Overview

overview

10

Static

static

3

fc1e2a0ed2...9f.exe

windows7-x64

10

fc1e2a0ed2...9f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    10-04-2024 15:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f.exe

  • Size

    616KB

  • MD5

    adc1463af9514ac48cd963385f08c40f

  • SHA1

    5d5d0c94473b30234efc9915ee67db7accc02c5d

  • SHA256

    fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f

  • SHA512

    076d9e8523a56e90553aca20a736c3d72e11f4189ba6686ccc9b08e6830df25b3ffb58457d55eb36a2257c7704113fd7e6f9899cb1b8a0859ac00cd43b94c567

  • SSDEEP

    12288:YUomEFRu3xEPE69cRgjq7Vv87gZCf5mKtKX6jtXM6DlZ2NBYBPhzMqDxnnID:YmOMSPE6KRkq7fXRiXXlZ2NByPiqFnS

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 22 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Unexpected DNS network traffic destination 4 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f.exe
    "C:\Users\Admin\AppData\Local\Temp\fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe
      "C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2868
  • C:\ProgramData\Bitdefender\USOPrivate.exe
    "C:\ProgramData\Bitdefender\USOPrivate.exe" 100 2868
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2460
  • C:\ProgramData\Bitdefender\USOPrivate.exe
    "C:\ProgramData\Bitdefender\USOPrivate.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 2496
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:816

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\USOPrivate.dat
    Filesize

    152KB

    MD5

    1a62834b9f2423effb90e133141b1f05

    SHA1

    fec09cab25b88e1566f0f766db29c6204acf63fc

    SHA256

    a897a20a35e9c449a45932a75b626de649605e132ff49c0dbc745930fc0bbb89

    SHA512

    4f674ae447a9c6dcced488fc3bf408a9173602b75c1bac492a60805ca536351052619393d9a72f7cfd958d9f5b1df8eb4085a0267f9cdd293a7c3b4486d25267

    Download Submit

  • \Users\Admin\AppData\Local\Temp\USOPrivate.exe
    Filesize

    760KB

    MD5

    10866465a9b0c56af2cd093b80cdbc9f

    SHA1

    fc77be3e68a79b597ffed1b307d1b447787e7995

    SHA256

    9831526e475a4ed0d149bec15f69193a48249c3cda1ddb2f2140292afd862cfa

    SHA512

    975c0c3abe71d29a1391bc9a258df9560466f40764ff6dd8b06db5234d45a6c12f27c77bd26409fda051de598cdc0087afd847e46818553c5ed3eff53cfe2091

    Download Submit

  • \Users\Admin\AppData\Local\Temp\log.dll
    Filesize

    39KB

    MD5

    1cf26c4edf92541cee6dcb327a15ab97

    SHA1

    1838eb4a59e618e298a188347e37f76845c80cad

    SHA256

    be213cfb0795e8a645d50eec7e55520e952279963dcef4e11b49c022ec283129

    SHA512

    3bf8367435d51e0f8986bcfcabaf48780936f2baacaaa269496d77800364304d3bcf0edb9bcdb64ffe0130996f282b5ba40a232a15b799b01dda25f8a9504676

    Download Submit

  • memory/816-96-0x0000000000290000-0x00000000002CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/816-90-0x0000000000290000-0x00000000002CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/816-93-0x0000000000290000-0x00000000002CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/816-98-0x0000000000290000-0x00000000002CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/816-95-0x0000000000290000-0x00000000002CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/816-94-0x0000000000290000-0x00000000002CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/816-92-0x0000000000070000-0x0000000000071000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2460-35-0x0000000077260000-0x0000000077261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2460-38-0x00000000002C0000-0x00000000002FA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2460-39-0x00000000002C0000-0x00000000002FA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2460-80-0x00000000002C0000-0x00000000002FA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2496-72-0x00000000002F0000-0x000000000032A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2496-73-0x00000000002F0000-0x000000000032A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2496-97-0x00000000002F0000-0x000000000032A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2496-49-0x0000000000080000-0x00000000000A5000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2496-69-0x0000000000060000-0x0000000000061000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2496-71-0x00000000002F0000-0x000000000032A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2496-76-0x00000000002F0000-0x000000000032A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2496-75-0x00000000002F0000-0x000000000032A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2496-74-0x00000000002F0000-0x000000000032A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2496-58-0x00000000002F0000-0x000000000032A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2496-45-0x0000000000060000-0x0000000000061000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2496-55-0x00000000002F0000-0x000000000032A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2496-54-0x0000000000060000-0x0000000000061000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2496-51-0x00000000000B0000-0x00000000000B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2788-52-0x0000000000290000-0x00000000002CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2788-44-0x0000000000290000-0x00000000002CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2868-70-0x0000000001E50000-0x0000000001E8A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2868-17-0x0000000001E50000-0x0000000001E8A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2868-15-0x0000000000480000-0x0000000000580000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2868-13-0x0000000077260000-0x0000000077261000-memory.dmp

    Filesize

    4KB

    Download