plugx | 90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84

Analysis

max time kernel
151s
max time network
158s
platform
windows7_x64
resource
win7-20220414-en
submitted
28-05-2022 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe
Size

225KB
MD5

c116cd083284cc599c024c3479ca9b70
SHA1

bf831962162a0446454e3e32d764cc0e5daafde0
SHA256

90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84
SHA512

d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 6 IoCs

resource	yara_rule
behavioral1/memory/1672-63-0x0000000000280000-0x00000000002B0000-memory.dmp	family_plugx
behavioral1/memory/2016-69-0x0000000000280000-0x00000000002B0000-memory.dmp	family_plugx
behavioral1/memory/1952-74-0x0000000000230000-0x0000000000260000-memory.dmp	family_plugx
behavioral1/memory/1092-79-0x00000000001E0000-0x0000000000210000-memory.dmp	family_plugx
behavioral1/memory/1952-80-0x0000000000230000-0x0000000000260000-memory.dmp	family_plugx
behavioral1/memory/1092-81-0x00000000001E0000-0x0000000000210000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
1672	Gadget.exe
2016	Gadget.exe

Deletes itself 1 IoCs

pid	Process
1952	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
1120	90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe
1672	Gadget.exe
2016	Gadget.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-b6-c0-c8-b0-28\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-b6-c0-c8-b0-28\WpadDecisionTime = a02c5c816372d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9092A2B3-0F44-457C-B506-B80E858A3180}\WpadDecisionTime = 40c7059d6372d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-b6-c0-c8-b0-28\WpadDecisionTime = 40c7059d6372d801	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9092A2B3-0F44-457C-B506-B80E858A3180}\WpadDecisionTime = 60f18a736372d801	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9092A2B3-0F44-457C-B506-B80E858A3180}\WpadNetworkName = "Network 3"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-b6-c0-c8-b0-28\WpadDetectedUrl	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9092A2B3-0F44-457C-B506-B80E858A3180}\WpadDecisionTime = 60ee4b886372d801	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9092A2B3-0F44-457C-B506-B80E858A3180}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9092A2B3-0F44-457C-B506-B80E858A3180}\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9092A2B3-0F44-457C-B506-B80E858A3180}\ae-b6-c0-c8-b0-28	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-b6-c0-c8-b0-28\WpadDecisionTime = 60ee4b886372d801	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9092A2B3-0F44-457C-B506-B80E858A3180}\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-b6-c0-c8-b0-28\WpadDecisionTime = 60f18a736372d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9092A2B3-0F44-457C-B506-B80E858A3180}\WpadDecisionTime = a02c5c816372d801	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-b6-c0-c8-b0-28	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-b6-c0-c8-b0-28\WpadDecisionReason = "1"	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 45003800360034003300380030004100390044004500380034003400390043000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1952	svchost.exe
1952	svchost.exe
1952	svchost.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1952	svchost.exe
1952	svchost.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1952	svchost.exe
1952	svchost.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1952	svchost.exe
1952	svchost.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1952	svchost.exe
1952	svchost.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1952	svchost.exe
1952	svchost.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1952	svchost.exe
1952	svchost.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1092	msiexec.exe
1952	svchost.exe
1952	svchost.exe
1092	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	Gadget.exe
Token: SeTcbPrivilege	1672	Gadget.exe
Token: SeDebugPrivilege	2016	Gadget.exe
Token: SeTcbPrivilege	2016	Gadget.exe
Token: SeDebugPrivilege	1952	svchost.exe
Token: SeTcbPrivilege	1952	svchost.exe
Token: SeDebugPrivilege	1092	msiexec.exe
Token: SeTcbPrivilege	1092	msiexec.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1672	1120	90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe	27
PID 1120 wrote to memory of 1672	1120	90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe	27
PID 1120 wrote to memory of 1672	1120	90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe	27
PID 1120 wrote to memory of 1672	1120	90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe	27
PID 2016 wrote to memory of 1952	2016	Gadget.exe	29
PID 2016 wrote to memory of 1952	2016	Gadget.exe	29
PID 2016 wrote to memory of 1952	2016	Gadget.exe	29
PID 2016 wrote to memory of 1952	2016	Gadget.exe	29
PID 2016 wrote to memory of 1952	2016	Gadget.exe	29
PID 2016 wrote to memory of 1952	2016	Gadget.exe	29
PID 2016 wrote to memory of 1952	2016	Gadget.exe	29
PID 2016 wrote to memory of 1952	2016	Gadget.exe	29
PID 2016 wrote to memory of 1952	2016	Gadget.exe	29
PID 1952 wrote to memory of 1092	1952	svchost.exe	30
PID 1952 wrote to memory of 1092	1952	svchost.exe	30
PID 1952 wrote to memory of 1092	1952	svchost.exe	30
PID 1952 wrote to memory of 1092	1952	svchost.exe	30
PID 1952 wrote to memory of 1092	1952	svchost.exe	30
PID 1952 wrote to memory of 1092	1952	svchost.exe	30
PID 1952 wrote to memory of 1092	1952	svchost.exe	30
PID 1952 wrote to memory of 1092	1952	svchost.exe	30
PID 1952 wrote to memory of 1092	1952	svchost.exe	30
PID 1952 wrote to memory of 1092	1952	svchost.exe	30
PID 1952 wrote to memory of 1092	1952	svchost.exe	30
PID 1952 wrote to memory of 1092	1952	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe
"C:\Users\Admin\AppData\Local\Temp\90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\Gadget.exe
  C:\Users\Admin\AppData\Local\Temp\\Gadget.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1672

C:\ProgramData\WS\Gadget.exe
C:\ProgramData\WS\Gadget.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Deletes itself
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1952
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WS\Gadget.exe

Filesize
25KB

MD5
6b97b3cd2fcfb4b74985143230441463

SHA1
8985c2394ed9a58c36f907962b0724fe66c204a6

SHA256
5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

SHA512
736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

Download Submit
C:\ProgramData\WS\SideBar.dll

Filesize
41KB

MD5
901fa02ffd43de5b2d7c8c6b8c2f6a43

SHA1
8bb71adf1c418061510c40240852c3cd61fb214c

SHA256
3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679

SHA512
6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

Download Submit
C:\ProgramData\WS\SideBar.dll.doc

Filesize
121KB

MD5
97c11e7d6b1926cd4be13804b36239ac

SHA1
b388b86a782ae14fee2a31bc7626a816c3eabc5a

SHA256
a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a

SHA512
8ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gadget.exe

Filesize
25KB

MD5
6b97b3cd2fcfb4b74985143230441463

SHA1
8985c2394ed9a58c36f907962b0724fe66c204a6

SHA256
5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

SHA512
736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gadget.exe

Filesize
25KB

MD5
6b97b3cd2fcfb4b74985143230441463

SHA1
8985c2394ed9a58c36f907962b0724fe66c204a6

SHA256
5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

SHA512
736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

Download Submit
C:\Users\Admin\AppData\Local\Temp\SideBar.dll

Filesize
41KB

MD5
901fa02ffd43de5b2d7c8c6b8c2f6a43

SHA1
8bb71adf1c418061510c40240852c3cd61fb214c

SHA256
3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679

SHA512
6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\SideBar.dll.doc

Filesize
121KB

MD5
97c11e7d6b1926cd4be13804b36239ac

SHA1
b388b86a782ae14fee2a31bc7626a816c3eabc5a

SHA256
a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a

SHA512
8ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121

Download Submit
\ProgramData\WS\SideBar.dll

Filesize
41KB

MD5
901fa02ffd43de5b2d7c8c6b8c2f6a43

SHA1
8bb71adf1c418061510c40240852c3cd61fb214c

SHA256
3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679

SHA512
6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

Download Submit
\Users\Admin\AppData\Local\Temp\Gadget.exe

Filesize
25KB

MD5
6b97b3cd2fcfb4b74985143230441463

SHA1
8985c2394ed9a58c36f907962b0724fe66c204a6

SHA256
5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

SHA512
736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

Download Submit
\Users\Admin\AppData\Local\Temp\Sidebar.dll

Filesize
41KB

MD5
901fa02ffd43de5b2d7c8c6b8c2f6a43

SHA1
8bb71adf1c418061510c40240852c3cd61fb214c

SHA256
3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679

SHA512
6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

Download Submit
memory/1092-81-0x00000000001E0000-0x0000000000210000-memory.dmp

Filesize
192KB

Download
memory/1092-79-0x00000000001E0000-0x0000000000210000-memory.dmp

Filesize
192KB

Download
memory/1672-60-0x00000000759E1000-0x00000000759E3000-memory.dmp

Filesize
8KB

Download
memory/1672-63-0x0000000000280000-0x00000000002B0000-memory.dmp

Filesize
192KB

Download
memory/1672-62-0x0000000000410000-0x0000000000510000-memory.dmp

Filesize
1024KB

Download
memory/1952-70-0x00000000000E0000-0x00000000000FD000-memory.dmp

Filesize
116KB

Download
memory/1952-74-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1952-80-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2016-69-0x0000000000280000-0x00000000002B0000-memory.dmp

Filesize
192KB

Download