plugx | f949b78b040cbfc95aafb50ef30ac3e8c16771c6b926b6f8f1efe44a1f437d51

General

Target

AcroRd32DQe.bin.exe
Size

293KB
MD5

187a89cf24890c3af628219d0d9ae881
SHA1

5b1ba0821ca5461ced123cc646dd5823504075f5
SHA256

f949b78b040cbfc95aafb50ef30ac3e8c16771c6b926b6f8f1efe44a1f437d51
SHA512

aaf9203cda730018988f38c4734b144d0f83e61e3a342c6c26f3668b2e6860d95558da39bc11d3a7d4683f74059e144fc0c98ebe05acde501012caf3609263ef

Score

10^/10

plugx persistence trojan

Malware Config

Extracted

Family

plugx

C2

45.134.83.41:443

45.134.83.41:8080

45.134.83.41:80

Mutex

jqcdxvOfUAlRGUCUknxZ

Attributes

folder
AcroRd32DQe

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
320	AcroRd32.exe
576	AcroRd32.exe
1640	acrotrays.exe

Loads dropped DLL 6 IoCs

pid	Process
1824	AcroRd32DQe.bin.exe
320	AcroRd32.exe
320	AcroRd32.exe
576	AcroRd32.exe
576	AcroRd32.exe
1640	acrotrays.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	AcroRd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AcroRd32DQe = "\"C:\\ProgramData\\AcroRd32DQe\\AcroRd32.exe\" 444"	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run	AcroRd32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\AcroRd32DQe = "\"C:\\ProgramData\\AcroRd32DQe\\AcroRd32.exe\" 444"	AcroRd32.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	AcroRd32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	AcroRd32DQe.bin.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu\PROXY	AcroRd32.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\ms-pu	AcroRd32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\CLSID = 43004200380032003300460037003400450035003600430046003800420045000000	AcroRd32.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu	AcroRd32.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu	acrotrays.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
576	AcroRd32.exe
576	AcroRd32.exe
576	AcroRd32.exe
576	AcroRd32.exe
576	AcroRd32.exe
576	AcroRd32.exe
1640	acrotrays.exe
1640	acrotrays.exe
1640	acrotrays.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	576	AcroRd32.exe
Token: SeDebugPrivilege	576	AcroRd32.exe
Token: SeTcbPrivilege	576	AcroRd32.exe
Token: SeDebugPrivilege	1640	acrotrays.exe
Token: SeDebugPrivilege	1640	acrotrays.exe
Token: SeDebugPrivilege	1640	acrotrays.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1824	AcroRd32DQe.bin.exe
1824	AcroRd32DQe.bin.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 320	1824	AcroRd32DQe.bin.exe	30
PID 1824 wrote to memory of 320	1824	AcroRd32DQe.bin.exe	30
PID 1824 wrote to memory of 320	1824	AcroRd32DQe.bin.exe	30
PID 1824 wrote to memory of 320	1824	AcroRd32DQe.bin.exe	30
PID 1824 wrote to memory of 320	1824	AcroRd32DQe.bin.exe	30
PID 1824 wrote to memory of 320	1824	AcroRd32DQe.bin.exe	30
PID 1824 wrote to memory of 320	1824	AcroRd32DQe.bin.exe	30
PID 320 wrote to memory of 576	320	AcroRd32.exe	31
PID 320 wrote to memory of 576	320	AcroRd32.exe	31
PID 320 wrote to memory of 576	320	AcroRd32.exe	31
PID 320 wrote to memory of 576	320	AcroRd32.exe	31
PID 320 wrote to memory of 576	320	AcroRd32.exe	31
PID 320 wrote to memory of 576	320	AcroRd32.exe	31
PID 320 wrote to memory of 576	320	AcroRd32.exe	31
PID 576 wrote to memory of 1640	576	AcroRd32.exe	32
PID 576 wrote to memory of 1640	576	AcroRd32.exe	32
PID 576 wrote to memory of 1640	576	AcroRd32.exe	32
PID 576 wrote to memory of 1640	576	AcroRd32.exe	32
PID 576 wrote to memory of 1640	576	AcroRd32.exe	32
PID 576 wrote to memory of 1640	576	AcroRd32.exe	32
PID 576 wrote to memory of 1640	576	AcroRd32.exe	32

C:\Users\Admin\AppData\Local\Temp\AcroRd32DQe.bin.exe
"C:\Users\Admin\AppData\Local\Temp\AcroRd32DQe.bin.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\AcroRd32.exe
  "C:\Users\Admin\AppData\Local\Temp\AcroRd32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\ProgramData\AcroRd32DQe\AcroRd32.exe
    C:\ProgramData\AcroRd32DQe\AcroRd32.exe 444
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\ProgramData\back\acrotrays.exe
      C:\ProgramData\back\acrotrays.exe -d AAA
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-78-0x0000000000A50000-0x0000000000B50000-memory.dmp

Filesize
1024KB

Download
memory/320-68-0x0000000002410000-0x0000000006049000-memory.dmp

Filesize
60.2MB

Download
memory/576-77-0x0000000001F20000-0x0000000005B59000-memory.dmp

Filesize
60.2MB

Download
memory/1640-87-0x0000000001EB0000-0x0000000005AE9000-memory.dmp

Filesize
60.2MB

Download
memory/1824-60-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads