plugx | 81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20220414-en
submitted
18-04-2022 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe
Size

430KB
MD5

aeb38328ffe5bd3bf5766a8fad075d08
SHA1

cf96c505059f6c384833250bf813f23d8fc6458f
SHA256

81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9
SHA512

87f3b91a974af59179a483eddc519388aa02634ec586028850cdea4dad749b93ba072208cb94fed81ccd704cec55b309725e91ff96302957c939a5571777a582

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 5 IoCs

resource	yara_rule
behavioral1/memory/1224-72-0x0000000000350000-0x0000000000385000-memory.dmp	family_plugx
behavioral1/memory/1608-74-0x00000000001E0000-0x0000000000215000-memory.dmp	family_plugx
behavioral1/memory/268-73-0x0000000000390000-0x00000000003C5000-memory.dmp	family_plugx
behavioral1/memory/700-79-0x0000000000240000-0x0000000000275000-memory.dmp	family_plugx
behavioral1/memory/1128-84-0x0000000000250000-0x0000000000285000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
1224	wsc_proxy.exe
1608	wsc_proxy.exe
268	wsc_proxy.exe

Loads dropped DLL 2 IoCs

pid	Process
1608	wsc_proxy.exe
268	wsc_proxy.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	203.86.234.16
Destination IP	203.86.234.16
Destination IP	203.86.234.16
Destination IP	203.86.234.16

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 39003400340044004100440034003100370041004100410042003400300039000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
700	svchost.exe
700	svchost.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
700	svchost.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
700	svchost.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
700	svchost.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
700	svchost.exe
700	svchost.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
700	svchost.exe
700	svchost.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
700	svchost.exe
700	svchost.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
700	svchost.exe
700	svchost.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
700	svchost.exe
700	svchost.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe
1128	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	wsc_proxy.exe
Token: SeTcbPrivilege	1224	wsc_proxy.exe
Token: SeDebugPrivilege	1608	wsc_proxy.exe
Token: SeTcbPrivilege	1608	wsc_proxy.exe
Token: SeDebugPrivilege	268	wsc_proxy.exe
Token: SeTcbPrivilege	268	wsc_proxy.exe
Token: SeDebugPrivilege	700	svchost.exe
Token: SeTcbPrivilege	700	svchost.exe
Token: SeDebugPrivilege	1128	msiexec.exe
Token: SeTcbPrivilege	1128	msiexec.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1224	2036	81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe	26
PID 2036 wrote to memory of 1224	2036	81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe	26
PID 2036 wrote to memory of 1224	2036	81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe	26
PID 2036 wrote to memory of 1224	2036	81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe	26
PID 2036 wrote to memory of 1224	2036	81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe	26
PID 2036 wrote to memory of 1224	2036	81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe	26
PID 2036 wrote to memory of 1224	2036	81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe	26
PID 268 wrote to memory of 700	268	wsc_proxy.exe	30
PID 268 wrote to memory of 700	268	wsc_proxy.exe	30
PID 268 wrote to memory of 700	268	wsc_proxy.exe	30
PID 268 wrote to memory of 700	268	wsc_proxy.exe	30
PID 268 wrote to memory of 700	268	wsc_proxy.exe	30
PID 268 wrote to memory of 700	268	wsc_proxy.exe	30
PID 268 wrote to memory of 700	268	wsc_proxy.exe	30
PID 268 wrote to memory of 700	268	wsc_proxy.exe	30
PID 268 wrote to memory of 700	268	wsc_proxy.exe	30
PID 700 wrote to memory of 1128	700	svchost.exe	31
PID 700 wrote to memory of 1128	700	svchost.exe	31
PID 700 wrote to memory of 1128	700	svchost.exe	31
PID 700 wrote to memory of 1128	700	svchost.exe	31
PID 700 wrote to memory of 1128	700	svchost.exe	31
PID 700 wrote to memory of 1128	700	svchost.exe	31
PID 700 wrote to memory of 1128	700	svchost.exe	31
PID 700 wrote to memory of 1128	700	svchost.exe	31
PID 700 wrote to memory of 1128	700	svchost.exe	31
PID 700 wrote to memory of 1128	700	svchost.exe	31
PID 700 wrote to memory of 1128	700	svchost.exe	31
PID 700 wrote to memory of 1128	700	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe
"C:\Users\Admin\AppData\Local\Temp\81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\wsc_proxy.exe
  "C:\wsc_proxy.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1224

C:\ProgramData\Avast Software\Avast\wsc_proxy.exe
"C:\ProgramData\Avast Software\Avast\wsc_proxy.exe" 100 1224
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\ProgramData\Avast Software\Avast\wsc_proxy.exe
"C:\ProgramData\Avast Software\Avast\wsc_proxy.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:700
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 700
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Avast\wsc.dll

Filesize
33KB

MD5
a3be5ee9a505a2fc1260521d150cbb19

SHA1
710617c387500735b8aa44ba7ff001fa43a2a16f

SHA256
c664a816771b8d058796bdddbc0554510c430cc7fc98bae5153a21b1797bf39c

SHA512
ea0cda4e543a4838cd9ac258a91b471c6e5ee266b5ef1cca3bb341ab4a8131dcb632ca570c449e6b0aa5cd7e5d59d229e5078965c5f4f7cee1a79cc003f3da0c

Download Submit
C:\ProgramData\Avast Software\Avast\wsc_proxy.dat

Filesize
148KB

MD5
07a9a4b7068d7a4406a00656a762ca55

SHA1
981ef9b7f98b949d16a3b4e6eefe2575dcf784e1

SHA256
e48af8d3a597b947d145e8a2e8e94eff003a5eb8544918955f65ac5af37cd331

SHA512
ae8c7f5a5c7354a1800c47ca7c124982a354fbe2b2a520f6f8a1968d924ff66dd45e5dbe6f2e4048ee53cc21a25b83ff4639b5d4d35918bd48dd4dc140fd7b4e

Download Submit
C:\ProgramData\Avast Software\Avast\wsc_proxy.exe

Filesize
56KB

MD5
c2902be3472adb3014c2bd07f4d4d034

SHA1
bfc6c0eda00da8537fa94b8dead9fd7b2b2436b7

SHA256
1948bb0df11f768d6dd30ae7ecec5550db7c817d09cb31b5e2cee9b86a4047da

SHA512
2ac83a1dd89c6028eab125ca98d078c4df18291eec4054211297a6b6968470c5066fca8469e489ac8295f63298cbe40d30f369300b004c69e0c7e62f3b693b54

Download Submit
C:\ProgramData\Avast Software\Avast\wsc_proxy.exe

Filesize
56KB

MD5
c2902be3472adb3014c2bd07f4d4d034

SHA1
bfc6c0eda00da8537fa94b8dead9fd7b2b2436b7

SHA256
1948bb0df11f768d6dd30ae7ecec5550db7c817d09cb31b5e2cee9b86a4047da

SHA512
2ac83a1dd89c6028eab125ca98d078c4df18291eec4054211297a6b6968470c5066fca8469e489ac8295f63298cbe40d30f369300b004c69e0c7e62f3b693b54

Download Submit
C:\wsc.dll

Filesize
33KB

MD5
a3be5ee9a505a2fc1260521d150cbb19

SHA1
710617c387500735b8aa44ba7ff001fa43a2a16f

SHA256
c664a816771b8d058796bdddbc0554510c430cc7fc98bae5153a21b1797bf39c

SHA512
ea0cda4e543a4838cd9ac258a91b471c6e5ee266b5ef1cca3bb341ab4a8131dcb632ca570c449e6b0aa5cd7e5d59d229e5078965c5f4f7cee1a79cc003f3da0c

Download Submit
C:\wsc_proxy.dat

Filesize
148KB

MD5
07a9a4b7068d7a4406a00656a762ca55

SHA1
981ef9b7f98b949d16a3b4e6eefe2575dcf784e1

SHA256
e48af8d3a597b947d145e8a2e8e94eff003a5eb8544918955f65ac5af37cd331

SHA512
ae8c7f5a5c7354a1800c47ca7c124982a354fbe2b2a520f6f8a1968d924ff66dd45e5dbe6f2e4048ee53cc21a25b83ff4639b5d4d35918bd48dd4dc140fd7b4e

Download Submit
C:\wsc_proxy.exe

Filesize
56KB

MD5
c2902be3472adb3014c2bd07f4d4d034

SHA1
bfc6c0eda00da8537fa94b8dead9fd7b2b2436b7

SHA256
1948bb0df11f768d6dd30ae7ecec5550db7c817d09cb31b5e2cee9b86a4047da

SHA512
2ac83a1dd89c6028eab125ca98d078c4df18291eec4054211297a6b6968470c5066fca8469e489ac8295f63298cbe40d30f369300b004c69e0c7e62f3b693b54

Download Submit
C:\wsc_proxy.exe

Filesize
56KB

MD5
c2902be3472adb3014c2bd07f4d4d034

SHA1
bfc6c0eda00da8537fa94b8dead9fd7b2b2436b7

SHA256
1948bb0df11f768d6dd30ae7ecec5550db7c817d09cb31b5e2cee9b86a4047da

SHA512
2ac83a1dd89c6028eab125ca98d078c4df18291eec4054211297a6b6968470c5066fca8469e489ac8295f63298cbe40d30f369300b004c69e0c7e62f3b693b54

Download Submit
\ProgramData\Avast Software\Avast\wsc.dll

Filesize
33KB

MD5
a3be5ee9a505a2fc1260521d150cbb19

SHA1
710617c387500735b8aa44ba7ff001fa43a2a16f

SHA256
c664a816771b8d058796bdddbc0554510c430cc7fc98bae5153a21b1797bf39c

SHA512
ea0cda4e543a4838cd9ac258a91b471c6e5ee266b5ef1cca3bb341ab4a8131dcb632ca570c449e6b0aa5cd7e5d59d229e5078965c5f4f7cee1a79cc003f3da0c

Download Submit
\ProgramData\Avast Software\Avast\wsc.dll

Filesize
33KB

MD5
a3be5ee9a505a2fc1260521d150cbb19

SHA1
710617c387500735b8aa44ba7ff001fa43a2a16f

SHA256
c664a816771b8d058796bdddbc0554510c430cc7fc98bae5153a21b1797bf39c

SHA512
ea0cda4e543a4838cd9ac258a91b471c6e5ee266b5ef1cca3bb341ab4a8131dcb632ca570c449e6b0aa5cd7e5d59d229e5078965c5f4f7cee1a79cc003f3da0c

Download Submit
memory/268-73-0x0000000000390000-0x00000000003C5000-memory.dmp

Filesize
212KB

Download
memory/700-75-0x00000000000E0000-0x0000000000104000-memory.dmp

Filesize
144KB

Download
memory/700-79-0x0000000000240000-0x0000000000275000-memory.dmp

Filesize
212KB

Download
memory/1128-84-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1224-60-0x0000000000820000-0x0000000000920000-memory.dmp

Filesize
1024KB

Download
memory/1224-72-0x0000000000350000-0x0000000000385000-memory.dmp

Filesize
212KB

Download
memory/1608-74-0x00000000001E0000-0x0000000000215000-memory.dmp

Filesize
212KB

Download
memory/2036-54-0x0000000075C01000-0x0000000075C03000-memory.dmp

Filesize
8KB

Download