Overview

overview

10

Static

static

7

kdump64.dll

windows7-x64

7

kdump64.dll

windows10-2004-x64

7

wps.dat

windows7-x64

3

wps.dat

windows10-2004-x64

3

wps.exe

windows7-x64

10

wps.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-12-2024 17:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    wps.exe

  • Size

    177KB

  • MD5

    f44992d14033a2b5b1064104658a29e1

  • SHA1

    62673aa6e8bde17f218524cbe3bf50cb5b949f3b

  • SHA256

    331f64d6d6bf7883ed8a3c29ab8ce3bf947aaecf49748a7a2b5113ced68607a4

  • SHA512

    9a57d5765e9dcff8caccf8b51449bfd8d35f9c346c9a09a5c64a7229136490bc1cb5a3f07c8d9c75aaf48e16e01700c3d6674fc1b8d170ce927913c4130bc31b

  • SSDEEP

    3072:65nSsRkXPsSadfviPNPVY5bYm1wkUBL/1cAR+oOb5vENb/fZOKeb0WhmNNdnLeny:65SsRkXPYGPG5cm6Bd3oEt/fZOaBi/fi

Score
10/10
plugxtrojanvmprotect

Malware Config

Signatures

  • Detects PlugX payload 22 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Plugx family
    plugx
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file 10 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wps.exe
    "C:\Users\Admin\AppData\Local\Temp\wps.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2648
  • C:\ProgramData\Kingsoft\office6\wps.exe
    "C:\ProgramData\Kingsoft\office6\wps.exe" 100 2648
    1⤵
    • Deletes itself
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2800
  • C:\ProgramData\Kingsoft\office6\wps.exe
    "C:\ProgramData\Kingsoft\office6\wps.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 2724
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2324

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Kingsoft\office6\kdump64.dll
    Filesize

    148KB

    MD5

    d5dcfc5ac42bcba55a1170756f3493f4

    SHA1

    1bcefa919e0c9c1d114ed6384e4aff8f316482de

    SHA256

    8ba00843b9aba2cff6f2234a7daf040aadfebce4c05b13061da63b48f63bfa4f

    SHA512

    dbaf78188b53629d667bdcb4fcdc0c35045e77330bbe209739c86fbe2d7c2ba04b3adeedc6576186e1af20f8eb373a9788ed3b0050f80f61485475dcf23b0a24

    Download Submit

  • C:\ProgramData\Kingsoft\office6\wps.dat
    Filesize

    152KB

    MD5

    a1ed676cf36394b6b4fb449309b91b5b

    SHA1

    4cf7a01b132e4855581e39f5d0da204301fdae98

    SHA256

    8da2085b60e44aa5fa46c8613757e1582df098e27373b2c8916d2725f28b46de

    SHA512

    ce224d2376a7d78777691f9eceb8a48755787b390b73e309d48337b8d097a9370e66780237e2884294c76205f93f27e82744804781abe8eaee255c9e2f0f3f11

    Download Submit

  • \ProgramData\Kingsoft\office6\wps.exe
    Filesize

    177KB

    MD5

    f44992d14033a2b5b1064104658a29e1

    SHA1

    62673aa6e8bde17f218524cbe3bf50cb5b949f3b

    SHA256

    331f64d6d6bf7883ed8a3c29ab8ce3bf947aaecf49748a7a2b5113ced68607a4

    SHA512

    9a57d5765e9dcff8caccf8b51449bfd8d35f9c346c9a09a5c64a7229136490bc1cb5a3f07c8d9c75aaf48e16e01700c3d6674fc1b8d170ce927913c4130bc31b

    Download Submit

  • memory/1056-38-0x0000000001D30000-0x0000000001D6A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/1056-34-0x000007FEF7620000-0x000007FEF7664000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1056-52-0x000007FEF7620000-0x000007FEF7664000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1056-39-0x0000000001D30000-0x0000000001D6A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/1056-68-0x0000000001D30000-0x0000000001D6A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/1056-35-0x000007FEF7620000-0x000007FEF7664000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2324-83-0x0000000000510000-0x000000000054A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2324-86-0x0000000000510000-0x000000000054A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2324-87-0x0000000000510000-0x000000000054A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2324-85-0x0000000000210000-0x0000000000211000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2324-88-0x0000000000510000-0x000000000054A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2648-4-0x0000000001CD0000-0x0000000001D0A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2648-0-0x000007FEF7730000-0x000007FEF7774000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2648-37-0x000007FEF7730000-0x000007FEF7774000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2648-2-0x0000000001F60000-0x0000000002060000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2648-50-0x0000000001CD0000-0x0000000001D0A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2648-1-0x000007FEF7730000-0x000007FEF7774000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2648-3-0x0000000076FE0000-0x0000000076FE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2724-51-0x00000000002A0000-0x00000000002DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2724-42-0x0000000000100000-0x0000000000125000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2724-46-0x00000000002A0000-0x00000000002DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2724-71-0x00000000002A0000-0x00000000002DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2724-70-0x00000000002A0000-0x00000000002DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2724-45-0x00000000000E0000-0x00000000000E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2724-67-0x00000000002A0000-0x00000000002DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2724-65-0x00000000002A0000-0x00000000002DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2724-64-0x00000000002A0000-0x00000000002DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2724-63-0x00000000000E0000-0x00000000000E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2724-53-0x00000000002A0000-0x00000000002DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2724-66-0x00000000002A0000-0x00000000002DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2724-43-0x0000000000130000-0x0000000000132000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2724-40-0x00000000000E0000-0x00000000000E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2724-49-0x00000000000E0000-0x00000000000E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2724-89-0x00000000002A0000-0x00000000002DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2800-76-0x0000000001EE0000-0x0000000001F1A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2800-29-0x0000000001EE0000-0x0000000001F1A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2800-28-0x0000000001EE0000-0x0000000001F1A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2800-27-0x0000000076FE0000-0x0000000076FE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2800-24-0x000007FEF7620000-0x000007FEF7664000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2800-23-0x000007FEF7620000-0x000007FEF7664000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2800-75-0x000007FEF7620000-0x000007FEF7664000-memory.dmp

    Filesize

    272KB

    Download