plugx | f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220414-en
submitted
23-05-2022 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe
Size

318KB
MD5

550fc8a8f7696cecdbd07ca25dcd6cfa
SHA1

a4c39e8652379c0c0c380414c646c6a0c8b2bfbd
SHA256

f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7
SHA512

01d389bbf9f7b2dce7062a6f1019575c51236ca79e54579e3ecf0e0dd4abe3a2264292c123c913a62d3e87f97cf5c5b5691cbcd612be18202867263e1108ee4d

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 4 IoCs

resource	yara_rule
behavioral1/memory/2024-76-0x0000000000390000-0x00000000003C1000-memory.dmp	family_plugx
behavioral1/memory/1656-79-0x0000000000840000-0x0000000000871000-memory.dmp	family_plugx
behavioral1/memory/2012-80-0x0000000000200000-0x0000000000231000-memory.dmp	family_plugx
behavioral1/memory/1060-86-0x0000000000350000-0x0000000000381000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
1656	mcinsupd.exe
2024	mcinsupd.exe

Deletes itself 1 IoCs

pid	Process
2012	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
1480	f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe
1480	f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe
1480	f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe
1480	f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe
1656	mcinsupd.exe
2024	mcinsupd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 45004300360033003800440033004500320037003700310046004400340030000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	svchost.exe
2012	svchost.exe
2012	svchost.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
2012	svchost.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
2012	svchost.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
2012	svchost.exe
2012	svchost.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
2012	svchost.exe
2012	svchost.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
2012	svchost.exe
2012	svchost.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
2012	svchost.exe
2012	svchost.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
2012	svchost.exe
2012	svchost.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
2012	svchost.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe
1060	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	mcinsupd.exe
Token: SeTcbPrivilege	1656	mcinsupd.exe
Token: SeDebugPrivilege	2024	mcinsupd.exe
Token: SeTcbPrivilege	2024	mcinsupd.exe
Token: SeDebugPrivilege	2012	svchost.exe
Token: SeTcbPrivilege	2012	svchost.exe
Token: SeDebugPrivilege	1060	msiexec.exe
Token: SeTcbPrivilege	1060	msiexec.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1656	1480	f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe	26
PID 1480 wrote to memory of 1656	1480	f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe	26
PID 1480 wrote to memory of 1656	1480	f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe	26
PID 1480 wrote to memory of 1656	1480	f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe	26
PID 1480 wrote to memory of 1656	1480	f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe	26
PID 1480 wrote to memory of 1656	1480	f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe	26
PID 1480 wrote to memory of 1656	1480	f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe	26
PID 2024 wrote to memory of 2012	2024	mcinsupd.exe	28
PID 2024 wrote to memory of 2012	2024	mcinsupd.exe	28
PID 2024 wrote to memory of 2012	2024	mcinsupd.exe	28
PID 2024 wrote to memory of 2012	2024	mcinsupd.exe	28
PID 2024 wrote to memory of 2012	2024	mcinsupd.exe	28
PID 2024 wrote to memory of 2012	2024	mcinsupd.exe	28
PID 2024 wrote to memory of 2012	2024	mcinsupd.exe	28
PID 2024 wrote to memory of 2012	2024	mcinsupd.exe	28
PID 2024 wrote to memory of 2012	2024	mcinsupd.exe	28
PID 2012 wrote to memory of 1060	2012	svchost.exe	29
PID 2012 wrote to memory of 1060	2012	svchost.exe	29
PID 2012 wrote to memory of 1060	2012	svchost.exe	29
PID 2012 wrote to memory of 1060	2012	svchost.exe	29
PID 2012 wrote to memory of 1060	2012	svchost.exe	29
PID 2012 wrote to memory of 1060	2012	svchost.exe	29
PID 2012 wrote to memory of 1060	2012	svchost.exe	29
PID 2012 wrote to memory of 1060	2012	svchost.exe	29
PID 2012 wrote to memory of 1060	2012	svchost.exe	29
PID 2012 wrote to memory of 1060	2012	svchost.exe	29
PID 2012 wrote to memory of 1060	2012	svchost.exe	29
PID 2012 wrote to memory of 1060	2012	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe
"C:\Users\Admin\AppData\Local\Temp\f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcinsupd.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcinsupd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1656

C:\ProgramData\AVck\mcinsupd.exe
C:\ProgramData\AVck\mcinsupd.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Deletes itself
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 2012
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AVck\mcinsupd.exe

Filesize
187KB

MD5
53c1f090734129fbccc2693d6b4afa04

SHA1
a06110c5b8092581f7aab798eb96d1a0511cf419

SHA256
507d49186748dd83d808281743a17fca4b226883c410ec76eb305360cbc8c091

SHA512
59f264df8fca777056b02aebf5861350050868eb8443f9d7d6c9b26dd6fcd9f42f658885bff3187030b8bcaa3715bf7eed1890301fc50d548cf1dbb58a30636f

Download Submit
C:\ProgramData\AVck\mytilus3.dll

Filesize
52KB

MD5
5ecdc718db6bea5e2faa31eafcd7ac9f

SHA1
f2adb07161b7486d153393d8ecb5c0470de47ce7

SHA256
9b75226a5ef9a0c8686fe40c34786acf16fb78d5bc02e0122a51f93c0c395bbf

SHA512
dc836aaa09a6a745156f27d2ba43d7cc08c9a7b58b37422e34e641b6bb3001f654206ad4a188b1bfb25e4cfdd0991c5d9935ab54bb159fe1801c87abeae0b22f

Download Submit
C:\ProgramData\AVck\mytilus3.dll.obj

Filesize
121KB

MD5
d2b2513b6f223f33691367bfa9e2d09f

SHA1
1f1133ff1edc07347821c3dcc01e67db5d8faad9

SHA256
b6223ac144171d59234061ca54cb5e2fead4b0774df1b111996ea32ee337df7c

SHA512
9d765429b429da80b795998e0301307142cb9654524fa5bdc60f1f3495055902f400fb506601cfe62fd2381af0d73cd6f670bacea94fd63e6183a67c6282e50b

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
456B

MD5
c512960e78727103e247735fe32770a4

SHA1
a635bbab813ca40eb787aff5453a4e6f0f5f5ce5

SHA256
f1b487c246915170734a142ed78c54af18b083aa0d1b3acfa74d45d140ce9be5

SHA512
22067e94c0882ce3024e56dee283f7eed1cca0c841b61cfbf7e07e60a30fb82e42278f0c0c944316246a981818b289a3b94d1f7c7b724576429766200e4b1dbe

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
618B

MD5
8b56f9e427edec303039ed01ad2b352f

SHA1
4245967ffa8ae50a04dc274cabc90e7441e23bc8

SHA256
5ef9c5476118c7d8f7e94954dc33248388e02c788380e750258cb77cb20ed24c

SHA512
d132390418d8e6e40b6b3e6317b589d5f0eb211fd6191ac1c35a336d424af0bc5f5cd7f73d440a9ac58f195d462e7fb02ae0a140859e1001c08ff08834ad240a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcinsupd.exe

Filesize
187KB

MD5
53c1f090734129fbccc2693d6b4afa04

SHA1
a06110c5b8092581f7aab798eb96d1a0511cf419

SHA256
507d49186748dd83d808281743a17fca4b226883c410ec76eb305360cbc8c091

SHA512
59f264df8fca777056b02aebf5861350050868eb8443f9d7d6c9b26dd6fcd9f42f658885bff3187030b8bcaa3715bf7eed1890301fc50d548cf1dbb58a30636f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcinsupd.exe

Filesize
187KB

MD5
53c1f090734129fbccc2693d6b4afa04

SHA1
a06110c5b8092581f7aab798eb96d1a0511cf419

SHA256
507d49186748dd83d808281743a17fca4b226883c410ec76eb305360cbc8c091

SHA512
59f264df8fca777056b02aebf5861350050868eb8443f9d7d6c9b26dd6fcd9f42f658885bff3187030b8bcaa3715bf7eed1890301fc50d548cf1dbb58a30636f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mytilus3.dll

Filesize
52KB

MD5
5ecdc718db6bea5e2faa31eafcd7ac9f

SHA1
f2adb07161b7486d153393d8ecb5c0470de47ce7

SHA256
9b75226a5ef9a0c8686fe40c34786acf16fb78d5bc02e0122a51f93c0c395bbf

SHA512
dc836aaa09a6a745156f27d2ba43d7cc08c9a7b58b37422e34e641b6bb3001f654206ad4a188b1bfb25e4cfdd0991c5d9935ab54bb159fe1801c87abeae0b22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mytilus3.dll.obj

Filesize
121KB

MD5
d2b2513b6f223f33691367bfa9e2d09f

SHA1
1f1133ff1edc07347821c3dcc01e67db5d8faad9

SHA256
b6223ac144171d59234061ca54cb5e2fead4b0774df1b111996ea32ee337df7c

SHA512
9d765429b429da80b795998e0301307142cb9654524fa5bdc60f1f3495055902f400fb506601cfe62fd2381af0d73cd6f670bacea94fd63e6183a67c6282e50b

Download Submit
\ProgramData\AVck\mytilus3.dll

Filesize
52KB

MD5
5ecdc718db6bea5e2faa31eafcd7ac9f

SHA1
f2adb07161b7486d153393d8ecb5c0470de47ce7

SHA256
9b75226a5ef9a0c8686fe40c34786acf16fb78d5bc02e0122a51f93c0c395bbf

SHA512
dc836aaa09a6a745156f27d2ba43d7cc08c9a7b58b37422e34e641b6bb3001f654206ad4a188b1bfb25e4cfdd0991c5d9935ab54bb159fe1801c87abeae0b22f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mcinsupd.exe

Filesize
187KB

MD5
53c1f090734129fbccc2693d6b4afa04

SHA1
a06110c5b8092581f7aab798eb96d1a0511cf419

SHA256
507d49186748dd83d808281743a17fca4b226883c410ec76eb305360cbc8c091

SHA512
59f264df8fca777056b02aebf5861350050868eb8443f9d7d6c9b26dd6fcd9f42f658885bff3187030b8bcaa3715bf7eed1890301fc50d548cf1dbb58a30636f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mcinsupd.exe

Filesize
187KB

MD5
53c1f090734129fbccc2693d6b4afa04

SHA1
a06110c5b8092581f7aab798eb96d1a0511cf419

SHA256
507d49186748dd83d808281743a17fca4b226883c410ec76eb305360cbc8c091

SHA512
59f264df8fca777056b02aebf5861350050868eb8443f9d7d6c9b26dd6fcd9f42f658885bff3187030b8bcaa3715bf7eed1890301fc50d548cf1dbb58a30636f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mcinsupd.exe

Filesize
187KB

MD5
53c1f090734129fbccc2693d6b4afa04

SHA1
a06110c5b8092581f7aab798eb96d1a0511cf419

SHA256
507d49186748dd83d808281743a17fca4b226883c410ec76eb305360cbc8c091

SHA512
59f264df8fca777056b02aebf5861350050868eb8443f9d7d6c9b26dd6fcd9f42f658885bff3187030b8bcaa3715bf7eed1890301fc50d548cf1dbb58a30636f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mcinsupd.exe

Filesize
187KB

MD5
53c1f090734129fbccc2693d6b4afa04

SHA1
a06110c5b8092581f7aab798eb96d1a0511cf419

SHA256
507d49186748dd83d808281743a17fca4b226883c410ec76eb305360cbc8c091

SHA512
59f264df8fca777056b02aebf5861350050868eb8443f9d7d6c9b26dd6fcd9f42f658885bff3187030b8bcaa3715bf7eed1890301fc50d548cf1dbb58a30636f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mytilus3.dll

Filesize
52KB

MD5
5ecdc718db6bea5e2faa31eafcd7ac9f

SHA1
f2adb07161b7486d153393d8ecb5c0470de47ce7

SHA256
9b75226a5ef9a0c8686fe40c34786acf16fb78d5bc02e0122a51f93c0c395bbf

SHA512
dc836aaa09a6a745156f27d2ba43d7cc08c9a7b58b37422e34e641b6bb3001f654206ad4a188b1bfb25e4cfdd0991c5d9935ab54bb159fe1801c87abeae0b22f

Download Submit
memory/1060-86-0x0000000000350000-0x0000000000381000-memory.dmp

Filesize
196KB

Download
memory/1480-54-0x0000000075871000-0x0000000075873000-memory.dmp

Filesize
8KB

Download
memory/1656-79-0x0000000000840000-0x0000000000871000-memory.dmp

Filesize
196KB

Download
memory/1656-78-0x00000000008E0000-0x0000000000980000-memory.dmp

Filesize
640KB

Download
memory/2012-80-0x0000000000200000-0x0000000000231000-memory.dmp

Filesize
196KB

Download
memory/2012-71-0x00000000000E0000-0x00000000000FD000-memory.dmp

Filesize
116KB

Download
memory/2024-76-0x0000000000390000-0x00000000003C1000-memory.dmp

Filesize
196KB

Download
memory/2024-75-0x0000000000440000-0x0000000000540000-memory.dmp

Filesize
1024KB

Download