plugx | 90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
28/05/2022, 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe
Size

225KB
MD5

c116cd083284cc599c024c3479ca9b70
SHA1

bf831962162a0446454e3e32d764cc0e5daafde0
SHA256

90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84
SHA512

d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 6 IoCs

resource	yara_rule
behavioral2/memory/5004-141-0x0000000000580000-0x00000000005B0000-memory.dmp	family_plugx
behavioral2/memory/5032-144-0x00000000007A0000-0x00000000007D0000-memory.dmp	family_plugx
behavioral2/memory/1288-145-0x0000000001820000-0x0000000001850000-memory.dmp	family_plugx
behavioral2/memory/4328-147-0x0000000002B40000-0x0000000002B70000-memory.dmp	family_plugx
behavioral2/memory/1288-148-0x0000000001820000-0x0000000001850000-memory.dmp	family_plugx
behavioral2/memory/4328-149-0x0000000002B40000-0x0000000002B70000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
5004	Gadget.exe
5032	Gadget.exe

Loads dropped DLL 2 IoCs

pid	Process
5004	Gadget.exe
5032	Gadget.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 36003300410034003800430034003700410036003200430044003500410038000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1288	svchost.exe
1288	svchost.exe
1288	svchost.exe
1288	svchost.exe
1288	svchost.exe
1288	svchost.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
1288	svchost.exe
1288	svchost.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
1288	svchost.exe
1288	svchost.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
1288	svchost.exe
1288	svchost.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
1288	svchost.exe
1288	svchost.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe
4328	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1288	svchost.exe
4328	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	5004	Gadget.exe
Token: SeTcbPrivilege	5004	Gadget.exe
Token: SeDebugPrivilege	5032	Gadget.exe
Token: SeTcbPrivilege	5032	Gadget.exe
Token: SeDebugPrivilege	1288	svchost.exe
Token: SeTcbPrivilege	1288	svchost.exe
Token: SeDebugPrivilege	4328	msiexec.exe
Token: SeTcbPrivilege	4328	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 5004	936	90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe	79
PID 936 wrote to memory of 5004	936	90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe	79
PID 936 wrote to memory of 5004	936	90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe	79
PID 5032 wrote to memory of 1288	5032	Gadget.exe	81
PID 5032 wrote to memory of 1288	5032	Gadget.exe	81
PID 5032 wrote to memory of 1288	5032	Gadget.exe	81
PID 5032 wrote to memory of 1288	5032	Gadget.exe	81
PID 5032 wrote to memory of 1288	5032	Gadget.exe	81
PID 5032 wrote to memory of 1288	5032	Gadget.exe	81
PID 5032 wrote to memory of 1288	5032	Gadget.exe	81
PID 5032 wrote to memory of 1288	5032	Gadget.exe	81
PID 1288 wrote to memory of 4328	1288	svchost.exe	82
PID 1288 wrote to memory of 4328	1288	svchost.exe	82
PID 1288 wrote to memory of 4328	1288	svchost.exe	82
PID 1288 wrote to memory of 4328	1288	svchost.exe	82
PID 1288 wrote to memory of 4328	1288	svchost.exe	82
PID 1288 wrote to memory of 4328	1288	svchost.exe	82
PID 1288 wrote to memory of 4328	1288	svchost.exe	82
PID 1288 wrote to memory of 4328	1288	svchost.exe	82

C:\Users\Admin\AppData\Local\Temp\90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe
"C:\Users\Admin\AppData\Local\Temp\90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\AppData\Local\Temp\Gadget.exe
  C:\Users\Admin\AppData\Local\Temp\\Gadget.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:5004

C:\ProgramData\WS\Gadget.exe
C:\ProgramData\WS\Gadget.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1288
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WS\Gadget.exe

Filesize
25KB

MD5
6b97b3cd2fcfb4b74985143230441463

SHA1
8985c2394ed9a58c36f907962b0724fe66c204a6

SHA256
5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

SHA512
736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

Download Submit
C:\ProgramData\WS\Gadget.exe

Filesize
25KB

MD5
6b97b3cd2fcfb4b74985143230441463

SHA1
8985c2394ed9a58c36f907962b0724fe66c204a6

SHA256
5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

SHA512
736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

Download Submit
C:\ProgramData\WS\SideBar.dll

Filesize
41KB

MD5
901fa02ffd43de5b2d7c8c6b8c2f6a43

SHA1
8bb71adf1c418061510c40240852c3cd61fb214c

SHA256
3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679

SHA512
6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

Download Submit
C:\ProgramData\WS\SideBar.dll

Filesize
41KB

MD5
901fa02ffd43de5b2d7c8c6b8c2f6a43

SHA1
8bb71adf1c418061510c40240852c3cd61fb214c

SHA256
3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679

SHA512
6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

Download Submit
C:\ProgramData\WS\SideBar.dll.doc

Filesize
121KB

MD5
97c11e7d6b1926cd4be13804b36239ac

SHA1
b388b86a782ae14fee2a31bc7626a816c3eabc5a

SHA256
a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a

SHA512
8ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gadget.exe

Filesize
25KB

MD5
6b97b3cd2fcfb4b74985143230441463

SHA1
8985c2394ed9a58c36f907962b0724fe66c204a6

SHA256
5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

SHA512
736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gadget.exe

Filesize
25KB

MD5
6b97b3cd2fcfb4b74985143230441463

SHA1
8985c2394ed9a58c36f907962b0724fe66c204a6

SHA256
5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

SHA512
736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

Download Submit
C:\Users\Admin\AppData\Local\Temp\SideBar.dll

Filesize
41KB

MD5
901fa02ffd43de5b2d7c8c6b8c2f6a43

SHA1
8bb71adf1c418061510c40240852c3cd61fb214c

SHA256
3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679

SHA512
6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\SideBar.dll.doc

Filesize
121KB

MD5
97c11e7d6b1926cd4be13804b36239ac

SHA1
b388b86a782ae14fee2a31bc7626a816c3eabc5a

SHA256
a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a

SHA512
8ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sidebar.dll

Filesize
41KB

MD5
901fa02ffd43de5b2d7c8c6b8c2f6a43

SHA1
8bb71adf1c418061510c40240852c3cd61fb214c

SHA256
3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679

SHA512
6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

Download Submit
memory/1288-145-0x0000000001820000-0x0000000001850000-memory.dmp

Filesize
192KB

Download
memory/1288-148-0x0000000001820000-0x0000000001850000-memory.dmp

Filesize
192KB

Download
memory/4328-147-0x0000000002B40000-0x0000000002B70000-memory.dmp

Filesize
192KB

Download
memory/4328-149-0x0000000002B40000-0x0000000002B70000-memory.dmp

Filesize
192KB

Download
memory/5004-141-0x0000000000580000-0x00000000005B0000-memory.dmp

Filesize
192KB

Download
memory/5004-140-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/5032-144-0x00000000007A0000-0x00000000007D0000-memory.dmp

Filesize
192KB

Download