plugx | 65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a

Analysis

max time kernel
155s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe
Size

355KB
MD5

abd4c7bda60dc5c1fb301a9fa92cf3d8
SHA1

6966c2e9f5b3b3584c1c360f2a2d7df586c87483
SHA256

65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a
SHA512

588807d84852ec3b0706086faf7e74ed38d7dd6244eed927fea3674370c1954175011cbbc562fc66cdef4438eb2cae71df5f3e09a1410728d30fb704d43ab927

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4160-140-0x00000000021E0000-0x0000000002211000-memory.dmp	family_plugx
behavioral2/memory/3140-144-0x0000000000910000-0x0000000000941000-memory.dmp	family_plugx
behavioral2/memory/1172-145-0x0000000000E00000-0x0000000000E31000-memory.dmp	family_plugx
behavioral2/memory/3240-147-0x0000000002040000-0x0000000002071000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 2 IoCs

Processes:

mcvsmap.exemcvsmap.exe

pid process

4160 mcvsmap.exe
3140 mcvsmap.exe

pid	process
4160	mcvsmap.exe
3140	mcvsmap.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe

Loads dropped DLL 2 IoCs

Processes:

mcvsmap.exemcvsmap.exe

pid process

4160 mcvsmap.exe
3140 mcvsmap.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4160	mcvsmap.exe
3140	mcvsmap.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 45003300420036003100420042004100420038004400430033003400350032000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exemsiexec.exe

pid	process
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
1172	svchost.exe
1172	svchost.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
1172	svchost.exe
1172	svchost.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
1172	svchost.exe
1172	svchost.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
1172	svchost.exe
1172	svchost.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exemsiexec.exe

pid process

1172 svchost.exe
3240 msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

mcvsmap.exemcvsmap.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	4160	mcvsmap.exe
Token: SeTcbPrivilege	4160	mcvsmap.exe
Token: SeDebugPrivilege	3140	mcvsmap.exe
Token: SeTcbPrivilege	3140	mcvsmap.exe
Token: SeDebugPrivilege	1172	svchost.exe
Token: SeTcbPrivilege	1172	svchost.exe
Token: SeDebugPrivilege	3240	msiexec.exe
Token: SeTcbPrivilege	3240	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exemcvsmap.exesvchost.exe

description	pid	process	target process
PID 3976 wrote to memory of 4160	3976	65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe	mcvsmap.exe
PID 3976 wrote to memory of 4160	3976	65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe	mcvsmap.exe
PID 3976 wrote to memory of 4160	3976	65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe	mcvsmap.exe
PID 3140 wrote to memory of 1172	3140	mcvsmap.exe	svchost.exe
PID 3140 wrote to memory of 1172	3140	mcvsmap.exe	svchost.exe
PID 3140 wrote to memory of 1172	3140	mcvsmap.exe	svchost.exe
PID 3140 wrote to memory of 1172	3140	mcvsmap.exe	svchost.exe
PID 3140 wrote to memory of 1172	3140	mcvsmap.exe	svchost.exe
PID 3140 wrote to memory of 1172	3140	mcvsmap.exe	svchost.exe
PID 3140 wrote to memory of 1172	3140	mcvsmap.exe	svchost.exe
PID 3140 wrote to memory of 1172	3140	mcvsmap.exe	svchost.exe
PID 1172 wrote to memory of 3240	1172	svchost.exe	msiexec.exe
PID 1172 wrote to memory of 3240	1172	svchost.exe	msiexec.exe
PID 1172 wrote to memory of 3240	1172	svchost.exe	msiexec.exe
PID 1172 wrote to memory of 3240	1172	svchost.exe	msiexec.exe
PID 1172 wrote to memory of 3240	1172	svchost.exe	msiexec.exe
PID 1172 wrote to memory of 3240	1172	svchost.exe	msiexec.exe
PID 1172 wrote to memory of 3240	1172	svchost.exe	msiexec.exe
PID 1172 wrote to memory of 3240	1172	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe
"C:\Users\Admin\AppData\Local\Temp\65c0caba12186bf9b667549cc71f2cf0e3af2c9b86cd24361d3dfdc5e89d7b7a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3976

C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\ProgramData\VirusMap\mcvsmap.exe
C:\ProgramData\VirusMap\mcvsmap.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 1172
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\VirusMap\McUtil.DLL
Filesize
48KB

MD5
3561abca597f919b7419f06a62bf3787

SHA1
fbb80a448742541abe18769f33e25d95941a47e4

SHA256
b179ab672605057178fc323cef448245eabc747a88306a19be7fc17e9bdf1153

SHA512
402589f629e7cb5c560ee77a88f6fda183c2d3ac192dcde4246e8711dc81e63de7865ec025e2bd397e6b1655559df2d753ea5c636136d76755b8b5d0c2a62401

Download Submit
C:\ProgramData\VirusMap\McUtil.dll
Filesize
48KB

MD5
3561abca597f919b7419f06a62bf3787

SHA1
fbb80a448742541abe18769f33e25d95941a47e4

SHA256
b179ab672605057178fc323cef448245eabc747a88306a19be7fc17e9bdf1153

SHA512
402589f629e7cb5c560ee77a88f6fda183c2d3ac192dcde4246e8711dc81e63de7865ec025e2bd397e6b1655559df2d753ea5c636136d76755b8b5d0c2a62401

Download Submit
C:\ProgramData\VirusMap\McUtil.dll.PPT
Filesize
121KB

MD5
a260e0d8d8bbad23514af3d93aa73280

SHA1
397093ba8d6a1f16b7e61db7395614ea84aa89e4

SHA256
c38c6d3033b25d5cb72998f27101d50015a0796a7c068b46c18d55d317b06a17

SHA512
643b1162ee3622891ad9584aff20bf3bc28e6d989525d61ac2876d18e2a4d7c206fca216af3201596efaace066640e1c6ad2f39d0225418a0b42890cb14d9a92

Download Submit
C:\ProgramData\VirusMap\mcvsmap.exe
Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
C:\ProgramData\VirusMap\mcvsmap.exe
Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.DLL
Filesize
48KB

MD5
3561abca597f919b7419f06a62bf3787

SHA1
fbb80a448742541abe18769f33e25d95941a47e4

SHA256
b179ab672605057178fc323cef448245eabc747a88306a19be7fc17e9bdf1153

SHA512
402589f629e7cb5c560ee77a88f6fda183c2d3ac192dcde4246e8711dc81e63de7865ec025e2bd397e6b1655559df2d753ea5c636136d76755b8b5d0c2a62401

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll
Filesize
48KB

MD5
3561abca597f919b7419f06a62bf3787

SHA1
fbb80a448742541abe18769f33e25d95941a47e4

SHA256
b179ab672605057178fc323cef448245eabc747a88306a19be7fc17e9bdf1153

SHA512
402589f629e7cb5c560ee77a88f6fda183c2d3ac192dcde4246e8711dc81e63de7865ec025e2bd397e6b1655559df2d753ea5c636136d76755b8b5d0c2a62401

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll.PPT
Filesize
121KB

MD5
a260e0d8d8bbad23514af3d93aa73280

SHA1
397093ba8d6a1f16b7e61db7395614ea84aa89e4

SHA256
c38c6d3033b25d5cb72998f27101d50015a0796a7c068b46c18d55d317b06a17

SHA512
643b1162ee3622891ad9584aff20bf3bc28e6d989525d61ac2876d18e2a4d7c206fca216af3201596efaace066640e1c6ad2f39d0225418a0b42890cb14d9a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe
Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe
Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
memory/1172-143-0x0000000000000000-mapping.dmp

Download
memory/1172-145-0x0000000000E00000-0x0000000000E31000-memory.dmp

Filesize
196KB

Download
memory/3140-144-0x0000000000910000-0x0000000000941000-memory.dmp

Filesize
196KB

Download
memory/3240-146-0x0000000000000000-mapping.dmp

Download
memory/3240-147-0x0000000002040000-0x0000000002071000-memory.dmp

Filesize
196KB

Download
memory/4160-139-0x00000000020E0000-0x00000000021E0000-memory.dmp

Filesize
1024KB

Download
memory/4160-140-0x00000000021E0000-0x0000000002211000-memory.dmp

Filesize
196KB

Download
memory/4160-130-0x0000000000000000-mapping.dmp

Download