plugx | a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132

Analysis

max time kernel
151s
max time network
157s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe
Size

278KB
MD5

84c87e1d260183863c6508c704e15042
SHA1

369b215c41f93f61d6b70046a89fe88da0c400ba
SHA256

a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132
SHA512

6d8d82fb82e3bc314da88cac44401cc0a193101b613d4b38f04eedbf8315ca97f71f303051d19d4773b74af5011bbed9320c8d213fc91c2e91e5b2cd016d3c31

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 4 IoCs

resource	yara_rule
behavioral1/memory/1324-67-0x00000000008F0000-0x0000000000921000-memory.dmp	family_plugx
behavioral1/memory/2012-77-0x00000000001F0000-0x0000000000221000-memory.dmp	family_plugx
behavioral1/memory/1984-79-0x0000000000220000-0x0000000000251000-memory.dmp	family_plugx
behavioral1/memory/1392-86-0x0000000000250000-0x0000000000281000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
1324	popwndexe.exe
2012	popwndexe.exe

Deletes itself 1 IoCs

pid	Process
1984	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
1880	a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe
1880	a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe
1880	a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe
1880	a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe
1324	popwndexe.exe
2012	popwndexe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 42004500430038003300450046003900420036003300320043003600320031000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1984	svchost.exe
1984	svchost.exe
1984	svchost.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1984	svchost.exe
1984	svchost.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1984	svchost.exe
1984	svchost.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1984	svchost.exe
1984	svchost.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1984	svchost.exe
1984	svchost.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1984	svchost.exe
1984	svchost.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1984	svchost.exe
1984	svchost.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1984	svchost.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1392	msiexec.exe
1984	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	popwndexe.exe
Token: SeTcbPrivilege	1324	popwndexe.exe
Token: SeDebugPrivilege	2012	popwndexe.exe
Token: SeTcbPrivilege	2012	popwndexe.exe
Token: SeDebugPrivilege	1984	svchost.exe
Token: SeTcbPrivilege	1984	svchost.exe
Token: SeDebugPrivilege	1392	msiexec.exe
Token: SeTcbPrivilege	1392	msiexec.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1324	1880	a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe	27
PID 1880 wrote to memory of 1324	1880	a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe	27
PID 1880 wrote to memory of 1324	1880	a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe	27
PID 1880 wrote to memory of 1324	1880	a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe	27
PID 1880 wrote to memory of 1324	1880	a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe	27
PID 1880 wrote to memory of 1324	1880	a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe	27
PID 1880 wrote to memory of 1324	1880	a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe	27
PID 2012 wrote to memory of 1984	2012	popwndexe.exe	29
PID 2012 wrote to memory of 1984	2012	popwndexe.exe	29
PID 2012 wrote to memory of 1984	2012	popwndexe.exe	29
PID 2012 wrote to memory of 1984	2012	popwndexe.exe	29
PID 2012 wrote to memory of 1984	2012	popwndexe.exe	29
PID 2012 wrote to memory of 1984	2012	popwndexe.exe	29
PID 2012 wrote to memory of 1984	2012	popwndexe.exe	29
PID 2012 wrote to memory of 1984	2012	popwndexe.exe	29
PID 2012 wrote to memory of 1984	2012	popwndexe.exe	29
PID 1984 wrote to memory of 1392	1984	svchost.exe	30
PID 1984 wrote to memory of 1392	1984	svchost.exe	30
PID 1984 wrote to memory of 1392	1984	svchost.exe	30
PID 1984 wrote to memory of 1392	1984	svchost.exe	30
PID 1984 wrote to memory of 1392	1984	svchost.exe	30
PID 1984 wrote to memory of 1392	1984	svchost.exe	30
PID 1984 wrote to memory of 1392	1984	svchost.exe	30
PID 1984 wrote to memory of 1392	1984	svchost.exe	30
PID 1984 wrote to memory of 1392	1984	svchost.exe	30
PID 1984 wrote to memory of 1392	1984	svchost.exe	30
PID 1984 wrote to memory of 1392	1984	svchost.exe	30
PID 1984 wrote to memory of 1392	1984	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe
"C:\Users\Admin\AppData\Local\Temp\a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\popwndexe.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\popwndexe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1324

C:\ProgramData\AVck\popwndexe.exe
C:\ProgramData\AVck\popwndexe.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Deletes itself
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1984
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AVck\popwndexe.exe

Filesize
120KB

MD5
967b7e1b6a3d2e90884e29f375b39580

SHA1
924a0c4b2fbff028fc134bafdf54dea269bccde2

SHA256
170ddd93d568563d24dad661e372cfd5d40f1d187c4e0456e194dfa229a2b695

SHA512
0cb14fd960a2cfb60da12371d56905e1f604fa98988dd0a5fd36bddd564ec6bdcfc2eebe4a05e15ffa82a7a8449ed413b49f51f4a4bf3d1b115b6b31dfb2cd95

Download Submit
C:\ProgramData\AVck\rsdk.dll

Filesize
41KB

MD5
d408c852f4d7c684c4d2ad17676464e9

SHA1
3767704bbeb33019071d514bdf7c5ab6773aec65

SHA256
e91b3e9906754898b543f9c60adbb70fc80915823f9e56b5c79edb8e7fb7fd9f

SHA512
c2be1e2cf84e4bcd7157e8f8bdf0aaebb3962d661ba7360f93f5475199385106e7e8bc5c5a8dd5e162d30b0f45417ea72a924370fa9d0720581ccbcf5757bc5d

Download Submit
C:\ProgramData\AVck\rsdk.dll.cvs

Filesize
121KB

MD5
b809f1191c6c4bb26e522c31f52be30f

SHA1
dfda72fa903dd0162f9263dd686af55665605927

SHA256
4698be4c08f904f4966e90124e92f7e1018475355adb4fc0822c126f9e07fb45

SHA512
1e0799b920d95bb56e0ecd8cff29058cec8f0bfaf69049f8c4f8e57dfcdfbee5507df45764b3c85d6a709ef1c38f6a6694b4c0ad11938d61da6c96008e2ff5d0

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
620B

MD5
c03ff124565d572d4e602980992aab61

SHA1
c56ccb74e030d8156e767e3cb90dcb2843cf82c3

SHA256
b7fbd87eb5f42f03d74f4e7d00c8354b29e162d55004c28b11ccbdfdd61618cc

SHA512
c7f324c6772e1d1117acea05727362389975e00813fcce32522fa37af93d3463865a3fb44a4c0c1e1b2d1e557e129bc52512ec2b808ab1f5e2f1cf4d70b246aa

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
782B

MD5
6d7be65eb3e681028e4a9a6e21e6c4f7

SHA1
e5235e891a962f70a153252878fff4975902c5b7

SHA256
31eefabeabcb64524fd325ad10c5babff5129178dbdb9f99dd64dcbd3ec33938

SHA512
f96c896688a6c9d03bf46daf3d1694735a24e0360708f08ad59a311fbe4c98f98edcf730e3bfe150f0d35e6e784d67774be27b436281ee9b82bca864379ce4cf

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
1KB

MD5
6f84d928bbea4b5fa3b1c41e7e3197c9

SHA1
686e2e8dd87a964cfcba438aca16301bfbb9d591

SHA256
7916422980ac8de8650ddbc8e3dbde1b8a521b0b2d9543e161694aba8e425dea

SHA512
d8c534875d3991cb75392608870dee0d4632bda2cb15221cf370635746361ba7298c3dbc733c7ba0c8206090bc671e289d8a550fc3f8d716d591036e7771a022

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
1KB

MD5
46bc9d9daa3c7d90d97949397731f148

SHA1
bda1d574cbe5c65225dbd6ef3f89ae99888938d9

SHA256
22f6863a400da0681a420b9a09bdb229bc0323a0d00cc20dc762ad76db96f495

SHA512
0063127ec18d8b5693e44f37fa4e3aeabc8d2831945b4a898850c08a5af3bc572508207036e819b405aeefbee7875f7608be935ad0dd8a003c50c9d9b2a7dd4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\popwndexe.exe

Filesize
120KB

MD5
967b7e1b6a3d2e90884e29f375b39580

SHA1
924a0c4b2fbff028fc134bafdf54dea269bccde2

SHA256
170ddd93d568563d24dad661e372cfd5d40f1d187c4e0456e194dfa229a2b695

SHA512
0cb14fd960a2cfb60da12371d56905e1f604fa98988dd0a5fd36bddd564ec6bdcfc2eebe4a05e15ffa82a7a8449ed413b49f51f4a4bf3d1b115b6b31dfb2cd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\popwndexe.exe

Filesize
120KB

MD5
967b7e1b6a3d2e90884e29f375b39580

SHA1
924a0c4b2fbff028fc134bafdf54dea269bccde2

SHA256
170ddd93d568563d24dad661e372cfd5d40f1d187c4e0456e194dfa229a2b695

SHA512
0cb14fd960a2cfb60da12371d56905e1f604fa98988dd0a5fd36bddd564ec6bdcfc2eebe4a05e15ffa82a7a8449ed413b49f51f4a4bf3d1b115b6b31dfb2cd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rsdk.dll

Filesize
41KB

MD5
d408c852f4d7c684c4d2ad17676464e9

SHA1
3767704bbeb33019071d514bdf7c5ab6773aec65

SHA256
e91b3e9906754898b543f9c60adbb70fc80915823f9e56b5c79edb8e7fb7fd9f

SHA512
c2be1e2cf84e4bcd7157e8f8bdf0aaebb3962d661ba7360f93f5475199385106e7e8bc5c5a8dd5e162d30b0f45417ea72a924370fa9d0720581ccbcf5757bc5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rsdk.dll.cvs

Filesize
121KB

MD5
b809f1191c6c4bb26e522c31f52be30f

SHA1
dfda72fa903dd0162f9263dd686af55665605927

SHA256
4698be4c08f904f4966e90124e92f7e1018475355adb4fc0822c126f9e07fb45

SHA512
1e0799b920d95bb56e0ecd8cff29058cec8f0bfaf69049f8c4f8e57dfcdfbee5507df45764b3c85d6a709ef1c38f6a6694b4c0ad11938d61da6c96008e2ff5d0

Download Submit
\ProgramData\AVck\rsdk.dll

Filesize
41KB

MD5
d408c852f4d7c684c4d2ad17676464e9

SHA1
3767704bbeb33019071d514bdf7c5ab6773aec65

SHA256
e91b3e9906754898b543f9c60adbb70fc80915823f9e56b5c79edb8e7fb7fd9f

SHA512
c2be1e2cf84e4bcd7157e8f8bdf0aaebb3962d661ba7360f93f5475199385106e7e8bc5c5a8dd5e162d30b0f45417ea72a924370fa9d0720581ccbcf5757bc5d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\popwndexe.exe

Filesize
120KB

MD5
967b7e1b6a3d2e90884e29f375b39580

SHA1
924a0c4b2fbff028fc134bafdf54dea269bccde2

SHA256
170ddd93d568563d24dad661e372cfd5d40f1d187c4e0456e194dfa229a2b695

SHA512
0cb14fd960a2cfb60da12371d56905e1f604fa98988dd0a5fd36bddd564ec6bdcfc2eebe4a05e15ffa82a7a8449ed413b49f51f4a4bf3d1b115b6b31dfb2cd95

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\popwndexe.exe

Filesize
120KB

MD5
967b7e1b6a3d2e90884e29f375b39580

SHA1
924a0c4b2fbff028fc134bafdf54dea269bccde2

SHA256
170ddd93d568563d24dad661e372cfd5d40f1d187c4e0456e194dfa229a2b695

SHA512
0cb14fd960a2cfb60da12371d56905e1f604fa98988dd0a5fd36bddd564ec6bdcfc2eebe4a05e15ffa82a7a8449ed413b49f51f4a4bf3d1b115b6b31dfb2cd95

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\popwndexe.exe

Filesize
120KB

MD5
967b7e1b6a3d2e90884e29f375b39580

SHA1
924a0c4b2fbff028fc134bafdf54dea269bccde2

SHA256
170ddd93d568563d24dad661e372cfd5d40f1d187c4e0456e194dfa229a2b695

SHA512
0cb14fd960a2cfb60da12371d56905e1f604fa98988dd0a5fd36bddd564ec6bdcfc2eebe4a05e15ffa82a7a8449ed413b49f51f4a4bf3d1b115b6b31dfb2cd95

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\popwndexe.exe

Filesize
120KB

MD5
967b7e1b6a3d2e90884e29f375b39580

SHA1
924a0c4b2fbff028fc134bafdf54dea269bccde2

SHA256
170ddd93d568563d24dad661e372cfd5d40f1d187c4e0456e194dfa229a2b695

SHA512
0cb14fd960a2cfb60da12371d56905e1f604fa98988dd0a5fd36bddd564ec6bdcfc2eebe4a05e15ffa82a7a8449ed413b49f51f4a4bf3d1b115b6b31dfb2cd95

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rsdk.dll

Filesize
41KB

MD5
d408c852f4d7c684c4d2ad17676464e9

SHA1
3767704bbeb33019071d514bdf7c5ab6773aec65

SHA256
e91b3e9906754898b543f9c60adbb70fc80915823f9e56b5c79edb8e7fb7fd9f

SHA512
c2be1e2cf84e4bcd7157e8f8bdf0aaebb3962d661ba7360f93f5475199385106e7e8bc5c5a8dd5e162d30b0f45417ea72a924370fa9d0720581ccbcf5757bc5d

Download Submit
memory/1324-66-0x0000000001DA0000-0x0000000001EA0000-memory.dmp

Filesize
1024KB

Download
memory/1324-67-0x00000000008F0000-0x0000000000921000-memory.dmp

Filesize
196KB

Download
memory/1392-86-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/1880-54-0x0000000075A61000-0x0000000075A63000-memory.dmp

Filesize
8KB

Download
memory/1984-73-0x0000000000120000-0x000000000013D000-memory.dmp

Filesize
116KB

Download
memory/1984-79-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2012-77-0x00000000001F0000-0x0000000000221000-memory.dmp

Filesize
196KB

Download