plugx | 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe
Size

263KB
MD5

582fb65add01ce95d827b96006a3ff42
SHA1

d8931a791f8ef3d4015aec2bffa47808e28877b5
SHA256

4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01
SHA512

6e2194abfba98c6723040b9d4e801a8d4e75cc8449d408638fa80edfa11865cad9d01b768c21919ed863f3e7f97d258930ccbbf6acbc0e65c730ead79f5c7141

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4564-137-0x0000000001FA0000-0x0000000001FD0000-memory.dmp	family_plugx
behavioral2/memory/4580-148-0x0000000000E40000-0x0000000000E70000-memory.dmp	family_plugx
behavioral2/memory/4476-150-0x00000000006E0000-0x0000000000710000-memory.dmp	family_plugx
behavioral2/memory/488-151-0x0000000000ED0000-0x0000000000F00000-memory.dmp	family_plugx
behavioral2/memory/4760-153-0x0000000000750000-0x0000000000780000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 3 IoCs

Processes:

Nv.exeNv.exeNv.exe

pid process

4564 Nv.exe
4476 Nv.exe
4580 Nv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe

Loads dropped DLL 3 IoCs

Processes:

Nv.exeNv.exeNv.exe

pid process

4564 Nv.exe
4476 Nv.exe
4580 Nv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 17 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 31004100420044003000350030003200410032004500350044004600440042000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Nv.exesvchost.exemsiexec.exe

pid	process
4564	Nv.exe
4564	Nv.exe
488	svchost.exe
488	svchost.exe
488	svchost.exe
488	svchost.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
488	svchost.exe
488	svchost.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
488	svchost.exe
488	svchost.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
488	svchost.exe
488	svchost.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
488	svchost.exe
488	svchost.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe
4760	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exemsiexec.exe

pid process

488 svchost.exe
4760 msiexec.exe

pid	process
488	svchost.exe
4760	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

Nv.exeNv.exeNv.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	4564	Nv.exe
Token: SeTcbPrivilege	4564	Nv.exe
Token: SeDebugPrivilege	4476	Nv.exe
Token: SeTcbPrivilege	4476	Nv.exe
Token: SeDebugPrivilege	4580	Nv.exe
Token: SeTcbPrivilege	4580	Nv.exe
Token: SeDebugPrivilege	488	svchost.exe
Token: SeTcbPrivilege	488	svchost.exe
Token: SeDebugPrivilege	4760	msiexec.exe
Token: SeTcbPrivilege	4760	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exeNv.exesvchost.exe

description	pid	process	target process
PID 4628 wrote to memory of 4564	4628	4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe	Nv.exe
PID 4628 wrote to memory of 4564	4628	4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe	Nv.exe
PID 4628 wrote to memory of 4564	4628	4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe	Nv.exe
PID 4580 wrote to memory of 488	4580	Nv.exe	svchost.exe
PID 4580 wrote to memory of 488	4580	Nv.exe	svchost.exe
PID 4580 wrote to memory of 488	4580	Nv.exe	svchost.exe
PID 4580 wrote to memory of 488	4580	Nv.exe	svchost.exe
PID 4580 wrote to memory of 488	4580	Nv.exe	svchost.exe
PID 4580 wrote to memory of 488	4580	Nv.exe	svchost.exe
PID 4580 wrote to memory of 488	4580	Nv.exe	svchost.exe
PID 4580 wrote to memory of 488	4580	Nv.exe	svchost.exe
PID 488 wrote to memory of 4760	488	svchost.exe	msiexec.exe
PID 488 wrote to memory of 4760	488	svchost.exe	msiexec.exe
PID 488 wrote to memory of 4760	488	svchost.exe	msiexec.exe
PID 488 wrote to memory of 4760	488	svchost.exe	msiexec.exe
PID 488 wrote to memory of 4760	488	svchost.exe	msiexec.exe
PID 488 wrote to memory of 4760	488	svchost.exe	msiexec.exe
PID 488 wrote to memory of 4760	488	svchost.exe	msiexec.exe
PID 488 wrote to memory of 4760	488	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe
"C:\Users\Admin\AppData\Local\Temp\4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4628

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\ProgramData\SxS\Nv.exe
"C:\ProgramData\SxS\Nv.exe" 100 4564
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\ProgramData\SxS\Nv.exe
"C:\ProgramData\SxS\Nv.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
2⤵
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:488

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 488
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\Nv.exe
Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\SxS\Nv.exe
Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\SxS\Nv.exe
Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\SxS\Nv.mp3
Filesize
120KB

MD5
e1e6d954482a108020c8e471bd0790e4

SHA1
138def3945437e9d81902f00b1119795140ae8bf

SHA256
9f5663bdcd5217b16597a53c763359c63d867202df572f23493d54a1c082c954

SHA512
7573eba59791c978c45e5af1abd70c3a7d454e6fe1de9962f737679e8ddf5e9694d548bb8f0bbc4ffc236921a984f97bc1d11b0b0f239b25bb4253f88e2862e5

Download Submit
C:\ProgramData\SxS\NvSmartMax.dll
Filesize
41KB

MD5
92b5a067fc1866b933eade6ebd4e1564

SHA1
91c38bb2d1993dde1068550e42580c4d2993a5c1

SHA256
632341931e3fe5eb85693c088bc3aaefffe9e5a64131af8fd214e66b247079c6

SHA512
3f7e2a85db7503196ceb84605758caef87162d8935be0c909afcd45b388605ca85c76e9b134b08e158f8cfaf23b65d27969fa907ba7aeeecc988ac94cb0bb691

Download Submit
C:\ProgramData\SxS\NvSmartMax.dll
Filesize
41KB

MD5
92b5a067fc1866b933eade6ebd4e1564

SHA1
91c38bb2d1993dde1068550e42580c4d2993a5c1

SHA256
632341931e3fe5eb85693c088bc3aaefffe9e5a64131af8fd214e66b247079c6

SHA512
3f7e2a85db7503196ceb84605758caef87162d8935be0c909afcd45b388605ca85c76e9b134b08e158f8cfaf23b65d27969fa907ba7aeeecc988ac94cb0bb691

Download Submit
C:\ProgramData\SxS\NvSmartMax.dll
Filesize
41KB

MD5
92b5a067fc1866b933eade6ebd4e1564

SHA1
91c38bb2d1993dde1068550e42580c4d2993a5c1

SHA256
632341931e3fe5eb85693c088bc3aaefffe9e5a64131af8fd214e66b247079c6

SHA512
3f7e2a85db7503196ceb84605758caef87162d8935be0c909afcd45b388605ca85c76e9b134b08e158f8cfaf23b65d27969fa907ba7aeeecc988ac94cb0bb691

Download Submit
C:\ProgramData\SxS\bug.log
Filesize
622B

MD5
ffaabfc118251d40d6ce604accba1287

SHA1
68236c9e83665730a033e5daaff096294b382a7c

SHA256
700c6e09ac4e09fad5c1adaa2416dbdba0ff276e9944cda447e529276e6c838b

SHA512
b7216388b4443c7561f6700b9606fa52261ef196cf1514603b11e50c648d6da19177667e54047df94ea229c245021c0ede331574590717566fe80655b5da5605

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.mp3
Filesize
120KB

MD5
e1e6d954482a108020c8e471bd0790e4

SHA1
138def3945437e9d81902f00b1119795140ae8bf

SHA256
9f5663bdcd5217b16597a53c763359c63d867202df572f23493d54a1c082c954

SHA512
7573eba59791c978c45e5af1abd70c3a7d454e6fe1de9962f737679e8ddf5e9694d548bb8f0bbc4ffc236921a984f97bc1d11b0b0f239b25bb4253f88e2862e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
Filesize
41KB

MD5
92b5a067fc1866b933eade6ebd4e1564

SHA1
91c38bb2d1993dde1068550e42580c4d2993a5c1

SHA256
632341931e3fe5eb85693c088bc3aaefffe9e5a64131af8fd214e66b247079c6

SHA512
3f7e2a85db7503196ceb84605758caef87162d8935be0c909afcd45b388605ca85c76e9b134b08e158f8cfaf23b65d27969fa907ba7aeeecc988ac94cb0bb691

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
Filesize
41KB

MD5
92b5a067fc1866b933eade6ebd4e1564

SHA1
91c38bb2d1993dde1068550e42580c4d2993a5c1

SHA256
632341931e3fe5eb85693c088bc3aaefffe9e5a64131af8fd214e66b247079c6

SHA512
3f7e2a85db7503196ceb84605758caef87162d8935be0c909afcd45b388605ca85c76e9b134b08e158f8cfaf23b65d27969fa907ba7aeeecc988ac94cb0bb691

Download Submit
memory/488-147-0x0000000000000000-mapping.dmp

Download
memory/488-151-0x0000000000ED0000-0x0000000000F00000-memory.dmp

Filesize
192KB

Download
memory/4476-150-0x00000000006E0000-0x0000000000710000-memory.dmp

Filesize
192KB

Download
memory/4564-137-0x0000000001FA0000-0x0000000001FD0000-memory.dmp

Filesize
192KB

Download
memory/4564-136-0x0000000002110000-0x0000000002210000-memory.dmp

Filesize
1024KB

Download
memory/4564-130-0x0000000000000000-mapping.dmp

Download
memory/4580-148-0x0000000000E40000-0x0000000000E70000-memory.dmp

Filesize
192KB

Download
memory/4760-152-0x0000000000000000-mapping.dmp

Download
memory/4760-153-0x0000000000750000-0x0000000000780000-memory.dmp

Filesize
192KB

Download