plugx | 6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953

Analysis

max time kernel
35s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
29-03-2022 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe
Size

64.4MB
MD5

028995dd1c2fef9d3d2670d681240a16
SHA1

3d9f44d18412e37ee80a9a392b5192623dd07a8b
SHA256

6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953
SHA512

0aa547dec1fc0e5560db8559ce0f9b7c54dcb4d3a32eabc88c4d4d9168324545cef6730a38d9b1466d3d8b3ee198ddcd8c20c0c8f3490fc096c59fcb7076e574

Score

10^/10

plugx discovery persistence trojan

Malware Config

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

PlugX Rat Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Routes\nw.dll	PlugX
C:\Users\Admin\AppData\Roaming\Routes\nw.dll	PlugX

Executes dropped EXE 1 IoCs

Processes:

Routes.exe

pid process

1852 Routes.exe

pid	process
1852	Routes.exe

Loads dropped DLL 9 IoCs

Processes:

6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exeRoutes.exe

pid	process
5100	6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe
5100	6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe
5100	6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe
5100	6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe
1852	Routes.exe
5100	6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe
1852	Routes.exe
1852	Routes.exe
5100	6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Routes = "C:\\Users\\Admin\\AppData\\Roaming\\Routes\\Routes.exe --oVWJq23b"	6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe

description	pid	process	target process
PID 5100 wrote to memory of 1852	5100	6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe	Routes.exe
PID 5100 wrote to memory of 1852	5100	6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe	Routes.exe

C:\Users\Admin\AppData\Local\Temp\6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe
"C:\Users\Admin\AppData\Local\Temp\6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5100

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" "--oVWJq23b"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsx6ADF.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx6ADF.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx6ADF.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx6ADF.tmp\INetC.dll
Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx6ADF.tmp\NsisCrypt.dll
Filesize
15KB

MD5
a3e9024e53c55893b1e4f62a2bd93ca8

SHA1
aa289e93d68bd15bfcdec3bb00cf1ef930074a1e

SHA256
7183cf34924885dbadb7f3af7f1b788f23b337144ab69cd0d89a5134a74263ad

SHA512
a124cf63e9db33de10fda6ba0c78cbb366d9cc7ef26f90031dba03c111dfdcd4a9bd378e1075211fd12e63da2beffa973f8c3f5b283be5debb06e820aa02750b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx6ADF.tmp\System.dll
Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
Filesize
11.8MB

MD5
21d576908f453edf021aa530e722b326

SHA1
d88d7ff3db017b86dc0c97120718c9672e12f2da

SHA256
d7e1e0f54ba52510489aaa75b005bc80412989288075f28532229b33fdeb2980

SHA512
5ec7431b87c85d1e5c514ef0f9725fe4bb166d2dcc052f25808a95645c453b4ab3c39745ec396af66c2b84c85bd64c3ef0088aa629010e482f1d7b015951c47e

Download Submit
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
Filesize
11.8MB

MD5
21d576908f453edf021aa530e722b326

SHA1
d88d7ff3db017b86dc0c97120718c9672e12f2da

SHA256
d7e1e0f54ba52510489aaa75b005bc80412989288075f28532229b33fdeb2980

SHA512
5ec7431b87c85d1e5c514ef0f9725fe4bb166d2dcc052f25808a95645c453b4ab3c39745ec396af66c2b84c85bd64c3ef0088aa629010e482f1d7b015951c47e

Download Submit
C:\Users\Admin\AppData\Roaming\Routes\ffmpeg.dll
Filesize
1.7MB

MD5
0644850e99415a97cab58768d748882a

SHA1
cb499d7e6e63c0486cfdafa7ffe1b8a2335e1f6a

SHA256
935fcb56f2451633061a0418b8f65d966de2d2688788eac1ca8419ae5c5752c0

SHA512
88241c79023583c5baa1f931f14286c25ae583552ab2e881f4ed5c1208679ac11d98c9d4452525289db9ecae4aa663819ce7a923094d5d872bd4a0b2f79ac448

Download Submit
C:\Users\Admin\AppData\Roaming\Routes\ffmpeg.dll
Filesize
1.7MB

MD5
0644850e99415a97cab58768d748882a

SHA1
cb499d7e6e63c0486cfdafa7ffe1b8a2335e1f6a

SHA256
935fcb56f2451633061a0418b8f65d966de2d2688788eac1ca8419ae5c5752c0

SHA512
88241c79023583c5baa1f931f14286c25ae583552ab2e881f4ed5c1208679ac11d98c9d4452525289db9ecae4aa663819ce7a923094d5d872bd4a0b2f79ac448

Download Submit
C:\Users\Admin\AppData\Roaming\Routes\nw.dll
Filesize
141.9MB

MD5
1f05c1781050415f90f28bc960f69a7b

SHA1
3f148269bd26e5b598cbfe4aa50139e67747b282

SHA256
39b11a34a235038b943b043de6dd8ca1d16182f934cff74cd7b2967ae8c7bb19

SHA512
64169f010c9e42c4dba068d5f2da762537cb2094483a55c6de2a304d0dbbff5462ff40afd889571227b8844256999dfb4277d4029b2292d22347641b27ff78dd

Download Submit
C:\Users\Admin\AppData\Roaming\Routes\nw.dll
Filesize
141.9MB

MD5
1f05c1781050415f90f28bc960f69a7b

SHA1
3f148269bd26e5b598cbfe4aa50139e67747b282

SHA256
39b11a34a235038b943b043de6dd8ca1d16182f934cff74cd7b2967ae8c7bb19

SHA512
64169f010c9e42c4dba068d5f2da762537cb2094483a55c6de2a304d0dbbff5462ff40afd889571227b8844256999dfb4277d4029b2292d22347641b27ff78dd

Download Submit
C:\Users\Admin\AppData\Roaming\Routes\nw_elf.dll
Filesize
910KB

MD5
493a0d17daaa2f1a0c2e5723ed748e05

SHA1
316f77ac6e8aea60e76ebd4bbbe4ff5c65a59ae4

SHA256
a0f65b98cf5425335345c736fd026d5cf8984283e402dc746092c1edd7f4ebd7

SHA512
7c87e1cf803dbe785f58be5f633c19e00d0c61f3a7759e5da3a90cc5e97165d833866872c50a0a52e42b80056a98e1020d02cd6c8f81efe4e76452f20a139f84

Download Submit
C:\Users\Admin\AppData\Roaming\Routes\nw_elf.dll
Filesize
910KB

MD5
493a0d17daaa2f1a0c2e5723ed748e05

SHA1
316f77ac6e8aea60e76ebd4bbbe4ff5c65a59ae4

SHA256
a0f65b98cf5425335345c736fd026d5cf8984283e402dc746092c1edd7f4ebd7

SHA512
7c87e1cf803dbe785f58be5f633c19e00d0c61f3a7759e5da3a90cc5e97165d833866872c50a0a52e42b80056a98e1020d02cd6c8f81efe4e76452f20a139f84

Download Submit
memory/1852-133-0x0000000000000000-mapping.dmp

Download