plugx | 006ebd7e4486117e1abda8cfa34ccff0000e848b83f3734cf7eb43df8b41850e

Analysis

max time kernel
66s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
28-03-2022 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

006ebd7e4486117e1abda8cfa34ccff0000e848b83f3734cf7eb43df8b41850e.exe
Size

64.5MB
MD5

25d20fa758f25f8a7152cd20fb1df53d
SHA1

26d29af063ab67b9dabccf174ab8a410c1d17f3a
SHA256

006ebd7e4486117e1abda8cfa34ccff0000e848b83f3734cf7eb43df8b41850e
SHA512

5fa79509e48fa56f5fd77ca9046a3490bd79a3475d32488b9a280e973040805598c6da77370c016555f8a4a6319e34b010e7ee7ad46d19faec53a3b72d5af24c

Score

10^/10

plugx discovery persistence trojan

Malware Config

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

PlugX Rat Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Routes\nw.dll	PlugX
C:\Users\Admin\AppData\Roaming\Routes\nw.dll	PlugX

Executes dropped EXE 1 IoCs

Processes:

Routes.exe

pid process

4180 Routes.exe

pid	process
4180	Routes.exe

Loads dropped DLL 9 IoCs

Processes:

006ebd7e4486117e1abda8cfa34ccff0000e848b83f3734cf7eb43df8b41850e.exeRoutes.exe

pid	process
4568	006ebd7e4486117e1abda8cfa34ccff0000e848b83f3734cf7eb43df8b41850e.exe
4568	006ebd7e4486117e1abda8cfa34ccff0000e848b83f3734cf7eb43df8b41850e.exe
4568	006ebd7e4486117e1abda8cfa34ccff0000e848b83f3734cf7eb43df8b41850e.exe
4568	006ebd7e4486117e1abda8cfa34ccff0000e848b83f3734cf7eb43df8b41850e.exe
4180	Routes.exe
4568	006ebd7e4486117e1abda8cfa34ccff0000e848b83f3734cf7eb43df8b41850e.exe
4180	Routes.exe
4180	Routes.exe
4568	006ebd7e4486117e1abda8cfa34ccff0000e848b83f3734cf7eb43df8b41850e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

006ebd7e4486117e1abda8cfa34ccff0000e848b83f3734cf7eb43df8b41850e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Routes = "C:\\Users\\Admin\\AppData\\Roaming\\Routes\\Routes.exe --oVWJq23b"	006ebd7e4486117e1abda8cfa34ccff0000e848b83f3734cf7eb43df8b41850e.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	006ebd7e4486117e1abda8cfa34ccff0000e848b83f3734cf7eb43df8b41850e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

006ebd7e4486117e1abda8cfa34ccff0000e848b83f3734cf7eb43df8b41850e.exe

description	pid	process	target process
PID 4568 wrote to memory of 4180	4568	006ebd7e4486117e1abda8cfa34ccff0000e848b83f3734cf7eb43df8b41850e.exe	Routes.exe
PID 4568 wrote to memory of 4180	4568	006ebd7e4486117e1abda8cfa34ccff0000e848b83f3734cf7eb43df8b41850e.exe	Routes.exe

C:\Users\Admin\AppData\Local\Temp\006ebd7e4486117e1abda8cfa34ccff0000e848b83f3734cf7eb43df8b41850e.exe
"C:\Users\Admin\AppData\Local\Temp\006ebd7e4486117e1abda8cfa34ccff0000e848b83f3734cf7eb43df8b41850e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4568

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" "--oVWJq23b"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy6050.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6050.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6050.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6050.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6050.tmp\NsisCrypt.dll
Filesize
15KB

MD5
a3e9024e53c55893b1e4f62a2bd93ca8

SHA1
aa289e93d68bd15bfcdec3bb00cf1ef930074a1e

SHA256
7183cf34924885dbadb7f3af7f1b788f23b337144ab69cd0d89a5134a74263ad

SHA512
a124cf63e9db33de10fda6ba0c78cbb366d9cc7ef26f90031dba03c111dfdcd4a9bd378e1075211fd12e63da2beffa973f8c3f5b283be5debb06e820aa02750b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6050.tmp\System.dll
Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
Filesize
11.8MB

MD5
03db282621381f812ab3b7bce00ed0f3

SHA1
32dcc29142b99b4b3f281714519f68b4a7163bab

SHA256
52c1b987b954b124fbd5fe9baa712ccf2a340c32449e29ef3dab7cfa5beccab4

SHA512
b5b06996a517c05ed48e10d32850af3677b7c778dce675338f8bbcc7d43665c711e1fb9dfeb534eb4b35aff37090023ba573c732b6046a29db96073781d1afec

Download Submit
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
Filesize
11.8MB

MD5
03db282621381f812ab3b7bce00ed0f3

SHA1
32dcc29142b99b4b3f281714519f68b4a7163bab

SHA256
52c1b987b954b124fbd5fe9baa712ccf2a340c32449e29ef3dab7cfa5beccab4

SHA512
b5b06996a517c05ed48e10d32850af3677b7c778dce675338f8bbcc7d43665c711e1fb9dfeb534eb4b35aff37090023ba573c732b6046a29db96073781d1afec

Download Submit
C:\Users\Admin\AppData\Roaming\Routes\ffmpeg.dll
Filesize
1.7MB

MD5
0644850e99415a97cab58768d748882a

SHA1
cb499d7e6e63c0486cfdafa7ffe1b8a2335e1f6a

SHA256
935fcb56f2451633061a0418b8f65d966de2d2688788eac1ca8419ae5c5752c0

SHA512
88241c79023583c5baa1f931f14286c25ae583552ab2e881f4ed5c1208679ac11d98c9d4452525289db9ecae4aa663819ce7a923094d5d872bd4a0b2f79ac448

Download Submit
C:\Users\Admin\AppData\Roaming\Routes\ffmpeg.dll
Filesize
1.7MB

MD5
0644850e99415a97cab58768d748882a

SHA1
cb499d7e6e63c0486cfdafa7ffe1b8a2335e1f6a

SHA256
935fcb56f2451633061a0418b8f65d966de2d2688788eac1ca8419ae5c5752c0

SHA512
88241c79023583c5baa1f931f14286c25ae583552ab2e881f4ed5c1208679ac11d98c9d4452525289db9ecae4aa663819ce7a923094d5d872bd4a0b2f79ac448

Download Submit
C:\Users\Admin\AppData\Roaming\Routes\nw.dll
Filesize
141.9MB

MD5
1f05c1781050415f90f28bc960f69a7b

SHA1
3f148269bd26e5b598cbfe4aa50139e67747b282

SHA256
39b11a34a235038b943b043de6dd8ca1d16182f934cff74cd7b2967ae8c7bb19

SHA512
64169f010c9e42c4dba068d5f2da762537cb2094483a55c6de2a304d0dbbff5462ff40afd889571227b8844256999dfb4277d4029b2292d22347641b27ff78dd

Download Submit
C:\Users\Admin\AppData\Roaming\Routes\nw.dll
Filesize
141.9MB

MD5
1f05c1781050415f90f28bc960f69a7b

SHA1
3f148269bd26e5b598cbfe4aa50139e67747b282

SHA256
39b11a34a235038b943b043de6dd8ca1d16182f934cff74cd7b2967ae8c7bb19

SHA512
64169f010c9e42c4dba068d5f2da762537cb2094483a55c6de2a304d0dbbff5462ff40afd889571227b8844256999dfb4277d4029b2292d22347641b27ff78dd

Download Submit
C:\Users\Admin\AppData\Roaming\Routes\nw_elf.dll
Filesize
910KB

MD5
493a0d17daaa2f1a0c2e5723ed748e05

SHA1
316f77ac6e8aea60e76ebd4bbbe4ff5c65a59ae4

SHA256
a0f65b98cf5425335345c736fd026d5cf8984283e402dc746092c1edd7f4ebd7

SHA512
7c87e1cf803dbe785f58be5f633c19e00d0c61f3a7759e5da3a90cc5e97165d833866872c50a0a52e42b80056a98e1020d02cd6c8f81efe4e76452f20a139f84

Download Submit
C:\Users\Admin\AppData\Roaming\Routes\nw_elf.dll
Filesize
910KB

MD5
493a0d17daaa2f1a0c2e5723ed748e05

SHA1
316f77ac6e8aea60e76ebd4bbbe4ff5c65a59ae4

SHA256
a0f65b98cf5425335345c736fd026d5cf8984283e402dc746092c1edd7f4ebd7

SHA512
7c87e1cf803dbe785f58be5f633c19e00d0c61f3a7759e5da3a90cc5e97165d833866872c50a0a52e42b80056a98e1020d02cd6c8f81efe4e76452f20a139f84

Download Submit
memory/4180-133-0x0000000000000000-mapping.dmp

Download