plugx | 099f63ed88e191e9222b5cc93f4b43b07414ad82662d3de8184a5707e91e40c8

General

Target

msvvcs/msvvcs.exe
Size

36KB
MD5

5ad9c956883633298c8e435d90d8394c
SHA1

d666343073acf7b97884bff37b2a902a78901b07
SHA256

b364c54bb671c0979964e13bf429ba4b128f0d3534d0b9c8de4958f2f37b93d4
SHA512

9def3c08808addcc232aabe6594297ddf25953e3002c44170387fcda942c26e83de87bda509d85dd4bdf6fc741172c0d27789a55efa5c41d171ab9205ba70882

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects Talisman variant of PlugX 2 IoCs

resource	yara_rule
behavioral2/memory/2124-130-0x00000000001C0000-0x00000000001F4000-memory.dmp	family_plugx_talisman
behavioral2/memory/2124-131-0x0000000010000000-0x0000000010038000-memory.dmp	family_plugx_talisman

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 1 IoCs

pid	Process
4604	msvvcs.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3104	schtasks.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	msvvcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	msvvcs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	msvvcs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	msvvcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	msvvcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	msvvcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent	msvvcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	msvvcs.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	msvvcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	msvvcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent	msvvcs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	msvvcs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	msvvcs.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	msvvcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	msvvcs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0	msvvcs.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	msvvcs.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\MPLS	msvvcs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MPLS\CLSID = 34004400370046004600450042003500380044003600360030004200410041000000	msvvcs.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4604	msvvcs.exe
4604	msvvcs.exe
4604	msvvcs.exe
4604	msvvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	msvvcs.exe
Token: SeTcbPrivilege	2124	msvvcs.exe
Token: SeDebugPrivilege	4604	msvvcs.exe
Token: SeTcbPrivilege	4604	msvvcs.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 3216	2124	msvvcs.exe	82
PID 2124 wrote to memory of 3216	2124	msvvcs.exe	82
PID 2124 wrote to memory of 3216	2124	msvvcs.exe	82
PID 3216 wrote to memory of 3104	3216	cmd.exe	84
PID 3216 wrote to memory of 3104	3216	cmd.exe	84
PID 3216 wrote to memory of 3104	3216	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\msvvcs\msvvcs.exe
"C:\Users\Admin\AppData\Local\Temp\msvvcs\msvvcs.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c schtasks /create /sc minute /mo 2 /tn "msvvcs" /tr "\"C:\ProgramData\msvvcs\msvvcs.exe\"" /ru "system"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 2 /tn "msvvcs" /tr "\"C:\ProgramData\msvvcs\msvvcs.exe\"" /ru "system"
    3⤵
    - Creates scheduled task(s)
    PID:3104

C:\ProgramData\msvvcs\msvvcs.exe
C:\ProgramData\msvvcs\msvvcs.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\msvvcs\msvvcs.dat

Filesize
205KB

MD5
95056f4bbd695d9b871799748b1da85d

SHA1
739e0a4d7e890f7a0e83aa7cd82fb35cf2f8a85c

SHA256
683cc375477485a47ceb6940b08b6844f58bd02eed03ad29ab89428bfb38884f

SHA512
37285f29cc97b63092e067d7c7b58031f1324c5ee2c57cff55a1345d9b923969d7257eaf2804dafd73c8c43799a16fc0b1dfafef017a637d2115da14572b0af8

Download Submit
C:\ProgramData\msvvcs\msvvcs.exe

Filesize
36KB

MD5
5ad9c956883633298c8e435d90d8394c

SHA1
d666343073acf7b97884bff37b2a902a78901b07

SHA256
b364c54bb671c0979964e13bf429ba4b128f0d3534d0b9c8de4958f2f37b93d4

SHA512
9def3c08808addcc232aabe6594297ddf25953e3002c44170387fcda942c26e83de87bda509d85dd4bdf6fc741172c0d27789a55efa5c41d171ab9205ba70882

Download Submit
C:\ProgramData\msvvcs\msvvcs.exe

Filesize
36KB

MD5
5ad9c956883633298c8e435d90d8394c

SHA1
d666343073acf7b97884bff37b2a902a78901b07

SHA256
b364c54bb671c0979964e13bf429ba4b128f0d3534d0b9c8de4958f2f37b93d4

SHA512
9def3c08808addcc232aabe6594297ddf25953e3002c44170387fcda942c26e83de87bda509d85dd4bdf6fc741172c0d27789a55efa5c41d171ab9205ba70882

Download Submit
memory/2124-130-0x00000000001C0000-0x00000000001F4000-memory.dmp

Filesize
208KB

Download
memory/2124-131-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads