plugx | 2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a

Analysis

max time kernel
178s
max time network
182s
platform
windows7_x64
resource
win7-20220414-en
submitted
11-06-2022 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe
Size

290KB
MD5

e64c67b5d78a53909bfadfbf781162e9
SHA1

aa5582e0420bd0e5905537233b94f145e039a2c6
SHA256

2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a
SHA512

8ede7ecbaa13b99276ee46fa2beeb1fa06ee2f3a5a86b3a4b8ff16f99d4e2904f035914a4b091fbe87beab72645c35cd0ae76a65757045e87f27122e2e633a77

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1788-67-0x0000000000840000-0x000000000087F000-memory.dmp	family_plugx
behavioral1/memory/1368-77-0x0000000000360000-0x000000000039F000-memory.dmp	family_plugx
behavioral1/memory/1356-78-0x0000000000260000-0x000000000029F000-memory.dmp	family_plugx
behavioral1/memory/980-83-0x0000000000290000-0x00000000002CF000-memory.dmp	family_plugx
behavioral1/memory/1356-84-0x0000000000260000-0x000000000029F000-memory.dmp	family_plugx
behavioral1/memory/980-85-0x0000000000290000-0x00000000002CF000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 2 IoCs

Processes:

TPLCDCLR.EXETPLCDCLR.EXE

pid process

1788 TPLCDCLR.EXE
1368 TPLCDCLR.EXE
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1356 svchost.exe

pid	process
1788	TPLCDCLR.EXE
1368	TPLCDCLR.EXE

Loads dropped DLL 6 IoCs

Processes:

2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exeTPLCDCLR.EXETPLCDCLR.EXE

pid	process
1292	2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe
1292	2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe
1292	2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe
1292	2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe
1788	TPLCDCLR.EXE
1368	TPLCDCLR.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 45004400350032003900300036004200360035004100430032004300350043000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exemsiexec.exe

pid	process
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
980	msiexec.exe
980	msiexec.exe
980	msiexec.exe
980	msiexec.exe
1356	svchost.exe
980	msiexec.exe
980	msiexec.exe
980	msiexec.exe
1356	svchost.exe
980	msiexec.exe
980	msiexec.exe
980	msiexec.exe
1356	svchost.exe
980	msiexec.exe
980	msiexec.exe
980	msiexec.exe
980	msiexec.exe
1356	svchost.exe
980	msiexec.exe
980	msiexec.exe
980	msiexec.exe
1356	svchost.exe
980	msiexec.exe
980	msiexec.exe
980	msiexec.exe
1356	svchost.exe
980	msiexec.exe
980	msiexec.exe
980	msiexec.exe
1356	svchost.exe
980	msiexec.exe
980	msiexec.exe
980	msiexec.exe
980	msiexec.exe
1356	svchost.exe
980	msiexec.exe
980	msiexec.exe
980	msiexec.exe
1356	svchost.exe
980	msiexec.exe
980	msiexec.exe
980	msiexec.exe
1356	svchost.exe
980	msiexec.exe
980	msiexec.exe
980	msiexec.exe
1356	svchost.exe
980	msiexec.exe
980	msiexec.exe
980	msiexec.exe
980	msiexec.exe
1356	svchost.exe
980	msiexec.exe
980	msiexec.exe
980	msiexec.exe
1356	svchost.exe
980	msiexec.exe
980	msiexec.exe
980	msiexec.exe
1356	svchost.exe
980	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

TPLCDCLR.EXETPLCDCLR.EXEsvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1788	TPLCDCLR.EXE
Token: SeTcbPrivilege	1788	TPLCDCLR.EXE
Token: SeDebugPrivilege	1368	TPLCDCLR.EXE
Token: SeTcbPrivilege	1368	TPLCDCLR.EXE
Token: SeDebugPrivilege	1356	svchost.exe
Token: SeTcbPrivilege	1356	svchost.exe
Token: SeDebugPrivilege	980	msiexec.exe
Token: SeTcbPrivilege	980	msiexec.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exeTPLCDCLR.EXEsvchost.exe

description	pid	process	target process
PID 1292 wrote to memory of 1788	1292	2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe	TPLCDCLR.EXE
PID 1292 wrote to memory of 1788	1292	2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe	TPLCDCLR.EXE
PID 1292 wrote to memory of 1788	1292	2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe	TPLCDCLR.EXE
PID 1292 wrote to memory of 1788	1292	2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe	TPLCDCLR.EXE
PID 1292 wrote to memory of 1788	1292	2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe	TPLCDCLR.EXE
PID 1292 wrote to memory of 1788	1292	2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe	TPLCDCLR.EXE
PID 1292 wrote to memory of 1788	1292	2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe	TPLCDCLR.EXE
PID 1368 wrote to memory of 1356	1368	TPLCDCLR.EXE	svchost.exe
PID 1368 wrote to memory of 1356	1368	TPLCDCLR.EXE	svchost.exe
PID 1368 wrote to memory of 1356	1368	TPLCDCLR.EXE	svchost.exe
PID 1368 wrote to memory of 1356	1368	TPLCDCLR.EXE	svchost.exe
PID 1368 wrote to memory of 1356	1368	TPLCDCLR.EXE	svchost.exe
PID 1368 wrote to memory of 1356	1368	TPLCDCLR.EXE	svchost.exe
PID 1368 wrote to memory of 1356	1368	TPLCDCLR.EXE	svchost.exe
PID 1368 wrote to memory of 1356	1368	TPLCDCLR.EXE	svchost.exe
PID 1368 wrote to memory of 1356	1368	TPLCDCLR.EXE	svchost.exe
PID 1356 wrote to memory of 980	1356	svchost.exe	msiexec.exe
PID 1356 wrote to memory of 980	1356	svchost.exe	msiexec.exe
PID 1356 wrote to memory of 980	1356	svchost.exe	msiexec.exe
PID 1356 wrote to memory of 980	1356	svchost.exe	msiexec.exe
PID 1356 wrote to memory of 980	1356	svchost.exe	msiexec.exe
PID 1356 wrote to memory of 980	1356	svchost.exe	msiexec.exe
PID 1356 wrote to memory of 980	1356	svchost.exe	msiexec.exe
PID 1356 wrote to memory of 980	1356	svchost.exe	msiexec.exe
PID 1356 wrote to memory of 980	1356	svchost.exe	msiexec.exe
PID 1356 wrote to memory of 980	1356	svchost.exe	msiexec.exe
PID 1356 wrote to memory of 980	1356	svchost.exe	msiexec.exe
PID 1356 wrote to memory of 980	1356	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe
"C:\Users\Admin\AppData\Local\Temp\2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPLCDCLR.EXE
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPLCDCLR.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\TPLCDCLR.EXE
"C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\TPLCDCLR.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
2⤵
- Deletes itself
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 1356
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\TPLCDCLR.EXE
Filesize
37KB

MD5
d9978f95ce30e85943efb52c9c7d731b

SHA1
a64bb28c87c4e41be56a9bb3b887c53051eb1db5

SHA256
69c2c1733dd95f16a1e89869ec05a618c27df1e7e86a51884abcdeb709eb3d45

SHA512
766a222e9f6fc9acafd2bbf72fdf44bb486d394cbd8751d487d47e828760240b1b945775efd17e77ca6b163e9e1f140f4612715b63b390cdf86e20325112124c

Download Submit
C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\WTS.CHM
Filesize
147KB

MD5
5ce1c050fb6370e5cf997313abba9947

SHA1
6751978299e9b956da914a5110438b6b262dcb75

SHA256
ab927653e27e3374aa97eb9bfdacb011a7664d930e6f356512c5ae9582c2cfe5

SHA512
e6ce9bf2392fb9610efdfa0abb460b8031cef020ffed2b4cae9b609631f0fba5ae18ea311dc8f94aa5f46a4dbac9064186b5a0648459504256a7fb17ad8c3061

Download Submit
C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\WTSAPI32.dll
Filesize
78KB

MD5
be59ff05b96b7bb251dd77932b71bbc1

SHA1
28a4a3be8606aea4f46761238d99fa4d7a96354e

SHA256
c8dd154950db3401b2e91c6a535b2f0f8853bc188e31f9d91c96bf31cebd1251

SHA512
2e06ad4dac78bd08d8c0b9925455662900bc6cf71df70ce478d18bc4cb273ab6fd15eedaa563c646001765a1a8878b752748abc1ea6c43a1acdf32a76c524050

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPLCDCLR.EXE
Filesize
37KB

MD5
d9978f95ce30e85943efb52c9c7d731b

SHA1
a64bb28c87c4e41be56a9bb3b887c53051eb1db5

SHA256
69c2c1733dd95f16a1e89869ec05a618c27df1e7e86a51884abcdeb709eb3d45

SHA512
766a222e9f6fc9acafd2bbf72fdf44bb486d394cbd8751d487d47e828760240b1b945775efd17e77ca6b163e9e1f140f4612715b63b390cdf86e20325112124c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPLCDCLR.EXE
Filesize
37KB

MD5
d9978f95ce30e85943efb52c9c7d731b

SHA1
a64bb28c87c4e41be56a9bb3b887c53051eb1db5

SHA256
69c2c1733dd95f16a1e89869ec05a618c27df1e7e86a51884abcdeb709eb3d45

SHA512
766a222e9f6fc9acafd2bbf72fdf44bb486d394cbd8751d487d47e828760240b1b945775efd17e77ca6b163e9e1f140f4612715b63b390cdf86e20325112124c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WTS.CHM
Filesize
147KB

MD5
5ce1c050fb6370e5cf997313abba9947

SHA1
6751978299e9b956da914a5110438b6b262dcb75

SHA256
ab927653e27e3374aa97eb9bfdacb011a7664d930e6f356512c5ae9582c2cfe5

SHA512
e6ce9bf2392fb9610efdfa0abb460b8031cef020ffed2b4cae9b609631f0fba5ae18ea311dc8f94aa5f46a4dbac9064186b5a0648459504256a7fb17ad8c3061

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WTSAPI32.dll
Filesize
78KB

MD5
be59ff05b96b7bb251dd77932b71bbc1

SHA1
28a4a3be8606aea4f46761238d99fa4d7a96354e

SHA256
c8dd154950db3401b2e91c6a535b2f0f8853bc188e31f9d91c96bf31cebd1251

SHA512
2e06ad4dac78bd08d8c0b9925455662900bc6cf71df70ce478d18bc4cb273ab6fd15eedaa563c646001765a1a8878b752748abc1ea6c43a1acdf32a76c524050

Download Submit
\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\WTSAPI32.dll
Filesize
78KB

MD5
be59ff05b96b7bb251dd77932b71bbc1

SHA1
28a4a3be8606aea4f46761238d99fa4d7a96354e

SHA256
c8dd154950db3401b2e91c6a535b2f0f8853bc188e31f9d91c96bf31cebd1251

SHA512
2e06ad4dac78bd08d8c0b9925455662900bc6cf71df70ce478d18bc4cb273ab6fd15eedaa563c646001765a1a8878b752748abc1ea6c43a1acdf32a76c524050

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\TPLCDCLR.EXE
Filesize
37KB

MD5
d9978f95ce30e85943efb52c9c7d731b

SHA1
a64bb28c87c4e41be56a9bb3b887c53051eb1db5

SHA256
69c2c1733dd95f16a1e89869ec05a618c27df1e7e86a51884abcdeb709eb3d45

SHA512
766a222e9f6fc9acafd2bbf72fdf44bb486d394cbd8751d487d47e828760240b1b945775efd17e77ca6b163e9e1f140f4612715b63b390cdf86e20325112124c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\TPLCDCLR.EXE
Filesize
37KB

MD5
d9978f95ce30e85943efb52c9c7d731b

SHA1
a64bb28c87c4e41be56a9bb3b887c53051eb1db5

SHA256
69c2c1733dd95f16a1e89869ec05a618c27df1e7e86a51884abcdeb709eb3d45

SHA512
766a222e9f6fc9acafd2bbf72fdf44bb486d394cbd8751d487d47e828760240b1b945775efd17e77ca6b163e9e1f140f4612715b63b390cdf86e20325112124c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\TPLCDCLR.EXE
Filesize
37KB

MD5
d9978f95ce30e85943efb52c9c7d731b

SHA1
a64bb28c87c4e41be56a9bb3b887c53051eb1db5

SHA256
69c2c1733dd95f16a1e89869ec05a618c27df1e7e86a51884abcdeb709eb3d45

SHA512
766a222e9f6fc9acafd2bbf72fdf44bb486d394cbd8751d487d47e828760240b1b945775efd17e77ca6b163e9e1f140f4612715b63b390cdf86e20325112124c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\TPLCDCLR.EXE
Filesize
37KB

MD5
d9978f95ce30e85943efb52c9c7d731b

SHA1
a64bb28c87c4e41be56a9bb3b887c53051eb1db5

SHA256
69c2c1733dd95f16a1e89869ec05a618c27df1e7e86a51884abcdeb709eb3d45

SHA512
766a222e9f6fc9acafd2bbf72fdf44bb486d394cbd8751d487d47e828760240b1b945775efd17e77ca6b163e9e1f140f4612715b63b390cdf86e20325112124c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\WTSAPI32.dll
Filesize
78KB

MD5
be59ff05b96b7bb251dd77932b71bbc1

SHA1
28a4a3be8606aea4f46761238d99fa4d7a96354e

SHA256
c8dd154950db3401b2e91c6a535b2f0f8853bc188e31f9d91c96bf31cebd1251

SHA512
2e06ad4dac78bd08d8c0b9925455662900bc6cf71df70ce478d18bc4cb273ab6fd15eedaa563c646001765a1a8878b752748abc1ea6c43a1acdf32a76c524050

Download Submit
memory/980-81-0x0000000000000000-mapping.dmp

Download
memory/980-83-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/980-85-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/1292-54-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/1356-75-0x0000000000000000-mapping.dmp

Download
memory/1356-73-0x00000000000A0000-0x00000000000C3000-memory.dmp

Filesize
140KB

Download
memory/1356-78-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/1356-84-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/1368-77-0x0000000000360000-0x000000000039F000-memory.dmp

Filesize
252KB

Download
memory/1788-67-0x0000000000840000-0x000000000087F000-memory.dmp

Filesize
252KB

Download
memory/1788-66-0x0000000000270000-0x0000000000295000-memory.dmp

Filesize
148KB

Download
memory/1788-59-0x0000000000000000-mapping.dmp

Download