plugx | d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e

General

Target

d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe
Size

579KB
MD5

0bc6098d03c4faeb17dcf633f5de4652
SHA1

4c7912cfcab3fd03413110e7d428981aca5e0331
SHA256

d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e
SHA512

03a25ce05b3d112c2c3fcd5a67bd65b7f02c1a4abc2bf7203a8ea44d6fe5d1703b08da87ddde1ab7ca3f3283e31fd870d7a8dcace03ffb0067c99272bd1374be

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects Talisman variant of PlugX 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1104-71-0x0000000000390000-0x00000000003D1000-memory.dmp	family_plugx_talisman

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 1 IoCs

Processes:

msiexece.exe

pid process

1104 msiexece.exe
Deletes itself 1 IoCs

Processes:

Wscript.exe

pid process

1612 Wscript.exe
Loads dropped DLL 2 IoCs

Processes:

Wscript.exemsiexece.exe

pid process

1612 Wscript.exe
1104 msiexece.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1328 schtasks.exe

pid	process
1104	msiexece.exe

pid	process
1612	Wscript.exe

pid	process
1612	Wscript.exe
1104	msiexece.exe

pid	process
1328	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

AUDIODG.EXEmsiexece.exe

description	pid	process
Token: 33	1780	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1780	AUDIODG.EXE
Token: 33	1780	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1780	AUDIODG.EXE
Token: SeDebugPrivilege	1104	msiexece.exe
Token: SeTcbPrivilege	1104	msiexece.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe

pid	process
748	d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe
748	d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exeWscript.exemsiexece.execmd.execmd.exe

description	pid	process	target process
PID 748 wrote to memory of 1612	748	d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe	Wscript.exe
PID 748 wrote to memory of 1612	748	d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe	Wscript.exe
PID 748 wrote to memory of 1612	748	d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe	Wscript.exe
PID 748 wrote to memory of 1612	748	d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe	Wscript.exe
PID 1612 wrote to memory of 1104	1612	Wscript.exe	msiexece.exe
PID 1612 wrote to memory of 1104	1612	Wscript.exe	msiexece.exe
PID 1612 wrote to memory of 1104	1612	Wscript.exe	msiexece.exe
PID 1612 wrote to memory of 1104	1612	Wscript.exe	msiexece.exe
PID 1104 wrote to memory of 1464	1104	msiexece.exe	cmd.exe
PID 1104 wrote to memory of 1464	1104	msiexece.exe	cmd.exe
PID 1104 wrote to memory of 1464	1104	msiexece.exe	cmd.exe
PID 1104 wrote to memory of 1464	1104	msiexece.exe	cmd.exe
PID 1464 wrote to memory of 544	1464	cmd.exe	schtasks.exe
PID 1464 wrote to memory of 544	1464	cmd.exe	schtasks.exe
PID 1464 wrote to memory of 544	1464	cmd.exe	schtasks.exe
PID 1464 wrote to memory of 544	1464	cmd.exe	schtasks.exe
PID 1104 wrote to memory of 588	1104	msiexece.exe	cmd.exe
PID 1104 wrote to memory of 588	1104	msiexece.exe	cmd.exe
PID 1104 wrote to memory of 588	1104	msiexece.exe	cmd.exe
PID 1104 wrote to memory of 588	1104	msiexece.exe	cmd.exe
PID 1104 wrote to memory of 1004	1104	msiexece.exe	cmd.exe
PID 1104 wrote to memory of 1004	1104	msiexece.exe	cmd.exe
PID 1104 wrote to memory of 1004	1104	msiexece.exe	cmd.exe
PID 1104 wrote to memory of 1004	1104	msiexece.exe	cmd.exe
PID 1004 wrote to memory of 1328	1004	cmd.exe	schtasks.exe
PID 1004 wrote to memory of 1328	1004	cmd.exe	schtasks.exe
PID 1004 wrote to memory of 1328	1004	cmd.exe	schtasks.exe
PID 1004 wrote to memory of 1328	1004	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe
"C:\Users\Admin\AppData\Local\Temp\d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\Wscript.exe
Wscript.exe msiexece.vbs "C:\Users\Admin\AppData\Local\Temp\d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe" msiexece.exe TmDbgLog.dll TmDbgLog.dll.html
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\Temp\msiexece.exe
"C:\Users\Admin\AppData\Local\Temp\msiexece.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

\??\c:\windows\SysWOW64\cmd.exe
c:\windows\system32\cmd.exe /c c:\windows\system32\schtasks.exe /delete /tn "msvvcss" /F
4⤵
- Suspicious use of WriteProcessMemory
PID:1464

\??\c:\windows\SysWOW64\schtasks.exe
c:\windows\system32\schtasks.exe /delete /tn "msvvcss" /F
5⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\msiexece.exe >> NUL
4⤵
PID:588

\??\c:\windows\SysWOW64\cmd.exe
c:\windows\system32\cmd.exe /c c:\windows\system32\schtasks.exe /create /sc minute /mo 2 /tn "msvvcss" /tr "\"C:\ProgramData\msiexece.exe\"" /ru "system"
4⤵
- Suspicious use of WriteProcessMemory
PID:1004

\??\c:\windows\SysWOW64\schtasks.exe
c:\windows\system32\schtasks.exe /create /sc minute /mo 2 /tn "msvvcss" /tr "\"C:\ProgramData\msiexece.exe\"" /ru "system"
5⤵
- Creates scheduled task(s)
PID:1328

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2040

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x144
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1300

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TmDbgLog.dll
Filesize
3KB

MD5
c14bcdab18670eff2fa21445fe98ecf7

SHA1
8a6d58bc3809a2482075f6c768cb35e44e0bf36c

SHA256
e69f34005da6a59d437d2076233c3c0b4de42e3959a821498a5fc4303db6ed63

SHA512
926eea98fdb38d2bad6c18b96c556ec4de91cf83cfc84c18db784a3882c87fa41222a159e2306e1538dff234e010e2930001ee37bfaea7b916666da93704164b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmDbgLog.dll.html
Filesize
156KB

MD5
4e6d4ba0f6a23939592039bdfc804248

SHA1
14cb62db5d0861c9a0b0f091546a068df0cde0a6

SHA256
c02aed5f18961634b9e63d8c9c30feeab7c828632262c943a123ad8e2a271a0d

SHA512
51a46e9702b3d90e82e6eb3cae44c171fd89258978656404c9955f8ddee224e37b8ec7beab824ca4268d5f0d0bef434e0fc9fb5c6eadbaabcd0559a6fcf94165

Download Submit
C:\Users\Admin\AppData\Local\Temp\msiexece.exe
Filesize
382KB

MD5
86452f7f72e219adee8a21e9b512c090

SHA1
449497e2f7a247a236b4c22ff0cf71c4e7396bc9

SHA256
4ae061506627e7e7416d8f1e59161188106abe345606108143e773e9a82c8eef

SHA512
063f538d4cf1bf3c217271326e54c29c9f7e293489c236d721cc2f250a155ddabaf87fdc3b0a1bb352c2ccabbcac000275b0ced0938b497e9d214905809b4ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\msiexece.exe
Filesize
382KB

MD5
86452f7f72e219adee8a21e9b512c090

SHA1
449497e2f7a247a236b4c22ff0cf71c4e7396bc9

SHA256
4ae061506627e7e7416d8f1e59161188106abe345606108143e773e9a82c8eef

SHA512
063f538d4cf1bf3c217271326e54c29c9f7e293489c236d721cc2f250a155ddabaf87fdc3b0a1bb352c2ccabbcac000275b0ced0938b497e9d214905809b4ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\msiexece.vbs
Filesize
1KB

MD5
32728f66e363230d40416ab546a35302

SHA1
0ea80036ebfc245002e0cbe88a1d30404595d87c

SHA256
bae4131ff753c0d5c015c863c8af26669f274ab45a1b55e50778c03981040cb9

SHA512
0a7da994276397942b1e5a3d28b7234eb366cb5af1478eee7bea53d3f7762711b77113fdc1c23ec1d92c8ca0050803e6dbfbc93005671f5449bf4cc7304dbc8c

Download Submit
\Users\Admin\AppData\Local\Temp\TmDbgLog.dll
Filesize
3KB

MD5
c14bcdab18670eff2fa21445fe98ecf7

SHA1
8a6d58bc3809a2482075f6c768cb35e44e0bf36c

SHA256
e69f34005da6a59d437d2076233c3c0b4de42e3959a821498a5fc4303db6ed63

SHA512
926eea98fdb38d2bad6c18b96c556ec4de91cf83cfc84c18db784a3882c87fa41222a159e2306e1538dff234e010e2930001ee37bfaea7b916666da93704164b

Download Submit
\Users\Admin\AppData\Local\Temp\msiexece.exe
Filesize
382KB

MD5
86452f7f72e219adee8a21e9b512c090

SHA1
449497e2f7a247a236b4c22ff0cf71c4e7396bc9

SHA256
4ae061506627e7e7416d8f1e59161188106abe345606108143e773e9a82c8eef

SHA512
063f538d4cf1bf3c217271326e54c29c9f7e293489c236d721cc2f250a155ddabaf87fdc3b0a1bb352c2ccabbcac000275b0ced0938b497e9d214905809b4ac8

Download Submit
memory/544-68-0x0000000000000000-mapping.dmp

Download
memory/588-69-0x0000000000000000-mapping.dmp

Download
memory/1004-70-0x0000000000000000-mapping.dmp

Download
memory/1104-64-0x00000000000F0000-0x0000000000118000-memory.dmp

Filesize
160KB

Download
memory/1104-58-0x0000000000000000-mapping.dmp

Download
memory/1104-71-0x0000000000390000-0x00000000003D1000-memory.dmp

Filesize
260KB

Download
memory/1328-72-0x0000000000000000-mapping.dmp

Download
memory/1464-66-0x0000000000000000-mapping.dmp

Download
memory/1612-56-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download
memory/1612-54-0x0000000000000000-mapping.dmp

Download
memory/2040-65-0x000007FEFBE51000-0x000007FEFBE53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads