plugx | f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7

Analysis

max time kernel
154s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
23-05-2022 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe
Size

318KB
MD5

550fc8a8f7696cecdbd07ca25dcd6cfa
SHA1

a4c39e8652379c0c0c380414c646c6a0c8b2bfbd
SHA256

f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7
SHA512

01d389bbf9f7b2dce7062a6f1019575c51236ca79e54579e3ecf0e0dd4abe3a2264292c123c913a62d3e87f97cf5c5b5691cbcd612be18202867263e1108ee4d

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 4 IoCs

resource	yara_rule
behavioral2/memory/4976-143-0x0000000000DC0000-0x0000000000DF1000-memory.dmp	family_plugx
behavioral2/memory/3880-146-0x0000000002210000-0x0000000002241000-memory.dmp	family_plugx
behavioral2/memory/3292-147-0x0000000000570000-0x00000000005A1000-memory.dmp	family_plugx
behavioral2/memory/2836-149-0x00000000008E0000-0x0000000000911000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
3880	mcinsupd.exe
4976	mcinsupd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe

Loads dropped DLL 2 IoCs

pid	Process
3880	mcinsupd.exe
4976	mcinsupd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 46004100370032003200350045003200410033004600430041003100430042000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3292	svchost.exe
3292	svchost.exe
3292	svchost.exe
3292	svchost.exe
3292	svchost.exe
3292	svchost.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
3292	svchost.exe
3292	svchost.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
3292	svchost.exe
3292	svchost.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
3292	svchost.exe
3292	svchost.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
3292	svchost.exe
3292	svchost.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe
2836	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3292	svchost.exe
2836	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3880	mcinsupd.exe
Token: SeTcbPrivilege	3880	mcinsupd.exe
Token: SeDebugPrivilege	4976	mcinsupd.exe
Token: SeTcbPrivilege	4976	mcinsupd.exe
Token: SeDebugPrivilege	3292	svchost.exe
Token: SeTcbPrivilege	3292	svchost.exe
Token: SeDebugPrivilege	2836	msiexec.exe
Token: SeTcbPrivilege	2836	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 3880	1888	f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe	80
PID 1888 wrote to memory of 3880	1888	f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe	80
PID 1888 wrote to memory of 3880	1888	f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe	80
PID 4976 wrote to memory of 3292	4976	mcinsupd.exe	83
PID 4976 wrote to memory of 3292	4976	mcinsupd.exe	83
PID 4976 wrote to memory of 3292	4976	mcinsupd.exe	83
PID 4976 wrote to memory of 3292	4976	mcinsupd.exe	83
PID 4976 wrote to memory of 3292	4976	mcinsupd.exe	83
PID 4976 wrote to memory of 3292	4976	mcinsupd.exe	83
PID 4976 wrote to memory of 3292	4976	mcinsupd.exe	83
PID 4976 wrote to memory of 3292	4976	mcinsupd.exe	83
PID 3292 wrote to memory of 2836	3292	svchost.exe	84
PID 3292 wrote to memory of 2836	3292	svchost.exe	84
PID 3292 wrote to memory of 2836	3292	svchost.exe	84
PID 3292 wrote to memory of 2836	3292	svchost.exe	84
PID 3292 wrote to memory of 2836	3292	svchost.exe	84
PID 3292 wrote to memory of 2836	3292	svchost.exe	84
PID 3292 wrote to memory of 2836	3292	svchost.exe	84
PID 3292 wrote to memory of 2836	3292	svchost.exe	84

C:\Users\Admin\AppData\Local\Temp\f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe
"C:\Users\Admin\AppData\Local\Temp\f54b6b92b5264dc3346c777fcfa1d8d77b5712f4afb6724bb9187c5e570af1d7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcinsupd.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcinsupd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:3880

C:\ProgramData\AVck\mcinsupd.exe
C:\ProgramData\AVck\mcinsupd.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 3292
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AVck\mcinsupd.exe

Filesize
187KB

MD5
53c1f090734129fbccc2693d6b4afa04

SHA1
a06110c5b8092581f7aab798eb96d1a0511cf419

SHA256
507d49186748dd83d808281743a17fca4b226883c410ec76eb305360cbc8c091

SHA512
59f264df8fca777056b02aebf5861350050868eb8443f9d7d6c9b26dd6fcd9f42f658885bff3187030b8bcaa3715bf7eed1890301fc50d548cf1dbb58a30636f

Download Submit
C:\ProgramData\AVck\mcinsupd.exe

Filesize
187KB

MD5
53c1f090734129fbccc2693d6b4afa04

SHA1
a06110c5b8092581f7aab798eb96d1a0511cf419

SHA256
507d49186748dd83d808281743a17fca4b226883c410ec76eb305360cbc8c091

SHA512
59f264df8fca777056b02aebf5861350050868eb8443f9d7d6c9b26dd6fcd9f42f658885bff3187030b8bcaa3715bf7eed1890301fc50d548cf1dbb58a30636f

Download Submit
C:\ProgramData\AVck\mytilus3.dll

Filesize
52KB

MD5
5ecdc718db6bea5e2faa31eafcd7ac9f

SHA1
f2adb07161b7486d153393d8ecb5c0470de47ce7

SHA256
9b75226a5ef9a0c8686fe40c34786acf16fb78d5bc02e0122a51f93c0c395bbf

SHA512
dc836aaa09a6a745156f27d2ba43d7cc08c9a7b58b37422e34e641b6bb3001f654206ad4a188b1bfb25e4cfdd0991c5d9935ab54bb159fe1801c87abeae0b22f

Download Submit
C:\ProgramData\AVck\mytilus3.dll

Filesize
52KB

MD5
5ecdc718db6bea5e2faa31eafcd7ac9f

SHA1
f2adb07161b7486d153393d8ecb5c0470de47ce7

SHA256
9b75226a5ef9a0c8686fe40c34786acf16fb78d5bc02e0122a51f93c0c395bbf

SHA512
dc836aaa09a6a745156f27d2ba43d7cc08c9a7b58b37422e34e641b6bb3001f654206ad4a188b1bfb25e4cfdd0991c5d9935ab54bb159fe1801c87abeae0b22f

Download Submit
C:\ProgramData\AVck\mytilus3.dll.obj

Filesize
121KB

MD5
d2b2513b6f223f33691367bfa9e2d09f

SHA1
1f1133ff1edc07347821c3dcc01e67db5d8faad9

SHA256
b6223ac144171d59234061ca54cb5e2fead4b0774df1b111996ea32ee337df7c

SHA512
9d765429b429da80b795998e0301307142cb9654524fa5bdc60f1f3495055902f400fb506601cfe62fd2381af0d73cd6f670bacea94fd63e6183a67c6282e50b

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
456B

MD5
e11a035e7de16016474a051532eddb88

SHA1
2458fd520ff9e01c0097f339bf046da89f768153

SHA256
dbc697e5300759744d333194beab538a54997126aae30a8ceb7977b6fdaf7f82

SHA512
6b1c779e77c0fcd925d38df9346e7459e0378218b9ec98b1d77fd5e2c27d8e8cddc927bd95db78bcd0876469d2d53f896f0173f712b2925c104bc52d79879ac2

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
618B

MD5
dd61d3281788ccbc04f4f0bd5bb01812

SHA1
92c248a4628cf87c1dea94ca2ffcdd9e012fd636

SHA256
be984811af4fbcbc792debac85407559ba0e2f730a48e10351b0802f9feca4cd

SHA512
57df04e006ce0eec1587083cadd18b7035c5b2854c4cf994c783912be02d1a4eb345b35eda9a0f27cb8355ef9a31e0d0e23df855454b632d727ee2d0fd8f5253

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcinsupd.exe

Filesize
187KB

MD5
53c1f090734129fbccc2693d6b4afa04

SHA1
a06110c5b8092581f7aab798eb96d1a0511cf419

SHA256
507d49186748dd83d808281743a17fca4b226883c410ec76eb305360cbc8c091

SHA512
59f264df8fca777056b02aebf5861350050868eb8443f9d7d6c9b26dd6fcd9f42f658885bff3187030b8bcaa3715bf7eed1890301fc50d548cf1dbb58a30636f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcinsupd.exe

Filesize
187KB

MD5
53c1f090734129fbccc2693d6b4afa04

SHA1
a06110c5b8092581f7aab798eb96d1a0511cf419

SHA256
507d49186748dd83d808281743a17fca4b226883c410ec76eb305360cbc8c091

SHA512
59f264df8fca777056b02aebf5861350050868eb8443f9d7d6c9b26dd6fcd9f42f658885bff3187030b8bcaa3715bf7eed1890301fc50d548cf1dbb58a30636f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mytilus3.dll

Filesize
52KB

MD5
5ecdc718db6bea5e2faa31eafcd7ac9f

SHA1
f2adb07161b7486d153393d8ecb5c0470de47ce7

SHA256
9b75226a5ef9a0c8686fe40c34786acf16fb78d5bc02e0122a51f93c0c395bbf

SHA512
dc836aaa09a6a745156f27d2ba43d7cc08c9a7b58b37422e34e641b6bb3001f654206ad4a188b1bfb25e4cfdd0991c5d9935ab54bb159fe1801c87abeae0b22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mytilus3.dll

Filesize
52KB

MD5
5ecdc718db6bea5e2faa31eafcd7ac9f

SHA1
f2adb07161b7486d153393d8ecb5c0470de47ce7

SHA256
9b75226a5ef9a0c8686fe40c34786acf16fb78d5bc02e0122a51f93c0c395bbf

SHA512
dc836aaa09a6a745156f27d2ba43d7cc08c9a7b58b37422e34e641b6bb3001f654206ad4a188b1bfb25e4cfdd0991c5d9935ab54bb159fe1801c87abeae0b22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mytilus3.dll.obj

Filesize
121KB

MD5
d2b2513b6f223f33691367bfa9e2d09f

SHA1
1f1133ff1edc07347821c3dcc01e67db5d8faad9

SHA256
b6223ac144171d59234061ca54cb5e2fead4b0774df1b111996ea32ee337df7c

SHA512
9d765429b429da80b795998e0301307142cb9654524fa5bdc60f1f3495055902f400fb506601cfe62fd2381af0d73cd6f670bacea94fd63e6183a67c6282e50b

Download Submit
memory/2836-149-0x00000000008E0000-0x0000000000911000-memory.dmp

Filesize
196KB

Download
memory/3292-147-0x0000000000570000-0x00000000005A1000-memory.dmp

Filesize
196KB

Download
memory/3880-146-0x0000000002210000-0x0000000002241000-memory.dmp

Filesize
196KB

Download
memory/4976-143-0x0000000000DC0000-0x0000000000DF1000-memory.dmp

Filesize
196KB

Download
memory/4976-142-0x0000000000E50000-0x0000000000F50000-memory.dmp

Filesize
1024KB

Download