plugx | d7081c02c19718ed94ef3154ede0d045c50ba7d9e7653b7b5c589ac1a0b36f81

Resubmissions

05-12-2022 19:46

221205-ygyhfsdd5s 7

18-03-2022 13:00

220318-p8sxlshfg2 10

Analysis

max time kernel
4294295s
max time network
242s
platform
windows7_x64
resource
win7-20220310-en
submitted
18-03-2022 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

software_reporter_tool.exe
Size

13.9MB
MD5

3dcd45838971b3e51d01e62c09d36e08
SHA1

9884fc2f1ed03043d5a6aa5f59625b7a0cad4c2a
SHA256

d7081c02c19718ed94ef3154ede0d045c50ba7d9e7653b7b5c589ac1a0b36f81
SHA512

6e2b5e3b75bd872bd01c6b8feaea76aea733f75320e4b88877ef1aae061d37ac0de82943502c2c575f67dcd77961bba506d5f16489bd33b8aa621e472fe648fa

Score

10^/10

plugx discovery trojan

Malware Config

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

PlugX Rat Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000131ce-89.dat	PlugX
behavioral1/files/0x00070000000131ce-82.dat	PlugX

Loads dropped DLL 7 IoCs

pid	Process
1948	software_reporter_tool.exe
1948	software_reporter_tool.exe
1948	software_reporter_tool.exe
1948	software_reporter_tool.exe
1948	software_reporter_tool.exe
1948	software_reporter_tool.exe
1948	software_reporter_tool.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1712	software_reporter_tool.exe
1712	software_reporter_tool.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	308	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	308	software_reporter_tool.exe
Token: 33	1712	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1712	software_reporter_tool.exe
Token: 33	1948	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1948	software_reporter_tool.exe
Token: 33	1668	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1668	software_reporter_tool.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 308	1712	software_reporter_tool.exe	27
PID 1712 wrote to memory of 308	1712	software_reporter_tool.exe	27
PID 1712 wrote to memory of 308	1712	software_reporter_tool.exe	27
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1948	1712	software_reporter_tool.exe	28
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29
PID 1712 wrote to memory of 1668	1712	software_reporter_tool.exe	29

C:\Users\Admin\AppData\Local\Temp\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Temp\software_reporter_tool.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- \??\c:\users\admin\appdata\local\temp\software_reporter_tool.exe
  c:\users\admin\appdata\local\temp\software_reporter_tool.exe --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=99.279.200 --initial-client-data=0x160,0x164,0x168,0x134,0x16c,0x13ff725a0,0x13ff725b0,0x13ff725c0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:308
- \??\c:\users\admin\appdata\local\temp\software_reporter_tool.exe
  "c:\users\admin\appdata\local\temp\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_1712_YEUCCDVMTFECGAPF" --sandboxed-process-id=2 --init-done-notifier=484 --sandbox-mojo-pipe-token=4170110093468989769 --mojo-platform-channel-handle=452 --engine=2
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- \??\c:\users\admin\appdata\local\temp\software_reporter_tool.exe
  "c:\users\admin\appdata\local\temp\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_1712_YEUCCDVMTFECGAPF" --sandboxed-process-id=3 --init-done-notifier=636 --sandbox-mojo-pipe-token=17242315781746750151 --mojo-platform-channel-handle=632
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1668-107-0x000000013FF77000-0x000000013FF78000-memory.dmp

Filesize
4KB

Download
memory/1668-109-0x000000013FF77000-0x000000013FF78000-memory.dmp

Filesize
4KB

Download
memory/1948-72-0x000000013FF77000-0x000000013FF78000-memory.dmp

Filesize
4KB

Download
memory/1948-74-0x000000013FF77000-0x000000013FF78000-memory.dmp

Filesize
4KB

Download
memory/1948-115-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/1948-116-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download