plugx | 81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-04-2022 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe
Size

430KB
MD5

aeb38328ffe5bd3bf5766a8fad075d08
SHA1

cf96c505059f6c384833250bf813f23d8fc6458f
SHA256

81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9
SHA512

87f3b91a974af59179a483eddc519388aa02634ec586028850cdea4dad749b93ba072208cb94fed81ccd704cec55b309725e91ff96302957c939a5571777a582

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 5 IoCs

resource	yara_rule
behavioral2/memory/2888-137-0x00000000009C0000-0x00000000009F5000-memory.dmp	family_plugx
behavioral2/memory/3584-147-0x0000000000E80000-0x0000000000EB5000-memory.dmp	family_plugx
behavioral2/memory/5064-148-0x00000000011F0000-0x0000000001225000-memory.dmp	family_plugx
behavioral2/memory/4268-150-0x0000000001360000-0x0000000001395000-memory.dmp	family_plugx
behavioral2/memory/2968-152-0x0000000000E80000-0x0000000000EB5000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
2888	wsc_proxy.exe
3584	wsc_proxy.exe
5064	wsc_proxy.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe

Loads dropped DLL 3 IoCs

pid	Process
2888	wsc_proxy.exe
3584	wsc_proxy.exe
5064	wsc_proxy.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	203.86.234.16
Destination IP	203.86.234.16
Destination IP	203.86.234.16

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 37003600420035003500460036003100390046003700410037003400390043000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4268	svchost.exe
4268	svchost.exe
4268	svchost.exe
4268	svchost.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
4268	svchost.exe
4268	svchost.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
4268	svchost.exe
4268	svchost.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
4268	svchost.exe
4268	svchost.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
4268	svchost.exe
4268	svchost.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
2968	msiexec.exe
4268	svchost.exe
4268	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4268	svchost.exe
2968	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	wsc_proxy.exe
Token: SeTcbPrivilege	2888	wsc_proxy.exe
Token: SeDebugPrivilege	3584	wsc_proxy.exe
Token: SeTcbPrivilege	3584	wsc_proxy.exe
Token: SeDebugPrivilege	5064	wsc_proxy.exe
Token: SeTcbPrivilege	5064	wsc_proxy.exe
Token: SeDebugPrivilege	4268	svchost.exe
Token: SeTcbPrivilege	4268	svchost.exe
Token: SeDebugPrivilege	2968	msiexec.exe
Token: SeTcbPrivilege	2968	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 2888	4792	81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe	79
PID 4792 wrote to memory of 2888	4792	81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe	79
PID 4792 wrote to memory of 2888	4792	81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe	79
PID 5064 wrote to memory of 4268	5064	wsc_proxy.exe	84
PID 5064 wrote to memory of 4268	5064	wsc_proxy.exe	84
PID 5064 wrote to memory of 4268	5064	wsc_proxy.exe	84
PID 5064 wrote to memory of 4268	5064	wsc_proxy.exe	84
PID 5064 wrote to memory of 4268	5064	wsc_proxy.exe	84
PID 5064 wrote to memory of 4268	5064	wsc_proxy.exe	84
PID 5064 wrote to memory of 4268	5064	wsc_proxy.exe	84
PID 5064 wrote to memory of 4268	5064	wsc_proxy.exe	84
PID 4268 wrote to memory of 2968	4268	svchost.exe	87
PID 4268 wrote to memory of 2968	4268	svchost.exe	87
PID 4268 wrote to memory of 2968	4268	svchost.exe	87
PID 4268 wrote to memory of 2968	4268	svchost.exe	87
PID 4268 wrote to memory of 2968	4268	svchost.exe	87
PID 4268 wrote to memory of 2968	4268	svchost.exe	87
PID 4268 wrote to memory of 2968	4268	svchost.exe	87
PID 4268 wrote to memory of 2968	4268	svchost.exe	87

C:\Users\Admin\AppData\Local\Temp\81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe
"C:\Users\Admin\AppData\Local\Temp\81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4792
- C:\wsc_proxy.exe
  "C:\wsc_proxy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2888

C:\ProgramData\Avast Software\Avast\wsc_proxy.exe
"C:\ProgramData\Avast Software\Avast\wsc_proxy.exe" 100 2888
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\ProgramData\Avast Software\Avast\wsc_proxy.exe
"C:\ProgramData\Avast Software\Avast\wsc_proxy.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 4268
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Avast\wsc.dll

Filesize
33KB

MD5
a3be5ee9a505a2fc1260521d150cbb19

SHA1
710617c387500735b8aa44ba7ff001fa43a2a16f

SHA256
c664a816771b8d058796bdddbc0554510c430cc7fc98bae5153a21b1797bf39c

SHA512
ea0cda4e543a4838cd9ac258a91b471c6e5ee266b5ef1cca3bb341ab4a8131dcb632ca570c449e6b0aa5cd7e5d59d229e5078965c5f4f7cee1a79cc003f3da0c

Download Submit
C:\ProgramData\Avast Software\Avast\wsc.dll

Filesize
33KB

MD5
a3be5ee9a505a2fc1260521d150cbb19

SHA1
710617c387500735b8aa44ba7ff001fa43a2a16f

SHA256
c664a816771b8d058796bdddbc0554510c430cc7fc98bae5153a21b1797bf39c

SHA512
ea0cda4e543a4838cd9ac258a91b471c6e5ee266b5ef1cca3bb341ab4a8131dcb632ca570c449e6b0aa5cd7e5d59d229e5078965c5f4f7cee1a79cc003f3da0c

Download Submit
C:\ProgramData\Avast Software\Avast\wsc.dll

Filesize
33KB

MD5
a3be5ee9a505a2fc1260521d150cbb19

SHA1
710617c387500735b8aa44ba7ff001fa43a2a16f

SHA256
c664a816771b8d058796bdddbc0554510c430cc7fc98bae5153a21b1797bf39c

SHA512
ea0cda4e543a4838cd9ac258a91b471c6e5ee266b5ef1cca3bb341ab4a8131dcb632ca570c449e6b0aa5cd7e5d59d229e5078965c5f4f7cee1a79cc003f3da0c

Download Submit
C:\ProgramData\Avast Software\Avast\wsc_proxy.dat

Filesize
148KB

MD5
07a9a4b7068d7a4406a00656a762ca55

SHA1
981ef9b7f98b949d16a3b4e6eefe2575dcf784e1

SHA256
e48af8d3a597b947d145e8a2e8e94eff003a5eb8544918955f65ac5af37cd331

SHA512
ae8c7f5a5c7354a1800c47ca7c124982a354fbe2b2a520f6f8a1968d924ff66dd45e5dbe6f2e4048ee53cc21a25b83ff4639b5d4d35918bd48dd4dc140fd7b4e

Download Submit
C:\ProgramData\Avast Software\Avast\wsc_proxy.exe

Filesize
56KB

MD5
c2902be3472adb3014c2bd07f4d4d034

SHA1
bfc6c0eda00da8537fa94b8dead9fd7b2b2436b7

SHA256
1948bb0df11f768d6dd30ae7ecec5550db7c817d09cb31b5e2cee9b86a4047da

SHA512
2ac83a1dd89c6028eab125ca98d078c4df18291eec4054211297a6b6968470c5066fca8469e489ac8295f63298cbe40d30f369300b004c69e0c7e62f3b693b54

Download Submit
C:\ProgramData\Avast Software\Avast\wsc_proxy.exe

Filesize
56KB

MD5
c2902be3472adb3014c2bd07f4d4d034

SHA1
bfc6c0eda00da8537fa94b8dead9fd7b2b2436b7

SHA256
1948bb0df11f768d6dd30ae7ecec5550db7c817d09cb31b5e2cee9b86a4047da

SHA512
2ac83a1dd89c6028eab125ca98d078c4df18291eec4054211297a6b6968470c5066fca8469e489ac8295f63298cbe40d30f369300b004c69e0c7e62f3b693b54

Download Submit
C:\ProgramData\Avast Software\Avast\wsc_proxy.exe

Filesize
56KB

MD5
c2902be3472adb3014c2bd07f4d4d034

SHA1
bfc6c0eda00da8537fa94b8dead9fd7b2b2436b7

SHA256
1948bb0df11f768d6dd30ae7ecec5550db7c817d09cb31b5e2cee9b86a4047da

SHA512
2ac83a1dd89c6028eab125ca98d078c4df18291eec4054211297a6b6968470c5066fca8469e489ac8295f63298cbe40d30f369300b004c69e0c7e62f3b693b54

Download Submit
C:\wsc.dll

Filesize
33KB

MD5
a3be5ee9a505a2fc1260521d150cbb19

SHA1
710617c387500735b8aa44ba7ff001fa43a2a16f

SHA256
c664a816771b8d058796bdddbc0554510c430cc7fc98bae5153a21b1797bf39c

SHA512
ea0cda4e543a4838cd9ac258a91b471c6e5ee266b5ef1cca3bb341ab4a8131dcb632ca570c449e6b0aa5cd7e5d59d229e5078965c5f4f7cee1a79cc003f3da0c

Download Submit
C:\wsc.dll

Filesize
33KB

MD5
a3be5ee9a505a2fc1260521d150cbb19

SHA1
710617c387500735b8aa44ba7ff001fa43a2a16f

SHA256
c664a816771b8d058796bdddbc0554510c430cc7fc98bae5153a21b1797bf39c

SHA512
ea0cda4e543a4838cd9ac258a91b471c6e5ee266b5ef1cca3bb341ab4a8131dcb632ca570c449e6b0aa5cd7e5d59d229e5078965c5f4f7cee1a79cc003f3da0c

Download Submit
C:\wsc_proxy.dat

Filesize
148KB

MD5
07a9a4b7068d7a4406a00656a762ca55

SHA1
981ef9b7f98b949d16a3b4e6eefe2575dcf784e1

SHA256
e48af8d3a597b947d145e8a2e8e94eff003a5eb8544918955f65ac5af37cd331

SHA512
ae8c7f5a5c7354a1800c47ca7c124982a354fbe2b2a520f6f8a1968d924ff66dd45e5dbe6f2e4048ee53cc21a25b83ff4639b5d4d35918bd48dd4dc140fd7b4e

Download Submit
C:\wsc_proxy.exe

Filesize
56KB

MD5
c2902be3472adb3014c2bd07f4d4d034

SHA1
bfc6c0eda00da8537fa94b8dead9fd7b2b2436b7

SHA256
1948bb0df11f768d6dd30ae7ecec5550db7c817d09cb31b5e2cee9b86a4047da

SHA512
2ac83a1dd89c6028eab125ca98d078c4df18291eec4054211297a6b6968470c5066fca8469e489ac8295f63298cbe40d30f369300b004c69e0c7e62f3b693b54

Download Submit
C:\wsc_proxy.exe

Filesize
56KB

MD5
c2902be3472adb3014c2bd07f4d4d034

SHA1
bfc6c0eda00da8537fa94b8dead9fd7b2b2436b7

SHA256
1948bb0df11f768d6dd30ae7ecec5550db7c817d09cb31b5e2cee9b86a4047da

SHA512
2ac83a1dd89c6028eab125ca98d078c4df18291eec4054211297a6b6968470c5066fca8469e489ac8295f63298cbe40d30f369300b004c69e0c7e62f3b693b54

Download Submit
memory/2888-137-0x00000000009C0000-0x00000000009F5000-memory.dmp

Filesize
212KB

Download
memory/2888-136-0x0000000000C30000-0x0000000000D30000-memory.dmp

Filesize
1024KB

Download
memory/2968-152-0x0000000000E80000-0x0000000000EB5000-memory.dmp

Filesize
212KB

Download
memory/3584-147-0x0000000000E80000-0x0000000000EB5000-memory.dmp

Filesize
212KB

Download
memory/4268-150-0x0000000001360000-0x0000000001395000-memory.dmp

Filesize
212KB

Download
memory/5064-148-0x00000000011F0000-0x0000000001225000-memory.dmp

Filesize
212KB

Download