Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    26-04-2024 14:41

General

  • Target

    aa.rar

  • Size

    191KB

  • MD5

    1f5da599ec39b53f38093acb1d77d8e4

  • SHA1

    f2c6a5094baed51cb35151271394bd208226fc6d

  • SHA256

    a0b1b2960c06849e66e36c739829d409d03870e400d6402f438e80741cb2ef34

  • SHA512

    e9e21285bca2156b6320a60a4d2de1e67ac266e4483663b8bb47569b357ff8e287149f5dbe6b0fe88d3ed898f96ce12e3394378e684722ddee9cc1d930237a0c

  • SSDEEP

    3072:QFkxQpxPrp85bdiA7OW6QyxrWHONGmLnSxMs8a2HOeAtz3z0a4Gn8:Qf7sEA7Odhx1fat2ub7T/n8

Malware Config

Extracted

Family

plugx

C2

45.251.240.55:443

45.251.240.55:8080

45.251.240.55:8000

Mutex

EDysZYTmoiuUydWatmWb

Attributes
  • folder

    AAM UpdatesHtA

Signatures

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 43 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\aa.rar
    1⤵
    • Modifies registry class
    PID:1168
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3120
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:992
    • C:\Windows\explorer.exe
      explorer .
      2⤵
        PID:4508
      • C:\Windows\system32\rundll32.exe
        rundll32 hex.dll,#1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5084
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 hex.dll,#1
          3⤵
          • Loads dropped DLL
          PID:5044
      • C:\Users\Admin\AppData\Local\Temp\AAM Updates.exe
        "AAM Updates.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:808
        • C:\ProgramData\AAM UpdatesHtA\AAM Updates.exe
          "C:\ProgramData\AAM UpdatesHtA\AAM Updates.exe" 346
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3672
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5024
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap14091:84:7zEvent8992
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1856
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4972

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      • Persistence: Boot or Logon Autostart Execution (T1547) 1; Registry Run Keys / Startup Folder (T1547.001) 1
      • Privilege Escalation: Boot or Logon Autostart Execution (T1547) 1; Registry Run Keys / Startup Folder (T1547.001) 1
      • Defense Evasion: Modify Registry (T1112) 2
      • Discovery: Query Registry (T1012) 1; Peripheral Device Discovery (T1120) 1; System Information Discovery (T1082) 2

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\AAM Updates.exe
        Filesize

        185KB

        MD5

        c70d8dce46b4551133ecc58aed84bf0e

        SHA1

        00626346632fdfb2a1d5831793e92a3601ec4d9f

        SHA256

        0459e62c5444896d5be404c559c834ba455fa5cae1689c70fc8c61bc15468681

        SHA512

        12117c7fa9acef9a2a8d7da53a2a435dd45298bb98439025e2c4a3bb0c8096675d5541c0b2eb7246164e2a19cd879f98c0a007b0f73691d59036822be01a6f92

      • C:\Users\Admin\AppData\Local\Temp\adobeupdate.dat
        Filesize

        157KB

        MD5

        317705ca7476ac9a754b80fded717f6b

        SHA1

        ed690e1eb83b4a71529e2b8e92d9699f53171250

        SHA256

        abd6521990e88bd18bbcba063744efe0ccac23063bb340720cc3f610d9b1c770

        SHA512

        2d452ab0fa2f2692061b1afb43bea1ead1bc47b328a00e8508e1121446646cb6ce686bf4d9538cdaf2c176ba0ae59df701930331cc52a3d94cc1ba9d64abf167

      • C:\Users\Admin\AppData\Local\Temp\hex.dll
        Filesize

        20KB

        MD5

        b061d981d224454ffd8d692cf7ee92b7

        SHA1

        2c93c30207786343f3de6ca540d14fefc237a9b4

        SHA256

        14f9278f3515fae71ccb8073cfaf73bdcc00eab3888d8cee6fb43a4f51c9e699

        SHA512

        ac1923f62becd49f164f9ff6782468e554a6a13b5d00cff3fb889f8198d311004ecfe9658ccad58b348e2b39d4e8c51d9623e658d64a2fdcafa82e4b86493014

      • memory/808-13-0x0000000003040000-0x0000000006C76000-memory.dmp
        Filesize

        60.2MB

      • memory/3672-28-0x0000000002380000-0x0000000005FB6000-memory.dmp
        Filesize

        60.2MB

      • memory/3672-25-0x0000000002380000-0x0000000005FB6000-memory.dmp
        Filesize

        60.2MB

      • memory/3672-26-0x0000000002380000-0x0000000005FB6000-memory.dmp
        Filesize

        60.2MB

      • memory/3672-27-0x0000000002380000-0x0000000005FB6000-memory.dmp
        Filesize

        60.2MB

      • memory/3672-24-0x0000000002380000-0x0000000005FB6000-memory.dmp
        Filesize

        60.2MB

      • memory/3672-32-0x0000000002380000-0x0000000005FB6000-memory.dmp
        Filesize

        60.2MB

      • memory/3672-33-0x0000000002380000-0x0000000005FB6000-memory.dmp
        Filesize

        60.2MB

      • memory/3672-34-0x0000000002380000-0x0000000005FB6000-memory.dmp
        Filesize

        60.2MB

      • memory/3672-35-0x0000000002380000-0x0000000005FB6000-memory.dmp
        Filesize

        60.2MB

      • memory/3672-36-0x0000000002380000-0x0000000005FB6000-memory.dmp
        Filesize

        60.2MB

      • memory/3672-37-0x0000000002380000-0x0000000005FB6000-memory.dmp
        Filesize

        60.2MB

      • memory/3672-38-0x0000000002380000-0x0000000005FB6000-memory.dmp
        Filesize

        60.2MB

      • memory/3672-39-0x0000000002380000-0x0000000005FB6000-memory.dmp
        Filesize

        60.2MB