plugx | 80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967

Resubmissions

26-04-2022 23:36

220426-3lkvdaegb6 10

28-02-2022 15:52

220228-tbeqyagaar 10

24-02-2022 11:16

220224-ndfs5aebfn 9

27-07-2021 22:10

210727-kkvgchhhls 10

Analysis

max time kernel
266s
max time network
263s
platform
windows7_x64
resource
win7-20220414-en
submitted
26-04-2022 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe
Size

426KB
MD5

048271f7f2f8d900485dd020cdea2dd9
SHA1

fc48ae44addc9e1d00238f5ba798f3876e69c561
SHA256

80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967
SHA512

aa21ba3fde629857934140fb96737189602242222f4f26d7a9b28f28c52a4bc91c046eaaaf11472c2f73ff126697d6e57a2b3d36bf84ed17d3c80e9c629ea5df

Score

10^/10

plugx trojan upx

Malware Config

Signatures

Detects PlugX Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/328-72-0x0000000000420000-0x000000000045F000-memory.dmp	family_plugx
behavioral1/memory/1064-73-0x0000000000460000-0x000000000049F000-memory.dmp	family_plugx
behavioral1/memory/1728-75-0x0000000000290000-0x00000000002CF000-memory.dmp	family_plugx
behavioral1/memory/584-80-0x0000000000650000-0x000000000068F000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\??\c:\windows\temp\aross.dll	acprotect
\Windows\Temp\aross.dll	acprotect
C:\ProgramData\ARO\aross.dll	acprotect
\ProgramData\ARO\aross.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

AROTutorial.exeAROTutorial.exe

pid process

1064 AROTutorial.exe
328 AROTutorial.exe

pid	process
1064	AROTutorial.exe
328	AROTutorial.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\??\c:\windows\temp\aross.dll	upx
\Windows\Temp\aross.dll	upx
C:\ProgramData\ARO\aross.dll	upx
\ProgramData\ARO\aross.dll	upx

Loads dropped DLL 3 IoCs

Processes:

80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exeAROTutorial.exeAROTutorial.exe

pid process

1052 80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe
1064 AROTutorial.exe
328 AROTutorial.exe

pid	process
1052	80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe
1064	AROTutorial.exe
328	AROTutorial.exe

Modifies data under HKEY_USERS 11 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6F03467A-F5C4-4683-B8E7-6E3DCE6855C5}\62-be-27-1e-f8-7a	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-be-27-1e-f8-7a\WpadDecisionTime = 2092b2cbd759d801	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6F03467A-F5C4-4683-B8E7-6E3DCE6855C5}	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6F03467A-F5C4-4683-B8E7-6E3DCE6855C5}\WpadDecisionTime = 2092b2cbd759d801	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6F03467A-F5C4-4683-B8E7-6E3DCE6855C5}\WpadNetworkName = "Network 3"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-be-27-1e-f8-7a	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-be-27-1e-f8-7a\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-be-27-1e-f8-7a\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6F03467A-F5C4-4683-B8E7-6E3DCE6855C5}\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6F03467A-F5C4-4683-B8E7-6E3DCE6855C5}\WpadDecision = "0"	svchost.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\KET.FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\KET.FAST\CLSID = 33003900380038004100310031003400380033003500360031003900320044000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exeuserinit.exe

pid	process
1728	svchost.exe
1728	svchost.exe
1728	svchost.exe
1728	svchost.exe
1728	svchost.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
1728	svchost.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
1728	svchost.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
1728	svchost.exe
1728	svchost.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
1728	svchost.exe
1728	svchost.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
1728	svchost.exe
1728	svchost.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
1728	svchost.exe
1728	svchost.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
1728	svchost.exe
1728	svchost.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe
1728	svchost.exe
1728	svchost.exe
584	userinit.exe
584	userinit.exe
584	userinit.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

userinit.exesvchost.exe

pid process

584 userinit.exe
1728 svchost.exe

pid	process
584	userinit.exe
1728	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AROTutorial.exeAROTutorial.exesvchost.exeuserinit.exe

description	pid	process
Token: SeDebugPrivilege	1064	AROTutorial.exe
Token: SeTcbPrivilege	1064	AROTutorial.exe
Token: SeDebugPrivilege	328	AROTutorial.exe
Token: SeTcbPrivilege	328	AROTutorial.exe
Token: SeDebugPrivilege	1728	svchost.exe
Token: SeTcbPrivilege	1728	svchost.exe
Token: SeDebugPrivilege	584	userinit.exe
Token: SeTcbPrivilege	584	userinit.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exeAROTutorial.exesvchost.exe

description	pid	process	target process
PID 1052 wrote to memory of 1064	1052	80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe	AROTutorial.exe
PID 1052 wrote to memory of 1064	1052	80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe	AROTutorial.exe
PID 1052 wrote to memory of 1064	1052	80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe	AROTutorial.exe
PID 1052 wrote to memory of 1064	1052	80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe	AROTutorial.exe
PID 328 wrote to memory of 1728	328	AROTutorial.exe	svchost.exe
PID 328 wrote to memory of 1728	328	AROTutorial.exe	svchost.exe
PID 328 wrote to memory of 1728	328	AROTutorial.exe	svchost.exe
PID 328 wrote to memory of 1728	328	AROTutorial.exe	svchost.exe
PID 328 wrote to memory of 1728	328	AROTutorial.exe	svchost.exe
PID 328 wrote to memory of 1728	328	AROTutorial.exe	svchost.exe
PID 328 wrote to memory of 1728	328	AROTutorial.exe	svchost.exe
PID 328 wrote to memory of 1728	328	AROTutorial.exe	svchost.exe
PID 1728 wrote to memory of 584	1728	svchost.exe	userinit.exe
PID 1728 wrote to memory of 584	1728	svchost.exe	userinit.exe
PID 1728 wrote to memory of 584	1728	svchost.exe	userinit.exe
PID 1728 wrote to memory of 584	1728	svchost.exe	userinit.exe
PID 1728 wrote to memory of 584	1728	svchost.exe	userinit.exe
PID 1728 wrote to memory of 584	1728	svchost.exe	userinit.exe
PID 1728 wrote to memory of 584	1728	svchost.exe	userinit.exe
PID 1728 wrote to memory of 584	1728	svchost.exe	userinit.exe

C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe
"C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052

\??\c:\windows\temp\AROTutorial.exe
c:\windows\temp\AROTutorial.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\ProgramData\ARO\AROTutorial.exe
"C:\ProgramData\ARO\AROTutorial.exe" 600 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 601 0
2⤵
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\userinit.exe
C:\Windows\system32\userinit.exe 609 1728
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ARO\AROTutorial.exe
Filesize
69KB

MD5
64ff0a8730472e36e62ce29a20f61529

SHA1
6e8165999acf896e27db0da266a96189efd335e8

SHA256
18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c

SHA512
46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d

Download Submit
C:\ProgramData\ARO\aross.dat
Filesize
146KB

MD5
60e04d5b3dae8bcd3cfa82d492088869

SHA1
4ccb79d805fd92db08269c2a5cbf40dd94fb1f3b

SHA256
c5dcd3073904fad5d9a8fe1026141a832e05c9ca03a88fee96587921f42773d4

SHA512
0b45cba9df6ec8e355ce412793d900142ee90c7bdc9d5a6e4d33dd48de40f027646344c70501ca914b250ca42a766c2d035152bf29d07bf913915a93f23312cb

Download Submit
C:\ProgramData\ARO\aross.dll
Filesize
34KB

MD5
9b05caf01254dbd3389ab74d9932ed37

SHA1
7fe8de80c04124b84b800cd284173d86aabedb5e

SHA256
f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab

SHA512
8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b

Download Submit
C:\Windows\Temp\AROTutorial.exe
Filesize
69KB

MD5
64ff0a8730472e36e62ce29a20f61529

SHA1
6e8165999acf896e27db0da266a96189efd335e8

SHA256
18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c

SHA512
46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d

Download Submit
\??\c:\windows\temp\AROTutorial.exe
Filesize
69KB

MD5
64ff0a8730472e36e62ce29a20f61529

SHA1
6e8165999acf896e27db0da266a96189efd335e8

SHA256
18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c

SHA512
46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d

Download Submit
\??\c:\windows\temp\aross.dat
Filesize
146KB

MD5
60e04d5b3dae8bcd3cfa82d492088869

SHA1
4ccb79d805fd92db08269c2a5cbf40dd94fb1f3b

SHA256
c5dcd3073904fad5d9a8fe1026141a832e05c9ca03a88fee96587921f42773d4

SHA512
0b45cba9df6ec8e355ce412793d900142ee90c7bdc9d5a6e4d33dd48de40f027646344c70501ca914b250ca42a766c2d035152bf29d07bf913915a93f23312cb

Download Submit
\??\c:\windows\temp\aross.dll
Filesize
34KB

MD5
9b05caf01254dbd3389ab74d9932ed37

SHA1
7fe8de80c04124b84b800cd284173d86aabedb5e

SHA256
f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab

SHA512
8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b

Download Submit
\ProgramData\ARO\aross.dll
Filesize
34KB

MD5
9b05caf01254dbd3389ab74d9932ed37

SHA1
7fe8de80c04124b84b800cd284173d86aabedb5e

SHA256
f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab

SHA512
8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b

Download Submit
\Windows\Temp\AROTutorial.exe
Filesize
69KB

MD5
64ff0a8730472e36e62ce29a20f61529

SHA1
6e8165999acf896e27db0da266a96189efd335e8

SHA256
18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c

SHA512
46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d

Download Submit
\Windows\Temp\aross.dll
Filesize
34KB

MD5
9b05caf01254dbd3389ab74d9932ed37

SHA1
7fe8de80c04124b84b800cd284173d86aabedb5e

SHA256
f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab

SHA512
8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b

Download Submit
memory/328-71-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/328-72-0x0000000000420000-0x000000000045F000-memory.dmp

Filesize
252KB

Download
memory/584-78-0x0000000000000000-mapping.dmp

Download
memory/584-80-0x0000000000650000-0x000000000068F000-memory.dmp

Filesize
252KB

Download
memory/1064-55-0x0000000000000000-mapping.dmp

Download
memory/1064-60-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/1064-73-0x0000000000460000-0x000000000049F000-memory.dmp

Filesize
252KB

Download
memory/1728-67-0x00000000000A0000-0x00000000000C2000-memory.dmp

Filesize
136KB

Download
memory/1728-69-0x0000000000000000-mapping.dmp

Download
memory/1728-74-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/1728-75-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download