plugx | hxxps://download[.]nutanix[.]com/Foundation/5[.]1[.]1/foundation-5[.]1[.]1-windows[.]msi?Expires=1647317017618&Key-Pair-Id=APKAJTTNCWPEI42QKMSA&Signature=G-MEsjjAR8ynl~LpkXPKS3R0s4kj0q1Owu7DO~Jq2QashOc5n1M0pP883g8mGTNkRA7uIbpCaom1RKSYk0R4xlkD-Pm6MFdjnZbXwQskCcynegYCq7SQV3TYC7~jXRqYbwpQhY4Uox7wUC2pA6zRPFnrCQoyXlnp0Jqyn8M-lNpsdSp2bdTMKDCn4l03LH5nsiZdBmXesNx6bKgmDhZRbxpYWbo56i-8VvSgmkk0DaY21GAs2~oujB~41gFVe-~rfuu4bDVWTqrGNGD--Uz~oLp8A7k4sLm3QM8h0iSHbvclBTmTRdQhc71Wjv3sm8HXxrSeuObaPzmR06wpEjJoFQ__

General

Target

https://download.nutanix.com/Foundation/5.1.1/foundation-5.1.1-windows.msi?Expires=1647317017618&Key-Pair-Id=APKAJTTNCWPEI42QKMSA&Signature=G-MEsjjAR8ynl~LpkXPKS3R0s4kj0q1Owu7DO~Jq2QashOc5n1M0pP883g8mGTNkRA7uIbpCaom1RKSYk0R4xlkD-Pm6MFdjnZbXwQskCcynegYCq7SQV3TYC7~jXRqYbwpQhY4Uox7wUC2pA6zRPFnrCQoyXlnp0Jqyn8M-lNpsdSp2bdTMKDCn4l03LH5nsiZdBmXesNx6bKgmDhZRbxpYWbo56i-8VvSgmkk0DaY21GAs2~oujB~41gFVe-~rfuu4bDVWTqrGNGD--Uz~oLp8A7k4sLm3QM8h0iSHbvclBTmTRdQhc71Wjv3sm8HXxrSeuObaPzmR06wpEjJoFQ__

Score

10^/10

plugx link pdf trojan

Malware Config

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

PlugX Rat Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GC0VJYYE\foundation-5.1.1-windows.msi.6d0mdht.partial	PlugX

Detect jar appended to MSI 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GC0VJYYE\foundation-5.1.1-windows.msi.6d0mdht.partial	jar_in_msi

Patched UPX-packed file 1 IoCs

Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GC0VJYYE\foundation-5.1.1-windows.msi.6d0mdht.partial	patched_upx

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GC0VJYYE\foundation-5.1.1-windows.msi.6d0mdht.partial	pdf_with_link_action

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = a0cc1546ed38d801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "354169443"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{80EC5421-A4E0-11EC-BBED-DA40BCC881D4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msiexec.exe

description pid process

Token: SeShutdownPrivilege 1576 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1576 msiexec.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exemsiexec.exe

pid process

1996 iexplore.exe
1996 iexplore.exe
1576 msiexec.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1996 iexplore.exe
1996 iexplore.exe
1724 IEXPLORE.EXE
1724 IEXPLORE.EXE

description	pid	process
Token: SeShutdownPrivilege	1576	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1576	msiexec.exe

pid	process
1996	iexplore.exe
1996	iexplore.exe
1576	msiexec.exe

pid	process
1996	iexplore.exe
1996	iexplore.exe
1724	IEXPLORE.EXE
1724	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1996 wrote to memory of 1724	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1724	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1724	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1724	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1576	1996	iexplore.exe	msiexec.exe
PID 1996 wrote to memory of 1576	1996	iexplore.exe	msiexec.exe
PID 1996 wrote to memory of 1576	1996	iexplore.exe	msiexec.exe
PID 1996 wrote to memory of 1576	1996	iexplore.exe	msiexec.exe
PID 1996 wrote to memory of 1576	1996	iexplore.exe	msiexec.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://download.nutanix.com/Foundation/5.1.1/foundation-5.1.1-windows.msi?Expires=1647317017618&Key-Pair-Id=APKAJTTNCWPEI42QKMSA&Signature=G-MEsjjAR8ynl~LpkXPKS3R0s4kj0q1Owu7DO~Jq2QashOc5n1M0pP883g8mGTNkRA7uIbpCaom1RKSYk0R4xlkD-Pm6MFdjnZbXwQskCcynegYCq7SQV3TYC7~jXRqYbwpQhY4Uox7wUC2pA6zRPFnrCQoyXlnp0Jqyn8M-lNpsdSp2bdTMKDCn4l03LH5nsiZdBmXesNx6bKgmDhZRbxpYWbo56i-8VvSgmkk0DaY21GAs2~oujB~41gFVe-~rfuu4bDVWTqrGNGD--Uz~oLp8A7k4sLm3QM8h0iSHbvclBTmTRdQhc71Wjv3sm8HXxrSeuObaPzmR06wpEjJoFQ__
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1724

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GC0VJYYE\foundation-5.1.1-windows.msi"
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
c3204dfa2fe898f26335602b34edc1b9

SHA1
004f492206233f6982f2dffb01481f73399b8e9e

SHA256
7b836166676d3c36ecd0ff2cff355a0340872353dbe900b8c1fde2f2fc62a065

SHA512
96aaa34d44912eff6cd22e88fb4ef753070263a61bf3b7ebe4cffda311cded6394b284fd18c122caa68271fcf721f2864d512cfc946e666012137d83e6dd571a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GC0VJYYE\foundation-5.1.1-windows.msi.6d0mdht.partial
MD5
54853d2e8bbb9b615114fb921938bbd6

SHA1
a11614837579da81f7d641c4b84d74e06e806de3

SHA256
b8921576aeff21fcea96ffe581b397fe34aa9094bc09e33e75d09ca2aeeba8e0

SHA512
e9362ba4c064b51154c966112b98e4e7c53b0fafcfe5c5d4a8c73e2c1fa5f8fe634e389e59cd5834035d6527e64682e2073921394f73322a6c978bf45de2428d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OFKPF99F.txt
MD5
76e5c920753e7d18954ba8a0063532ea

SHA1
7d752f5889550dac7e7158fba0891d061f188a44

SHA256
440f271123c5f93253f0ce32106482e94f73bf6a2745c4dad3448a4622bfbcd2

SHA512
51f9385bb31bc2d63048f55c0b7ea9adc09ca01c700ba0799606a40451f0cc65d4385b3ebe4d7842df643ae47b74b1ae8bf88d73b54a0f1f0136bdc9ee232395

Download Submit
memory/1576-57-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads