Overview

overview

10

Static

static

3

fc1e2a0ed2...9f.exe

windows7-x64

10

fc1e2a0ed2...9f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-04-2024 15:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f.exe

  • Size

    616KB

  • MD5

    adc1463af9514ac48cd963385f08c40f

  • SHA1

    5d5d0c94473b30234efc9915ee67db7accc02c5d

  • SHA256

    fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f

  • SHA512

    076d9e8523a56e90553aca20a736c3d72e11f4189ba6686ccc9b08e6830df25b3ffb58457d55eb36a2257c7704113fd7e6f9899cb1b8a0859ac00cd43b94c567

  • SSDEEP

    12288:YUomEFRu3xEPE69cRgjq7Vv87gZCf5mKtKX6jtXM6DlZ2NBYBPhzMqDxnnID:YmOMSPE6KRkq7fXRiXXlZ2NByPiqFnS

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 24 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Unexpected DNS network traffic destination 4 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f.exe
    "C:\Users\Admin\AppData\Local\Temp\fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe
      "C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2124
  • C:\ProgramData\Bitdefender\USOPrivate.exe
    "C:\ProgramData\Bitdefender\USOPrivate.exe" 100 2124
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2816
  • C:\ProgramData\Bitdefender\USOPrivate.exe
    "C:\ProgramData\Bitdefender\USOPrivate.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4092
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4856
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 4856
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:3868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\USOPrivate.dat
    Filesize

    152KB

    MD5

    1a62834b9f2423effb90e133141b1f05

    SHA1

    fec09cab25b88e1566f0f766db29c6204acf63fc

    SHA256

    a897a20a35e9c449a45932a75b626de649605e132ff49c0dbc745930fc0bbb89

    SHA512

    4f674ae447a9c6dcced488fc3bf408a9173602b75c1bac492a60805ca536351052619393d9a72f7cfd958d9f5b1df8eb4085a0267f9cdd293a7c3b4486d25267

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe
    Filesize

    760KB

    MD5

    10866465a9b0c56af2cd093b80cdbc9f

    SHA1

    fc77be3e68a79b597ffed1b307d1b447787e7995

    SHA256

    9831526e475a4ed0d149bec15f69193a48249c3cda1ddb2f2140292afd862cfa

    SHA512

    975c0c3abe71d29a1391bc9a258df9560466f40764ff6dd8b06db5234d45a6c12f27c77bd26409fda051de598cdc0087afd847e46818553c5ed3eff53cfe2091

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\log.dll
    Filesize

    39KB

    MD5

    1cf26c4edf92541cee6dcb327a15ab97

    SHA1

    1838eb4a59e618e298a188347e37f76845c80cad

    SHA256

    be213cfb0795e8a645d50eec7e55520e952279963dcef4e11b49c022ec283129

    SHA512

    3bf8367435d51e0f8986bcfcabaf48780936f2baacaaa269496d77800364304d3bcf0edb9bcdb64ffe0130996f282b5ba40a232a15b799b01dda25f8a9504676

    Download Submit

  • memory/2124-55-0x000001A6E3720000-0x000001A6E375A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2124-17-0x00007FF9A4480000-0x00007FF9A4481000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2124-19-0x000001A6E35C0000-0x000001A6E36C0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2124-20-0x000001A6E3720000-0x000001A6E375A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2124-21-0x000001A6E3720000-0x000001A6E375A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2816-73-0x000001D640C00000-0x000001D640C3A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2816-41-0x000001D640C00000-0x000001D640C3A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2816-42-0x000001D640C00000-0x000001D640C3A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2816-39-0x00007FF9A4480000-0x00007FF9A4481000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3868-78-0x000002170E9A0000-0x000002170E9DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3868-75-0x000002170E9A0000-0x000002170E9DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3868-83-0x000002170E9A0000-0x000002170E9DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3868-77-0x000002170E930000-0x000002170E931000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3868-80-0x000002170E9A0000-0x000002170E9DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3868-81-0x000002170E9A0000-0x000002170E9DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3868-79-0x000002170E9A0000-0x000002170E9DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4092-47-0x000001F55E9C0000-0x000001F55E9FA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4092-46-0x000001F55E9C0000-0x000001F55E9FA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4856-65-0x0000021009190000-0x00000210091CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4856-69-0x0000021009190000-0x00000210091CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4856-72-0x0000021009190000-0x00000210091CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4856-48-0x0000021008FD0000-0x0000021008FD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4856-68-0x0000021009190000-0x00000210091CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4856-67-0x0000021009190000-0x00000210091CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4856-66-0x0000021009190000-0x00000210091CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4856-49-0x0000021009190000-0x00000210091CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4856-64-0x0000021009190000-0x00000210091CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4856-63-0x0000021008FD0000-0x0000021008FD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4856-82-0x0000021009190000-0x00000210091CA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4856-52-0x0000021009190000-0x00000210091CA000-memory.dmp

    Filesize

    232KB

    Download