plugx | 354fed4072f0c12b9a7e40f48feb32c043481d0a87fbff599ce36fd2e323d379

Analysis

max time kernel
149s
max time network
144s
platform
windows10_x64
resource
win10-20220414-en
submitted
04-05-2022 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

354fed4072f0c12b9a7e40f48feb32c043481d0a87fbff599ce36fd2e323d379.exe
Size

697KB
MD5

3523aba425931e1afbe4864ae714beb1
SHA1

38e49f28a2f36eb1346eec18083c6a6b3e7ab4d7
SHA256

354fed4072f0c12b9a7e40f48feb32c043481d0a87fbff599ce36fd2e323d379
SHA512

973a8a551c38d7efc5f3d21ae0d34b053f8330cec858814d06384b9a7bc12ef1e97fb3d4ce0bd638ab79e0c1f297af61a430c5f1ab81666127abd8d331c069dc

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 4 IoCs

resource	yara_rule
behavioral1/memory/3616-124-0x0000000000A40000-0x0000000000A75000-memory.dmp	family_plugx
behavioral1/memory/5040-135-0x0000000000880000-0x00000000008B5000-memory.dmp	family_plugx
behavioral1/memory/4156-137-0x0000000003500000-0x0000000003535000-memory.dmp	family_plugx
behavioral1/memory/2436-141-0x0000000000AA0000-0x0000000000AD5000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
3616	adb.exe
2320	adb.exe
5040	adb.exe

Loads dropped DLL 3 IoCs

pid	Process
3616	adb.exe
2320	adb.exe
5040	adb.exe

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	203.86.234.16
Destination IP	203.86.234.16

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 34003600380038003500330031003300340043004300430035003100460046000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4156	svchost.exe
4156	svchost.exe
4156	svchost.exe
4156	svchost.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
4156	svchost.exe
4156	svchost.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
4156	svchost.exe
4156	svchost.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
4156	svchost.exe
4156	svchost.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
4156	svchost.exe
4156	svchost.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
2436	msiexec.exe
4156	svchost.exe
4156	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4156	svchost.exe
2436	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3616	adb.exe
Token: SeTcbPrivilege	3616	adb.exe
Token: SeDebugPrivilege	2320	adb.exe
Token: SeTcbPrivilege	2320	adb.exe
Token: SeDebugPrivilege	5040	adb.exe
Token: SeTcbPrivilege	5040	adb.exe
Token: SeDebugPrivilege	4156	svchost.exe
Token: SeTcbPrivilege	4156	svchost.exe
Token: SeDebugPrivilege	2436	msiexec.exe
Token: SeTcbPrivilege	2436	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 3616	2788	354fed4072f0c12b9a7e40f48feb32c043481d0a87fbff599ce36fd2e323d379.exe	67
PID 2788 wrote to memory of 3616	2788	354fed4072f0c12b9a7e40f48feb32c043481d0a87fbff599ce36fd2e323d379.exe	67
PID 2788 wrote to memory of 3616	2788	354fed4072f0c12b9a7e40f48feb32c043481d0a87fbff599ce36fd2e323d379.exe	67
PID 5040 wrote to memory of 4156	5040	adb.exe	74
PID 5040 wrote to memory of 4156	5040	adb.exe	74
PID 5040 wrote to memory of 4156	5040	adb.exe	74
PID 5040 wrote to memory of 4156	5040	adb.exe	74
PID 5040 wrote to memory of 4156	5040	adb.exe	74
PID 5040 wrote to memory of 4156	5040	adb.exe	74
PID 5040 wrote to memory of 4156	5040	adb.exe	74
PID 5040 wrote to memory of 4156	5040	adb.exe	74
PID 4156 wrote to memory of 2436	4156	svchost.exe	75
PID 4156 wrote to memory of 2436	4156	svchost.exe	75
PID 4156 wrote to memory of 2436	4156	svchost.exe	75
PID 4156 wrote to memory of 2436	4156	svchost.exe	75
PID 4156 wrote to memory of 2436	4156	svchost.exe	75
PID 4156 wrote to memory of 2436	4156	svchost.exe	75
PID 4156 wrote to memory of 2436	4156	svchost.exe	75
PID 4156 wrote to memory of 2436	4156	svchost.exe	75

C:\Users\Admin\AppData\Local\Temp\354fed4072f0c12b9a7e40f48feb32c043481d0a87fbff599ce36fd2e323d379.exe
"C:\Users\Admin\AppData\Local\Temp\354fed4072f0c12b9a7e40f48feb32c043481d0a87fbff599ce36fd2e323d379.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\adb.exe
  "C:\Users\Admin\AppData\Local\Temp\adb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:3616

C:\ProgramData\adb\adb.exe
"C:\ProgramData\adb\adb.exe" 100 3616
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\ProgramData\adb\adb.exe
"C:\ProgramData\adb\adb.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 4156
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\adb\AdbWinApi.dat

Filesize
148KB

MD5
cbcc0845497ddd773399e0f095539a4c

SHA1
6c878e4ee18d14b94a3214bdd283b221a1981877

SHA256
88045766007380b99fa7874c633d66bcb17d3314b6145ad5f8d8216e8e24b375

SHA512
e9a237e1ed9a53ce52c52ed40c43073430bc54b36996c53a90ab7524c0e3a3c9d8fa403b4f0ee52997f19d4d720f7d9db8efa7e988ca53efc221573a05a8e38f

Download Submit
C:\ProgramData\adb\AdbWinApi.dll

Filesize
33KB

MD5
114d0cdadcbdec8c6baa9af0a869700a

SHA1
a794329bac18d02b891b0e24ec73d88da4fe3404

SHA256
9217518710b77766d9dc3397c3ce9bd88734c71c8b80a2dd1e9ed1312efacd9c

SHA512
edab7b4ee16d7e8797d297c6e3add9b2b685b732d51a9c1b3994f8cf21c285fb3a2198d02536168d2153711eb4ed925ad602459c70def4c5c7cbff5ec12d6a3f

Download Submit
C:\ProgramData\adb\adb.exe

Filesize
804KB

MD5
790fb1184a3ed8e475263daa54f98469

SHA1
37a60f670a4f3c68a4872ec2e95c0be2bd130dae

SHA256
ef4c7f4c417c18cd3394dd81ccd94381af252e0af81b0ad89b7e6d81412f4706

SHA512
66a2325c59a7fdacd049f43b528224682245c2705f10c50a907b6454d5755522b9d9d07046426d42db8c324ba95adbde1de087e31a0fb21b635c1dc4ca25a4f8

Download Submit
C:\ProgramData\adb\adb.exe

Filesize
804KB

MD5
790fb1184a3ed8e475263daa54f98469

SHA1
37a60f670a4f3c68a4872ec2e95c0be2bd130dae

SHA256
ef4c7f4c417c18cd3394dd81ccd94381af252e0af81b0ad89b7e6d81412f4706

SHA512
66a2325c59a7fdacd049f43b528224682245c2705f10c50a907b6454d5755522b9d9d07046426d42db8c324ba95adbde1de087e31a0fb21b635c1dc4ca25a4f8

Download Submit
C:\ProgramData\adb\adb.exe

Filesize
804KB

MD5
790fb1184a3ed8e475263daa54f98469

SHA1
37a60f670a4f3c68a4872ec2e95c0be2bd130dae

SHA256
ef4c7f4c417c18cd3394dd81ccd94381af252e0af81b0ad89b7e6d81412f4706

SHA512
66a2325c59a7fdacd049f43b528224682245c2705f10c50a907b6454d5755522b9d9d07046426d42db8c324ba95adbde1de087e31a0fb21b635c1dc4ca25a4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdbWinApi.dat

Filesize
148KB

MD5
cbcc0845497ddd773399e0f095539a4c

SHA1
6c878e4ee18d14b94a3214bdd283b221a1981877

SHA256
88045766007380b99fa7874c633d66bcb17d3314b6145ad5f8d8216e8e24b375

SHA512
e9a237e1ed9a53ce52c52ed40c43073430bc54b36996c53a90ab7524c0e3a3c9d8fa403b4f0ee52997f19d4d720f7d9db8efa7e988ca53efc221573a05a8e38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdbWinApi.dll

Filesize
33KB

MD5
114d0cdadcbdec8c6baa9af0a869700a

SHA1
a794329bac18d02b891b0e24ec73d88da4fe3404

SHA256
9217518710b77766d9dc3397c3ce9bd88734c71c8b80a2dd1e9ed1312efacd9c

SHA512
edab7b4ee16d7e8797d297c6e3add9b2b685b732d51a9c1b3994f8cf21c285fb3a2198d02536168d2153711eb4ed925ad602459c70def4c5c7cbff5ec12d6a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\adb.exe

Filesize
804KB

MD5
790fb1184a3ed8e475263daa54f98469

SHA1
37a60f670a4f3c68a4872ec2e95c0be2bd130dae

SHA256
ef4c7f4c417c18cd3394dd81ccd94381af252e0af81b0ad89b7e6d81412f4706

SHA512
66a2325c59a7fdacd049f43b528224682245c2705f10c50a907b6454d5755522b9d9d07046426d42db8c324ba95adbde1de087e31a0fb21b635c1dc4ca25a4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\adb.exe

Filesize
804KB

MD5
790fb1184a3ed8e475263daa54f98469

SHA1
37a60f670a4f3c68a4872ec2e95c0be2bd130dae

SHA256
ef4c7f4c417c18cd3394dd81ccd94381af252e0af81b0ad89b7e6d81412f4706

SHA512
66a2325c59a7fdacd049f43b528224682245c2705f10c50a907b6454d5755522b9d9d07046426d42db8c324ba95adbde1de087e31a0fb21b635c1dc4ca25a4f8

Download Submit
\ProgramData\adb\AdbWinApi.dll

Filesize
33KB

MD5
114d0cdadcbdec8c6baa9af0a869700a

SHA1
a794329bac18d02b891b0e24ec73d88da4fe3404

SHA256
9217518710b77766d9dc3397c3ce9bd88734c71c8b80a2dd1e9ed1312efacd9c

SHA512
edab7b4ee16d7e8797d297c6e3add9b2b685b732d51a9c1b3994f8cf21c285fb3a2198d02536168d2153711eb4ed925ad602459c70def4c5c7cbff5ec12d6a3f

Download Submit
\ProgramData\adb\AdbWinApi.dll

Filesize
33KB

MD5
114d0cdadcbdec8c6baa9af0a869700a

SHA1
a794329bac18d02b891b0e24ec73d88da4fe3404

SHA256
9217518710b77766d9dc3397c3ce9bd88734c71c8b80a2dd1e9ed1312efacd9c

SHA512
edab7b4ee16d7e8797d297c6e3add9b2b685b732d51a9c1b3994f8cf21c285fb3a2198d02536168d2153711eb4ed925ad602459c70def4c5c7cbff5ec12d6a3f

Download Submit
\Users\Admin\AppData\Local\Temp\AdbWinApi.dll

Filesize
33KB

MD5
114d0cdadcbdec8c6baa9af0a869700a

SHA1
a794329bac18d02b891b0e24ec73d88da4fe3404

SHA256
9217518710b77766d9dc3397c3ce9bd88734c71c8b80a2dd1e9ed1312efacd9c

SHA512
edab7b4ee16d7e8797d297c6e3add9b2b685b732d51a9c1b3994f8cf21c285fb3a2198d02536168d2153711eb4ed925ad602459c70def4c5c7cbff5ec12d6a3f

Download Submit
memory/2320-136-0x00000000006F0000-0x000000000083A000-memory.dmp

Filesize
1.3MB

Download
memory/2436-141-0x0000000000AA0000-0x0000000000AD5000-memory.dmp

Filesize
212KB

Download
memory/3616-123-0x0000000002580000-0x0000000002680000-memory.dmp

Filesize
1024KB

Download
memory/3616-124-0x0000000000A40000-0x0000000000A75000-memory.dmp

Filesize
212KB

Download
memory/4156-137-0x0000000003500000-0x0000000003535000-memory.dmp

Filesize
212KB

Download
memory/5040-135-0x0000000000880000-0x00000000008B5000-memory.dmp

Filesize
212KB

Download