Overview

overview

10

Static

static

3

4b71451551...01.exe

windows7-x64

10

4b71451551...01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-01-2025 16:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe

  • Size

    263KB

  • MD5

    582fb65add01ce95d827b96006a3ff42

  • SHA1

    d8931a791f8ef3d4015aec2bffa47808e28877b5

  • SHA256

    4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01

  • SHA512

    6e2194abfba98c6723040b9d4e801a8d4e75cc8449d408638fa80edfa11865cad9d01b768c21919ed863f3e7f97d258930ccbbf6acbc0e65c730ead79f5c7141

  • SSDEEP

    6144:iz+92mhAMJ/cPl3i+eLba0WZj+ufaZef6IMLWKH1cLb1UyOr0Sg3:iK2mhAMJ/cPlQIFXfaZefAyb1FOB2

Score
10/10
plugxdiscoverytrojan

Malware Config

Signatures

  • Detects PlugX payload 20 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Plugx family
    plugx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe
    "C:\Users\Admin\AppData\Local\Temp\4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4628
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3984
  • C:\ProgramData\SxS\Nv.exe
    "C:\ProgramData\SxS\Nv.exe" 100 3984
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:220
  • C:\ProgramData\SxS\Nv.exe
    "C:\ProgramData\SxS\Nv.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3916
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 3916
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:512

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\SxS\bug.log
    Filesize

    622B

    MD5

    e90b6da2d29bc362d8fed7d911f9630e

    SHA1

    cc1745ef9044f3a8e705ec429e556896a064a538

    SHA256

    d92fb64594fab7bd5b79fa0be74530b71f9064537ee7fe520e0b982a32c0b92e

    SHA512

    dbd883bb97ace802ab536121467a41c9c21418645fee722ef3d6ffe4ab513890ce8613b0cf85096298e3d89c75827f0b4a23f21cc5d6a16ab92696112488cb1d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.mp3
    Filesize

    120KB

    MD5

    e1e6d954482a108020c8e471bd0790e4

    SHA1

    138def3945437e9d81902f00b1119795140ae8bf

    SHA256

    9f5663bdcd5217b16597a53c763359c63d867202df572f23493d54a1c082c954

    SHA512

    7573eba59791c978c45e5af1abd70c3a7d454e6fe1de9962f737679e8ddf5e9694d548bb8f0bbc4ffc236921a984f97bc1d11b0b0f239b25bb4253f88e2862e5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
    Filesize

    41KB

    MD5

    92b5a067fc1866b933eade6ebd4e1564

    SHA1

    91c38bb2d1993dde1068550e42580c4d2993a5c1

    SHA256

    632341931e3fe5eb85693c088bc3aaefffe9e5a64131af8fd214e66b247079c6

    SHA512

    3f7e2a85db7503196ceb84605758caef87162d8935be0c909afcd45b388605ca85c76e9b134b08e158f8cfaf23b65d27969fa907ba7aeeecc988ac94cb0bb691

    Download Submit

  • memory/220-74-0x00000000021A0000-0x00000000021D0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/220-40-0x00000000021A0000-0x00000000021D0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/512-75-0x00000000021C0000-0x00000000021F0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/512-77-0x00000000021C0000-0x00000000021F0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/512-78-0x00000000021C0000-0x00000000021F0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/512-76-0x0000000000360000-0x0000000000361000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1900-44-0x0000000000E30000-0x0000000000E60000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1900-45-0x0000000000E30000-0x0000000000E60000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1900-62-0x0000000000E30000-0x0000000000E60000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3916-69-0x0000000001600000-0x0000000001630000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3916-79-0x0000000001600000-0x0000000001630000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3916-70-0x0000000001600000-0x0000000001630000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3916-63-0x0000000001600000-0x0000000001630000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3916-61-0x0000000001600000-0x0000000001630000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3916-60-0x0000000001600000-0x0000000001630000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3916-48-0x0000000001600000-0x0000000001630000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3916-71-0x0000000001600000-0x0000000001630000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3916-59-0x0000000000D60000-0x0000000000D61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3916-46-0x0000000001600000-0x0000000001630000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3916-82-0x0000000001600000-0x0000000001630000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3984-65-0x0000000002090000-0x00000000020C0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3984-19-0x0000000002160000-0x0000000002260000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3984-20-0x0000000002090000-0x00000000020C0000-memory.dmp

    Filesize

    192KB

    Download