Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

4b71451551...01.exe

windows7-x64

10

4b71451551...01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/01/2025, 16:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe

  • Size

    263KB

  • MD5

    582fb65add01ce95d827b96006a3ff42

  • SHA1

    d8931a791f8ef3d4015aec2bffa47808e28877b5

  • SHA256

    4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01

  • SHA512

    6e2194abfba98c6723040b9d4e801a8d4e75cc8449d408638fa80edfa11865cad9d01b768c21919ed863f3e7f97d258930ccbbf6acbc0e65c730ead79f5c7141

  • SSDEEP

    6144:iz+92mhAMJ/cPl3i+eLba0WZj+ufaZef6IMLWKH1cLb1UyOr0Sg3:iK2mhAMJ/cPlQIFXfaZefAyb1FOB2

Score
10/10
plugxdiscoverytrojan

Malware Config

Signatures

  • Detects PlugX payload 22 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Plugx family
    plugx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe
    "C:\Users\Admin\AppData\Local\Temp\4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4240
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1888
  • C:\ProgramData\SxS\Nv.exe
    "C:\ProgramData\SxS\Nv.exe" 100 1888
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:3016
  • C:\ProgramData\SxS\Nv.exe
    "C:\ProgramData\SxS\Nv.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4696
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3744
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 3744
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\SxS\bug.log
    Filesize

    622B

    MD5

    1474198ff70b99a8c583921401d33e01

    SHA1

    cc9011d46afc339f45f0a5b36014efc9565cfbb2

    SHA256

    f92210fe1c06f4ff8f76344273621d6744a6d48890e85c4da2cada1b2d7ab4ae

    SHA512

    dbe25a3fe20e2ad6d4772f1c33491a8c8efdb05027a68cf64294590f165b34b35d4fb1aadb779a2d04f0c08ad6de08c397e90e6e860ead78d53435d0483b16d0

    Download Submit

  • C:\ProgramData\SxS\bug.log
    Filesize

    764B

    MD5

    8f9d348c083719004101cefe57e8445d

    SHA1

    4359c722b9a09cd15365c12d0cef47ff9182aad2

    SHA256

    7f03bca3715743b8cccba09d06b6867f7ce7e46baee92e7a3e7f5ed0589678a6

    SHA512

    512d835e113786cb28300c3c16e47971c2b8c898436ae74ed2329f093320d686ad617978d47f483209861bbf7d147eac068e449cb7ba0d55a806eae8feadeff3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.mp3
    Filesize

    120KB

    MD5

    e1e6d954482a108020c8e471bd0790e4

    SHA1

    138def3945437e9d81902f00b1119795140ae8bf

    SHA256

    9f5663bdcd5217b16597a53c763359c63d867202df572f23493d54a1c082c954

    SHA512

    7573eba59791c978c45e5af1abd70c3a7d454e6fe1de9962f737679e8ddf5e9694d548bb8f0bbc4ffc236921a984f97bc1d11b0b0f239b25bb4253f88e2862e5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
    Filesize

    41KB

    MD5

    92b5a067fc1866b933eade6ebd4e1564

    SHA1

    91c38bb2d1993dde1068550e42580c4d2993a5c1

    SHA256

    632341931e3fe5eb85693c088bc3aaefffe9e5a64131af8fd214e66b247079c6

    SHA512

    3f7e2a85db7503196ceb84605758caef87162d8935be0c909afcd45b388605ca85c76e9b134b08e158f8cfaf23b65d27969fa907ba7aeeecc988ac94cb0bb691

    Download Submit

  • memory/1888-19-0x0000000002210000-0x0000000002310000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1888-20-0x00000000005D0000-0x0000000000600000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1888-21-0x00000000005D0000-0x0000000000600000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1888-73-0x00000000005D0000-0x0000000000600000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3016-40-0x00000000006F0000-0x0000000000720000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3016-41-0x00000000006F0000-0x0000000000720000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3016-74-0x00000000006F0000-0x0000000000720000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3744-61-0x00000000009D0000-0x0000000000A00000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3744-60-0x00000000009D0000-0x0000000000A00000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3744-62-0x00000000009D0000-0x0000000000A00000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3744-65-0x00000000009D0000-0x0000000000A00000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3744-79-0x00000000009D0000-0x0000000000A00000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3744-67-0x00000000009D0000-0x0000000000A00000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3744-66-0x00000000009D0000-0x0000000000A00000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3744-82-0x00000000009D0000-0x0000000000A00000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3744-47-0x00000000009D0000-0x0000000000A00000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3744-59-0x00000000009C0000-0x00000000009C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3744-48-0x00000000009D0000-0x0000000000A00000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4696-46-0x0000000000D00000-0x0000000000D30000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4696-45-0x0000000000D00000-0x0000000000D30000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4696-70-0x0000000000D00000-0x0000000000D30000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4820-76-0x0000000000B40000-0x0000000000B41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4820-78-0x0000000001030000-0x0000000001060000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4820-77-0x0000000001030000-0x0000000001060000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4820-75-0x0000000001030000-0x0000000001060000-memory.dmp

    Filesize

    192KB

    Download