02cb95700440b100604ece78649b2ef41b2b7ea8ff68afbb02a01148a3f7c106

Analysis

max time kernel
101s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

originalfile/PlugX_RTF_dropper_42fba80f105aa53dfbf50aeba2d73cae.rtf
Size

507KB
MD5

42fba80f105aa53dfbf50aeba2d73cae
SHA1

a49b135a66afba5713936d4758ca5d40f19b9e71
SHA256

ac7d02465d0b1992809e16aaae2cd779470a99e0860c4d8a2785d97ce988667b
SHA512

b42b529585da21bae4d36fb1e9b5f2471e77d87505db91f8859068816d355fdd8b4aaaa922512a8a39259b247b9aeaeba92cfb0ab5140122f83dd163b8ed00cf
SSDEEP

6144:h5LReC+jODUJ6aCujPjtNbShm6YNYa2Zg3:h5o3jOU6aCCtw8p

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2132	WINWORD.EXE
2132	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2132	WINWORD.EXE
2132	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2132	WINWORD.EXE
2132	WINWORD.EXE
2132	WINWORD.EXE
2132	WINWORD.EXE
2132	WINWORD.EXE
2132	WINWORD.EXE
2132	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 468	2132	WINWORD.EXE	84
PID 2132 wrote to memory of 468	2132	WINWORD.EXE	84

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\originalfile\PlugX_RTF_dropper_42fba80f105aa53dfbf50aeba2d73cae.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3EB579C3.wmf

Filesize
56KB

MD5
99d718ae90e9835ba3f6277c8d777977

SHA1
0f49fa550b4b7389f0bd24b9fc1c5b212b7820ec

SHA256
66c0e8d5fd37b7633d9f71ed12a6c2e2a3b10c12920710b2ea02127eef3cd18f

SHA512
fff0fb7c44459b120b5f134cf3e4dceda6bfd81bccb2642b90db00d91814bc6e138fbc0100a429066fb901eed7189791ffa223ea929615f6c56550b9c6a728f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\61C5E0E8.wmf

Filesize
642B

MD5
4f03b86e4d6631c26ff5fffc7332be1d

SHA1
14952a78ea51df67d5b5b6c6b4de3d96ba7935bd

SHA256
83f4ea26254d69825486bffd1d400217aac7245c5c48fe5acc3ccdea173c4851

SHA512
4bed29b66444d826e89589b55dd786758ff68fcd2daf8296703d4443edb991fffce563e20db22bfb34fdb488638bbb43252392b6c105d12e721329adc2774632

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDD833.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
6632cb3e5425739255962a36306aa17d

SHA1
51c537eaf8c912b0a346b2305e6a235ed68c047c

SHA256
b557dbcc1c87b2e8c2feef1b1565eea0198482d02779f387d3f6027ee403610f

SHA512
69d5dc704c709dcd8d9174083c45922780715d634d75e5f486868e6078d707dbee7c3d253bf1e48be7dd79fa6ad61b09508e87aba8b018934fa37031058ddf09

Download Submit
memory/2132-13-0x00007FF873BD0000-0x00007FF873DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-6-0x00007FF873BD0000-0x00007FF873DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-8-0x00007FF873BD0000-0x00007FF873DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-9-0x00007FF873BD0000-0x00007FF873DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-1-0x00007FF833C50000-0x00007FF833C60000-memory.dmp

Filesize
64KB

Download
memory/2132-12-0x00007FF873BD0000-0x00007FF873DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-14-0x00007FF831BF0000-0x00007FF831C00000-memory.dmp

Filesize
64KB

Download
memory/2132-16-0x00007FF873BD0000-0x00007FF873DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-17-0x00007FF873BD0000-0x00007FF873DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-15-0x00007FF873BD0000-0x00007FF873DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-11-0x00007FF873BD0000-0x00007FF873DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-10-0x00007FF873BD0000-0x00007FF873DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-7-0x00007FF873BD0000-0x00007FF873DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-4-0x00007FF833C50000-0x00007FF833C60000-memory.dmp

Filesize
64KB

Download
memory/2132-18-0x00007FF831BF0000-0x00007FF831C00000-memory.dmp

Filesize
64KB

Download
memory/2132-2-0x00007FF833C50000-0x00007FF833C60000-memory.dmp

Filesize
64KB

Download
memory/2132-47-0x00007FF873C6D000-0x00007FF873C6E000-memory.dmp

Filesize
4KB

Download
memory/2132-48-0x00007FF873BD0000-0x00007FF873DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-49-0x00007FF873BD0000-0x00007FF873DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-50-0x00007FF873BD0000-0x00007FF873DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2132-3-0x00007FF833C50000-0x00007FF833C60000-memory.dmp

Filesize
64KB

Download
memory/2132-5-0x00007FF833C50000-0x00007FF833C60000-memory.dmp

Filesize
64KB

Download
memory/2132-0-0x00007FF873C6D000-0x00007FF873C6E000-memory.dmp

Filesize
4KB

Download
memory/2132-438-0x00007FF833C50000-0x00007FF833C60000-memory.dmp

Filesize
64KB

Download
memory/2132-439-0x00007FF833C50000-0x00007FF833C60000-memory.dmp

Filesize
64KB

Download
memory/2132-441-0x00007FF833C50000-0x00007FF833C60000-memory.dmp

Filesize
64KB

Download
memory/2132-440-0x00007FF833C50000-0x00007FF833C60000-memory.dmp

Filesize
64KB

Download
memory/2132-442-0x00007FF873BD0000-0x00007FF873DC5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads