Overview

overview

10

Static

static

3

2d06415cf8...64.exe

windows7-x64

10

2d06415cf8...64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-01-2025 16:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2d06415cf8ff8aacce1b0d994a269c52810c9324254a33a2bea0d134dc17b064.exe

  • Size

    218KB

  • MD5

    046bb16fd2d9749e07fa07aeffd044d6

  • SHA1

    692d905801968e4736e0a3ded2152d77b6a38088

  • SHA256

    2d06415cf8ff8aacce1b0d994a269c52810c9324254a33a2bea0d134dc17b064

  • SHA512

    78edaf9c5d326e73198343ee9126317f44325bbf29f255907a409dfbe1b5d301c97ecfb3b07f97ba7ba18fd40a1a977fb8bbb66118e5b65962ff00a957df295d

  • SSDEEP

    6144:KLDyFXg3/QownR9XhQNnrJ0p4ELFvST08ku1tbn:K/F3YoqR9xWrJc4ERvS48/Tz

Score
10/10
plugxdiscoverytrojan

Malware Config

Signatures

  • Detects PlugX payload 19 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Plugx family
    plugx
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d06415cf8ff8aacce1b0d994a269c52810c9324254a33a2bea0d134dc17b064.exe
    "C:\Users\Admin\AppData\Local\Temp\2d06415cf8ff8aacce1b0d994a269c52810c9324254a33a2bea0d134dc17b064.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Users\Admin\AppData\Local\Temp\NVFILES\NvSmart.exe
      "C:\Users\Admin\AppData\Local\Temp\NVFILES\NvSmart.exe" 100 3980
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4132
  • C:\Users\Admin\AppData\Local\Temp\NVFILES\NvSmart.exe
    "C:\Users\Admin\AppData\Local\Temp\NVFILES\NvSmart.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3752
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:448
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 448
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2956

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NVFILES\NvSmart.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\NVFILES\NvSmartMax.dll
    Filesize

    40KB

    MD5

    532bcd7258d35fabbfeca5910de8a96f

    SHA1

    5cf9fbb7afacd602f0df46b64782aae62beaf8fd

    SHA256

    8d5749552fa4698178ee46c09e8d1fc9c30322583a8301c3d092135d027d7019

    SHA512

    414c2e57e0b59c320ca53551021824b1eb507067c0c6a6f3d27683699f0a2977dd3a21211a1a16e8d5639f81028dce30c4ca7ec5420346f92de0cf53695f9f3b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\NVFILES\NvSmartMax.dll.xml
    Filesize

    113KB

    MD5

    6a6ace55c125a82ce2515f11c263fa0f

    SHA1

    cd9752a4d0aa883ded211e6765d7b11d48e864a3

    SHA256

    e116af18781cc79d61bfff8db9ae7f67366b72260d858fbbfb898ac81877d4b2

    SHA512

    44a05ecab291740c7e374f8c5239f27a96caaae47be5489d85cf41f3249e2608b8e37edf66b0aa9b3fa7ce256ed8a9746508ebff9488311fe4252bbef5291889

    Download Submit

  • memory/448-19-0x0000000000670000-0x0000000000671000-memory.dmp

    Filesize

    4KB

    Download

  • memory/448-51-0x0000000000670000-0x0000000000671000-memory.dmp

    Filesize

    4KB

    Download

  • memory/448-52-0x0000000000C90000-0x0000000000CBD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/448-43-0x0000000000C90000-0x0000000000CBD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/448-42-0x0000000000C90000-0x0000000000CBD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/448-33-0x0000000000C90000-0x0000000000CBD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/448-20-0x0000000000C90000-0x0000000000CBD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/448-21-0x0000000000C90000-0x0000000000CBD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/448-32-0x0000000000C90000-0x0000000000CBD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/448-31-0x0000000000C80000-0x0000000000C81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/448-35-0x0000000000C90000-0x0000000000CBD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/448-36-0x0000000000C90000-0x0000000000CBD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/448-34-0x0000000000C90000-0x0000000000CBD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2956-44-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2956-49-0x0000000001050000-0x000000000107D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2956-53-0x0000000001050000-0x000000000107D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2956-47-0x0000000001050000-0x000000000107D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2956-50-0x0000000001050000-0x000000000107D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2956-48-0x0000000000B70000-0x0000000000B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2956-46-0x0000000001050000-0x000000000107D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/3752-17-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3752-18-0x00000000005B0000-0x00000000005DD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/3752-40-0x00000000005B0000-0x00000000005DD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/4132-14-0x00000000022A0000-0x00000000022CD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/4132-13-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/4132-11-0x0000000000401000-0x0000000000402000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4132-41-0x00000000022A0000-0x00000000022CD000-memory.dmp

    Filesize

    180KB

    Download