Malware Analysis Report

2024-07-11 07:35

Sample ID: 240620-kwsc4ayfle
Target: unescape.zip
SHA256: 625fba7fa29e9eb30a9cc98ece69706cbd66792b4185f92e14363657bd0e76d5
Tags: plugx persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 625fba7fa29e9eb30a9cc98ece69706cbd66792b4185f92e14363657bd0e76d5

Threat Level: Known bad

The file unescape.zip was found to be: Known bad.

Malicious Activity Summary

plugx persistence trojan

PlugX

Loads dropped DLL

Executes dropped EXE

Unexpected DNS network traffic destination

Adds Run key to start application

Unsigned PE

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-20 08:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-20 08:57
Reported: 2024-06-20 09:02
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\http_dll.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 1936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2940 wrote to memory of 1936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2940 wrote to memory of 1936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2940 wrote to memory of 1936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2940 wrote to memory of 1936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2940 wrote to memory of 1936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2940 wrote to memory of 1936 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\http_dll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\http_dll.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-20 08:57
Reported: 2024-06-20 09:02
Platform: win10v2004-20240508-en
Max time kernel: 93s
Max time network: 202s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\http_dll.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5080 wrote to memory of 5052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5080 wrote to memory of 5052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5080 wrote to memory of 5052 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\http_dll.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\http_dll.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5052 -ip 5052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 556

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-20 08:57
Reported: 2024-06-20 09:02
Platform: win7-20240611-en
Max time kernel: 289s
Max time network: 298s

Command Line

"C:\Users\Admin\AppData\Local\Temp\unsecapp.exe"

Signatures

PlugX

trojan plugx

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 3.64.163.50 N/A N/A
Destination IP 3.64.163.50 N/A N/A
Destination IP 3.64.163.50 N/A N/A
Destination IP 3.64.163.50 N/A N/A
Destination IP 3.64.163.50 N/A N/A
Destination IP 3.64.163.50 N/A N/A
Destination IP 3.64.163.50 N/A N/A
Destination IP 3.64.163.50 N/A N/A
Destination IP 3.64.163.50 N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Malware ProtectionbOr = "\"C:\\ProgramData\\Microsoft Malware ProtectionbOr\\unsecapp.exe\" 72" C:\Users\Admin\AppData\Local\Temp\unsecapp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Malware ProtectionbOr = "\"C:\\ProgramData\\Microsoft Malware ProtectionbOr\\unsecapp.exe\" 72" C:\Users\Admin\AppData\Local\Temp\unsecapp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\ms-pu\PROXY C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\PROXY C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\unsecapp.exe

"C:\Users\Admin\AppData\Local\Temp\unsecapp.exe"

C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe

"C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe" 6

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.apple-net.com udp
DE 3.64.163.50:80 www.apple-net.com tcp
US 8.8.8.8:53 www.apple-net.com udp
DE 3.64.163.50:80 www.apple-net.com tcp
US 8.8.8.8:53 www.apple-net.com udp
DE 3.64.163.50:443 www.apple-net.com tcp
DE 3.64.163.50:443 www.apple-net.com tcp
DE 3.64.163.50:443 www.apple-net.com tcp
DE 3.64.163.50:443 www.apple-net.com tcp
DE 3.64.163.50:53 www.apple-net.com tcp
DE 3.64.163.50:53 www.apple-net.com tcp
DE 3.64.163.50:53 www.apple-net.com tcp
DE 3.64.163.50:53 www.apple-net.com tcp
DE 3.64.163.50:53 www.apple-net.com tcp
DE 3.64.163.50:8080 www.apple-net.com tcp
DE 3.64.163.50:8080 www.apple-net.com tcp
DE 3.64.163.50:8080 www.apple-net.com tcp
DE 3.64.163.50:8080 www.apple-net.com tcp
DE 3.64.163.50:80 www.apple-net.com tcp
DE 3.64.163.50:80 www.apple-net.com tcp
DE 3.64.163.50:443 www.apple-net.com tcp
DE 3.64.163.50:443 www.apple-net.com tcp
DE 3.64.163.50:443 www.apple-net.com tcp
DE 3.64.163.50:443 www.apple-net.com tcp
DE 3.64.163.50:53 www.apple-net.com tcp
DE 3.64.163.50:53 www.apple-net.com tcp
DE 3.64.163.50:53 www.apple-net.com tcp
DE 3.64.163.50:53 www.apple-net.com tcp

Files

C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe

MD5 28c6f235946fd694d2634c7a2f24c1ba
SHA1 e9a9ce1ff07834d6ba9a51ba0d9e7c7a0b68d3e5
SHA256 c3159d4f85ceb84c4a0f7ea9208928e729a30ddda4fead7ec6257c7dd1984763
SHA512 16865c473e010950a2aa25263af70074ad7539a86dc20e0a253df39e54e3635e99e821d4df83cd7a0eaeff10c75782966439d16d056427e824be8df953e138be

memory/2024-11-0x0000000000100000-0x000000000012F000-memory.dmp

C:\ProgramData\Microsoft Malware ProtectionbOr\http_dll.dll

MD5 cc496b5bf0fe335447d1c08eb84ad8ab
SHA1 11ada1737b52fac71138160f8ff14d23819308e7
SHA256 f8b107ba060fc57899e02b6b5117c2603e169d8ee4beddf53be6d453e4fc12fb
SHA512 361e830fd956eaf26d49bba92118a1e1d717cf0169f8def9989a813d123655bda9a45fa09d0ac4a34165d76ce4f279ea50ef35b0d6a5303881e4b0b42c972019

memory/2024-13-0x0000000000100000-0x000000000012F000-memory.dmp

C:\ProgramData\Microsoft Malware ProtectionbOr\http_dll.dat

MD5 e1feeb80a32ba300fa408ac2a74ed81d
SHA1 515ab546514e528e037220c1a9e093d42b6bb8a9
SHA256 b522aba81f2230118537e15088366e450962382025fbb837a591d29d0b242ff9
SHA512 0a574d81ef4bfb4ee374c6aef84316e8f7d9d2835dbaa5ca23813d75ca0522034cc49fba38477bf9b199c419796c40f3799f988918c845dabeacb43e110c873b

memory/2024-6-0x0000000000720000-0x0000000000820000-memory.dmp

memory/2852-19-0x0000000000290000-0x00000000002BF000-memory.dmp

memory/2852-18-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2852-20-0x0000000000290000-0x00000000002BF000-memory.dmp

memory/2852-21-0x0000000000290000-0x00000000002BF000-memory.dmp

memory/2852-22-0x0000000000290000-0x00000000002BF000-memory.dmp

memory/2852-23-0x0000000000290000-0x00000000002BF000-memory.dmp

memory/2852-24-0x0000000000290000-0x00000000002BF000-memory.dmp

memory/2852-25-0x0000000000450000-0x0000000000550000-memory.dmp

memory/2852-26-0x0000000000290000-0x00000000002BF000-memory.dmp

memory/2852-27-0x0000000000290000-0x00000000002BF000-memory.dmp

memory/2852-28-0x0000000000290000-0x00000000002BF000-memory.dmp

memory/2852-29-0x0000000000290000-0x00000000002BF000-memory.dmp

memory/2852-30-0x0000000000290000-0x00000000002BF000-memory.dmp

memory/2852-31-0x0000000000290000-0x00000000002BF000-memory.dmp

memory/2852-32-0x0000000000290000-0x00000000002BF000-memory.dmp

memory/2852-33-0x0000000000290000-0x00000000002BF000-memory.dmp

memory/2852-34-0x0000000000290000-0x00000000002BF000-memory.dmp

memory/2852-35-0x0000000000290000-0x00000000002BF000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-20 08:57
Reported: 2024-06-20 09:02
Platform: win10v2004-20240508-en
Max time kernel: 292s
Max time network: 297s

Command Line

"C:\Users\Admin\AppData\Local\Temp\unsecapp.exe"

Signatures

PlugX

trojan plugx

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Malware ProtectionbOr = "\"C:\\ProgramData\\Microsoft Malware ProtectionbOr\\unsecapp.exe\" 97" C:\Users\Admin\AppData\Local\Temp\unsecapp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Malware ProtectionbOr = "\"C:\\ProgramData\\Microsoft Malware ProtectionbOr\\unsecapp.exe\" 97" C:\Users\Admin\AppData\Local\Temp\unsecapp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\ms-pu\PROXY C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\PROXY C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\unsecapp.exe

"C:\Users\Admin\AppData\Local\Temp\unsecapp.exe"

C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe

"C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe" 6

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp
US 8.8.8.8:53 www.apple-net.com udp

Files

memory/1608-1-0x0000000000F70000-0x0000000001070000-memory.dmp

memory/1608-2-0x0000000000EE0000-0x0000000000F0F000-memory.dmp

C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe

MD5 28c6f235946fd694d2634c7a2f24c1ba
SHA1 e9a9ce1ff07834d6ba9a51ba0d9e7c7a0b68d3e5
SHA256 c3159d4f85ceb84c4a0f7ea9208928e729a30ddda4fead7ec6257c7dd1984763
SHA512 16865c473e010950a2aa25263af70074ad7539a86dc20e0a253df39e54e3635e99e821d4df83cd7a0eaeff10c75782966439d16d056427e824be8df953e138be

C:\ProgramData\Microsoft Malware ProtectionbOr\http_dll.dll

MD5 cc496b5bf0fe335447d1c08eb84ad8ab
SHA1 11ada1737b52fac71138160f8ff14d23819308e7
SHA256 f8b107ba060fc57899e02b6b5117c2603e169d8ee4beddf53be6d453e4fc12fb
SHA512 361e830fd956eaf26d49bba92118a1e1d717cf0169f8def9989a813d123655bda9a45fa09d0ac4a34165d76ce4f279ea50ef35b0d6a5303881e4b0b42c972019

memory/1608-9-0x0000000000EE0000-0x0000000000F0F000-memory.dmp

C:\ProgramData\Microsoft Malware ProtectionbOr\http_dll.dat

MD5 e1feeb80a32ba300fa408ac2a74ed81d
SHA1 515ab546514e528e037220c1a9e093d42b6bb8a9
SHA256 b522aba81f2230118537e15088366e450962382025fbb837a591d29d0b242ff9
SHA512 0a574d81ef4bfb4ee374c6aef84316e8f7d9d2835dbaa5ca23813d75ca0522034cc49fba38477bf9b199c419796c40f3799f988918c845dabeacb43e110c873b

memory/2720-15-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-16-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-14-0x0000000000ED0000-0x0000000000FD0000-memory.dmp

memory/2720-17-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-18-0x0000000000ED0000-0x0000000000FD0000-memory.dmp

memory/2720-19-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-20-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-21-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-22-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-23-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-24-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-25-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-26-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-27-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-28-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-29-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-30-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-31-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-32-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-33-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-34-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-35-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-36-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-37-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-38-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-39-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-40-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-41-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-42-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-43-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-44-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-45-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-46-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-47-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-48-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-49-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-50-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-51-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-52-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-53-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-54-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-55-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-56-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-57-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-58-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-59-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-60-0x0000000000E60000-0x0000000000E8F000-memory.dmp

memory/2720-61-0x0000000000E60000-0x0000000000E8F000-memory.dmp