plugx | d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e

Analysis

max time kernel
115s
max time network
116s
platform
windows7_x64
resource
win7-20220414-en
submitted
19-05-2022 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe
Size

579KB
MD5

0bc6098d03c4faeb17dcf633f5de4652
SHA1

4c7912cfcab3fd03413110e7d428981aca5e0331
SHA256

d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e
SHA512

03a25ce05b3d112c2c3fcd5a67bd65b7f02c1a4abc2bf7203a8ea44d6fe5d1703b08da87ddde1ab7ca3f3283e31fd870d7a8dcace03ffb0067c99272bd1374be

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects Talisman variant of PlugX 1 IoCs

resource	yara_rule
behavioral1/memory/1104-71-0x0000000000390000-0x00000000003D1000-memory.dmp	family_plugx_talisman

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 1 IoCs

pid	Process
1104	msiexece.exe

Deletes itself 1 IoCs

pid	Process
1612	Wscript.exe

Loads dropped DLL 2 IoCs

pid	Process
1612	Wscript.exe
1104	msiexece.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1328	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	1780	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1780	AUDIODG.EXE
Token: 33	1780	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1780	AUDIODG.EXE
Token: SeDebugPrivilege	1104	msiexece.exe
Token: SeTcbPrivilege	1104	msiexece.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
748	d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe
748	d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 1612	748	d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe	28
PID 748 wrote to memory of 1612	748	d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe	28
PID 748 wrote to memory of 1612	748	d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe	28
PID 748 wrote to memory of 1612	748	d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe	28
PID 1612 wrote to memory of 1104	1612	Wscript.exe	29
PID 1612 wrote to memory of 1104	1612	Wscript.exe	29
PID 1612 wrote to memory of 1104	1612	Wscript.exe	29
PID 1612 wrote to memory of 1104	1612	Wscript.exe	29
PID 1104 wrote to memory of 1464	1104	msiexece.exe	33
PID 1104 wrote to memory of 1464	1104	msiexece.exe	33
PID 1104 wrote to memory of 1464	1104	msiexece.exe	33
PID 1104 wrote to memory of 1464	1104	msiexece.exe	33
PID 1464 wrote to memory of 544	1464	cmd.exe	35
PID 1464 wrote to memory of 544	1464	cmd.exe	35
PID 1464 wrote to memory of 544	1464	cmd.exe	35
PID 1464 wrote to memory of 544	1464	cmd.exe	35
PID 1104 wrote to memory of 588	1104	msiexece.exe	36
PID 1104 wrote to memory of 588	1104	msiexece.exe	36
PID 1104 wrote to memory of 588	1104	msiexece.exe	36
PID 1104 wrote to memory of 588	1104	msiexece.exe	36
PID 1104 wrote to memory of 1004	1104	msiexece.exe	38
PID 1104 wrote to memory of 1004	1104	msiexece.exe	38
PID 1104 wrote to memory of 1004	1104	msiexece.exe	38
PID 1104 wrote to memory of 1004	1104	msiexece.exe	38
PID 1004 wrote to memory of 1328	1004	cmd.exe	40
PID 1004 wrote to memory of 1328	1004	cmd.exe	40
PID 1004 wrote to memory of 1328	1004	cmd.exe	40
PID 1004 wrote to memory of 1328	1004	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe
"C:\Users\Admin\AppData\Local\Temp\d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\SysWOW64\Wscript.exe
  Wscript.exe msiexece.vbs "C:\Users\Admin\AppData\Local\Temp\d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe" msiexece.exe TmDbgLog.dll TmDbgLog.dll.html
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Users\Admin\AppData\Local\Temp\msiexece.exe
    "C:\Users\Admin\AppData\Local\Temp\msiexece.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - \??\c:\windows\SysWOW64\cmd.exe
      c:\windows\system32\cmd.exe /c c:\windows\system32\schtasks.exe /delete /tn "msvvcss" /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1464
    - - \??\c:\windows\SysWOW64\schtasks.exe
        
        c:\windows\system32\schtasks.exe /delete /tn "msvvcss" /F
        5⤵
        
        PID:544
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\msiexece.exe >> NUL
      4⤵
      PID:588
  - - \??\c:\windows\SysWOW64\cmd.exe
      c:\windows\system32\cmd.exe /c c:\windows\system32\schtasks.exe /create /sc minute /mo 2 /tn "msvvcss" /tr "\"C:\ProgramData\msiexece.exe\"" /ru "system"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1004
    - - \??\c:\windows\SysWOW64\schtasks.exe
        
        c:\windows\system32\schtasks.exe /create /sc minute /mo 2 /tn "msvvcss" /tr "\"C:\ProgramData\msiexece.exe\"" /ru "system"
        5⤵
        Creates scheduled task(s)
        
        PID:1328

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2040

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x144
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TmDbgLog.dll

Filesize
3KB

MD5
c14bcdab18670eff2fa21445fe98ecf7

SHA1
8a6d58bc3809a2482075f6c768cb35e44e0bf36c

SHA256
e69f34005da6a59d437d2076233c3c0b4de42e3959a821498a5fc4303db6ed63

SHA512
926eea98fdb38d2bad6c18b96c556ec4de91cf83cfc84c18db784a3882c87fa41222a159e2306e1538dff234e010e2930001ee37bfaea7b916666da93704164b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmDbgLog.dll.html

Filesize
156KB

MD5
4e6d4ba0f6a23939592039bdfc804248

SHA1
14cb62db5d0861c9a0b0f091546a068df0cde0a6

SHA256
c02aed5f18961634b9e63d8c9c30feeab7c828632262c943a123ad8e2a271a0d

SHA512
51a46e9702b3d90e82e6eb3cae44c171fd89258978656404c9955f8ddee224e37b8ec7beab824ca4268d5f0d0bef434e0fc9fb5c6eadbaabcd0559a6fcf94165

Download Submit
C:\Users\Admin\AppData\Local\Temp\msiexece.exe

Filesize
382KB

MD5
86452f7f72e219adee8a21e9b512c090

SHA1
449497e2f7a247a236b4c22ff0cf71c4e7396bc9

SHA256
4ae061506627e7e7416d8f1e59161188106abe345606108143e773e9a82c8eef

SHA512
063f538d4cf1bf3c217271326e54c29c9f7e293489c236d721cc2f250a155ddabaf87fdc3b0a1bb352c2ccabbcac000275b0ced0938b497e9d214905809b4ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\msiexece.exe

Filesize
382KB

MD5
86452f7f72e219adee8a21e9b512c090

SHA1
449497e2f7a247a236b4c22ff0cf71c4e7396bc9

SHA256
4ae061506627e7e7416d8f1e59161188106abe345606108143e773e9a82c8eef

SHA512
063f538d4cf1bf3c217271326e54c29c9f7e293489c236d721cc2f250a155ddabaf87fdc3b0a1bb352c2ccabbcac000275b0ced0938b497e9d214905809b4ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\msiexece.vbs

Filesize
1KB

MD5
32728f66e363230d40416ab546a35302

SHA1
0ea80036ebfc245002e0cbe88a1d30404595d87c

SHA256
bae4131ff753c0d5c015c863c8af26669f274ab45a1b55e50778c03981040cb9

SHA512
0a7da994276397942b1e5a3d28b7234eb366cb5af1478eee7bea53d3f7762711b77113fdc1c23ec1d92c8ca0050803e6dbfbc93005671f5449bf4cc7304dbc8c

Download Submit
\Users\Admin\AppData\Local\Temp\TmDbgLog.dll

Filesize
3KB

MD5
c14bcdab18670eff2fa21445fe98ecf7

SHA1
8a6d58bc3809a2482075f6c768cb35e44e0bf36c

SHA256
e69f34005da6a59d437d2076233c3c0b4de42e3959a821498a5fc4303db6ed63

SHA512
926eea98fdb38d2bad6c18b96c556ec4de91cf83cfc84c18db784a3882c87fa41222a159e2306e1538dff234e010e2930001ee37bfaea7b916666da93704164b

Download Submit
\Users\Admin\AppData\Local\Temp\msiexece.exe

Filesize
382KB

MD5
86452f7f72e219adee8a21e9b512c090

SHA1
449497e2f7a247a236b4c22ff0cf71c4e7396bc9

SHA256
4ae061506627e7e7416d8f1e59161188106abe345606108143e773e9a82c8eef

SHA512
063f538d4cf1bf3c217271326e54c29c9f7e293489c236d721cc2f250a155ddabaf87fdc3b0a1bb352c2ccabbcac000275b0ced0938b497e9d214905809b4ac8

Download Submit
memory/1104-64-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/1104-71-0x0000000000390000-0x00000000003D1000-memory.dmp

Filesize
260KB

Download
memory/1612-56-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download
memory/2040-65-0x000007FEFBE51000-0x000007FEFBE53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads