plugx | 2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7

General

Target

2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe
Size

106KB
MD5

ef597052379d2cd098641c3c167bdd73
SHA1

22f037904c15335f912e3a0c34050accc6d82ad9
SHA256

2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7
SHA512

fd02c58016173eb4095a4f8b138ad84d934fd4a9c94bf43baf298ff179558c304b822e5bff68427317fc6b5c62728eef738c1d122394de751d2c84833163d06a

Score

10^/10

plugx trojan

Malware Config

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

PlugX Rat Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/792-64-0x00000000002C0000-0x00000000002E9000-memory.dmp	PlugX
behavioral1/memory/1964-65-0x0000000000200000-0x0000000000229000-memory.dmp	PlugX
behavioral1/memory/2008-77-0x0000000000150000-0x0000000000179000-memory.dmp	PlugX
behavioral1/memory/980-78-0x0000000000210000-0x0000000000239000-memory.dmp	PlugX
behavioral1/memory/860-87-0x0000000000270000-0x0000000000299000-memory.dmp	PlugX

Executes dropped EXE 1 IoCs

Processes:

SxS.exe

pid process

2008 SxS.exe
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1964 svchost.exe

pid	process
1964	svchost.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 35004600430034004100320041003800380033003300430037004300310038000000	svchost.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SxS.exesvchost.exemsiexec.exe

pid	process
2008	SxS.exe
980	svchost.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
980	svchost.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
980	svchost.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
980	svchost.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
980	svchost.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
980	svchost.exe
980	svchost.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
980	svchost.exe
980	svchost.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
980	svchost.exe
980	svchost.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exemsiexec.exe

pid process

980 svchost.exe
860 msiexec.exe

pid	process
980	svchost.exe
860	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exesvchost.exeSxS.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe
Token: SeTcbPrivilege	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe
Token: SeDebugPrivilege	1964	svchost.exe
Token: SeTcbPrivilege	1964	svchost.exe
Token: SeDebugPrivilege	2008	SxS.exe
Token: SeTcbPrivilege	2008	SxS.exe
Token: SeDebugPrivilege	980	svchost.exe
Token: SeTcbPrivilege	980	svchost.exe
Token: SeDebugPrivilege	860	msiexec.exe
Token: SeTcbPrivilege	860	msiexec.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exeSxS.exesvchost.exe

description	pid	process	target process
PID 792 wrote to memory of 1964	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe	svchost.exe
PID 792 wrote to memory of 1964	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe	svchost.exe
PID 792 wrote to memory of 1964	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe	svchost.exe
PID 792 wrote to memory of 1964	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe	svchost.exe
PID 792 wrote to memory of 1964	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe	svchost.exe
PID 792 wrote to memory of 1964	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe	svchost.exe
PID 792 wrote to memory of 1964	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe	svchost.exe
PID 792 wrote to memory of 1964	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe	svchost.exe
PID 792 wrote to memory of 1964	792	2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe	svchost.exe
PID 2008 wrote to memory of 980	2008	SxS.exe	svchost.exe
PID 2008 wrote to memory of 980	2008	SxS.exe	svchost.exe
PID 2008 wrote to memory of 980	2008	SxS.exe	svchost.exe
PID 2008 wrote to memory of 980	2008	SxS.exe	svchost.exe
PID 2008 wrote to memory of 980	2008	SxS.exe	svchost.exe
PID 2008 wrote to memory of 980	2008	SxS.exe	svchost.exe
PID 2008 wrote to memory of 980	2008	SxS.exe	svchost.exe
PID 2008 wrote to memory of 980	2008	SxS.exe	svchost.exe
PID 2008 wrote to memory of 980	2008	SxS.exe	svchost.exe
PID 980 wrote to memory of 860	980	svchost.exe	msiexec.exe
PID 980 wrote to memory of 860	980	svchost.exe	msiexec.exe
PID 980 wrote to memory of 860	980	svchost.exe	msiexec.exe
PID 980 wrote to memory of 860	980	svchost.exe	msiexec.exe
PID 980 wrote to memory of 860	980	svchost.exe	msiexec.exe
PID 980 wrote to memory of 860	980	svchost.exe	msiexec.exe
PID 980 wrote to memory of 860	980	svchost.exe	msiexec.exe
PID 980 wrote to memory of 860	980	svchost.exe	msiexec.exe
PID 980 wrote to memory of 860	980	svchost.exe	msiexec.exe
PID 980 wrote to memory of 860	980	svchost.exe	msiexec.exe
PID 980 wrote to memory of 860	980	svchost.exe	msiexec.exe
PID 980 wrote to memory of 860	980	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe
"C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 100 792
2⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\ProgramData\NVIDIASmart\SxS.exe
"C:\ProgramData\NVIDIASmart\SxS.exe" 200 0
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 980
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NVIDIASmart\SxS.exe
Filesize
106KB

MD5
ef597052379d2cd098641c3c167bdd73

SHA1
22f037904c15335f912e3a0c34050accc6d82ad9

SHA256
2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7

SHA512
fd02c58016173eb4095a4f8b138ad84d934fd4a9c94bf43baf298ff179558c304b822e5bff68427317fc6b5c62728eef738c1d122394de751d2c84833163d06a

Download Submit
memory/792-55-0x00000000758A1000-0x00000000758A3000-memory.dmp

Filesize
8KB

Download
memory/792-64-0x00000000002C0000-0x00000000002E9000-memory.dmp

Filesize
164KB

Download
memory/792-54-0x00000000000E0000-0x00000000000FA000-memory.dmp

Filesize
104KB

Download
memory/860-87-0x0000000000270000-0x0000000000299000-memory.dmp

Filesize
164KB

Download
memory/860-85-0x0000000000000000-mapping.dmp

Download
memory/980-75-0x0000000000000000-mapping.dmp

Download
memory/980-78-0x0000000000210000-0x0000000000239000-memory.dmp

Filesize
164KB

Download
memory/1964-65-0x0000000000200000-0x0000000000229000-memory.dmp

Filesize
164KB

Download
memory/1964-62-0x0000000000000000-mapping.dmp

Download
memory/1964-59-0x00000000000E0000-0x00000000000F9000-memory.dmp

Filesize
100KB

Download
memory/1964-56-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2008-77-0x0000000000150000-0x0000000000179000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads