plugx | 1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08-06-2022 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe
Size

355KB
MD5

702611c935d49388a19d97b107adb082
SHA1

b0583f12e5ac8b8b4563abd80d228a74e0a265e9
SHA256

1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219
SHA512

982efcfd6a19e5d5522e3fcc9c6ad245501262e366f8b078259f3a6465289b58bf9f1b0e3a3d13412798f010423ca510cb03e4d41f7d66beb164cc49423ea573

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 6 IoCs

resource	yara_rule
behavioral2/memory/4468-141-0x0000000000720000-0x0000000000751000-memory.dmp	family_plugx
behavioral2/memory/4748-144-0x0000000000AE0000-0x0000000000B11000-memory.dmp	family_plugx
behavioral2/memory/3388-147-0x0000000000940000-0x0000000000971000-memory.dmp	family_plugx
behavioral2/memory/208-149-0x0000000002D70000-0x0000000002DA1000-memory.dmp	family_plugx
behavioral2/memory/3388-150-0x0000000000940000-0x0000000000971000-memory.dmp	family_plugx
behavioral2/memory/208-151-0x0000000002D70000-0x0000000002DA1000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
4468	mcvsmap.exe
4748	mcvsmap.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe

Loads dropped DLL 2 IoCs

pid	Process
4468	mcvsmap.exe
4748	mcvsmap.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 35004300360046003000320038003400450034003400340045003000300039000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3388	svchost.exe
3388	svchost.exe
3388	svchost.exe
3388	svchost.exe
3388	svchost.exe
3388	svchost.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
3388	svchost.exe
3388	svchost.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
3388	svchost.exe
3388	svchost.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
3388	svchost.exe
3388	svchost.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
3388	svchost.exe
3388	svchost.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe
208	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3388	svchost.exe
208	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4468	mcvsmap.exe
Token: SeTcbPrivilege	4468	mcvsmap.exe
Token: SeDebugPrivilege	4748	mcvsmap.exe
Token: SeTcbPrivilege	4748	mcvsmap.exe
Token: SeDebugPrivilege	3388	svchost.exe
Token: SeTcbPrivilege	3388	svchost.exe
Token: SeDebugPrivilege	208	msiexec.exe
Token: SeTcbPrivilege	208	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4468	5100	1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe	82
PID 5100 wrote to memory of 4468	5100	1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe	82
PID 5100 wrote to memory of 4468	5100	1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe	82
PID 4748 wrote to memory of 3388	4748	mcvsmap.exe	87
PID 4748 wrote to memory of 3388	4748	mcvsmap.exe	87
PID 4748 wrote to memory of 3388	4748	mcvsmap.exe	87
PID 4748 wrote to memory of 3388	4748	mcvsmap.exe	87
PID 4748 wrote to memory of 3388	4748	mcvsmap.exe	87
PID 4748 wrote to memory of 3388	4748	mcvsmap.exe	87
PID 4748 wrote to memory of 3388	4748	mcvsmap.exe	87
PID 4748 wrote to memory of 3388	4748	mcvsmap.exe	87
PID 3388 wrote to memory of 208	3388	svchost.exe	90
PID 3388 wrote to memory of 208	3388	svchost.exe	90
PID 3388 wrote to memory of 208	3388	svchost.exe	90
PID 3388 wrote to memory of 208	3388	svchost.exe	90
PID 3388 wrote to memory of 208	3388	svchost.exe	90
PID 3388 wrote to memory of 208	3388	svchost.exe	90
PID 3388 wrote to memory of 208	3388	svchost.exe	90
PID 3388 wrote to memory of 208	3388	svchost.exe	90

C:\Users\Admin\AppData\Local\Temp\1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe
"C:\Users\Admin\AppData\Local\Temp\1a403d2e62daf7a992efba0a8fd2f90f97ed2e822442ba11cb33e8445c5e4219.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:4468

C:\ProgramData\VirusMap\mcvsmap.exe
C:\ProgramData\VirusMap\mcvsmap.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 3388
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\bug.log

Filesize
456B

MD5
9623e7644acf528dda3d0106d2b982cc

SHA1
66926b24f67e713abb1e9a66f5a74df2be899e08

SHA256
d19a70cae2e2782be5a3ae8571e7ef377bc7d9d2ef11d43951b3ebb3aab18cad

SHA512
dceee9a61e812c15b8213491e327a46a3ffacaab6796e535ba31ce802f412511c9fd9b6a233c0e2a2152bd6cf9c89a8d27ba4acf6b299e123b93ca85fa210c32

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
618B

MD5
89fbbe51a7b1da59ebc7254ee7adfbc9

SHA1
3a5539ff4b867763116521ba3e75cd92d27d8451

SHA256
f02ce6155428ca8ea494ad7242f44f9002738db2a7a0686481a854c45c6e4dbc

SHA512
9810caad835dac87bb095e8554a681bbf3cad099f36bbd816e3e74dc6597eeaed88e7b7c7fe42534ea4799c4e11571788435b76bf1a6c1d7dc5b6c6ac3589bc8

Download Submit
C:\ProgramData\VirusMap\McUtil.DLL

Filesize
48KB

MD5
3561abca597f919b7419f06a62bf3787

SHA1
fbb80a448742541abe18769f33e25d95941a47e4

SHA256
b179ab672605057178fc323cef448245eabc747a88306a19be7fc17e9bdf1153

SHA512
402589f629e7cb5c560ee77a88f6fda183c2d3ac192dcde4246e8711dc81e63de7865ec025e2bd397e6b1655559df2d753ea5c636136d76755b8b5d0c2a62401

Download Submit
C:\ProgramData\VirusMap\McUtil.dll

Filesize
48KB

MD5
3561abca597f919b7419f06a62bf3787

SHA1
fbb80a448742541abe18769f33e25d95941a47e4

SHA256
b179ab672605057178fc323cef448245eabc747a88306a19be7fc17e9bdf1153

SHA512
402589f629e7cb5c560ee77a88f6fda183c2d3ac192dcde4246e8711dc81e63de7865ec025e2bd397e6b1655559df2d753ea5c636136d76755b8b5d0c2a62401

Download Submit
C:\ProgramData\VirusMap\McUtil.dll.PPT

Filesize
121KB

MD5
bb933a0e0baef0492d8219e1d6dc5946

SHA1
2b414e8b82a8ac32c4e89ef1c1fd2eac0e78f9b2

SHA256
4fc9ffd463c32dff23ec02d52b5fac2f42f23da8d4defbb16e4719ee9dfc0fbb

SHA512
355f8d2868795036167722c03c8a72e8e626cfafee65806a44579fb2f44a8a39e6ea5f865a8926ff0323f1f5321fc0dc78a01d0913529ab8e1f45cbac5bee1b0

Download Submit
C:\ProgramData\VirusMap\mcvsmap.exe

Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
C:\ProgramData\VirusMap\mcvsmap.exe

Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.DLL

Filesize
48KB

MD5
3561abca597f919b7419f06a62bf3787

SHA1
fbb80a448742541abe18769f33e25d95941a47e4

SHA256
b179ab672605057178fc323cef448245eabc747a88306a19be7fc17e9bdf1153

SHA512
402589f629e7cb5c560ee77a88f6fda183c2d3ac192dcde4246e8711dc81e63de7865ec025e2bd397e6b1655559df2d753ea5c636136d76755b8b5d0c2a62401

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll

Filesize
48KB

MD5
3561abca597f919b7419f06a62bf3787

SHA1
fbb80a448742541abe18769f33e25d95941a47e4

SHA256
b179ab672605057178fc323cef448245eabc747a88306a19be7fc17e9bdf1153

SHA512
402589f629e7cb5c560ee77a88f6fda183c2d3ac192dcde4246e8711dc81e63de7865ec025e2bd397e6b1655559df2d753ea5c636136d76755b8b5d0c2a62401

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll.PPT

Filesize
121KB

MD5
bb933a0e0baef0492d8219e1d6dc5946

SHA1
2b414e8b82a8ac32c4e89ef1c1fd2eac0e78f9b2

SHA256
4fc9ffd463c32dff23ec02d52b5fac2f42f23da8d4defbb16e4719ee9dfc0fbb

SHA512
355f8d2868795036167722c03c8a72e8e626cfafee65806a44579fb2f44a8a39e6ea5f865a8926ff0323f1f5321fc0dc78a01d0913529ab8e1f45cbac5bee1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe

Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mcvsmap.exe

Filesize
256KB

MD5
4e1e0b8b0673937415599bf2f24c44ad

SHA1
9224de3af2a246011c6294f64f27206d165317ba

SHA256
ae16e10e621d6610a3f7f2c7122f9d1263700ba02d1b90e42798decb2fe84096

SHA512
87f4407045f2213ecc76fb73e6b717ffc503e0c042be118965a139e7178fdcc2ff02fe0904cde3102679c4a74d09224e24f64dbd9faa609e06a6ce2fcda0ab5d

Download Submit
memory/208-149-0x0000000002D70000-0x0000000002DA1000-memory.dmp

Filesize
196KB

Download
memory/208-151-0x0000000002D70000-0x0000000002DA1000-memory.dmp

Filesize
196KB

Download
memory/3388-147-0x0000000000940000-0x0000000000971000-memory.dmp

Filesize
196KB

Download
memory/3388-150-0x0000000000940000-0x0000000000971000-memory.dmp

Filesize
196KB

Download
memory/4468-141-0x0000000000720000-0x0000000000751000-memory.dmp

Filesize
196KB

Download
memory/4468-140-0x0000000002190000-0x0000000002290000-memory.dmp

Filesize
1024KB

Download
memory/4748-144-0x0000000000AE0000-0x0000000000B11000-memory.dmp

Filesize
196KB

Download