plugx | 1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-06-2022 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe
Size

355KB
MD5

702611c935d49388a19d97b107adb082
SHA1

b0583f12e5ac8b8b4563abd80d228a74e0a265e9
SHA256

1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219
SHA512

982efcfd6a19e5d5522e3fcc9c6ad245501262e366f8b078259f3a6465289b58bf9f1b0e3a3d13412798f010423ca510cb03e4d41f7d66beb164cc49423ea573

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 6 IoCs

resource	yara_rule
behavioral1/memory/984-71-0x00000000002C0000-0x00000000002F1000-memory.dmp	family_plugx
behavioral1/memory/836-77-0x0000000000480000-0x00000000004B1000-memory.dmp	family_plugx
behavioral1/memory/2032-80-0x0000000000230000-0x0000000000261000-memory.dmp	family_plugx
behavioral1/memory/976-85-0x0000000000410000-0x0000000000441000-memory.dmp	family_plugx
behavioral1/memory/2032-86-0x0000000000230000-0x0000000000261000-memory.dmp	family_plugx
behavioral1/memory/976-87-0x0000000000410000-0x0000000000441000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
984	mcvsmap.exe
836	mcvsmap.exe

Deletes itself 1 IoCs

pid	Process
2032	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
892	1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe
892	1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe
892	1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe
892	1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe
984	mcvsmap.exe
836	mcvsmap.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4566F70F-7701-4F40-9BFD-831C819B1703}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4566F70F-7701-4F40-9BFD-831C819B1703}\WpadNetworkName = "Network 3"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-12-b4-89-5c-7a	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-12-b4-89-5c-7a\WpadDecisionTime = 70c45c03ee7ad801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4566F70F-7701-4F40-9BFD-831C819B1703}\WpadDecisionTime = 9073fc0cee7ad801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-12-b4-89-5c-7a\WpadDecisionTime = 9073fc0cee7ad801	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4566F70F-7701-4F40-9BFD-831C819B1703}\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4566F70F-7701-4F40-9BFD-831C819B1703}\WpadDecisionTime = 105727f7ed7ad801	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4566F70F-7701-4F40-9BFD-831C819B1703}\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4566F70F-7701-4F40-9BFD-831C819B1703}\da-12-b4-89-5c-7a	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4566F70F-7701-4F40-9BFD-831C819B1703}\WpadDecisionTime = 70c45c03ee7ad801	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-12-b4-89-5c-7a\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-12-b4-89-5c-7a\WpadDecisionTime = 105727f7ed7ad801	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-12-b4-89-5c-7a\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-12-b4-89-5c-7a\WpadDetectedUrl	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 34004200300037003700340036003900380035004500360041003900330044000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2032	svchost.exe
2032	svchost.exe
2032	svchost.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
2032	svchost.exe
2032	svchost.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
2032	svchost.exe
2032	svchost.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
2032	svchost.exe
2032	svchost.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
2032	svchost.exe
2032	svchost.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
2032	svchost.exe
2032	svchost.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
2032	svchost.exe
2032	svchost.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
976	msiexec.exe
2032	svchost.exe
2032	svchost.exe
976	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	984	mcvsmap.exe
Token: SeTcbPrivilege	984	mcvsmap.exe
Token: SeDebugPrivilege	836	mcvsmap.exe
Token: SeTcbPrivilege	836	mcvsmap.exe
Token: SeDebugPrivilege	2032	svchost.exe
Token: SeTcbPrivilege	2032	svchost.exe
Token: SeDebugPrivilege	976	msiexec.exe
Token: SeTcbPrivilege	976	msiexec.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 984	892	1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe	27
PID 892 wrote to memory of 984	892	1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe	27
PID 892 wrote to memory of 984	892	1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe	27
PID 892 wrote to memory of 984	892	1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe	27
PID 892 wrote to memory of 984	892	1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe	27
PID 892 wrote to memory of 984	892	1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe	27
PID 892 wrote to memory of 984	892	1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe	27
PID 836 wrote to memory of 2032	836	mcvsmap.exe	29
PID 836 wrote to memory of 2032	836	mcvsmap.exe	29
PID 836 wrote to memory of 2032	836	mcvsmap.exe	29
PID 836 wrote to memory of 2032	836	mcvsmap.exe	29
PID 836 wrote to memory of 2032	836	mcvsmap.exe	29
PID 836 wrote to memory of 2032	836	mcvsmap.exe	29
PID 836 wrote to memory of 2032	836	mcvsmap.exe	29
PID 836 wrote to memory of 2032	836	mcvsmap.exe	29
PID 836 wrote to memory of 2032	836	mcvsmap.exe	29
PID 2032 wrote to memory of 976	2032	svchost.exe	30
PID 2032 wrote to memory of 976	2032	svchost.exe	30
PID 2032 wrote to memory of 976	2032	svchost.exe	30
PID 2032 wrote to memory of 976	2032	svchost.exe	30
PID 2032 wrote to memory of 976	2032	svchost.exe	30
PID 2032 wrote to memory of 976	2032	svchost.exe	30
PID 2032 wrote to memory of 976	2032	svchost.exe	30
PID 2032 wrote to memory of 976	2032	svchost.exe	30
PID 2032 wrote to memory of 976	2032	svchost.exe	30
PID 2032 wrote to memory of 976	2032	svchost.exe	30
PID 2032 wrote to memory of 976	2032	svchost.exe	30
PID 2032 wrote to memory of 976	2032	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe
"C:\Users\Admin\AppData\Local\Temp\1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:892
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:984

C:\ProgramData\VirusMap\mcvsmap.exe
C:\ProgramData\VirusMap\mcvsmap.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Deletes itself
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 2032
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\bug.log

Filesize
456B

MD5
c7116d4eda259dc13e3a767fa377c17e

SHA1
9cc3e64ac25c01e5e04085741e32a0e47a851dec

SHA256
840d9d3ecb006270665471c7a474756eb79dd8c29a27d1165a18492aba3f83f1

SHA512
7656ff3360d5998313549661b8704d406fe205687e51c123d81d5fcb5302e04f4219c0ecd70c28fb189cb1166a5599a386c3eee5d485ba4d0bfcbc6b60471975

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
618B

MD5
1d3ed3771b6e879dc3684288627301d0

SHA1
7935dd5c5616c6ce08ad27987b61f84483f9e804

SHA256
9c271bddba44e9e26bc94dfebd2d97d0753c7ff6f4d066a1ec0016649b98fddf

SHA512
1209c5f8579ae945ec5c85a572d37d1e62e7ac785af1850a096c528d04020d9ad95808a8b51e4e7c9a07868a2b3dd7c634fdcba4bdfe667cf5871812ff9a604a

Download Submit
C:\ProgramData\VirusMap\McUtil.dll

Filesize
48KB

MD5
3561abca597f919b7419f06a62bf3787

SHA1
fbb80a448742541abe18769f33e25d95941a47e4

SHA256
b179ab672605057178fc323cef448245eabc747a88306a19be7fc17e9bdf1153

SHA512
402589f629e7cb5c560ee77a88f6fda183c2d3ac192dcde4246e8711dc81e63de7865ec025e2bd397e6b1655559df2d753ea5c636136d76755b8b5d0c2a62401

Download Submit
C:\ProgramData\VirusMap\McUtil.dll.PPT

Filesize
121KB

MD5
bb933a0e0baef0492d8219e1d6dc5946

SHA1
2b414e8b82a8ac32c4e89ef1c1fd2eac0e78f9b2

SHA256
4fc9ffd463c32dff23ec02d52b5fac2f42f23da8d4defbb16e4719ee9dfc0fbb

SHA512
355f8d2868795036167722c03c8a72e8e626cfafee65806a44579fb2f44a8a39e6ea5f865a8926ff0323f1f5321fc0dc78a01d0913529ab8e1f45cbac5bee1b0

Download Submit
C:\ProgramData\VirusMap\mcvsmap.exe

Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll

Filesize
48KB

MD5
3561abca597f919b7419f06a62bf3787

SHA1
fbb80a448742541abe18769f33e25d95941a47e4

SHA256
b179ab672605057178fc323cef448245eabc747a88306a19be7fc17e9bdf1153

SHA512
402589f629e7cb5c560ee77a88f6fda183c2d3ac192dcde4246e8711dc81e63de7865ec025e2bd397e6b1655559df2d753ea5c636136d76755b8b5d0c2a62401

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll.PPT

Filesize
121KB

MD5
bb933a0e0baef0492d8219e1d6dc5946

SHA1
2b414e8b82a8ac32c4e89ef1c1fd2eac0e78f9b2

SHA256
4fc9ffd463c32dff23ec02d52b5fac2f42f23da8d4defbb16e4719ee9dfc0fbb

SHA512
355f8d2868795036167722c03c8a72e8e626cfafee65806a44579fb2f44a8a39e6ea5f865a8926ff0323f1f5321fc0dc78a01d0913529ab8e1f45cbac5bee1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe

Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe

Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
\ProgramData\VirusMap\McUtil.DLL

Filesize
48KB

MD5
3561abca597f919b7419f06a62bf3787

SHA1
fbb80a448742541abe18769f33e25d95941a47e4

SHA256
b179ab672605057178fc323cef448245eabc747a88306a19be7fc17e9bdf1153

SHA512
402589f629e7cb5c560ee77a88f6fda183c2d3ac192dcde4246e8711dc81e63de7865ec025e2bd397e6b1655559df2d753ea5c636136d76755b8b5d0c2a62401

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.DLL

Filesize
48KB

MD5
3561abca597f919b7419f06a62bf3787

SHA1
fbb80a448742541abe18769f33e25d95941a47e4

SHA256
b179ab672605057178fc323cef448245eabc747a88306a19be7fc17e9bdf1153

SHA512
402589f629e7cb5c560ee77a88f6fda183c2d3ac192dcde4246e8711dc81e63de7865ec025e2bd397e6b1655559df2d753ea5c636136d76755b8b5d0c2a62401

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe

Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe

Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe

Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe

Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
memory/836-77-0x0000000000480000-0x00000000004B1000-memory.dmp

Filesize
196KB

Download
memory/892-54-0x00000000763B1000-0x00000000763B3000-memory.dmp

Filesize
8KB

Download
memory/976-87-0x0000000000410000-0x0000000000441000-memory.dmp

Filesize
196KB

Download
memory/976-85-0x0000000000410000-0x0000000000441000-memory.dmp

Filesize
196KB

Download
memory/984-71-0x00000000002C0000-0x00000000002F1000-memory.dmp

Filesize
196KB

Download
memory/984-70-0x0000000001E00000-0x0000000001F00000-memory.dmp

Filesize
1024KB

Download
memory/2032-80-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download
memory/2032-73-0x00000000000E0000-0x00000000000FD000-memory.dmp

Filesize
116KB

Download
memory/2032-86-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download