d3b5c7a650f7ca04

    SHA1

    ff490b2f89f7bcc800daa8d29193dbd3e422eb98

    SHA256

    75e7e334ed2eab91acaf769a92111c3aa0f21176368d7c5da9972e32311ea8e7

    SHA512

    9f59c0d9a72724f8b258e726f5f69f78fa79909fc486cbc182bdf289c28c49e235c6151b94f264c8b44f350404bd44cbe0dc2d4080b681c3765397fbf3ff7ff5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Adobe.pdf
    Filesize

    78KB

    MD5

    6123154c0ead8f7050e0865614f79671

    SHA1

    0f7db7be2a7d35db235773711ac7b30a8ac072a3

    SHA256

    8cfa1d6a3f07cc71ef995d41084565b506247f23df99f5924f83aaa9517d1215

    SHA512

    4d1e9e495cf904d965dd0f888f59985783e9474b0d63406696447cc3f034515e044051079a38d6085c0259ef4fa10d7489d0f368e912536dae6320a642609d8e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe
    Filesize

    56KB

    MD5

    4c8cdd74359dad73a2d499e5775b9bb9

    SHA1

    89fde2c26d2bdbc5592aa54c65fac51e3f6df631

    SHA256

    457b71d3effea8ec517277d17cf35a0b775103e549c0a779c81ba4eb125503ba

    SHA512

    3395cbc20b924d1ea5694180b67a4f410fbfa25e9d977334911a3c9ea93724c7cec763ea2c77444761b93d353888ee262021c7be0cb98918fd5e5044571552c8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CAM\CommFunc.jax
    Filesize

    111KB

    MD5

    dc996c4855add1f655c899e9806c8b3e

    SHA1

    757c919328aae9f8dfe36293f2095da73a866e89

    SHA256

    a018fba9f923edf661a915311b72b25cd414f658b64e7f4272ca9622be049259

    SHA512

    fbea508af9ef82d519d7f94c7b40266c8f002afc31421c7e303b74e6853804061e7b571c501244cd0ace377245db9259fbf330738749ab67718a60a05c31b6d9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Winword.js
    Filesize

    446KB

    MD5

    19047595de7edc3550963ced15347ce1

    SHA1

    012695dfb871d0b72d5875faf9ac8c1ebac68952

    SHA256

    a6c2bbb4726b396adea3fabaf6ea9f86fa48bdce6cadeb9999679bd54b918c91

    SHA512

    71e243d64689ae900257ba57421d3daf88732376d557804665f1dc4f1899fbdd68a8f7d39f24795ec98896181483c3c73ef8f93a4ed3a6e57e1c6f434a817a36

    Download Submit

  • \Users\Admin\AppData\Local\Temp\CAM\CommFunc.dll
    Filesize

    40KB

    MD5

    6be2cf583a8d3187a04772aee4c05ab6

    SHA1

    d8ddeaf4a9c23bc05829bbb7b1738513bb1ac310

    SHA256

    b81c356b56b292b51b0e03ee2c69d96de2a3e0e6f6e7f6111119400a6c7ac14f

    SHA512

    b571ebda31070b5c48fca922e209712379dff14d32989d6acf664320b6c8ea1031e18a16903ac56e6909c93403467de4679bcc3989691ebf7bd11ece0ff1acfb

    Download Submit

  • \Users\Admin\AppData\Local\Temp\~temqp.tmp
    Filesize

    222KB

    MD5

    37bc5cdaf9b026e334edd6752e3cdb00

    SHA1

    ee7eb5b20e25aeb4456a360e50185f245a6cc065

    SHA256

    c9a42238d5b1815458031395ef99896cf96656c1016abbe91ca9b0449f1eea6b

    SHA512

    efec59fefba7095d91bcab3ad3c4e44e24634385179189335085f006fd5a0ed79e05831e4350555c8be19f8bcd2bb36d5a36d82841df53e047d7b9039262ddbf

    Download Submit

  • memory/1204-29-0x00000000002F0000-0x000000000031C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1204-62-0x00000000002F0000-0x000000000031C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1204-27-0x00000000005A0000-0x00000000006A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1204-25-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1584-110-0x0000000000260000-0x000000000028C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1584-106-0x0000000000260000-0x000000000028C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1584-104-0x0000000000260000-0x000000000028C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1584-103-0x0000000000050000-0x0000000000051000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1584-102-0x0000000000260000-0x000000000028C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2304-93-0x0000000000170000-0x000000000019C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2304-56-0x0000000000170000-0x000000000019C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2304-55-0x0000000000170000-0x000000000019C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2304-74-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2304-75-0x0000000000170000-0x000000000019C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2304-76-0x0000000000170000-0x000000000019C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2304-77-0x0000000000170000-0x000000000019C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2304-78-0x0000000000170000-0x000000000019C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2304-81-0x0000000000170000-0x000000000019C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2304-116-0x0000000000170000-0x000000000019C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2304-53-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2304-109-0x0000000000170000-0x000000000019C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2304-51-0x0000000000170000-0x000000000019C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2304-47-0x00000000000C0000-0x00000000000C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2304-45-0x00000000000A0000-0x00000000000BA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2304-43-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2304-108-0x0000000000170000-0x000000000019C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2548-40-0x0000000000420000-0x000000000044C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2548-54-0x0000000000420000-0x000000000044C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2992-0-0x0000000003400000-0x0000000003476000-memory.dmp

    Filesize

    472KB

    Download