plugx | 66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967

Analysis

max time kernel
151s
max time network
182s
platform
windows7_x64
resource
win7-20220414-en
submitted
28-05-2022 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967.dll
Size

228KB
MD5

3c74a85c2cf883bd9d4b9f8b9746030f
SHA1

40541a03e910b21df681bec69cfe59678ebba86c
SHA256

66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967
SHA512

15ab0c68e1dc8f5dc87231942f008228fe658ce221efe0ba90dfbfedea7e9cf401cac37098674a1d7cd489c97d061b847f09b86c24453575e2d46d4d9326e29c

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 6 IoCs

resource	yara_rule
behavioral1/memory/1336-69-0x0000000000280000-0x00000000002B0000-memory.dmp	family_plugx
behavioral1/memory/2044-80-0x0000000000440000-0x0000000000470000-memory.dmp	family_plugx
behavioral1/memory/568-81-0x0000000000200000-0x0000000000230000-memory.dmp	family_plugx
behavioral1/memory/1980-86-0x00000000008D0000-0x0000000000900000-memory.dmp	family_plugx
behavioral1/memory/568-87-0x0000000000200000-0x0000000000230000-memory.dmp	family_plugx
behavioral1/memory/1980-88-0x00000000008D0000-0x0000000000900000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
904	5BB8.tmp
1336	Gadget.exe
2044	Gadget.exe

Loads dropped DLL 5 IoCs

pid	Process
1008	rundll32.exe
1008	rundll32.exe
904	5BB8.tmp
1336	Gadget.exe
2044	Gadget.exe

Modifies data under HKEY_USERS 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F01AEAEC-EBE0-4244-A339-7F4A81A39B70}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-fa-e1-da-f9-89	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-fa-e1-da-f9-89\WpadDecisionTime = 605fcfb16372d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-fa-e1-da-f9-89\WpadDecisionTime = 4059c2c66372d801	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F01AEAEC-EBE0-4244-A339-7F4A81A39B70}\aa-fa-e1-da-f9-89	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-fa-e1-da-f9-89\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-fa-e1-da-f9-89\WpadDetectedUrl	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F01AEAEC-EBE0-4244-A339-7F4A81A39B70}\WpadDecisionTime = 605fcfb16372d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F01AEAEC-EBE0-4244-A339-7F4A81A39B70}\WpadDecisionTime = 4059c2c66372d801	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F01AEAEC-EBE0-4244-A339-7F4A81A39B70}\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F01AEAEC-EBE0-4244-A339-7F4A81A39B70}\WpadDecisionTime = a07ed09c6372d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-fa-e1-da-f9-89\WpadDecisionTime = a07ed09c6372d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F01AEAEC-EBE0-4244-A339-7F4A81A39B70}\WpadDecisionTime = e0cfc7aa6372d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F01AEAEC-EBE0-4244-A339-7F4A81A39B70}\WpadDecisionTime = 2040cec66372d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-fa-e1-da-f9-89\WpadDecisionTime = 2040cec66372d801	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F01AEAEC-EBE0-4244-A339-7F4A81A39B70}\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F01AEAEC-EBE0-4244-A339-7F4A81A39B70}\WpadNetworkName = "Network 3"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-fa-e1-da-f9-89\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-fa-e1-da-f9-89\WpadDecisionTime = e0cfc7aa6372d801	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 42004500340038004100440030004200430032004100340041003600430034000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
568	svchost.exe
568	svchost.exe
568	svchost.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
568	svchost.exe
568	svchost.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
568	svchost.exe
568	svchost.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
568	svchost.exe
568	svchost.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
568	svchost.exe
568	svchost.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
568	svchost.exe
568	svchost.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
568	svchost.exe
568	svchost.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
1980	msiexec.exe
568	svchost.exe
568	svchost.exe
1980	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1336	Gadget.exe
Token: SeTcbPrivilege	1336	Gadget.exe
Token: SeDebugPrivilege	2044	Gadget.exe
Token: SeTcbPrivilege	2044	Gadget.exe
Token: SeDebugPrivilege	568	svchost.exe
Token: SeTcbPrivilege	568	svchost.exe
Token: SeDebugPrivilege	1980	msiexec.exe
Token: SeTcbPrivilege	1980	msiexec.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1008	1904	rundll32.exe	27
PID 1904 wrote to memory of 1008	1904	rundll32.exe	27
PID 1904 wrote to memory of 1008	1904	rundll32.exe	27
PID 1904 wrote to memory of 1008	1904	rundll32.exe	27
PID 1904 wrote to memory of 1008	1904	rundll32.exe	27
PID 1904 wrote to memory of 1008	1904	rundll32.exe	27
PID 1904 wrote to memory of 1008	1904	rundll32.exe	27
PID 1008 wrote to memory of 904	1008	rundll32.exe	28
PID 1008 wrote to memory of 904	1008	rundll32.exe	28
PID 1008 wrote to memory of 904	1008	rundll32.exe	28
PID 1008 wrote to memory of 904	1008	rundll32.exe	28
PID 904 wrote to memory of 1336	904	5BB8.tmp	29
PID 904 wrote to memory of 1336	904	5BB8.tmp	29
PID 904 wrote to memory of 1336	904	5BB8.tmp	29
PID 904 wrote to memory of 1336	904	5BB8.tmp	29
PID 2044 wrote to memory of 568	2044	Gadget.exe	31
PID 2044 wrote to memory of 568	2044	Gadget.exe	31
PID 2044 wrote to memory of 568	2044	Gadget.exe	31
PID 2044 wrote to memory of 568	2044	Gadget.exe	31
PID 2044 wrote to memory of 568	2044	Gadget.exe	31
PID 2044 wrote to memory of 568	2044	Gadget.exe	31
PID 2044 wrote to memory of 568	2044	Gadget.exe	31
PID 2044 wrote to memory of 568	2044	Gadget.exe	31
PID 2044 wrote to memory of 568	2044	Gadget.exe	31
PID 568 wrote to memory of 1980	568	svchost.exe	32
PID 568 wrote to memory of 1980	568	svchost.exe	32
PID 568 wrote to memory of 1980	568	svchost.exe	32
PID 568 wrote to memory of 1980	568	svchost.exe	32
PID 568 wrote to memory of 1980	568	svchost.exe	32
PID 568 wrote to memory of 1980	568	svchost.exe	32
PID 568 wrote to memory of 1980	568	svchost.exe	32
PID 568 wrote to memory of 1980	568	svchost.exe	32
PID 568 wrote to memory of 1980	568	svchost.exe	32
PID 568 wrote to memory of 1980	568	svchost.exe	32
PID 568 wrote to memory of 1980	568	svchost.exe	32
PID 568 wrote to memory of 1980	568	svchost.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967.dll,#1
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Users\Admin\AppData\Local\Temp\5BB8.tmp
    C:\Users\Admin\AppData\Local\Temp\5BB8.tmp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Users\Admin\AppData\Local\Temp\Gadget.exe
      C:\Users\Admin\AppData\Local\Temp\\Gadget.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1336

C:\ProgramData\WS\Gadget.exe
C:\ProgramData\WS\Gadget.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 568
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WS\Gadget.exe

Filesize
25KB

MD5
6b97b3cd2fcfb4b74985143230441463

SHA1
8985c2394ed9a58c36f907962b0724fe66c204a6

SHA256
5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

SHA512
736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

Download Submit
C:\ProgramData\WS\SideBar.dll

Filesize
41KB

MD5
901fa02ffd43de5b2d7c8c6b8c2f6a43

SHA1
8bb71adf1c418061510c40240852c3cd61fb214c

SHA256
3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679

SHA512
6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

Download Submit
C:\ProgramData\WS\SideBar.dll.doc

Filesize
121KB

MD5
97c11e7d6b1926cd4be13804b36239ac

SHA1
b388b86a782ae14fee2a31bc7626a816c3eabc5a

SHA256
a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a

SHA512
8ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121

Download Submit
C:\Users\Admin\AppData\Local\Temp\5BB8.tmp

Filesize
225KB

MD5
c116cd083284cc599c024c3479ca9b70

SHA1
bf831962162a0446454e3e32d764cc0e5daafde0

SHA256
90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84

SHA512
d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560

Download Submit
C:\Users\Admin\AppData\Local\Temp\5BB8.tmp

Filesize
225KB

MD5
c116cd083284cc599c024c3479ca9b70

SHA1
bf831962162a0446454e3e32d764cc0e5daafde0

SHA256
90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84

SHA512
d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gadget.exe

Filesize
25KB

MD5
6b97b3cd2fcfb4b74985143230441463

SHA1
8985c2394ed9a58c36f907962b0724fe66c204a6

SHA256
5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

SHA512
736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gadget.exe

Filesize
25KB

MD5
6b97b3cd2fcfb4b74985143230441463

SHA1
8985c2394ed9a58c36f907962b0724fe66c204a6

SHA256
5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

SHA512
736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

Download Submit
C:\Users\Admin\AppData\Local\Temp\SideBar.dll

Filesize
41KB

MD5
901fa02ffd43de5b2d7c8c6b8c2f6a43

SHA1
8bb71adf1c418061510c40240852c3cd61fb214c

SHA256
3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679

SHA512
6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\SideBar.dll.doc

Filesize
121KB

MD5
97c11e7d6b1926cd4be13804b36239ac

SHA1
b388b86a782ae14fee2a31bc7626a816c3eabc5a

SHA256
a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a

SHA512
8ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121

Download Submit
\ProgramData\WS\SideBar.dll

Filesize
41KB

MD5
901fa02ffd43de5b2d7c8c6b8c2f6a43

SHA1
8bb71adf1c418061510c40240852c3cd61fb214c

SHA256
3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679

SHA512
6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

Download Submit
\Users\Admin\AppData\Local\Temp\5BB8.tmp

Filesize
225KB

MD5
c116cd083284cc599c024c3479ca9b70

SHA1
bf831962162a0446454e3e32d764cc0e5daafde0

SHA256
90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84

SHA512
d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560

Download Submit
\Users\Admin\AppData\Local\Temp\5BB8.tmp

Filesize
225KB

MD5
c116cd083284cc599c024c3479ca9b70

SHA1
bf831962162a0446454e3e32d764cc0e5daafde0

SHA256
90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84

SHA512
d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560

Download Submit
\Users\Admin\AppData\Local\Temp\Gadget.exe

Filesize
25KB

MD5
6b97b3cd2fcfb4b74985143230441463

SHA1
8985c2394ed9a58c36f907962b0724fe66c204a6

SHA256
5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

SHA512
736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

Download Submit
\Users\Admin\AppData\Local\Temp\Sidebar.dll

Filesize
41KB

MD5
901fa02ffd43de5b2d7c8c6b8c2f6a43

SHA1
8bb71adf1c418061510c40240852c3cd61fb214c

SHA256
3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679

SHA512
6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

Download Submit
memory/568-81-0x0000000000200000-0x0000000000230000-memory.dmp

Filesize
192KB

Download
memory/568-87-0x0000000000200000-0x0000000000230000-memory.dmp

Filesize
192KB

Download
memory/568-75-0x00000000000A0000-0x00000000000BD000-memory.dmp

Filesize
116KB

Download
memory/1008-55-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1336-69-0x0000000000280000-0x00000000002B0000-memory.dmp

Filesize
192KB

Download
memory/1336-68-0x0000000000410000-0x0000000000510000-memory.dmp

Filesize
1024KB

Download
memory/1980-86-0x00000000008D0000-0x0000000000900000-memory.dmp

Filesize
192KB

Download
memory/1980-88-0x00000000008D0000-0x0000000000900000-memory.dmp

Filesize
192KB

Download
memory/2044-80-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download