plugx | a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe
Size

278KB
MD5

84c87e1d260183863c6508c704e15042
SHA1

369b215c41f93f61d6b70046a89fe88da0c400ba
SHA256

a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132
SHA512

6d8d82fb82e3bc314da88cac44401cc0a193101b613d4b38f04eedbf8315ca97f71f303051d19d4773b74af5011bbed9320c8d213fc91c2e91e5b2cd016d3c31

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1944-143-0x0000000001470000-0x00000000014A1000-memory.dmp	family_plugx
behavioral2/memory/4920-146-0x00000000023E0000-0x0000000002411000-memory.dmp	family_plugx
behavioral2/memory/3356-147-0x0000000000A90000-0x0000000000AC1000-memory.dmp	family_plugx
behavioral2/memory/2956-150-0x0000000002250000-0x0000000002281000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 2 IoCs

Processes:

popwndexe.exepopwndexe.exe

pid process

4920 popwndexe.exe
1944 popwndexe.exe

pid	process
4920	popwndexe.exe
1944	popwndexe.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe

Loads dropped DLL 2 IoCs

Processes:

popwndexe.exepopwndexe.exe

pid process

4920 popwndexe.exe
1944 popwndexe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4920	popwndexe.exe
1944	popwndexe.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 39003600350033004600300039003100410042003800460035003000300038000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exemsiexec.exe

pid	process
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
3356	svchost.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
3356	svchost.exe
3356	svchost.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
3356	svchost.exe
3356	svchost.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
3356	svchost.exe
3356	svchost.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
3356	svchost.exe
3356	svchost.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe
2956	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exemsiexec.exe

pid process

3356 svchost.exe
2956 msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

popwndexe.exepopwndexe.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	4920	popwndexe.exe
Token: SeTcbPrivilege	4920	popwndexe.exe
Token: SeDebugPrivilege	1944	popwndexe.exe
Token: SeTcbPrivilege	1944	popwndexe.exe
Token: SeDebugPrivilege	3356	svchost.exe
Token: SeTcbPrivilege	3356	svchost.exe
Token: SeDebugPrivilege	2956	msiexec.exe
Token: SeTcbPrivilege	2956	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exepopwndexe.exesvchost.exe

description	pid	process	target process
PID 452 wrote to memory of 4920	452	a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe	popwndexe.exe
PID 452 wrote to memory of 4920	452	a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe	popwndexe.exe
PID 452 wrote to memory of 4920	452	a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe	popwndexe.exe
PID 1944 wrote to memory of 3356	1944	popwndexe.exe	svchost.exe
PID 1944 wrote to memory of 3356	1944	popwndexe.exe	svchost.exe
PID 1944 wrote to memory of 3356	1944	popwndexe.exe	svchost.exe
PID 1944 wrote to memory of 3356	1944	popwndexe.exe	svchost.exe
PID 1944 wrote to memory of 3356	1944	popwndexe.exe	svchost.exe
PID 1944 wrote to memory of 3356	1944	popwndexe.exe	svchost.exe
PID 1944 wrote to memory of 3356	1944	popwndexe.exe	svchost.exe
PID 1944 wrote to memory of 3356	1944	popwndexe.exe	svchost.exe
PID 3356 wrote to memory of 2956	3356	svchost.exe	msiexec.exe
PID 3356 wrote to memory of 2956	3356	svchost.exe	msiexec.exe
PID 3356 wrote to memory of 2956	3356	svchost.exe	msiexec.exe
PID 3356 wrote to memory of 2956	3356	svchost.exe	msiexec.exe
PID 3356 wrote to memory of 2956	3356	svchost.exe	msiexec.exe
PID 3356 wrote to memory of 2956	3356	svchost.exe	msiexec.exe
PID 3356 wrote to memory of 2956	3356	svchost.exe	msiexec.exe
PID 3356 wrote to memory of 2956	3356	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe
"C:\Users\Admin\AppData\Local\Temp\a42366527d1f0dca2613d2b7c2782b93bf45a1a4f050eb0c0d223f6234c4d132.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:452

C:\Users\Admin\AppData\Local\Temp\RarSFX0\popwndexe.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\popwndexe.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\ProgramData\AVck\popwndexe.exe
C:\ProgramData\AVck\popwndexe.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 3356
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AVck\popwndexe.exe
Filesize
120KB

MD5
967b7e1b6a3d2e90884e29f375b39580

SHA1
924a0c4b2fbff028fc134bafdf54dea269bccde2

SHA256
170ddd93d568563d24dad661e372cfd5d40f1d187c4e0456e194dfa229a2b695

SHA512
0cb14fd960a2cfb60da12371d56905e1f604fa98988dd0a5fd36bddd564ec6bdcfc2eebe4a05e15ffa82a7a8449ed413b49f51f4a4bf3d1b115b6b31dfb2cd95

Download Submit
C:\ProgramData\AVck\popwndexe.exe
Filesize
120KB

MD5
967b7e1b6a3d2e90884e29f375b39580

SHA1
924a0c4b2fbff028fc134bafdf54dea269bccde2

SHA256
170ddd93d568563d24dad661e372cfd5d40f1d187c4e0456e194dfa229a2b695

SHA512
0cb14fd960a2cfb60da12371d56905e1f604fa98988dd0a5fd36bddd564ec6bdcfc2eebe4a05e15ffa82a7a8449ed413b49f51f4a4bf3d1b115b6b31dfb2cd95

Download Submit
C:\ProgramData\AVck\rsdk.dll
Filesize
41KB

MD5
d408c852f4d7c684c4d2ad17676464e9

SHA1
3767704bbeb33019071d514bdf7c5ab6773aec65

SHA256
e91b3e9906754898b543f9c60adbb70fc80915823f9e56b5c79edb8e7fb7fd9f

SHA512
c2be1e2cf84e4bcd7157e8f8bdf0aaebb3962d661ba7360f93f5475199385106e7e8bc5c5a8dd5e162d30b0f45417ea72a924370fa9d0720581ccbcf5757bc5d

Download Submit
C:\ProgramData\AVck\rsdk.dll
Filesize
41KB

MD5
d408c852f4d7c684c4d2ad17676464e9

SHA1
3767704bbeb33019071d514bdf7c5ab6773aec65

SHA256
e91b3e9906754898b543f9c60adbb70fc80915823f9e56b5c79edb8e7fb7fd9f

SHA512
c2be1e2cf84e4bcd7157e8f8bdf0aaebb3962d661ba7360f93f5475199385106e7e8bc5c5a8dd5e162d30b0f45417ea72a924370fa9d0720581ccbcf5757bc5d

Download Submit
C:\ProgramData\AVck\rsdk.dll.cvs
Filesize
121KB

MD5
b809f1191c6c4bb26e522c31f52be30f

SHA1
dfda72fa903dd0162f9263dd686af55665605927

SHA256
4698be4c08f904f4966e90124e92f7e1018475355adb4fc0822c126f9e07fb45

SHA512
1e0799b920d95bb56e0ecd8cff29058cec8f0bfaf69049f8c4f8e57dfcdfbee5507df45764b3c85d6a709ef1c38f6a6694b4c0ad11938d61da6c96008e2ff5d0

Download Submit
C:\ProgramData\SxS\bug.log
Filesize
620B

MD5
cb61740d646791d518819295816fad2f

SHA1
8336331b2fbcc2b92bf40d02b184381af10841c9

SHA256
0c13f2d35a781e52302662f928d24a103b76c5485cd817a8d16cdc480e9cf8c7

SHA512
3a04835f355e0b757c5fe3ff6ac5786c355b5ac73665ca09c757c376d5d531984e2ebee9e0d347f690a6c9e8085863ac51f42e4f31e51d94362d886685594717

Download Submit
C:\ProgramData\SxS\bug.log
Filesize
782B

MD5
66c811491025eca6679e5084b827f7be

SHA1
df3468d724cf1164a35d034be1ecc881f00a5229

SHA256
7cae2d7cde2de6c22e70eb4aa19ad06dd97cc77152705b70aad8665378adec70

SHA512
2dd8c2b0246d433e4adcf04cd29e34ca71bb53af8172eddf2e1f6f288713d083f7e162bbd9567c715eb36f7d0d3b436d987dfbb12869ea100c4d3ad3612564f5

Download Submit
C:\ProgramData\SxS\bug.log
Filesize
1KB

MD5
78f2781045adf7c2c63234de231ced0e

SHA1
5a3f45c11693d6470794601efd5df31aae02db41

SHA256
a90406d4456672c476e3d921e30e603f6766a79f72d892a33197d675c60e229b

SHA512
dd5b8aff94e30b208d75af4130215091068176995911d35f2c22337be0df845e8df473e862d388089345e40c2ca4c41bdaf2130f4367ef25b89c93034ab8daf3

Download Submit
C:\ProgramData\SxS\bug.log
Filesize
1KB

MD5
b06c14450f18d8c89325780388c6b383

SHA1
e28c8d696d776eaf4094e2e3d7317fe0651e681c

SHA256
8acc1206399b3a6b4f7c64423dd562df6b93a3b9d3b4e7bbff0e0db5d05adee3

SHA512
528dee42e24a62b8623ed480b3e43a91b622ec3a9cdb48eea0b5cade108a1a5e00dfd28ac169d367f76dc9c4674ddfb1b412999fdc9c00048b4aa243118859bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\popwndexe.exe
Filesize
120KB

MD5
967b7e1b6a3d2e90884e29f375b39580

SHA1
924a0c4b2fbff028fc134bafdf54dea269bccde2

SHA256
170ddd93d568563d24dad661e372cfd5d40f1d187c4e0456e194dfa229a2b695

SHA512
0cb14fd960a2cfb60da12371d56905e1f604fa98988dd0a5fd36bddd564ec6bdcfc2eebe4a05e15ffa82a7a8449ed413b49f51f4a4bf3d1b115b6b31dfb2cd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\popwndexe.exe
Filesize
120KB

MD5
967b7e1b6a3d2e90884e29f375b39580

SHA1
924a0c4b2fbff028fc134bafdf54dea269bccde2

SHA256
170ddd93d568563d24dad661e372cfd5d40f1d187c4e0456e194dfa229a2b695

SHA512
0cb14fd960a2cfb60da12371d56905e1f604fa98988dd0a5fd36bddd564ec6bdcfc2eebe4a05e15ffa82a7a8449ed413b49f51f4a4bf3d1b115b6b31dfb2cd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rsdk.dll
Filesize
41KB

MD5
d408c852f4d7c684c4d2ad17676464e9

SHA1
3767704bbeb33019071d514bdf7c5ab6773aec65

SHA256
e91b3e9906754898b543f9c60adbb70fc80915823f9e56b5c79edb8e7fb7fd9f

SHA512
c2be1e2cf84e4bcd7157e8f8bdf0aaebb3962d661ba7360f93f5475199385106e7e8bc5c5a8dd5e162d30b0f45417ea72a924370fa9d0720581ccbcf5757bc5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rsdk.dll
Filesize
41KB

MD5
d408c852f4d7c684c4d2ad17676464e9

SHA1
3767704bbeb33019071d514bdf7c5ab6773aec65

SHA256
e91b3e9906754898b543f9c60adbb70fc80915823f9e56b5c79edb8e7fb7fd9f

SHA512
c2be1e2cf84e4bcd7157e8f8bdf0aaebb3962d661ba7360f93f5475199385106e7e8bc5c5a8dd5e162d30b0f45417ea72a924370fa9d0720581ccbcf5757bc5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rsdk.dll.cvs
Filesize
121KB

MD5
b809f1191c6c4bb26e522c31f52be30f

SHA1
dfda72fa903dd0162f9263dd686af55665605927

SHA256
4698be4c08f904f4966e90124e92f7e1018475355adb4fc0822c126f9e07fb45

SHA512
1e0799b920d95bb56e0ecd8cff29058cec8f0bfaf69049f8c4f8e57dfcdfbee5507df45764b3c85d6a709ef1c38f6a6694b4c0ad11938d61da6c96008e2ff5d0

Download Submit
memory/1944-143-0x0000000001470000-0x00000000014A1000-memory.dmp

Filesize
196KB

Download
memory/1944-142-0x00000000015C0000-0x00000000016C0000-memory.dmp

Filesize
1024KB

Download
memory/2956-150-0x0000000002250000-0x0000000002281000-memory.dmp

Filesize
196KB

Download
memory/2956-148-0x0000000000000000-mapping.dmp

Download
memory/3356-147-0x0000000000A90000-0x0000000000AC1000-memory.dmp

Filesize
196KB

Download
memory/3356-141-0x0000000000000000-mapping.dmp

Download
memory/4920-130-0x0000000000000000-mapping.dmp

Download
memory/4920-146-0x00000000023E0000-0x0000000002411000-memory.dmp

Filesize
196KB

Download