Overview

overview

10

Static

static

7

kdump64.dll

windows7-x64

7

kdump64.dll

windows10-2004-x64

7

wps.exe

windows7-x64

10

wps.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-11-2024 14:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    wps.exe

  • Size

    177KB

  • MD5

    f44992d14033a2b5b1064104658a29e1

  • SHA1

    62673aa6e8bde17f218524cbe3bf50cb5b949f3b

  • SHA256

    331f64d6d6bf7883ed8a3c29ab8ce3bf947aaecf49748a7a2b5113ced68607a4

  • SHA512

    9a57d5765e9dcff8caccf8b51449bfd8d35f9c346c9a09a5c64a7229136490bc1cb5a3f07c8d9c75aaf48e16e01700c3d6674fc1b8d170ce927913c4130bc31b

  • SSDEEP

    3072:65nSsRkXPsSadfviPNPVY5bYm1wkUBL/1cAR+oOb5vENb/fZOKeb0WhmNNdnLeny:65SsRkXPYGPG5cm6Bd3oEt/fZOaBi/fi

Score
10/10
plugxtrojanvmprotect

Malware Config

Signatures

  • Detects PlugX payload 24 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Plugx family
    plugx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file 10 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wps.exe
    "C:\Users\Admin\AppData\Local\Temp\wps.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3224
  • C:\ProgramData\Kingsoft\office6\wps.exe
    "C:\ProgramData\Kingsoft\office6\wps.exe" 100 3224
    1⤵
    • Deletes itself
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2884
  • C:\ProgramData\Kingsoft\office6\wps.exe
    "C:\ProgramData\Kingsoft\office6\wps.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4708
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 4708
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Kingsoft\office6\kdump64.dll
    Filesize

    148KB

    MD5

    d5dcfc5ac42bcba55a1170756f3493f4

    SHA1

    1bcefa919e0c9c1d114ed6384e4aff8f316482de

    SHA256

    8ba00843b9aba2cff6f2234a7daf040aadfebce4c05b13061da63b48f63bfa4f

    SHA512

    dbaf78188b53629d667bdcb4fcdc0c35045e77330bbe209739c86fbe2d7c2ba04b3adeedc6576186e1af20f8eb373a9788ed3b0050f80f61485475dcf23b0a24

    Download Submit

  • C:\ProgramData\Kingsoft\office6\wps.dat
    Filesize

    152KB

    MD5

    a1ed676cf36394b6b4fb449309b91b5b

    SHA1

    4cf7a01b132e4855581e39f5d0da204301fdae98

    SHA256

    8da2085b60e44aa5fa46c8613757e1582df098e27373b2c8916d2725f28b46de

    SHA512

    ce224d2376a7d78777691f9eceb8a48755787b390b73e309d48337b8d097a9370e66780237e2884294c76205f93f27e82744804781abe8eaee255c9e2f0f3f11

    Download Submit

  • C:\ProgramData\Kingsoft\office6\wps.exe
    Filesize

    177KB

    MD5

    f44992d14033a2b5b1064104658a29e1

    SHA1

    62673aa6e8bde17f218524cbe3bf50cb5b949f3b

    SHA256

    331f64d6d6bf7883ed8a3c29ab8ce3bf947aaecf49748a7a2b5113ced68607a4

    SHA512

    9a57d5765e9dcff8caccf8b51449bfd8d35f9c346c9a09a5c64a7229136490bc1cb5a3f07c8d9c75aaf48e16e01700c3d6674fc1b8d170ce927913c4130bc31b

    Download Submit

  • memory/2536-59-0x00007FFEBF520000-0x00007FFEBF564000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2536-32-0x00007FFEBF520000-0x00007FFEBF564000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2536-33-0x00007FFEBF520000-0x00007FFEBF564000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2536-35-0x0000000000C70000-0x0000000000CAA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2536-36-0x0000000000C70000-0x0000000000CAA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2536-56-0x0000000000C70000-0x0000000000CAA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2536-58-0x0000000001030000-0x00000000010FD000-memory.dmp

    Filesize

    820KB

    Download

  • memory/2820-78-0x000002B8D51A0000-0x000002B8D51DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2820-76-0x000002B8D51A0000-0x000002B8D51DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2820-73-0x000002B8D51A0000-0x000002B8D51DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2820-77-0x000002B8D51A0000-0x000002B8D51DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2820-75-0x000002B8D3860000-0x000002B8D3861000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2884-28-0x00007FFECD4A0000-0x00007FFECD4A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2884-27-0x00000000020A0000-0x00000000020DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2884-29-0x00000000020A0000-0x00000000020DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2884-23-0x00007FFEBF520000-0x00007FFEBF564000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2884-24-0x00007FFEBF520000-0x00007FFEBF564000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2884-69-0x0000000002110000-0x00000000021DD000-memory.dmp

    Filesize

    820KB

    Download

  • memory/2884-71-0x00000000020A0000-0x00000000020DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2884-70-0x00007FFEBF520000-0x00007FFEBF564000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3224-3-0x00007FFECD4A0000-0x00007FFECD4A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3224-4-0x00000000022E0000-0x00000000023E0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3224-6-0x00000000008D0000-0x000000000090A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3224-67-0x00000000008D0000-0x000000000090A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3224-5-0x00000000008D0000-0x000000000090A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3224-66-0x00000000023E0000-0x00000000024AD000-memory.dmp

    Filesize

    820KB

    Download

  • memory/3224-37-0x00007FFEBF9C0000-0x00007FFEBFA04000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3224-0-0x00007FFEBF9C0000-0x00007FFEBFA04000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3224-1-0x00007FFEBF9C0000-0x00007FFEBFA04000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4708-53-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4708-62-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4708-38-0x00000182AC1F0000-0x00000182AC1F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4708-39-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4708-41-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4708-42-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4708-52-0x00000182AC340000-0x00000182AC341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4708-60-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4708-54-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4708-55-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4708-57-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4708-61-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4708-79-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp

    Filesize

    232KB

    Download