plugx | 2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a

Analysis

max time kernel
176s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
11-06-2022 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe
Size

290KB
MD5

e64c67b5d78a53909bfadfbf781162e9
SHA1

aa5582e0420bd0e5905537233b94f145e039a2c6
SHA256

2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a
SHA512

8ede7ecbaa13b99276ee46fa2beeb1fa06ee2f3a5a86b3a4b8ff16f99d4e2904f035914a4b091fbe87beab72645c35cd0ae76a65757045e87f27122e2e633a77

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3112-140-0x00000000020D0000-0x000000000210F000-memory.dmp	family_plugx
behavioral2/memory/4912-143-0x0000000000640000-0x000000000067F000-memory.dmp	family_plugx
behavioral2/memory/3824-145-0x00000000008B0000-0x00000000008EF000-memory.dmp	family_plugx
behavioral2/memory/3824-146-0x00000000008B0000-0x00000000008EF000-memory.dmp	family_plugx
behavioral2/memory/1448-148-0x0000000002A20000-0x0000000002A5F000-memory.dmp	family_plugx
behavioral2/memory/1448-149-0x0000000002A20000-0x0000000002A5F000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 2 IoCs

Processes:

TPLCDCLR.EXETPLCDCLR.EXE

pid process

3112 TPLCDCLR.EXE
4912 TPLCDCLR.EXE

pid	process
3112	TPLCDCLR.EXE
4912	TPLCDCLR.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe

Loads dropped DLL 2 IoCs

Processes:

TPLCDCLR.EXETPLCDCLR.EXE

pid process

3112 TPLCDCLR.EXE
4912 TPLCDCLR.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3112	TPLCDCLR.EXE
4912	TPLCDCLR.EXE

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 32003300450045004400420041003100340035003600440034003100350034000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exemsiexec.exe

pid	process
3824	svchost.exe
3824	svchost.exe
3824	svchost.exe
3824	svchost.exe
3824	svchost.exe
3824	svchost.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
3824	svchost.exe
3824	svchost.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
3824	svchost.exe
3824	svchost.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
3824	svchost.exe
3824	svchost.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
3824	svchost.exe
3824	svchost.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe
1448	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exemsiexec.exe

pid process

3824 svchost.exe
1448 msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

TPLCDCLR.EXETPLCDCLR.EXEsvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	3112	TPLCDCLR.EXE
Token: SeTcbPrivilege	3112	TPLCDCLR.EXE
Token: SeDebugPrivilege	4912	TPLCDCLR.EXE
Token: SeTcbPrivilege	4912	TPLCDCLR.EXE
Token: SeDebugPrivilege	3824	svchost.exe
Token: SeTcbPrivilege	3824	svchost.exe
Token: SeDebugPrivilege	1448	msiexec.exe
Token: SeTcbPrivilege	1448	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exeTPLCDCLR.EXEsvchost.exe

description	pid	process	target process
PID 2616 wrote to memory of 3112	2616	2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe	TPLCDCLR.EXE
PID 2616 wrote to memory of 3112	2616	2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe	TPLCDCLR.EXE
PID 2616 wrote to memory of 3112	2616	2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe	TPLCDCLR.EXE
PID 4912 wrote to memory of 3824	4912	TPLCDCLR.EXE	svchost.exe
PID 4912 wrote to memory of 3824	4912	TPLCDCLR.EXE	svchost.exe
PID 4912 wrote to memory of 3824	4912	TPLCDCLR.EXE	svchost.exe
PID 4912 wrote to memory of 3824	4912	TPLCDCLR.EXE	svchost.exe
PID 4912 wrote to memory of 3824	4912	TPLCDCLR.EXE	svchost.exe
PID 4912 wrote to memory of 3824	4912	TPLCDCLR.EXE	svchost.exe
PID 4912 wrote to memory of 3824	4912	TPLCDCLR.EXE	svchost.exe
PID 4912 wrote to memory of 3824	4912	TPLCDCLR.EXE	svchost.exe
PID 3824 wrote to memory of 1448	3824	svchost.exe	msiexec.exe
PID 3824 wrote to memory of 1448	3824	svchost.exe	msiexec.exe
PID 3824 wrote to memory of 1448	3824	svchost.exe	msiexec.exe
PID 3824 wrote to memory of 1448	3824	svchost.exe	msiexec.exe
PID 3824 wrote to memory of 1448	3824	svchost.exe	msiexec.exe
PID 3824 wrote to memory of 1448	3824	svchost.exe	msiexec.exe
PID 3824 wrote to memory of 1448	3824	svchost.exe	msiexec.exe
PID 3824 wrote to memory of 1448	3824	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe
"C:\Users\Admin\AppData\Local\Temp\2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2616

C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPLCDCLR.EXE
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPLCDCLR.EXE"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\TPLCDCLR.EXE
"C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\TPLCDCLR.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 3824
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\TPLCDCLR.EXE
Filesize
37KB

MD5
d9978f95ce30e85943efb52c9c7d731b

SHA1
a64bb28c87c4e41be56a9bb3b887c53051eb1db5

SHA256
69c2c1733dd95f16a1e89869ec05a618c27df1e7e86a51884abcdeb709eb3d45

SHA512
766a222e9f6fc9acafd2bbf72fdf44bb486d394cbd8751d487d47e828760240b1b945775efd17e77ca6b163e9e1f140f4612715b63b390cdf86e20325112124c

Download Submit
C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\TPLCDCLR.EXE
Filesize
37KB

MD5
d9978f95ce30e85943efb52c9c7d731b

SHA1
a64bb28c87c4e41be56a9bb3b887c53051eb1db5

SHA256
69c2c1733dd95f16a1e89869ec05a618c27df1e7e86a51884abcdeb709eb3d45

SHA512
766a222e9f6fc9acafd2bbf72fdf44bb486d394cbd8751d487d47e828760240b1b945775efd17e77ca6b163e9e1f140f4612715b63b390cdf86e20325112124c

Download Submit
C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\WTS.CHM
Filesize
147KB

MD5
5ce1c050fb6370e5cf997313abba9947

SHA1
6751978299e9b956da914a5110438b6b262dcb75

SHA256
ab927653e27e3374aa97eb9bfdacb011a7664d930e6f356512c5ae9582c2cfe5

SHA512
e6ce9bf2392fb9610efdfa0abb460b8031cef020ffed2b4cae9b609631f0fba5ae18ea311dc8f94aa5f46a4dbac9064186b5a0648459504256a7fb17ad8c3061

Download Submit
C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\WTSAPI32.dll
Filesize
78KB

MD5
be59ff05b96b7bb251dd77932b71bbc1

SHA1
28a4a3be8606aea4f46761238d99fa4d7a96354e

SHA256
c8dd154950db3401b2e91c6a535b2f0f8853bc188e31f9d91c96bf31cebd1251

SHA512
2e06ad4dac78bd08d8c0b9925455662900bc6cf71df70ce478d18bc4cb273ab6fd15eedaa563c646001765a1a8878b752748abc1ea6c43a1acdf32a76c524050

Download Submit
C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\WTSAPI32.dll
Filesize
78KB

MD5
be59ff05b96b7bb251dd77932b71bbc1

SHA1
28a4a3be8606aea4f46761238d99fa4d7a96354e

SHA256
c8dd154950db3401b2e91c6a535b2f0f8853bc188e31f9d91c96bf31cebd1251

SHA512
2e06ad4dac78bd08d8c0b9925455662900bc6cf71df70ce478d18bc4cb273ab6fd15eedaa563c646001765a1a8878b752748abc1ea6c43a1acdf32a76c524050

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPLCDCLR.EXE
Filesize
37KB

MD5
d9978f95ce30e85943efb52c9c7d731b

SHA1
a64bb28c87c4e41be56a9bb3b887c53051eb1db5

SHA256
69c2c1733dd95f16a1e89869ec05a618c27df1e7e86a51884abcdeb709eb3d45

SHA512
766a222e9f6fc9acafd2bbf72fdf44bb486d394cbd8751d487d47e828760240b1b945775efd17e77ca6b163e9e1f140f4612715b63b390cdf86e20325112124c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPLCDCLR.EXE
Filesize
37KB

MD5
d9978f95ce30e85943efb52c9c7d731b

SHA1
a64bb28c87c4e41be56a9bb3b887c53051eb1db5

SHA256
69c2c1733dd95f16a1e89869ec05a618c27df1e7e86a51884abcdeb709eb3d45

SHA512
766a222e9f6fc9acafd2bbf72fdf44bb486d394cbd8751d487d47e828760240b1b945775efd17e77ca6b163e9e1f140f4612715b63b390cdf86e20325112124c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WTS.CHM
Filesize
147KB

MD5
5ce1c050fb6370e5cf997313abba9947

SHA1
6751978299e9b956da914a5110438b6b262dcb75

SHA256
ab927653e27e3374aa97eb9bfdacb011a7664d930e6f356512c5ae9582c2cfe5

SHA512
e6ce9bf2392fb9610efdfa0abb460b8031cef020ffed2b4cae9b609631f0fba5ae18ea311dc8f94aa5f46a4dbac9064186b5a0648459504256a7fb17ad8c3061

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WTSAPI32.dll
Filesize
78KB

MD5
be59ff05b96b7bb251dd77932b71bbc1

SHA1
28a4a3be8606aea4f46761238d99fa4d7a96354e

SHA256
c8dd154950db3401b2e91c6a535b2f0f8853bc188e31f9d91c96bf31cebd1251

SHA512
2e06ad4dac78bd08d8c0b9925455662900bc6cf71df70ce478d18bc4cb273ab6fd15eedaa563c646001765a1a8878b752748abc1ea6c43a1acdf32a76c524050

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WTSAPI32.dll
Filesize
78KB

MD5
be59ff05b96b7bb251dd77932b71bbc1

SHA1
28a4a3be8606aea4f46761238d99fa4d7a96354e

SHA256
c8dd154950db3401b2e91c6a535b2f0f8853bc188e31f9d91c96bf31cebd1251

SHA512
2e06ad4dac78bd08d8c0b9925455662900bc6cf71df70ce478d18bc4cb273ab6fd15eedaa563c646001765a1a8878b752748abc1ea6c43a1acdf32a76c524050

Download Submit
memory/1448-147-0x0000000000000000-mapping.dmp

Download
memory/1448-148-0x0000000002A20000-0x0000000002A5F000-memory.dmp

Filesize
252KB

Download
memory/1448-149-0x0000000002A20000-0x0000000002A5F000-memory.dmp

Filesize
252KB

Download
memory/3112-136-0x0000000000680000-0x00000000006A5000-memory.dmp

Filesize
148KB

Download
memory/3112-140-0x00000000020D0000-0x000000000210F000-memory.dmp

Filesize
252KB

Download
memory/3112-130-0x0000000000000000-mapping.dmp

Download
memory/3824-144-0x0000000000000000-mapping.dmp

Download
memory/3824-145-0x00000000008B0000-0x00000000008EF000-memory.dmp

Filesize
252KB

Download
memory/3824-146-0x00000000008B0000-0x00000000008EF000-memory.dmp

Filesize
252KB

Download
memory/4912-143-0x0000000000640000-0x000000000067F000-memory.dmp

Filesize
252KB

Download