Overview

overview

10

Static

static

3

PS/RsTray.exe

windows7-x64

10

PS/RsTray.exe

windows10-2004-x64

10

PS/comserv.dll

windows7-x64

3

PS/comserv.dll

windows10-2004-x64

3

PS/comserv.dll.url

windows7-x64

1

PS/comserv.dll.url

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-12-2024 19:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PS/RsTray.exe

  • Size

    174KB

  • MD5

    d65adc7ad95e88fab486707b8c228f17

  • SHA1

    dfa0589b58a469e34695a22313d184e5352a3282

  • SHA256

    a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

  • SHA512

    3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

  • SSDEEP

    3072:wq1/mmpPCL8OZwevvCRmvUGmeU1hbFZJslQLRzMaZ:wUmqCL8Oj3XZm5jNLRzVZ

Score
10/10
plugxdiscoverytrojan

Malware Config

Signatures

  • Detects PlugX payload 20 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Plugx family
    plugx
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PS\RsTray.exe
    "C:\Users\Admin\AppData\Local\Temp\PS\RsTray.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:3224
  • C:\ProgramData\PS\RsTray.exe
    C:\ProgramData\PS\RsTray.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3268
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:452
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 452
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4496

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\PS\RsTray.exe
    Filesize

    174KB

    MD5

    d65adc7ad95e88fab486707b8c228f17

    SHA1

    dfa0589b58a469e34695a22313d184e5352a3282

    SHA256

    a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

    SHA512

    3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

    Download Submit

  • C:\ProgramData\PS\comserv.dll
    Filesize

    2KB

    MD5

    6d54b4f07a1b92bd6fafe7160b2c887c

    SHA1

    6bf4a36e729a2c4156b1280db97252ba8ea7d9b4

    SHA256

    653fe0ab7b634e50ba09f962c6357bcf76ce633768aa41dd01d1a93ef83a0a54

    SHA512

    32c57ca7ce437fc7712948a6f30733112830ff570d89ca903e5a5bdec43277a19a453df8c027e0835ad1dff2f7927cf973e33efa1847ed608cb6eb534d8163a3

    Download Submit

  • C:\ProgramData\PS\comserv.dll.url
    Filesize

    122KB

    MD5

    fe14ef97d52c1c4f4764c36b76f18340

    SHA1

    60a931c6607ffe7dabdce33151f7d217b7581175

    SHA256

    d8c68c81908ca0b31a773cf78bc59b9d886ba72177b2b4f5a1d9ea46b95ce05e

    SHA512

    390366a82817d8e841084744cd879bd7be6ce1dff85e26e9fe4739b709c17718c4e836f2f543c1d84f47096230e2d9dbc6dab6c597acc8ae802c43b1d4ae7f0d

    Download Submit

  • C:\ProgramData\SxS\bug.log
    Filesize

    620B

    MD5

    37d6f93e2e2a833f4fa99075209f2a16

    SHA1

    94cfd1431c395bf4f242e9cdeb1b6d81f9d019b7

    SHA256

    2def962828c7d43851b437ca0c8e109d0995c4ad93bb99964dcf3df5af77cdb3

    SHA512

    4198760d1322d5e00fe76707ab8d6b5be437726161533e508213f47ee69760d8ff703ce6ee9c7cefec78a82911e11ed45f83320103205227f931f7a78f643db0

    Download Submit

  • C:\ProgramData\SxS\bug.log
    Filesize

    782B

    MD5

    886e3aca04dff874dc7293dbddaae518

    SHA1

    647121c088bcdbab31545684fe8a73ecf147db18

    SHA256

    86a1271f0ed74c2f6f81c957c4cdc5dd0700186ed085fcc9d06157ef3eea4a30

    SHA512

    9620e4453f0932778fb7c88303ce1abf8a35693e22e9e1ea4f181265513fda5b65e91d38fccb269565de1bc81468ff527f559533adfc015b3544ed26ca19c257

    Download Submit

  • C:\ProgramData\SxS\bug.log
    Filesize

    1KB

    MD5

    89291f20a7e06b6059504b399b556ad5

    SHA1

    405d6cd95266aec1aae285f7da9fc09ba5c85248

    SHA256

    042f71b739275fbe577652195dce69092b38c59cce5a4ea26f6f23e054d4cac9

    SHA512

    8801c1d4f40cbd1d5a1a44cb81e1ef9369b708e582e6ee76815ff4b8fc1b7edfb14c69fcc5aaf7340334288d02a43ae60ca383808fbcd3394baa692b091d3002

    Download Submit

  • C:\ProgramData\SxS\bug.log
    Filesize

    1KB

    MD5

    f968c58974afc46cf57e90540588dd3c

    SHA1

    87cfb746712d37131e4310c50968f6331dbe15c3

    SHA256

    dede4a9c4db3eedb1ef6e1b1359bf47b0669a988368323eff651c09fb3156ad0

    SHA512

    8eddbafb477f8d372b1d3ae7a10477f63f6065c2f6c563a20ff2b8a28b113c501cb8201ca4a8dc6f2258d8abdc7c6a398bb688921009a01bb07e74cb51a86f19

    Download Submit

  • memory/452-44-0x0000000000E30000-0x0000000000E61000-memory.dmp

    Filesize

    196KB

    Download

  • memory/452-23-0x0000000000E30000-0x0000000000E61000-memory.dmp

    Filesize

    196KB

    Download

  • memory/452-24-0x0000000000E30000-0x0000000000E61000-memory.dmp

    Filesize

    196KB

    Download

  • memory/452-21-0x0000000000820000-0x0000000000821000-memory.dmp

    Filesize

    4KB

    Download

  • memory/452-65-0x0000000000E30000-0x0000000000E61000-memory.dmp

    Filesize

    196KB

    Download

  • memory/452-63-0x0000000000E30000-0x0000000000E61000-memory.dmp

    Filesize

    196KB

    Download

  • memory/452-43-0x0000000000820000-0x0000000000821000-memory.dmp

    Filesize

    4KB

    Download

  • memory/452-46-0x0000000000E30000-0x0000000000E61000-memory.dmp

    Filesize

    196KB

    Download

  • memory/452-45-0x0000000000E30000-0x0000000000E61000-memory.dmp

    Filesize

    196KB

    Download

  • memory/452-69-0x0000000000E30000-0x0000000000E61000-memory.dmp

    Filesize

    196KB

    Download

  • memory/452-33-0x0000000000E30000-0x0000000000E61000-memory.dmp

    Filesize

    196KB

    Download

  • memory/452-50-0x0000000000E30000-0x0000000000E61000-memory.dmp

    Filesize

    196KB

    Download

  • memory/452-51-0x0000000000E30000-0x0000000000E61000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3224-30-0x0000000002450000-0x0000000002481000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3224-1-0x0000000002450000-0x0000000002481000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3224-0-0x0000000002350000-0x0000000002450000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3268-20-0x0000000000EB0000-0x0000000000EE1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/3268-22-0x0000000000EB0000-0x0000000000EE1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/4496-55-0x0000000000790000-0x00000000007C1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/4496-54-0x0000000000510000-0x0000000000511000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4496-61-0x0000000000790000-0x00000000007C1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/4496-64-0x0000000000790000-0x00000000007C1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/4496-60-0x00000000005B0000-0x00000000005B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4496-56-0x0000000000790000-0x00000000007C1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/4496-62-0x0000000000790000-0x00000000007C1000-memory.dmp

    Filesize

    196KB

    Download