Overview

overview

10

Static

static

3

PS/RsTray.exe

windows7-x64

10

PS/RsTray.exe

windows10-2004-x64

10

PS/comserv.dll

windows7-x64

1

PS/comserv.dll

windows10-2004-x64

1

PS/comserv.dll.url

windows7-x64

1

PS/comserv.dll.url

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    07-06-2024 08:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PS/RsTray.exe

  • Size

    174KB

  • MD5

    d65adc7ad95e88fab486707b8c228f17

  • SHA1

    dfa0589b58a469e34695a22313d184e5352a3282

  • SHA256

    a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

  • SHA512

    3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

  • SSDEEP

    3072:wq1/mmpPCL8OZwevvCRmvUGmeU1hbFZJslQLRzMaZ:wUmqCL8Oj3XZm5jNLRzVZ

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 19 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies data under HKEY_USERS 12 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PS\RsTray.exe
    "C:\Users\Admin\AppData\Local\Temp\PS\RsTray.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1860
  • C:\ProgramData\PS\RsTray.exe
    C:\ProgramData\PS\RsTray.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Deletes itself
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 2668
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\PS\RsTray.exe
    Filesize

    174KB

    MD5

    d65adc7ad95e88fab486707b8c228f17

    SHA1

    dfa0589b58a469e34695a22313d184e5352a3282

    SHA256

    a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

    SHA512

    3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

    Download Submit

  • C:\ProgramData\PS\comserv.dll.url
    Filesize

    122KB

    MD5

    fe14ef97d52c1c4f4764c36b76f18340

    SHA1

    60a931c6607ffe7dabdce33151f7d217b7581175

    SHA256

    d8c68c81908ca0b31a773cf78bc59b9d886ba72177b2b4f5a1d9ea46b95ce05e

    SHA512

    390366a82817d8e841084744cd879bd7be6ce1dff85e26e9fe4739b709c17718c4e836f2f543c1d84f47096230e2d9dbc6dab6c597acc8ae802c43b1d4ae7f0d

    Download Submit

  • C:\ProgramData\SxS\bug.log
    Filesize

    782B

    MD5

    48e717b992505b897b10a6493d488a67

    SHA1

    dbaa8b7d7f1b86f207d00c094da1d106bc5749b4

    SHA256

    4313500e273b5af1e38019be9a4b695e82b16a4379306d941031d16ade7da78b

    SHA512

    272517067aa83cc3707a9652b4608b44c33f6a7ec1d0fc79b57ecdf1ff241e99d83cb8282234798040f8c10889bbb4a7578a43bef94d1a4a560334b23d7a0b1b

    Download Submit

  • C:\ProgramData\SxS\bug.log
    Filesize

    1KB

    MD5

    99ed45c2dedcc034e8093db5f4562987

    SHA1

    42c4d48f9121137f65dec2619ac989e9c422c8d7

    SHA256

    b20534160b5ac3d35f869db10b353cc080d72f62f9ab16ae9c2872a508c45990

    SHA512

    06f80cf625f0c7abf06ef6f2ad1d57208a02b228ea5d40afdecd462ae994c7bf3d2f8bb580a7364307e5cec841984b4efc69474db29297e9b50a2c9a0866174d

    Download Submit

  • C:\ProgramData\SxS\bug.log
    Filesize

    1KB

    MD5

    0fd31cef7732e6d7c37a01967b763664

    SHA1

    f521103585ad1e0ed32e7c6fb4366dd26eb14db3

    SHA256

    3b5b603f3d4ce5b588599063dc259b2d3e35fb6dd08593a77d8787f0d61a9c99

    SHA512

    34dab61adcfbcdfe87ae924e260327e369bbaea5def715e69f722b8351816eaa82f100d945a0b2faba24ee0b23abf372dec8f42764a47ae127c4e5709f4917d9

    Download Submit

  • \ProgramData\PS\comserv.dll
    Filesize

    2KB

    MD5

    6d54b4f07a1b92bd6fafe7160b2c887c

    SHA1

    6bf4a36e729a2c4156b1280db97252ba8ea7d9b4

    SHA256

    653fe0ab7b634e50ba09f962c6357bcf76ce633768aa41dd01d1a93ef83a0a54

    SHA512

    32c57ca7ce437fc7712948a6f30733112830ff570d89ca903e5a5bdec43277a19a453df8c027e0835ad1dff2f7927cf973e33efa1847ed608cb6eb534d8163a3

    Download Submit

  • memory/1860-1-0x0000000001DA0000-0x0000000001EA0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1860-2-0x0000000001BD0000-0x0000000001C01000-memory.dmp

    Filesize

    196KB

    Download

  • memory/1860-0-0x0000000001BD0000-0x0000000001C01000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2596-20-0x00000000002D0000-0x0000000000301000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2596-19-0x00000000002D0000-0x0000000000301000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2668-47-0x0000000000170000-0x00000000001A1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2668-73-0x0000000000170000-0x00000000001A1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2668-27-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-25-0x0000000000170000-0x00000000001A1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2668-24-0x00000000000C0000-0x00000000000C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2668-23-0x00000000000A0000-0x00000000000BD000-memory.dmp

    Filesize

    116KB

    Download

  • memory/2668-21-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-36-0x0000000000170000-0x00000000001A1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2668-46-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2668-48-0x0000000000170000-0x00000000001A1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2668-78-0x0000000000170000-0x00000000001A1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2668-77-0x0000000000170000-0x00000000001A1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2668-53-0x0000000000170000-0x00000000001A1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2668-49-0x0000000000170000-0x00000000001A1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2668-28-0x0000000000170000-0x00000000001A1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2968-71-0x0000000000280000-0x00000000002B1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2968-72-0x0000000000280000-0x00000000002B1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2968-74-0x0000000000280000-0x00000000002B1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2968-70-0x0000000000280000-0x00000000002B1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2968-69-0x0000000000090000-0x0000000000091000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2968-65-0x0000000000280000-0x00000000002B1000-memory.dmp

    Filesize

    196KB

    Download