plugx | 65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe
Size

355KB
MD5

abd4c7bda60dc5c1fb301a9fa92cf3d8
SHA1

6966c2e9f5b3b3584c1c360f2a2d7df586c87483
SHA256

65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a
SHA512

588807d84852ec3b0706086faf7e74ed38d7dd6244eed927fea3674370c1954175011cbbc562fc66cdef4438eb2cae71df5f3e09a1410728d30fb704d43ab927

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/972-71-0x0000000000330000-0x0000000000361000-memory.dmp	family_plugx
behavioral1/memory/1744-77-0x00000000002A0000-0x00000000002D1000-memory.dmp	family_plugx
behavioral1/memory/1316-79-0x0000000000230000-0x0000000000261000-memory.dmp	family_plugx
behavioral1/memory/1632-85-0x00000000002C0000-0x00000000002F1000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 2 IoCs

Processes:

mcvsmap.exemcvsmap.exe

pid process

972 mcvsmap.exe
1744 mcvsmap.exe
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1316 svchost.exe

pid	process
972	mcvsmap.exe
1744	mcvsmap.exe

Loads dropped DLL 6 IoCs

Processes:

65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exemcvsmap.exemcvsmap.exe

pid	process
1956	65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe
1956	65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe
1956	65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe
1956	65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe
972	mcvsmap.exe
1744	mcvsmap.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 14 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B10DAB59-8895-4277-AF97-B4B0CF2764BD}\WpadDecisionTime = d02977ec216fd801	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-7e-bd-7c-2f-46\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B10DAB59-8895-4277-AF97-B4B0CF2764BD}\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B10DAB59-8895-4277-AF97-B4B0CF2764BD}\WpadNetworkName = "Network 3"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-7e-bd-7c-2f-46	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-7e-bd-7c-2f-46\WpadDecisionTime = f014dfd3216fd801	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B10DAB59-8895-4277-AF97-B4B0CF2764BD}\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B10DAB59-8895-4277-AF97-B4B0CF2764BD}\WpadDecisionTime = f014dfd3216fd801	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-7e-bd-7c-2f-46\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-7e-bd-7c-2f-46\WpadDetectedUrl	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-7e-bd-7c-2f-46\WpadDecisionTime = d02977ec216fd801	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B10DAB59-8895-4277-AF97-B4B0CF2764BD}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B10DAB59-8895-4277-AF97-B4B0CF2764BD}\4e-7e-bd-7c-2f-46	svchost.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38003400460030004200370043003700330035004200390032003400350043000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exemsiexec.exe

pid	process
1316	svchost.exe
1316	svchost.exe
1316	svchost.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1316	svchost.exe
1316	svchost.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1316	svchost.exe
1316	svchost.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1316	svchost.exe
1316	svchost.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1316	svchost.exe
1316	svchost.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1316	svchost.exe
1316	svchost.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1316	svchost.exe
1316	svchost.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1632	msiexec.exe
1316	svchost.exe
1316	svchost.exe
1632	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

mcvsmap.exemcvsmap.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	972	mcvsmap.exe
Token: SeTcbPrivilege	972	mcvsmap.exe
Token: SeDebugPrivilege	1744	mcvsmap.exe
Token: SeTcbPrivilege	1744	mcvsmap.exe
Token: SeDebugPrivilege	1316	svchost.exe
Token: SeTcbPrivilege	1316	svchost.exe
Token: SeDebugPrivilege	1632	msiexec.exe
Token: SeTcbPrivilege	1632	msiexec.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exemcvsmap.exesvchost.exe

description	pid	process	target process
PID 1956 wrote to memory of 972	1956	65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe	mcvsmap.exe
PID 1956 wrote to memory of 972	1956	65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe	mcvsmap.exe
PID 1956 wrote to memory of 972	1956	65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe	mcvsmap.exe
PID 1956 wrote to memory of 972	1956	65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe	mcvsmap.exe
PID 1956 wrote to memory of 972	1956	65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe	mcvsmap.exe
PID 1956 wrote to memory of 972	1956	65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe	mcvsmap.exe
PID 1956 wrote to memory of 972	1956	65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe	mcvsmap.exe
PID 1744 wrote to memory of 1316	1744	mcvsmap.exe	svchost.exe
PID 1744 wrote to memory of 1316	1744	mcvsmap.exe	svchost.exe
PID 1744 wrote to memory of 1316	1744	mcvsmap.exe	svchost.exe
PID 1744 wrote to memory of 1316	1744	mcvsmap.exe	svchost.exe
PID 1744 wrote to memory of 1316	1744	mcvsmap.exe	svchost.exe
PID 1744 wrote to memory of 1316	1744	mcvsmap.exe	svchost.exe
PID 1744 wrote to memory of 1316	1744	mcvsmap.exe	svchost.exe
PID 1744 wrote to memory of 1316	1744	mcvsmap.exe	svchost.exe
PID 1744 wrote to memory of 1316	1744	mcvsmap.exe	svchost.exe
PID 1316 wrote to memory of 1632	1316	svchost.exe	msiexec.exe
PID 1316 wrote to memory of 1632	1316	svchost.exe	msiexec.exe
PID 1316 wrote to memory of 1632	1316	svchost.exe	msiexec.exe
PID 1316 wrote to memory of 1632	1316	svchost.exe	msiexec.exe
PID 1316 wrote to memory of 1632	1316	svchost.exe	msiexec.exe
PID 1316 wrote to memory of 1632	1316	svchost.exe	msiexec.exe
PID 1316 wrote to memory of 1632	1316	svchost.exe	msiexec.exe
PID 1316 wrote to memory of 1632	1316	svchost.exe	msiexec.exe
PID 1316 wrote to memory of 1632	1316	svchost.exe	msiexec.exe
PID 1316 wrote to memory of 1632	1316	svchost.exe	msiexec.exe
PID 1316 wrote to memory of 1632	1316	svchost.exe	msiexec.exe
PID 1316 wrote to memory of 1632	1316	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe
"C:\Users\Admin\AppData\Local\Temp\65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\ProgramData\VirusMap\mcvsmap.exe
C:\ProgramData\VirusMap\mcvsmap.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
2⤵
- Deletes itself
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 1316
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\bug.log
Filesize
456B

MD5
e9b1536ddb99e2027e67d571d171a139

SHA1
9c6668ffc0ce84f7d86c2fa967c18cd8a8b8c247

SHA256
721aa45799304c810732ceaa5c849d6f8a97305dccc8a429843f960103251c98

SHA512
1967ecd38451b85f4156501c7fee10ef2576e37a48c70f275c48fc3c924ee069e67cfd05705b4d6ffa8588a6d965cc2555227552c53c70e0bafe89026d8baad6

Download Submit
C:\ProgramData\SxS\bug.log
Filesize
618B

MD5
5d5acca0b5e9203a08918455e0e8f19d

SHA1
acd8e26d42ef95121514be1debfebb42fe9e8a1e

SHA256
f6a019d2b626b3179b103bc656e7cb435a643159a86c59fd1628fee44ac9798e

SHA512
a0510fb5fb43988d4811862b2ab205ed00a7716f90a5efe625aed413b69497aada36145a7465b24527ddc7caaadbcdabfa9e3be697fee43e30514427825315f9

Download Submit
C:\ProgramData\VirusMap\McUtil.dll
Filesize
48KB

MD5
3561abca597f919b7419f06a62bf3787

SHA1
fbb80a448742541abe18769f33e25d95941a47e4

SHA256
b179ab672605057178fc323cef448245eabc747a88306a19be7fc17e9bdf1153

SHA512
402589f629e7cb5c560ee77a88f6fda183c2d3ac192dcde4246e8711dc81e63de7865ec025e2bd397e6b1655559df2d753ea5c636136d76755b8b5d0c2a62401

Download Submit
C:\ProgramData\VirusMap\McUtil.dll.PPT
Filesize
121KB

MD5
a260e0d8d8bbad23514af3d93aa73280

SHA1
397093ba8d6a1f16b7e61db7395614ea84aa89e4

SHA256
c38c6d3033b25d5cb72998f27101d50015a0796a7c068b46c18d55d317b06a17

SHA512
643b1162ee3622891ad9584aff20bf3bc28e6d989525d61ac2876d18e2a4d7c206fca216af3201596efaace066640e1c6ad2f39d0225418a0b42890cb14d9a92

Download Submit
C:\ProgramData\VirusMap\mcvsmap.exe
Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll
Filesize
48KB

MD5
3561abca597f919b7419f06a62bf3787

SHA1
fbb80a448742541abe18769f33e25d95941a47e4

SHA256
b179ab672605057178fc323cef448245eabc747a88306a19be7fc17e9bdf1153

SHA512
402589f629e7cb5c560ee77a88f6fda183c2d3ac192dcde4246e8711dc81e63de7865ec025e2bd397e6b1655559df2d753ea5c636136d76755b8b5d0c2a62401

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll.PPT
Filesize
121KB

MD5
a260e0d8d8bbad23514af3d93aa73280

SHA1
397093ba8d6a1f16b7e61db7395614ea84aa89e4

SHA256
c38c6d3033b25d5cb72998f27101d50015a0796a7c068b46c18d55d317b06a17

SHA512
643b1162ee3622891ad9584aff20bf3bc28e6d989525d61ac2876d18e2a4d7c206fca216af3201596efaace066640e1c6ad2f39d0225418a0b42890cb14d9a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe
Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe
Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
\ProgramData\VirusMap\McUtil.DLL
Filesize
48KB

MD5
3561abca597f919b7419f06a62bf3787

SHA1
fbb80a448742541abe18769f33e25d95941a47e4

SHA256
b179ab672605057178fc323cef448245eabc747a88306a19be7fc17e9bdf1153

SHA512
402589f629e7cb5c560ee77a88f6fda183c2d3ac192dcde4246e8711dc81e63de7865ec025e2bd397e6b1655559df2d753ea5c636136d76755b8b5d0c2a62401

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.DLL
Filesize
48KB

MD5
3561abca597f919b7419f06a62bf3787

SHA1
fbb80a448742541abe18769f33e25d95941a47e4

SHA256
b179ab672605057178fc323cef448245eabc747a88306a19be7fc17e9bdf1153

SHA512
402589f629e7cb5c560ee77a88f6fda183c2d3ac192dcde4246e8711dc81e63de7865ec025e2bd397e6b1655559df2d753ea5c636136d76755b8b5d0c2a62401

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe
Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe
Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe
Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe
Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
memory/972-70-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/972-71-0x0000000000330000-0x0000000000361000-memory.dmp

Filesize
196KB

Download
memory/972-59-0x0000000000000000-mapping.dmp

Download
memory/1316-73-0x00000000000E0000-0x00000000000FD000-memory.dmp

Filesize
116KB

Download
memory/1316-75-0x0000000000000000-mapping.dmp

Download
memory/1316-79-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download
memory/1632-83-0x0000000000000000-mapping.dmp

Download
memory/1632-85-0x00000000002C0000-0x00000000002F1000-memory.dmp

Filesize
196KB

Download
memory/1744-77-0x00000000002A0000-0x00000000002D1000-memory.dmp

Filesize
196KB

Download
memory/1956-54-0x0000000075DB1000-0x0000000075DB3000-memory.dmp

Filesize
8KB

Download