plugx | d7081c02c19718ed94ef3154ede0d045c50ba7d9e7653b7b5c589ac1a0b36f81

Resubmissions

05-12-2022 19:46

221205-ygyhfsdd5s 7

18-03-2022 13:00

220318-p8sxlshfg2 10

Analysis

max time kernel
215s
max time network
268s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
18-03-2022 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

software_reporter_tool.exe
Size

13.9MB
MD5

3dcd45838971b3e51d01e62c09d36e08
SHA1

9884fc2f1ed03043d5a6aa5f59625b7a0cad4c2a
SHA256

d7081c02c19718ed94ef3154ede0d045c50ba7d9e7653b7b5c589ac1a0b36f81
SHA512

6e2b5e3b75bd872bd01c6b8feaea76aea733f75320e4b88877ef1aae061d37ac0de82943502c2c575f67dcd77961bba506d5f16489bd33b8aa621e472fe648fa

Score

10^/10

plugx discovery trojan

Malware Config

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

PlugX Rat Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e7c9-140.dat	PlugX
behavioral2/files/0x000400000001e7c9-147.dat	PlugX

Loads dropped DLL 7 IoCs

pid	Process
2376	software_reporter_tool.exe
2376	software_reporter_tool.exe
2376	software_reporter_tool.exe
2376	software_reporter_tool.exe
2376	software_reporter_tool.exe
2376	software_reporter_tool.exe
2376	software_reporter_tool.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3248	2376	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1556	software_reporter_tool.exe
1556	software_reporter_tool.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	1660	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1660	software_reporter_tool.exe
Token: 33	1556	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1556	software_reporter_tool.exe
Token: 33	2376	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2376	software_reporter_tool.exe
Token: 33	3768	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	3768	software_reporter_tool.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 1660	1556	software_reporter_tool.exe	79
PID 1556 wrote to memory of 1660	1556	software_reporter_tool.exe	79
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 2376	1556	software_reporter_tool.exe	80
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81
PID 1556 wrote to memory of 3768	1556	software_reporter_tool.exe	81

C:\Users\Admin\AppData\Local\Temp\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Temp\software_reporter_tool.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556
- \??\c:\users\admin\appdata\local\temp\software_reporter_tool.exe
  c:\users\admin\appdata\local\temp\software_reporter_tool.exe --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=99.279.200 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff69f6325a0,0x7ff69f6325b0,0x7ff69f6325c0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- \??\c:\users\admin\appdata\local\temp\software_reporter_tool.exe
  "c:\users\admin\appdata\local\temp\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_1556_ENZIMXYSNHWAENXD" --sandboxed-process-id=2 --init-done-notifier=776 --sandbox-mojo-pipe-token=5279705736548596164 --mojo-platform-channel-handle=728 --engine=2
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2376 -s 920
    3⤵
    - Program crash
    PID:3248
- \??\c:\users\admin\appdata\local\temp\software_reporter_tool.exe
  "c:\users\admin\appdata\local\temp\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_1556_ENZIMXYSNHWAENXD" --sandboxed-process-id=3 --init-done-notifier=996 --sandbox-mojo-pipe-token=3211349759538745348 --mojo-platform-channel-handle=992
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3768

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 2376 -ip 2376
1⤵
PID:2872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2376-132-0x00007FF955970000-0x00007FF955971000-memory.dmp

Filesize
4KB

Download
memory/2376-133-0x00007FF955D50000-0x00007FF955D51000-memory.dmp

Filesize
4KB

Download
memory/2376-155-0x00000249B07B0000-0x00000249B07B1000-memory.dmp

Filesize
4KB

Download
memory/2376-156-0x00000249B06F0000-0x00000249B06F1000-memory.dmp

Filesize
4KB

Download