plugx | 59aaa2b8116ba01c1b37937db37213ff1f4a8552a7211ab21f73ffac2c0c13ce

General

Target

59aaa2b8116ba01c1b37937db37213ff1f4a8552a7211ab21f73ffac2c0c13ce.exe
Size

699KB
MD5

0d3fbc842a430f5367d480dd1b74449b
SHA1

bd2533005a2eaed203054fd649fdbdcd3e3a860a
SHA256

59aaa2b8116ba01c1b37937db37213ff1f4a8552a7211ab21f73ffac2c0c13ce
SHA512

aa06bebcb55175fb9dd08eb1810d72ef598a85fa8bf548609b5d6c3b7c7ee68e7b660436b29d4b189eae3631bcf0fffa6112989ca99a52d1ada3740ee16289de

Score

10^/10

plugx persistence trojan

Malware Config

Extracted

Family

plugx

C2

www.apple-net.com:80

www.apple-net.com:53

www.apple-net.com:8080

www.apple-net.com:443

Mutex

Attributes

folder
ESET Malware ProtectionOWT

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
3052	NATIONAL SECURITY CONCEPT OF MONGOLIA.exe
2876	unsecapp.exe

Loads dropped DLL 2 IoCs

pid	Process
3052	NATIONAL SECURITY CONCEPT OF MONGOLIA.exe
2876	unsecapp.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	NATIONAL SECURITY CONCEPT OF MONGOLIA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ESET Malware ProtectionOWT = "\"C:\\ProgramData\\ESET Malware ProtectionOWT\\unsecapp.exe\" -app"	NATIONAL SECURITY CONCEPT OF MONGOLIA.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run	NATIONAL SECURITY CONCEPT OF MONGOLIA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\ESET Malware ProtectionOWT = "\"C:\\ProgramData\\ESET Malware ProtectionOWT\\unsecapp.exe\" -app"	NATIONAL SECURITY CONCEPT OF MONGOLIA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\PROXY	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu\PROXY	unsecapp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu	unsecapp.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2912	WINWORD.EXE
2912	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	unsecapp.exe
Token: SeTcbPrivilege	2876	unsecapp.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2912	WINWORD.EXE
2912	WINWORD.EXE
2912	WINWORD.EXE
2912	WINWORD.EXE
2912	WINWORD.EXE
2912	WINWORD.EXE
2912	WINWORD.EXE
2912	WINWORD.EXE
2912	WINWORD.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 3484	2780	59aaa2b8116ba01c1b37937db37213ff1f4a8552a7211ab21f73ffac2c0c13ce.exe	71
PID 2780 wrote to memory of 3484	2780	59aaa2b8116ba01c1b37937db37213ff1f4a8552a7211ab21f73ffac2c0c13ce.exe	71
PID 2780 wrote to memory of 3484	2780	59aaa2b8116ba01c1b37937db37213ff1f4a8552a7211ab21f73ffac2c0c13ce.exe	71
PID 2780 wrote to memory of 1304	2780	59aaa2b8116ba01c1b37937db37213ff1f4a8552a7211ab21f73ffac2c0c13ce.exe	72
PID 2780 wrote to memory of 1304	2780	59aaa2b8116ba01c1b37937db37213ff1f4a8552a7211ab21f73ffac2c0c13ce.exe	72
PID 2780 wrote to memory of 1304	2780	59aaa2b8116ba01c1b37937db37213ff1f4a8552a7211ab21f73ffac2c0c13ce.exe	72
PID 1304 wrote to memory of 3052	1304	rundll32.exe	73
PID 1304 wrote to memory of 3052	1304	rundll32.exe	73
PID 1304 wrote to memory of 3052	1304	rundll32.exe	73
PID 3052 wrote to memory of 2876	3052	NATIONAL SECURITY CONCEPT OF MONGOLIA.exe	74
PID 3052 wrote to memory of 2876	3052	NATIONAL SECURITY CONCEPT OF MONGOLIA.exe	74
PID 3052 wrote to memory of 2876	3052	NATIONAL SECURITY CONCEPT OF MONGOLIA.exe	74
PID 3484 wrote to memory of 2912	3484	rundll32.exe	75
PID 3484 wrote to memory of 2912	3484	rundll32.exe	75

C:\Users\Admin\AppData\Local\Temp\59aaa2b8116ba01c1b37937db37213ff1f4a8552a7211ab21f73ffac2c0c13ce.exe
"C:\Users\Admin\AppData\Local\Temp\59aaa2b8116ba01c1b37937db37213ff1f4a8552a7211ab21f73ffac2c0c13ce.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll, FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\NATIONAL SECURITY CONCEPT OF MONGOLIA.docx
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\NATIONAL SECURITY CONCEPT OF MONGOLIA.docx" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2912
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll, FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\NATIONAL SECURITY CONCEPT OF MONGOLIA.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Users\Admin\AppData\Local\Temp\NATIONAL SECURITY CONCEPT OF MONGOLIA.exe
    "C:\Users\Admin\AppData\Local\Temp\NATIONAL SECURITY CONCEPT OF MONGOLIA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\ProgramData\ESET Malware ProtectionOWT\unsecapp.exe
      "C:\ProgramData\ESET Malware ProtectionOWT\unsecapp.exe" -app
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:2876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2876-132-0x0000000001330000-0x000000000135F000-memory.dmp

Filesize
188KB

Download
memory/2912-135-0x00007FFCB13B0000-0x00007FFCB13C0000-memory.dmp

Filesize
64KB

Download
memory/2912-133-0x00007FFCB13B0000-0x00007FFCB13C0000-memory.dmp

Filesize
64KB

Download
memory/2912-134-0x00007FFCB13B0000-0x00007FFCB13C0000-memory.dmp

Filesize
64KB

Download
memory/2912-136-0x00007FFCB13B0000-0x00007FFCB13C0000-memory.dmp

Filesize
64KB

Download
memory/2912-137-0x00007FFCB13B0000-0x00007FFCB13C0000-memory.dmp

Filesize
64KB

Download
memory/2912-140-0x00007FFCAD840000-0x00007FFCAD850000-memory.dmp

Filesize
64KB

Download
memory/2912-143-0x00007FFCAD840000-0x00007FFCAD850000-memory.dmp

Filesize
64KB

Download
memory/3052-124-0x0000000000940000-0x00000000009EE000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads