Overview

overview

10

Static

static

3

PS/RsTray.exe

windows7-x64

10

PS/RsTray.exe

windows10-2004-x64

10

PS/comserv.dll

windows7-x64

1

PS/comserv.dll

windows10-2004-x64

1

PS/comserv.dll.url

windows7-x64

1

PS/comserv.dll.url

windows10-2004-x64

1

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-06-2024 08:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PS/RsTray.exe

  • Size

    174KB

  • MD5

    d65adc7ad95e88fab486707b8c228f17

  • SHA1

    dfa0589b58a469e34695a22313d184e5352a3282

  • SHA256

    a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

  • SHA512

    3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

  • SSDEEP

    3072:wq1/mmpPCL8OZwevvCRmvUGmeU1hbFZJslQLRzMaZ:wUmqCL8Oj3XZm5jNLRzVZ

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 21 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PS\RsTray.exe
    "C:\Users\Admin\AppData\Local\Temp\PS\RsTray.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4544
  • C:\ProgramData\PS\RsTray.exe
    C:\ProgramData\PS\RsTray.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4608
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Deletes itself
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1384
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 1384
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:3596
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4444 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1392

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\PS\RsTray.exe
      Filesize

      174KB

      MD5

      d65adc7ad95e88fab486707b8c228f17

      SHA1

      dfa0589b58a469e34695a22313d184e5352a3282

      SHA256

      a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

      SHA512

      3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

      Download Submit

    • C:\ProgramData\PS\comserv.dll
      Filesize

      2KB

      MD5

      6d54b4f07a1b92bd6fafe7160b2c887c

      SHA1

      6bf4a36e729a2c4156b1280db97252ba8ea7d9b4

      SHA256

      653fe0ab7b634e50ba09f962c6357bcf76ce633768aa41dd01d1a93ef83a0a54

      SHA512

      32c57ca7ce437fc7712948a6f30733112830ff570d89ca903e5a5bdec43277a19a453df8c027e0835ad1dff2f7927cf973e33efa1847ed608cb6eb534d8163a3

      Download Submit

    • C:\ProgramData\PS\comserv.dll.url
      Filesize

      122KB

      MD5

      fe14ef97d52c1c4f4764c36b76f18340

      SHA1

      60a931c6607ffe7dabdce33151f7d217b7581175

      SHA256

      d8c68c81908ca0b31a773cf78bc59b9d886ba72177b2b4f5a1d9ea46b95ce05e

      SHA512

      390366a82817d8e841084744cd879bd7be6ce1dff85e26e9fe4739b709c17718c4e836f2f543c1d84f47096230e2d9dbc6dab6c597acc8ae802c43b1d4ae7f0d

      Download Submit

    • C:\ProgramData\SxS\bug.log
      Filesize

      456B

      MD5

      cab1030b85f438b749d33334e1624a03

      SHA1

      31f1a8876c89a2f48816484d09ba4960bc765e75

      SHA256

      2d8550569f70e7e0ffdd4ba8812ccd25679c61982ddcc2c2c03bb0bd97f8ac3f

      SHA512

      91aa0ddf8d5608c3ed053b5be4a6acaa22ea84fbfd0fbd402368c95eef599fda59c76044ddca2109e882ca4cfca95e97921c88aae6502c0fc3bdd5d4e9434cac

      Download Submit

    • C:\ProgramData\SxS\bug.log
      Filesize

      618B

      MD5

      dfdd5077a93daf1cfd379fda3f3e86ea

      SHA1

      47c50616142294c15c09af1a0d46c5228efe9b42

      SHA256

      ef4b98828942947c0ad2fbc3f0805fc617d20323acd8a3f5ec391e4b94e70b0c

      SHA512

      7b9d7a0073e170bc8a441de14dafa3cc62e5a313752602ce3451e80a0688d415c5cdd08131dbc50870e4a0232edb8ee9e575120048672ac0e98c9d4c70402720

      Download Submit

    • C:\ProgramData\SxS\bug.log
      Filesize

      1KB

      MD5

      0e6e4d8a8d7ed00222fd3deeab9ae21b

      SHA1

      ce707d0721d176105ced1b08514bb843e6abefe4

      SHA256

      bbaf761291721b487931e952be62783ba173ec0e89ccfaa5d843b45a566c326b

      SHA512

      e3570722da09145c9bc992c93a89014b5fbe5e6508f544fb00f8fc03ed12f22f79b1b14cd03ffdaf6fe54436a4e0f89f32c9867b0706cb1f4269ddc755e5eba3

      Download Submit

    • C:\ProgramData\SxS\bug.log
      Filesize

      1KB

      MD5

      23b004f3a2c80a0d70e4b5a24e30f11e

      SHA1

      8711482e55be263c514a87dd3b2032004dc91103

      SHA256

      d55c46b2ea7a968188e4af3600d51edb4be781d4658383a3aba01e8e2f09353b

      SHA512

      dea718c9e3cd63552dfba826a3fe614083c51a87006e25ea71ebd61e507e1e1a5321ed7f059669d7a6e277f8dd268477ba632a676cfd4d463610f63b38dd3166

      Download Submit

    • memory/1384-23-0x0000000001950000-0x0000000001981000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1384-42-0x00000000012B0000-0x00000000012B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1384-25-0x0000000001950000-0x0000000001981000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1384-22-0x00000000012B0000-0x00000000012B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1384-66-0x0000000001950000-0x0000000001981000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1384-67-0x0000000001950000-0x0000000001981000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1384-32-0x0000000001950000-0x0000000001981000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1384-62-0x0000000001950000-0x0000000001981000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1384-45-0x0000000001950000-0x0000000001981000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1384-44-0x0000000001950000-0x0000000001981000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1384-43-0x0000000001950000-0x0000000001981000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1384-48-0x0000000001950000-0x0000000001981000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1384-49-0x0000000001950000-0x0000000001981000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1384-50-0x0000000001950000-0x0000000001981000-memory.dmp

      Filesize

      196KB

      Download

    • memory/3596-59-0x0000000000CF0000-0x0000000000D21000-memory.dmp

      Filesize

      196KB

      Download

    • memory/3596-54-0x0000000000CF0000-0x0000000000D21000-memory.dmp

      Filesize

      196KB

      Download

    • memory/3596-60-0x0000000000CF0000-0x0000000000D21000-memory.dmp

      Filesize

      196KB

      Download

    • memory/3596-61-0x0000000000CF0000-0x0000000000D21000-memory.dmp

      Filesize

      196KB

      Download

    • memory/3596-58-0x0000000000C50000-0x0000000000C51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3596-53-0x00000000008D0000-0x00000000008D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3596-63-0x0000000000CF0000-0x0000000000D21000-memory.dmp

      Filesize

      196KB

      Download

    • memory/4544-0-0x00000000023D0000-0x00000000024D0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4544-29-0x0000000002370000-0x00000000023A1000-memory.dmp

      Filesize

      196KB

      Download

    • memory/4544-1-0x0000000002370000-0x00000000023A1000-memory.dmp

      Filesize

      196KB

      Download

    • memory/4608-21-0x0000000000EC0000-0x0000000000EF1000-memory.dmp

      Filesize

      196KB

      Download

    • memory/4608-20-0x0000000000EC0000-0x0000000000EF1000-memory.dmp

      Filesize

      196KB

      Download