plugx | a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3

Resubmissions

24-02-2022 11:14

220224-nb4r6schd4 10

22-02-2022 08:33

220222-kfyj6sfggn 8

Analysis

max time kernel
132s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
24-02-2022 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe
Size

267KB
MD5

e99b341dfd3147e5bbb385e7cc5e5e17
SHA1

e5d152281a61be6db5f3d8d42d985210c4faf283
SHA256

a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3
SHA512

74d9a6d521dcc6a74c47511185efa3d026d72ee03e4986fb700c1c0555a5511cc7f2c85de9ad2da6373683f3578275c3f7561f664115bfaa054be32b05bcd14c

Score

10^/10

plugx trojan

Malware Config

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

PlugX Rat Payload 2 IoCs

resource	yara_rule
behavioral3/memory/4528-142-0x00000000021C0000-0x00000000021E7000-memory.dmp	PlugX
behavioral3/memory/1348-143-0x0000000000D70000-0x0000000000D97000-memory.dmp	PlugX

Executes dropped EXE 2 IoCs

pid	Process
4528	Mc.exe
1348	Mc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe

Loads dropped DLL 2 IoCs

pid	Process
4528	Mc.exe
1348	Mc.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\McUtil.dll.url	Mc.exe
File opened for modification	C:\Windows\SysWOW64\Mc.exe	Mc.exe
File created	C:\Windows\SysWOW64\Mc.exe	Mc.exe
File opened for modification	C:\Windows\SysWOW64\McUtil.dll	Mc.exe
File created	C:\Windows\SysWOW64\McUtil.dll	Mc.exe
File opened for modification	C:\Windows\SysWOW64\McUtil.dll	Mc.exe
File created	C:\Windows\SysWOW64\McUtil.dll	Mc.exe
File opened for modification	C:\Windows\SysWOW64\McUtil.dll.url	Mc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	Mc.exe
File opened for modification	C:\Windows\SysWOW64	Mc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4528	Mc.exe
Token: SeTcbPrivilege	4528	Mc.exe
Token: SeDebugPrivilege	1348	Mc.exe
Token: SeTcbPrivilege	1348	Mc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 4528	1872	a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe	83
PID 1872 wrote to memory of 4528	1872	a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe	83
PID 1872 wrote to memory of 4528	1872	a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe	83

C:\Users\Admin\AppData\Local\Temp\a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe
"C:\Users\Admin\AppData\Local\Temp\a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4528

C:\Windows\SysWOW64\Mc.exe
C:\Windows\SysWOW64\Mc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1348-143-0x0000000000D70000-0x0000000000D97000-memory.dmp

Filesize
156KB

Download
memory/4528-140-0x0000000000402000-0x0000000000403000-memory.dmp

Filesize
4KB

Download
memory/4528-141-0x0000000002090000-0x0000000002190000-memory.dmp

Filesize
1024KB

Download
memory/4528-142-0x00000000021C0000-0x00000000021E7000-memory.dmp

Filesize
156KB

Download