plugx | 2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7

Analysis

max time kernel
4294661s
max time network
366s
platform
windows7_x64
resource
win7-20220310-en
submitted
30-03-2022 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe
Size

106KB
MD5

ef597052379d2cd098641c3c167bdd73
SHA1

22f037904c15335f912e3a0c34050accc6d82ad9
SHA256

2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7
SHA512

fd02c58016173eb4095a4f8b138ad84d934fd4a9c94bf43baf298ff179558c304b822e5bff68427317fc6b5c62728eef738c1d122394de751d2c84833163d06a

Score

10^/10

plugx trojan

Malware Config

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

PlugX Rat Payload 5 IoCs

resource	yara_rule
behavioral1/memory/792-64-0x00000000002C0000-0x00000000002E9000-memory.dmp	PlugX
behavioral1/memory/1964-65-0x0000000000200000-0x0000000000229000-memory.dmp	PlugX
behavioral1/memory/2008-77-0x0000000000150000-0x0000000000179000-memory.dmp	PlugX
behavioral1/memory/980-78-0x0000000000210000-0x0000000000239000-memory.dmp	PlugX
behavioral1/memory/860-87-0x0000000000270000-0x0000000000299000-memory.dmp	PlugX

Executes dropped EXE 1 IoCs

pid	Process
2008	SxS.exe

Deletes itself 1 IoCs

pid	Process
1964	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 35004600430034004100320041003800380033003300430037004300310038000000	svchost.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2008	SxS.exe
980	svchost.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
980	svchost.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
980	svchost.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
980	svchost.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
980	svchost.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
980	svchost.exe
980	svchost.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
980	svchost.exe
980	svchost.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
980	svchost.exe
980	svchost.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
980	svchost.exe
860	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe
Token: SeTcbPrivilege	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe
Token: SeDebugPrivilege	1964	svchost.exe
Token: SeTcbPrivilege	1964	svchost.exe
Token: SeDebugPrivilege	2008	SxS.exe
Token: SeTcbPrivilege	2008	SxS.exe
Token: SeDebugPrivilege	980	svchost.exe
Token: SeTcbPrivilege	980	svchost.exe
Token: SeDebugPrivilege	860	msiexec.exe
Token: SeTcbPrivilege	860	msiexec.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 1964	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe	27
PID 792 wrote to memory of 1964	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe	27
PID 792 wrote to memory of 1964	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe	27
PID 792 wrote to memory of 1964	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe	27
PID 792 wrote to memory of 1964	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe	27
PID 792 wrote to memory of 1964	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe	27
PID 792 wrote to memory of 1964	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe	27
PID 792 wrote to memory of 1964	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe	27
PID 792 wrote to memory of 1964	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe	27
PID 2008 wrote to memory of 980	2008	SxS.exe	29
PID 2008 wrote to memory of 980	2008	SxS.exe	29
PID 2008 wrote to memory of 980	2008	SxS.exe	29
PID 2008 wrote to memory of 980	2008	SxS.exe	29
PID 2008 wrote to memory of 980	2008	SxS.exe	29
PID 2008 wrote to memory of 980	2008	SxS.exe	29
PID 2008 wrote to memory of 980	2008	SxS.exe	29
PID 2008 wrote to memory of 980	2008	SxS.exe	29
PID 2008 wrote to memory of 980	2008	SxS.exe	29
PID 980 wrote to memory of 860	980	svchost.exe	30
PID 980 wrote to memory of 860	980	svchost.exe	30
PID 980 wrote to memory of 860	980	svchost.exe	30
PID 980 wrote to memory of 860	980	svchost.exe	30
PID 980 wrote to memory of 860	980	svchost.exe	30
PID 980 wrote to memory of 860	980	svchost.exe	30
PID 980 wrote to memory of 860	980	svchost.exe	30
PID 980 wrote to memory of 860	980	svchost.exe	30
PID 980 wrote to memory of 860	980	svchost.exe	30
PID 980 wrote to memory of 860	980	svchost.exe	30
PID 980 wrote to memory of 860	980	svchost.exe	30
PID 980 wrote to memory of 860	980	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe
"C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 100 792
  2⤵
  - Deletes itself
  - Suspicious use of AdjustPrivilegeToken
  PID:1964

C:\ProgramData\NVIDIASmart\SxS.exe
"C:\ProgramData\NVIDIASmart\SxS.exe" 200 0
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 980
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NVIDIASmart\SxS.exe

Filesize
106KB

MD5
ef597052379d2cd098641c3c167bdd73

SHA1
22f037904c15335f912e3a0c34050accc6d82ad9

SHA256
2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7

SHA512
fd02c58016173eb4095a4f8b138ad84d934fd4a9c94bf43baf298ff179558c304b822e5bff68427317fc6b5c62728eef738c1d122394de751d2c84833163d06a

Download Submit
memory/792-55-0x00000000758A1000-0x00000000758A3000-memory.dmp

Filesize
8KB

Download
memory/792-64-0x00000000002C0000-0x00000000002E9000-memory.dmp

Filesize
164KB

Download
memory/792-54-0x00000000000E0000-0x00000000000FA000-memory.dmp

Filesize
104KB

Download
memory/860-87-0x0000000000270000-0x0000000000299000-memory.dmp

Filesize
164KB

Download
memory/980-78-0x0000000000210000-0x0000000000239000-memory.dmp

Filesize
164KB

Download
memory/1964-65-0x0000000000200000-0x0000000000229000-memory.dmp

Filesize
164KB

Download
memory/1964-59-0x00000000000E0000-0x00000000000F9000-memory.dmp

Filesize
100KB

Download
memory/1964-56-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2008-77-0x0000000000150000-0x0000000000179000-memory.dmp

Filesize
164KB

Download