Overview

overview

10

Static

static

3

5ead238621...a5.exe

windows7-x64

10

5ead238621...a5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-04-2024 11:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ead238621bef7cc4c4f58ac5eb614dd16acbcfd30c75169ff5f16d7905243a5.exe

  • Size

    491KB

  • MD5

    e7f3d45d4e51176150f58d4b885e01e4

  • SHA1

    f8141b3f21e3f9f354eb960b841050cc2aabe03d

  • SHA256

    5ead238621bef7cc4c4f58ac5eb614dd16acbcfd30c75169ff5f16d7905243a5

  • SHA512

    63e87fc692ded07fc5f304813cc046ec8ac45958ca2254f1064e4cae0e03d4db4d4c6b5373f69b8b5075286d2206e10b30b05dad61cc15e64e18795d1d707174

  • SSDEEP

    12288:ZGqN/XdctpVtkYoAcoDDpY1sbF7A0Lxjulj/:PNcBtkjAcoMs5kUylj/

Score
10/10
plugxdiscoverytrojan

Malware Config

Signatures

  • Detects PlugX payload 18 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Unexpected DNS network traffic destination 12 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ead238621bef7cc4c4f58ac5eb614dd16acbcfd30c75169ff5f16d7905243a5.exe
    "C:\Users\Admin\AppData\Local\Temp\5ead238621bef7cc4c4f58ac5eb614dd16acbcfd30c75169ff5f16d7905243a5.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Layer.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Layer.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2628
  • C:\ProgramData\PlayWav\Layer.exe
    "C:\ProgramData\PlayWav\Layer.exe" 100 2628
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2472
  • C:\ProgramData\PlayWav\Layer.exe
    "C:\ProgramData\PlayWav\Layer.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:820
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 820
        3⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2684

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\RoboForm.DLL
    Filesize

    89KB

    MD5

    a573648a7f56fa012c3e83f0c94a9709

    SHA1

    6be21e85c3aab4ca47db9341f6cc96c98c7bc185

    SHA256

    fc8ee97fd67dbcd47780713f076c36bedf7c29be0ba6f1912635b0557fc3764f

    SHA512

    39ee077f36560b386d271e31cf096561096c8d4686b9024a5f489bcb37a4ac2f96eb118a18708f1487139c47367dcc45efa9ac3959cfaabcad2830afa7e612e6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.log
    Filesize

    133KB

    MD5

    f8d21123dfa0d37caece024c47d434bb

    SHA1

    7f48d0b6d215fcbf6f9dddc900c7258c93e3cdc3

    SHA256

    f264e45f50ac959cc1eef7100c45684243be5ae8b541aa08f3c06ad6089f5404

    SHA512

    9c3d1b9ac0b82015f3fe2201cb3a1bf093dc97c893ecd11420d9a42b3024a134e5e5987e12214e770b72beec228bf478e460ef8c7da8f1bfbad78dbe7011b07f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RarSFX0\Layer.exe
    Filesize

    99KB

    MD5

    431aa2dcbd1ff6815adc76537d63fb36

    SHA1

    fd294d12e590889dd26bc278a8540f46dbfbf879

    SHA256

    5cff0f4f3e01640a607f30861e42dff908fb8ceb5d8b833a560d1109c9b9a4e6

    SHA512

    0c0246f6468ac7e13a2e846e4d409d204069035b7f8b5aac0d0104a49ed1b36b7f5bad1d8e83fe09f37fb0a1dfe038282b79f82d797a3c846f738bcad09b995c

    Download Submit

  • memory/820-77-0x0000000000170000-0x00000000001A7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/820-70-0x0000000000170000-0x00000000001A7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/820-860-0x0000000000170000-0x00000000001A7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/820-80-0x0000000000170000-0x00000000001A7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/820-49-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/820-52-0x00000000000A0000-0x00000000000C0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/820-53-0x00000000000C0000-0x00000000000C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/820-54-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/820-56-0x0000000000170000-0x00000000001A7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/820-58-0x0000000000170000-0x00000000001A7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/820-76-0x0000000000170000-0x00000000001A7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/820-73-0x0000000000170000-0x00000000001A7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/820-69-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/820-72-0x0000000000170000-0x00000000001A7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/820-71-0x0000000000170000-0x00000000001A7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1240-57-0x0000000000330000-0x0000000000367000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1240-48-0x0000000000330000-0x0000000000367000-memory.dmp

    Filesize

    220KB

    Download

  • memory/2472-99-0x0000000000290000-0x00000000002C7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/2472-43-0x0000000000290000-0x00000000002C7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/2628-24-0x0000000000150000-0x0000000000187000-memory.dmp

    Filesize

    220KB

    Download

  • memory/2628-61-0x0000000000150000-0x0000000000187000-memory.dmp

    Filesize

    220KB

    Download

  • memory/2628-22-0x00000000001D0000-0x00000000002D0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2684-262-0x0000000000090000-0x0000000000091000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-264-0x00000000002F0000-0x0000000000327000-memory.dmp

    Filesize

    220KB

    Download

  • memory/2684-1108-0x0000000000090000-0x0000000000091000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2684-1110-0x00000000002F0000-0x0000000000327000-memory.dmp

    Filesize

    220KB

    Download