Overview

overview

10

Static

static

3

PS/RsTray.exe

windows7-x64

10

PS/RsTray.exe

windows10-2004-x64

10

PS/comserv.dll

windows7-x64

3

PS/comserv.dll

windows10-2004-x64

3

PS/comserv.dll.url

windows7-x64

1

PS/comserv.dll.url

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-09-2024 15:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PS/RsTray.exe

  • Size

    174KB

  • MD5

    d65adc7ad95e88fab486707b8c228f17

  • SHA1

    dfa0589b58a469e34695a22313d184e5352a3282

  • SHA256

    a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

  • SHA512

    3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

  • SSDEEP

    3072:wq1/mmpPCL8OZwevvCRmvUGmeU1hbFZJslQLRzMaZ:wUmqCL8Oj3XZm5jNLRzVZ

Score
10/10
plugxdiscoverytrojan

Malware Config

Signatures

  • Detects PlugX payload 17 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 12 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PS\RsTray.exe
    "C:\Users\Admin\AppData\Local\Temp\PS\RsTray.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2948
  • C:\ProgramData\PS\RsTray.exe
    C:\ProgramData\PS\RsTray.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 3048
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2536

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\PS\RsTray.exe
    Filesize

    174KB

    MD5

    d65adc7ad95e88fab486707b8c228f17

    SHA1

    dfa0589b58a469e34695a22313d184e5352a3282

    SHA256

    a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

    SHA512

    3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

    Download Submit

  • C:\ProgramData\PS\comserv.dll
    Filesize

    2KB

    MD5

    6d54b4f07a1b92bd6fafe7160b2c887c

    SHA1

    6bf4a36e729a2c4156b1280db97252ba8ea7d9b4

    SHA256

    653fe0ab7b634e50ba09f962c6357bcf76ce633768aa41dd01d1a93ef83a0a54

    SHA512

    32c57ca7ce437fc7712948a6f30733112830ff570d89ca903e5a5bdec43277a19a453df8c027e0835ad1dff2f7927cf973e33efa1847ed608cb6eb534d8163a3

    Download Submit

  • C:\ProgramData\PS\comserv.dll.url
    Filesize

    122KB

    MD5

    fe14ef97d52c1c4f4764c36b76f18340

    SHA1

    60a931c6607ffe7dabdce33151f7d217b7581175

    SHA256

    d8c68c81908ca0b31a773cf78bc59b9d886ba72177b2b4f5a1d9ea46b95ce05e

    SHA512

    390366a82817d8e841084744cd879bd7be6ce1dff85e26e9fe4739b709c17718c4e836f2f543c1d84f47096230e2d9dbc6dab6c597acc8ae802c43b1d4ae7f0d

    Download Submit

  • C:\ProgramData\SxS\bug.log
    Filesize

    782B

    MD5

    a6867dd99428722d3f814601082c0e29

    SHA1

    690746c6c9622fc188fd115a8627cc435747a28a

    SHA256

    116916cd4346fc94ac2c785b64077527defb80be59090ce5fbfaee8716374071

    SHA512

    9264ee43457c168046e73f08a788686f2b7a78f1eca36b2b002f7b7aad24b39e383195861ccefe16143e4306cdf6a794c75287d9c72c9682cf493a21e356bc82

    Download Submit

  • C:\ProgramData\SxS\bug.log
    Filesize

    1KB

    MD5

    230800a41ca47fe983c23b3fd6cc75c7

    SHA1

    93c3b7029384f81437334eb7b98485a5c7408acc

    SHA256

    5c602b5d7aa272d4803a3dba6e73082d39728831c2f9c2930314ffef962f53c0

    SHA512

    cf271e74de9184086280855a2d478496e79eda914738edbb74e14a9fa02413dac953028171cc7e8f21044b29bdc1c76eb7a73f74d09808982c81d4c9d9bef7ae

    Download Submit

  • C:\ProgramData\SxS\bug.log
    Filesize

    1KB

    MD5

    8fbed73bbccf2de04e92c67cfe395d2a

    SHA1

    391e3dc99feb62811af2c4f67dfddd6715f6424a

    SHA256

    7e26ac0ee46294946dcec627412282a8ff459be3db2778dba15e834a46bfc599

    SHA512

    9ca0bc9137d3c02c118a4becfa83119b9e36d580ce12d44639f4407e15fdf57cf154d07b96829de835fc1cb4d0d194abd38aeca0191a9b5e1d8e77873b6c0c07

    Download Submit

  • memory/2536-75-0x00000000002C0000-0x00000000002F1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2536-66-0x00000000002C0000-0x00000000002F1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2536-71-0x0000000000070000-0x0000000000071000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2536-72-0x00000000002C0000-0x00000000002F1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2536-73-0x00000000002C0000-0x00000000002F1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2536-65-0x0000000000110000-0x0000000000111000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2948-1-0x0000000001DE0000-0x0000000001E11000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2948-35-0x0000000001DE0000-0x0000000001E11000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2948-0-0x0000000001C80000-0x0000000001D80000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3004-19-0x0000000000340000-0x0000000000371000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3004-28-0x0000000000340000-0x0000000000371000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3048-23-0x00000000000A0000-0x00000000000BD000-memory.dmp

    Filesize

    116KB

    Download

  • memory/3048-48-0x00000000001D0000-0x0000000000201000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3048-36-0x00000000001D0000-0x0000000000201000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3048-46-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3048-47-0x00000000001D0000-0x0000000000201000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3048-49-0x00000000001D0000-0x0000000000201000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3048-53-0x00000000001D0000-0x0000000000201000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3048-26-0x00000000001D0000-0x0000000000201000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3048-21-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3048-74-0x00000000001D0000-0x0000000000201000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3048-25-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3048-24-0x00000000000C0000-0x00000000000C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3048-78-0x00000000001D0000-0x0000000000201000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3048-79-0x00000000001D0000-0x0000000000201000-memory.dmp

    Filesize

    196KB

    Download