plugx | 80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967

Resubmissions

26-04-2022 23:36

220426-3lkvdaegb6 10

28-02-2022 15:52

220228-tbeqyagaar 10

24-02-2022 11:16

220224-ndfs5aebfn 9

27-07-2021 22:10

210727-kkvgchhhls 10

Analysis

max time kernel
276s
max time network
277s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
26-04-2022 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe
Size

426KB
MD5

048271f7f2f8d900485dd020cdea2dd9
SHA1

fc48ae44addc9e1d00238f5ba798f3876e69c561
SHA256

80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967
SHA512

aa21ba3fde629857934140fb96737189602242222f4f26d7a9b28f28c52a4bc91c046eaaaf11472c2f73ff126697d6e57a2b3d36bf84ed17d3c80e9c629ea5df

Score

10^/10

plugx trojan upx

Malware Config

Signatures

Detects PlugX Payload 4 IoCs

resource	yara_rule
behavioral3/memory/1148-143-0x0000000000DC0000-0x0000000000DFF000-memory.dmp	family_plugx
behavioral3/memory/1560-144-0x0000000002110000-0x000000000214F000-memory.dmp	family_plugx
behavioral3/memory/2672-145-0x0000000001670000-0x00000000016AF000-memory.dmp	family_plugx
behavioral3/memory/4908-147-0x0000000000DC0000-0x0000000000DFF000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral3/files/0x00060000000231b0-133.dat	acprotect
behavioral3/files/0x00060000000231b0-134.dat	acprotect
behavioral3/files/0x00060000000231b6-138.dat	acprotect
behavioral3/files/0x00060000000231b6-139.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
1560	AROTutorial.exe
1148	AROTutorial.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x00060000000231b0-133.dat	upx
behavioral3/files/0x00060000000231b0-134.dat	upx
behavioral3/files/0x00060000000231b6-138.dat	upx
behavioral3/files/0x00060000000231b6-139.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
1560	AROTutorial.exe
1148	AROTutorial.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	108.61.182.34
Destination IP	108.61.182.34
Destination IP	108.61.182.34

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\KET.FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\KET.FAST\CLSID = 34004100360035003700410039003000420034004500430031003400320037000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
2672	svchost.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
2672	svchost.exe
2672	svchost.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
2672	svchost.exe
2672	svchost.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
2672	svchost.exe
2672	svchost.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
2672	svchost.exe
2672	svchost.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe
4908	userinit.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2672	svchost.exe
4908	userinit.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	AROTutorial.exe
Token: SeTcbPrivilege	1560	AROTutorial.exe
Token: SeDebugPrivilege	1148	AROTutorial.exe
Token: SeTcbPrivilege	1148	AROTutorial.exe
Token: SeDebugPrivilege	2672	svchost.exe
Token: SeTcbPrivilege	2672	svchost.exe
Token: SeDebugPrivilege	4908	userinit.exe
Token: SeTcbPrivilege	4908	userinit.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 1560	4796	80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe	81
PID 4796 wrote to memory of 1560	4796	80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe	81
PID 4796 wrote to memory of 1560	4796	80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe	81
PID 1148 wrote to memory of 2672	1148	AROTutorial.exe	83
PID 1148 wrote to memory of 2672	1148	AROTutorial.exe	83
PID 1148 wrote to memory of 2672	1148	AROTutorial.exe	83
PID 1148 wrote to memory of 2672	1148	AROTutorial.exe	83
PID 1148 wrote to memory of 2672	1148	AROTutorial.exe	83
PID 1148 wrote to memory of 2672	1148	AROTutorial.exe	83
PID 1148 wrote to memory of 2672	1148	AROTutorial.exe	83
PID 2672 wrote to memory of 4908	2672	svchost.exe	87
PID 2672 wrote to memory of 4908	2672	svchost.exe	87
PID 2672 wrote to memory of 4908	2672	svchost.exe	87
PID 2672 wrote to memory of 4908	2672	svchost.exe	87
PID 2672 wrote to memory of 4908	2672	svchost.exe	87
PID 2672 wrote to memory of 4908	2672	svchost.exe	87
PID 2672 wrote to memory of 4908	2672	svchost.exe	87

C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe
"C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4796
- \??\c:\windows\temp\AROTutorial.exe
  c:\windows\temp\AROTutorial.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1560

C:\ProgramData\ARO\AROTutorial.exe
"C:\ProgramData\ARO\AROTutorial.exe" 600 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 601 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\userinit.exe
    C:\Windows\system32\userinit.exe 609 2672
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ARO\AROTutorial.exe

Filesize
69KB

MD5
64ff0a8730472e36e62ce29a20f61529

SHA1
6e8165999acf896e27db0da266a96189efd335e8

SHA256
18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c

SHA512
46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d

Download Submit
C:\ProgramData\ARO\AROTutorial.exe

Filesize
69KB

MD5
64ff0a8730472e36e62ce29a20f61529

SHA1
6e8165999acf896e27db0da266a96189efd335e8

SHA256
18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c

SHA512
46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d

Download Submit
C:\ProgramData\ARO\aross.dat

Filesize
146KB

MD5
60e04d5b3dae8bcd3cfa82d492088869

SHA1
4ccb79d805fd92db08269c2a5cbf40dd94fb1f3b

SHA256
c5dcd3073904fad5d9a8fe1026141a832e05c9ca03a88fee96587921f42773d4

SHA512
0b45cba9df6ec8e355ce412793d900142ee90c7bdc9d5a6e4d33dd48de40f027646344c70501ca914b250ca42a766c2d035152bf29d07bf913915a93f23312cb

Download Submit
C:\ProgramData\ARO\aross.dll

Filesize
34KB

MD5
9b05caf01254dbd3389ab74d9932ed37

SHA1
7fe8de80c04124b84b800cd284173d86aabedb5e

SHA256
f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab

SHA512
8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b

Download Submit
C:\ProgramData\ARO\aross.dll

Filesize
34KB

MD5
9b05caf01254dbd3389ab74d9932ed37

SHA1
7fe8de80c04124b84b800cd284173d86aabedb5e

SHA256
f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab

SHA512
8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b

Download Submit
C:\Windows\Temp\AROTutorial.exe

Filesize
69KB

MD5
64ff0a8730472e36e62ce29a20f61529

SHA1
6e8165999acf896e27db0da266a96189efd335e8

SHA256
18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c

SHA512
46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d

Download Submit
C:\Windows\Temp\aross.dll

Filesize
34KB

MD5
9b05caf01254dbd3389ab74d9932ed37

SHA1
7fe8de80c04124b84b800cd284173d86aabedb5e

SHA256
f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab

SHA512
8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b

Download Submit
\??\c:\windows\temp\AROTutorial.exe

Filesize
69KB

MD5
64ff0a8730472e36e62ce29a20f61529

SHA1
6e8165999acf896e27db0da266a96189efd335e8

SHA256
18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c

SHA512
46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d

Download Submit
\??\c:\windows\temp\aross.dat

Filesize
146KB

MD5
60e04d5b3dae8bcd3cfa82d492088869

SHA1
4ccb79d805fd92db08269c2a5cbf40dd94fb1f3b

SHA256
c5dcd3073904fad5d9a8fe1026141a832e05c9ca03a88fee96587921f42773d4

SHA512
0b45cba9df6ec8e355ce412793d900142ee90c7bdc9d5a6e4d33dd48de40f027646344c70501ca914b250ca42a766c2d035152bf29d07bf913915a93f23312cb

Download Submit
\??\c:\windows\temp\aross.dll

Filesize
34KB

MD5
9b05caf01254dbd3389ab74d9932ed37

SHA1
7fe8de80c04124b84b800cd284173d86aabedb5e

SHA256
f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab

SHA512
8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b

Download Submit
memory/1148-142-0x0000000000D20000-0x0000000000D45000-memory.dmp

Filesize
148KB

Download
memory/1148-143-0x0000000000DC0000-0x0000000000DFF000-memory.dmp

Filesize
252KB

Download
memory/1560-144-0x0000000002110000-0x000000000214F000-memory.dmp

Filesize
252KB

Download
memory/2672-145-0x0000000001670000-0x00000000016AF000-memory.dmp

Filesize
252KB

Download
memory/4908-147-0x0000000000DC0000-0x0000000000DFF000-memory.dmp

Filesize
252KB

Download