plugx | 81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9

Analysis

max time kernel
300s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
06-05-2022 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe
Size

430KB
MD5

aeb38328ffe5bd3bf5766a8fad075d08
SHA1

cf96c505059f6c384833250bf813f23d8fc6458f
SHA256

81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9
SHA512

87f3b91a974af59179a483eddc519388aa02634ec586028850cdea4dad749b93ba072208cb94fed81ccd704cec55b309725e91ff96302957c939a5571777a582

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4360-147-0x0000000001190000-0x00000000011C5000-memory.dmp	family_plugx
behavioral2/memory/3372-148-0x0000000001450000-0x0000000001485000-memory.dmp	family_plugx
behavioral2/memory/3320-149-0x0000000000F10000-0x0000000000F45000-memory.dmp	family_plugx
behavioral2/memory/4280-150-0x0000000001930000-0x0000000001965000-memory.dmp	family_plugx
behavioral2/memory/2804-152-0x0000000000660000-0x0000000000695000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 3 IoCs

Processes:

wsc_proxy.exewsc_proxy.exewsc_proxy.exe

pid process

3372 wsc_proxy.exe
3320 wsc_proxy.exe
4360 wsc_proxy.exe

pid	process
3372	wsc_proxy.exe
3320	wsc_proxy.exe
4360	wsc_proxy.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe

Loads dropped DLL 3 IoCs

Processes:

wsc_proxy.exewsc_proxy.exewsc_proxy.exe

pid process

3372 wsc_proxy.exe
3320 wsc_proxy.exe
4360 wsc_proxy.exe
Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 203.86.234.16
Destination IP 203.86.234.16
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3372	wsc_proxy.exe
3320	wsc_proxy.exe
4360	wsc_proxy.exe

description	ioc
Destination IP	203.86.234.16
Destination IP	203.86.234.16

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ	svchost.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 45004300300033004400390038003800460034003700420042003300310034000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exemsiexec.exe

pid	process
4280	svchost.exe
4280	svchost.exe
4280	svchost.exe
4280	svchost.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
4280	svchost.exe
4280	svchost.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
4280	svchost.exe
4280	svchost.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
4280	svchost.exe
4280	svchost.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
4280	svchost.exe
4280	svchost.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
2804	msiexec.exe
4280	svchost.exe
4280	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exemsiexec.exe

pid process

4280 svchost.exe
2804 msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

wsc_proxy.exewsc_proxy.exewsc_proxy.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	3372	wsc_proxy.exe
Token: SeTcbPrivilege	3372	wsc_proxy.exe
Token: SeDebugPrivilege	3320	wsc_proxy.exe
Token: SeTcbPrivilege	3320	wsc_proxy.exe
Token: SeDebugPrivilege	4360	wsc_proxy.exe
Token: SeTcbPrivilege	4360	wsc_proxy.exe
Token: SeDebugPrivilege	4280	svchost.exe
Token: SeTcbPrivilege	4280	svchost.exe
Token: SeDebugPrivilege	2804	msiexec.exe
Token: SeTcbPrivilege	2804	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exewsc_proxy.exesvchost.exe

description	pid	process	target process
PID 3376 wrote to memory of 3372	3376	81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe	wsc_proxy.exe
PID 3376 wrote to memory of 3372	3376	81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe	wsc_proxy.exe
PID 3376 wrote to memory of 3372	3376	81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe	wsc_proxy.exe
PID 4360 wrote to memory of 4280	4360	wsc_proxy.exe	svchost.exe
PID 4360 wrote to memory of 4280	4360	wsc_proxy.exe	svchost.exe
PID 4360 wrote to memory of 4280	4360	wsc_proxy.exe	svchost.exe
PID 4360 wrote to memory of 4280	4360	wsc_proxy.exe	svchost.exe
PID 4360 wrote to memory of 4280	4360	wsc_proxy.exe	svchost.exe
PID 4360 wrote to memory of 4280	4360	wsc_proxy.exe	svchost.exe
PID 4360 wrote to memory of 4280	4360	wsc_proxy.exe	svchost.exe
PID 4360 wrote to memory of 4280	4360	wsc_proxy.exe	svchost.exe
PID 4280 wrote to memory of 2804	4280	svchost.exe	msiexec.exe
PID 4280 wrote to memory of 2804	4280	svchost.exe	msiexec.exe
PID 4280 wrote to memory of 2804	4280	svchost.exe	msiexec.exe
PID 4280 wrote to memory of 2804	4280	svchost.exe	msiexec.exe
PID 4280 wrote to memory of 2804	4280	svchost.exe	msiexec.exe
PID 4280 wrote to memory of 2804	4280	svchost.exe	msiexec.exe
PID 4280 wrote to memory of 2804	4280	svchost.exe	msiexec.exe
PID 4280 wrote to memory of 2804	4280	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe
"C:\Users\Admin\AppData\Local\Temp\81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3376

C:\wsc_proxy.exe
"C:\wsc_proxy.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\ProgramData\Avast Software\Avast\wsc_proxy.exe
"C:\ProgramData\Avast Software\Avast\wsc_proxy.exe" 100 3372
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\ProgramData\Avast Software\Avast\wsc_proxy.exe
"C:\ProgramData\Avast Software\Avast\wsc_proxy.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 4280
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Avast\wsc.dll
Filesize
33KB

MD5
a3be5ee9a505a2fc1260521d150cbb19

SHA1
710617c387500735b8aa44ba7ff001fa43a2a16f

SHA256
c664a816771b8d058796bdddbc0554510c430cc7fc98bae5153a21b1797bf39c

SHA512
ea0cda4e543a4838cd9ac258a91b471c6e5ee266b5ef1cca3bb341ab4a8131dcb632ca570c449e6b0aa5cd7e5d59d229e5078965c5f4f7cee1a79cc003f3da0c

Download Submit
C:\ProgramData\Avast Software\Avast\wsc.dll
Filesize
33KB

MD5
a3be5ee9a505a2fc1260521d150cbb19

SHA1
710617c387500735b8aa44ba7ff001fa43a2a16f

SHA256
c664a816771b8d058796bdddbc0554510c430cc7fc98bae5153a21b1797bf39c

SHA512
ea0cda4e543a4838cd9ac258a91b471c6e5ee266b5ef1cca3bb341ab4a8131dcb632ca570c449e6b0aa5cd7e5d59d229e5078965c5f4f7cee1a79cc003f3da0c

Download Submit
C:\ProgramData\Avast Software\Avast\wsc.dll
Filesize
33KB

MD5
a3be5ee9a505a2fc1260521d150cbb19

SHA1
710617c387500735b8aa44ba7ff001fa43a2a16f

SHA256
c664a816771b8d058796bdddbc0554510c430cc7fc98bae5153a21b1797bf39c

SHA512
ea0cda4e543a4838cd9ac258a91b471c6e5ee266b5ef1cca3bb341ab4a8131dcb632ca570c449e6b0aa5cd7e5d59d229e5078965c5f4f7cee1a79cc003f3da0c

Download Submit
C:\ProgramData\Avast Software\Avast\wsc_proxy.dat
Filesize
148KB

MD5
07a9a4b7068d7a4406a00656a762ca55

SHA1
981ef9b7f98b949d16a3b4e6eefe2575dcf784e1

SHA256
e48af8d3a597b947d145e8a2e8e94eff003a5eb8544918955f65ac5af37cd331

SHA512
ae8c7f5a5c7354a1800c47ca7c124982a354fbe2b2a520f6f8a1968d924ff66dd45e5dbe6f2e4048ee53cc21a25b83ff4639b5d4d35918bd48dd4dc140fd7b4e

Download Submit
C:\ProgramData\Avast Software\Avast\wsc_proxy.exe
Filesize
56KB

MD5
c2902be3472adb3014c2bd07f4d4d034

SHA1
bfc6c0eda00da8537fa94b8dead9fd7b2b2436b7

SHA256
1948bb0df11f768d6dd30ae7ecec5550db7c817d09cb31b5e2cee9b86a4047da

SHA512
2ac83a1dd89c6028eab125ca98d078c4df18291eec4054211297a6b6968470c5066fca8469e489ac8295f63298cbe40d30f369300b004c69e0c7e62f3b693b54

Download Submit
C:\ProgramData\Avast Software\Avast\wsc_proxy.exe
Filesize
56KB

MD5
c2902be3472adb3014c2bd07f4d4d034

SHA1
bfc6c0eda00da8537fa94b8dead9fd7b2b2436b7

SHA256
1948bb0df11f768d6dd30ae7ecec5550db7c817d09cb31b5e2cee9b86a4047da

SHA512
2ac83a1dd89c6028eab125ca98d078c4df18291eec4054211297a6b6968470c5066fca8469e489ac8295f63298cbe40d30f369300b004c69e0c7e62f3b693b54

Download Submit
C:\ProgramData\Avast Software\Avast\wsc_proxy.exe
Filesize
56KB

MD5
c2902be3472adb3014c2bd07f4d4d034

SHA1
bfc6c0eda00da8537fa94b8dead9fd7b2b2436b7

SHA256
1948bb0df11f768d6dd30ae7ecec5550db7c817d09cb31b5e2cee9b86a4047da

SHA512
2ac83a1dd89c6028eab125ca98d078c4df18291eec4054211297a6b6968470c5066fca8469e489ac8295f63298cbe40d30f369300b004c69e0c7e62f3b693b54

Download Submit
C:\wsc.dll
Filesize
33KB

MD5
a3be5ee9a505a2fc1260521d150cbb19

SHA1
710617c387500735b8aa44ba7ff001fa43a2a16f

SHA256
c664a816771b8d058796bdddbc0554510c430cc7fc98bae5153a21b1797bf39c

SHA512
ea0cda4e543a4838cd9ac258a91b471c6e5ee266b5ef1cca3bb341ab4a8131dcb632ca570c449e6b0aa5cd7e5d59d229e5078965c5f4f7cee1a79cc003f3da0c

Download Submit
C:\wsc.dll
Filesize
33KB

MD5
a3be5ee9a505a2fc1260521d150cbb19

SHA1
710617c387500735b8aa44ba7ff001fa43a2a16f

SHA256
c664a816771b8d058796bdddbc0554510c430cc7fc98bae5153a21b1797bf39c

SHA512
ea0cda4e543a4838cd9ac258a91b471c6e5ee266b5ef1cca3bb341ab4a8131dcb632ca570c449e6b0aa5cd7e5d59d229e5078965c5f4f7cee1a79cc003f3da0c

Download Submit
C:\wsc_proxy.dat
Filesize
148KB

MD5
07a9a4b7068d7a4406a00656a762ca55

SHA1
981ef9b7f98b949d16a3b4e6eefe2575dcf784e1

SHA256
e48af8d3a597b947d145e8a2e8e94eff003a5eb8544918955f65ac5af37cd331

SHA512
ae8c7f5a5c7354a1800c47ca7c124982a354fbe2b2a520f6f8a1968d924ff66dd45e5dbe6f2e4048ee53cc21a25b83ff4639b5d4d35918bd48dd4dc140fd7b4e

Download Submit
C:\wsc_proxy.exe
Filesize
56KB

MD5
c2902be3472adb3014c2bd07f4d4d034

SHA1
bfc6c0eda00da8537fa94b8dead9fd7b2b2436b7

SHA256
1948bb0df11f768d6dd30ae7ecec5550db7c817d09cb31b5e2cee9b86a4047da

SHA512
2ac83a1dd89c6028eab125ca98d078c4df18291eec4054211297a6b6968470c5066fca8469e489ac8295f63298cbe40d30f369300b004c69e0c7e62f3b693b54

Download Submit
C:\wsc_proxy.exe
Filesize
56KB

MD5
c2902be3472adb3014c2bd07f4d4d034

SHA1
bfc6c0eda00da8537fa94b8dead9fd7b2b2436b7

SHA256
1948bb0df11f768d6dd30ae7ecec5550db7c817d09cb31b5e2cee9b86a4047da

SHA512
2ac83a1dd89c6028eab125ca98d078c4df18291eec4054211297a6b6968470c5066fca8469e489ac8295f63298cbe40d30f369300b004c69e0c7e62f3b693b54

Download Submit
memory/2804-152-0x0000000000660000-0x0000000000695000-memory.dmp

Filesize
212KB

Download
memory/2804-151-0x0000000000000000-mapping.dmp

Download
memory/3320-149-0x0000000000F10000-0x0000000000F45000-memory.dmp

Filesize
212KB

Download
memory/3372-136-0x0000000002D50000-0x0000000002E50000-memory.dmp

Filesize
1024KB

Download
memory/3372-148-0x0000000001450000-0x0000000001485000-memory.dmp

Filesize
212KB

Download
memory/3372-130-0x0000000000000000-mapping.dmp

Download
memory/4280-150-0x0000000001930000-0x0000000001965000-memory.dmp

Filesize
212KB

Download
memory/4280-146-0x0000000000000000-mapping.dmp

Download
memory/4360-147-0x0000000001190000-0x00000000011C5000-memory.dmp

Filesize
212KB

Download