plugx | 250a21ecc7d5c701aa1548cd2dfc9965db6b2354d46ea992f4a3f99402e50f34

General

Target

250a21ecc7d5c701aa1548cd2dfc9965db6b2354d46ea992f4a3f99402e50f34.exe
Size

429KB
MD5

a0ec347f377fa596496dd88becf2d37f
SHA1

6d75e533ce42095871b5a280f52b1d8e84ef2b49
SHA256

250a21ecc7d5c701aa1548cd2dfc9965db6b2354d46ea992f4a3f99402e50f34
SHA512

64523f3a3843e9e80ec124fe46104124e157c4eca6cc7fbe2bbffffeeb5c9911f4c62b5173735cf031d7873126cbc3c768a444203067adcf7917a598def5e577

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1844-137-0x00000000005F0000-0x0000000000620000-memory.dmp	family_plugx
behavioral2/memory/4360-139-0x0000000001180000-0x00000000011B0000-memory.dmp	family_plugx
behavioral2/memory/4360-140-0x0000000001180000-0x00000000011B0000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 1 IoCs

Processes:

hkcmd.exe

pid process

1844 hkcmd.exe

pid	process
1844	hkcmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

250a21ecc7d5c701aa1548cd2dfc9965db6b2354d46ea992f4a3f99402e50f34.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	250a21ecc7d5c701aa1548cd2dfc9965db6b2354d46ea992f4a3f99402e50f34.exe

Loads dropped DLL 1 IoCs

Processes:

hkcmd.exe

pid process

1844 hkcmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1844	hkcmd.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 42003500390043004500390043003400420045003400350035004500440033000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exe

pid process

4360 svchost.exe
4360 svchost.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

4360 svchost.exe

pid	process
4360	svchost.exe
4360	svchost.exe

pid	process
4360	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

hkcmd.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1844	hkcmd.exe
Token: SeTcbPrivilege	1844	hkcmd.exe
Token: SeDebugPrivilege	4360	svchost.exe
Token: SeTcbPrivilege	4360	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

250a21ecc7d5c701aa1548cd2dfc9965db6b2354d46ea992f4a3f99402e50f34.exehkcmd.exe

description	pid	process	target process
PID 1436 wrote to memory of 1844	1436	250a21ecc7d5c701aa1548cd2dfc9965db6b2354d46ea992f4a3f99402e50f34.exe	hkcmd.exe
PID 1436 wrote to memory of 1844	1436	250a21ecc7d5c701aa1548cd2dfc9965db6b2354d46ea992f4a3f99402e50f34.exe	hkcmd.exe
PID 1436 wrote to memory of 1844	1436	250a21ecc7d5c701aa1548cd2dfc9965db6b2354d46ea992f4a3f99402e50f34.exe	hkcmd.exe
PID 1844 wrote to memory of 4360	1844	hkcmd.exe	svchost.exe
PID 1844 wrote to memory of 4360	1844	hkcmd.exe	svchost.exe
PID 1844 wrote to memory of 4360	1844	hkcmd.exe	svchost.exe
PID 1844 wrote to memory of 4360	1844	hkcmd.exe	svchost.exe
PID 1844 wrote to memory of 4360	1844	hkcmd.exe	svchost.exe
PID 1844 wrote to memory of 4360	1844	hkcmd.exe	svchost.exe
PID 1844 wrote to memory of 4360	1844	hkcmd.exe	svchost.exe
PID 1844 wrote to memory of 4360	1844	hkcmd.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\250a21ecc7d5c701aa1548cd2dfc9965db6b2354d46ea992f4a3f99402e50f34.exe
"C:\Users\Admin\AppData\Local\Temp\250a21ecc7d5c701aa1548cd2dfc9965db6b2354d46ea992f4a3f99402e50f34.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.DLL
Filesize
2KB

MD5
db31bf1c16ec180be2cf421b724a3105

SHA1
2d9092d17f358dbfb68a369f7a682e0af9f3e6bb

SHA256
bc652e5897164e2d987471125aa606a70f9a42912b6287a5538ae5c03818107e

SHA512
bb49b05a99664306168773530b029c78461675b80745e4a51ddb76cf7f1e28b1a87574b596b6709d09cc4c8eed67721b7a995ee316080d783a12f85458ea9873

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.DLL.hcc
Filesize
119KB

MD5
f4de872c49db564ca7aa065d01cde5f2

SHA1
59c121b89abcd5a7a1395fa0ca2511ed3afc929e

SHA256
0e44ca27eb46a8a4a2c78a68f83a24086e87c70c3f05b3ed2d027e95fc8c7137

SHA512
0951af3c252c66a426a038557f214cc541802f5b66ba111bdf3032a7d752f828b5a8f39a97198877c7596fe299dfb296188f1c2b06068f8053035615b2a6e643

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.dll
Filesize
2KB

MD5
db31bf1c16ec180be2cf421b724a3105

SHA1
2d9092d17f358dbfb68a369f7a682e0af9f3e6bb

SHA256
bc652e5897164e2d987471125aa606a70f9a42912b6287a5538ae5c03818107e

SHA512
bb49b05a99664306168773530b029c78461675b80745e4a51ddb76cf7f1e28b1a87574b596b6709d09cc4c8eed67721b7a995ee316080d783a12f85458ea9873

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe
Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe
Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
memory/1844-130-0x0000000000000000-mapping.dmp

Download
memory/1844-136-0x0000000002100000-0x0000000002200000-memory.dmp

Filesize
1024KB

Download
memory/1844-137-0x00000000005F0000-0x0000000000620000-memory.dmp

Filesize
192KB

Download
memory/4360-138-0x0000000000000000-mapping.dmp

Download
memory/4360-139-0x0000000001180000-0x00000000011B0000-memory.dmp

Filesize
192KB

Download
memory/4360-140-0x0000000001180000-0x00000000011B0000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads