plugx | a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3

Resubmissions

24-02-2022 11:14

220224-nb4r6schd4 10

22-02-2022 08:33

220222-kfyj6sfggn 8

Analysis

max time kernel
132s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
24-02-2022 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe
Size

267KB
MD5

e99b341dfd3147e5bbb385e7cc5e5e17
SHA1

e5d152281a61be6db5f3d8d42d985210c4faf283
SHA256

a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3
SHA512

74d9a6d521dcc6a74c47511185efa3d026d72ee03e4986fb700c1c0555a5511cc7f2c85de9ad2da6373683f3578275c3f7561f664115bfaa054be32b05bcd14c

Score

10^/10

plugx trojan

Malware Config

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

PlugX Rat Payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4528-142-0x00000000021C0000-0x00000000021E7000-memory.dmp	PlugX
behavioral3/memory/1348-143-0x0000000000D70000-0x0000000000D97000-memory.dmp	PlugX

Executes dropped EXE 2 IoCs

Processes:

Mc.exeMc.exe

pid process

4528 Mc.exe
1348 Mc.exe

pid	process
4528	Mc.exe
1348	Mc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe

Loads dropped DLL 2 IoCs

Processes:

Mc.exeMc.exe

pid process

4528 Mc.exe
1348 Mc.exe

pid	process
4528	Mc.exe
1348	Mc.exe

Drops file in System32 directory 8 IoCs

Processes:

Mc.exeMc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\McUtil.dll.url	Mc.exe
File opened for modification	C:\Windows\SysWOW64\Mc.exe	Mc.exe
File created	C:\Windows\SysWOW64\Mc.exe	Mc.exe
File opened for modification	C:\Windows\SysWOW64\McUtil.dll	Mc.exe
File created	C:\Windows\SysWOW64\McUtil.dll	Mc.exe
File opened for modification	C:\Windows\SysWOW64\McUtil.dll	Mc.exe
File created	C:\Windows\SysWOW64\McUtil.dll	Mc.exe
File opened for modification	C:\Windows\SysWOW64\McUtil.dll.url	Mc.exe

Drops file in Windows directory 2 IoCs

Processes:

Mc.exeMc.exe

description ioc process

File opened for modification C:\Windows\SysWOW64 Mc.exe
File opened for modification C:\Windows\SysWOW64 Mc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64	Mc.exe
File opened for modification	C:\Windows\SysWOW64	Mc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Mc.exeMc.exe

description	pid	process
Token: SeDebugPrivilege	4528	Mc.exe
Token: SeTcbPrivilege	4528	Mc.exe
Token: SeDebugPrivilege	1348	Mc.exe
Token: SeTcbPrivilege	1348	Mc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe

description	pid	process	target process
PID 1872 wrote to memory of 4528	1872	a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe	Mc.exe
PID 1872 wrote to memory of 4528	1872	a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe	Mc.exe
PID 1872 wrote to memory of 4528	1872	a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe	Mc.exe

C:\Users\Admin\AppData\Local\Temp\a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe
"C:\Users\Admin\AppData\Local\Temp\a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4528

C:\Windows\SysWOW64\Mc.exe
C:\Windows\SysWOW64\Mc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll

MD5
ffa5f4b6b580d53bc311d6e5bace3110

SHA1
d599ca575b995d8de971aed8a64762225bde386d

SHA256
9857e40be1fb5b9b6db93dc03f96f6b3ff0ffab85af7944dddcac0e37775ab02

SHA512
20ac2b2508e931d545e952d29afa5ee8ce6600934e56ff8aee169ee2e1cb7c0d7eb1396c947edb45c31a434bd17ceada0cdfd5ea0c11ce7cc7298cbac4c9ca90

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll

MD5
ffa5f4b6b580d53bc311d6e5bace3110

SHA1
d599ca575b995d8de971aed8a64762225bde386d

SHA256
9857e40be1fb5b9b6db93dc03f96f6b3ff0ffab85af7944dddcac0e37775ab02

SHA512
20ac2b2508e931d545e952d29afa5ee8ce6600934e56ff8aee169ee2e1cb7c0d7eb1396c947edb45c31a434bd17ceada0cdfd5ea0c11ce7cc7298cbac4c9ca90

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll.url

MD5
d41dcdad6e032a4bb75ec02ad83f9ade

SHA1
202eeb63af2dbba617cff13e2f1ca8290d5b34b1

SHA256
c7de4513704c0081e828d9986867e2a8758c6b5312004c442043b9a8c053508c

SHA512
73f83c40c9c98cc3c60a47e4e903fbfa59d839afb423bf57d0397c8e3de7000c1b664d51b183c14c3d250570ab6987129b13011420016356f35ac0181d4caadf

Download Submit
C:\Windows\SysWOW64\Mc.exe

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
C:\Windows\SysWOW64\Mc.exe

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
C:\Windows\SysWOW64\McUtil.dll

MD5
ffa5f4b6b580d53bc311d6e5bace3110

SHA1
d599ca575b995d8de971aed8a64762225bde386d

SHA256
9857e40be1fb5b9b6db93dc03f96f6b3ff0ffab85af7944dddcac0e37775ab02

SHA512
20ac2b2508e931d545e952d29afa5ee8ce6600934e56ff8aee169ee2e1cb7c0d7eb1396c947edb45c31a434bd17ceada0cdfd5ea0c11ce7cc7298cbac4c9ca90

Download Submit
C:\Windows\SysWOW64\McUtil.dll

MD5
ffa5f4b6b580d53bc311d6e5bace3110

SHA1
d599ca575b995d8de971aed8a64762225bde386d

SHA256
9857e40be1fb5b9b6db93dc03f96f6b3ff0ffab85af7944dddcac0e37775ab02

SHA512
20ac2b2508e931d545e952d29afa5ee8ce6600934e56ff8aee169ee2e1cb7c0d7eb1396c947edb45c31a434bd17ceada0cdfd5ea0c11ce7cc7298cbac4c9ca90

Download Submit
C:\Windows\SysWOW64\McUtil.dll.url

MD5
d41dcdad6e032a4bb75ec02ad83f9ade

SHA1
202eeb63af2dbba617cff13e2f1ca8290d5b34b1

SHA256
c7de4513704c0081e828d9986867e2a8758c6b5312004c442043b9a8c053508c

SHA512
73f83c40c9c98cc3c60a47e4e903fbfa59d839afb423bf57d0397c8e3de7000c1b664d51b183c14c3d250570ab6987129b13011420016356f35ac0181d4caadf

Download Submit
memory/1348-143-0x0000000000D70000-0x0000000000D97000-memory.dmp

Filesize
156KB

Download
memory/4528-140-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/4528-141-0x0000000002090000-0x0000000002190000-memory.dmp

Filesize
1024KB

Download
memory/4528-142-0x00000000021C0000-0x00000000021E7000-memory.dmp

Filesize
156KB

Download