plugx | 2c49a7c58ebe5473d28a57ce46ba6e7d915405bfbcaf9f61282193f25f2432fd

Analysis

max time kernel
43s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
14-06-2022 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c49a7c58ebe5473d28a57ce46ba6e7d915405bfbcaf9f61282193f25f2432fd.exe
Size

337KB
MD5

b39b15e19c999636338d3e131e321a45
SHA1

01b9fe987e2a06f3db812fce719ab1d24cfa354e
SHA256

2c49a7c58ebe5473d28a57ce46ba6e7d915405bfbcaf9f61282193f25f2432fd
SHA512

2f4915deb55156322a32d5c80e4b34fa112fd31e1895eca51cf170951dcafcc3c99ceac05fbfab693c9e60582759d677b6ae31d4c52715bfb41638abe1b3ed72

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/964-67-0x0000000000430000-0x0000000000460000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

start.exexlmin.exe000045packer.exe

pid process

912 start.exe
964 xlmin.exe
1640 000045packer.exe

pid	process
912	start.exe
964	xlmin.exe
1640	000045packer.exe

Loads dropped DLL 13 IoCs

Processes:

2c49a7c58ebe5473d28a57ce46ba6e7d915405bfbcaf9f61282193f25f2432fd.exexlmin.exeWerFault.exe

pid	process
1560	2c49a7c58ebe5473d28a57ce46ba6e7d915405bfbcaf9f61282193f25f2432fd.exe
1560	2c49a7c58ebe5473d28a57ce46ba6e7d915405bfbcaf9f61282193f25f2432fd.exe
1560	2c49a7c58ebe5473d28a57ce46ba6e7d915405bfbcaf9f61282193f25f2432fd.exe
1560	2c49a7c58ebe5473d28a57ce46ba6e7d915405bfbcaf9f61282193f25f2432fd.exe
964	xlmin.exe
964	xlmin.exe
1412	WerFault.exe
1412	WerFault.exe
1412	WerFault.exe
1412	WerFault.exe
1412	WerFault.exe
1412	WerFault.exe
1412	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1412 1640 WerFault.exe 000045packer.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

start.exe

pid process

912 start.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

xlmin.exe

description pid process

Token: SeDebugPrivilege 964 xlmin.exe
Token: SeTcbPrivilege 964 xlmin.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

start.exexlmin.exe

pid process

912 start.exe
964 xlmin.exe
964 xlmin.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

xlmin.exe

pid process

964 xlmin.exe
964 xlmin.exe

pid	pid_target	process	target process
1412	1640	WerFault.exe	000045packer.exe

pid	process
912	start.exe

description	pid	process
Token: SeDebugPrivilege	964	xlmin.exe
Token: SeTcbPrivilege	964	xlmin.exe

pid	process
912	start.exe
964	xlmin.exe
964	xlmin.exe

pid	process
964	xlmin.exe
964	xlmin.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2c49a7c58ebe5473d28a57ce46ba6e7d915405bfbcaf9f61282193f25f2432fd.exexlmin.exe000045packer.exe

description	pid	process	target process
PID 1560 wrote to memory of 912	1560	2c49a7c58ebe5473d28a57ce46ba6e7d915405bfbcaf9f61282193f25f2432fd.exe	start.exe
PID 1560 wrote to memory of 912	1560	2c49a7c58ebe5473d28a57ce46ba6e7d915405bfbcaf9f61282193f25f2432fd.exe	start.exe
PID 1560 wrote to memory of 912	1560	2c49a7c58ebe5473d28a57ce46ba6e7d915405bfbcaf9f61282193f25f2432fd.exe	start.exe
PID 1560 wrote to memory of 912	1560	2c49a7c58ebe5473d28a57ce46ba6e7d915405bfbcaf9f61282193f25f2432fd.exe	start.exe
PID 1560 wrote to memory of 912	1560	2c49a7c58ebe5473d28a57ce46ba6e7d915405bfbcaf9f61282193f25f2432fd.exe	start.exe
PID 1560 wrote to memory of 912	1560	2c49a7c58ebe5473d28a57ce46ba6e7d915405bfbcaf9f61282193f25f2432fd.exe	start.exe
PID 1560 wrote to memory of 912	1560	2c49a7c58ebe5473d28a57ce46ba6e7d915405bfbcaf9f61282193f25f2432fd.exe	start.exe
PID 964 wrote to memory of 1640	964	xlmin.exe	000045packer.exe
PID 964 wrote to memory of 1640	964	xlmin.exe	000045packer.exe
PID 964 wrote to memory of 1640	964	xlmin.exe	000045packer.exe
PID 964 wrote to memory of 1640	964	xlmin.exe	000045packer.exe
PID 1640 wrote to memory of 1412	1640	000045packer.exe	WerFault.exe
PID 1640 wrote to memory of 1412	1640	000045packer.exe	WerFault.exe
PID 1640 wrote to memory of 1412	1640	000045packer.exe	WerFault.exe
PID 1640 wrote to memory of 1412	1640	000045packer.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\2c49a7c58ebe5473d28a57ce46ba6e7d915405bfbcaf9f61282193f25f2432fd.exe
"C:\Users\Admin\AppData\Local\Temp\2c49a7c58ebe5473d28a57ce46ba6e7d915405bfbcaf9f61282193f25f2432fd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:912

C:\Users\Admin\AppData\Local\Temp\RarSFX0\xlmin.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\xlmin.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Roaming\XGMiniDownloader\000045packer.exe
"C:\Users\Admin\AppData\Roaming\XGMiniDownloader\000045packer.exe" /minidownloader
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 192
3⤵
- Loads dropped DLL
- Program crash
PID:1412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\dl_peer_id.db
Filesize
120KB

MD5
6c697836594fa05a74901d1ec0676873

SHA1
d9e378e65d1a50b715c1a6e9ee4b721d21e04a70

SHA256
c94f6c2eaa774eb447b2ee566b5d3f00952e86b6e2f39f9d19c7aff242535217

SHA512
994d29c6766dd3f83a96618960bcf5c9bafd2f0b0e5ffbc66af1c9d8cbb2e8c6c303ac29afb4ba6fe36e5fc5f220865aea628f75691cda9bc26722c09e376d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dl_peer_id.dll
Filesize
40KB

MD5
b3c4f33da415eb7648d71a89312df114

SHA1
8cac341abda25120b89da085dadee72f17b7b356

SHA256
b388009ca8311e82e37b4009054ac21350157299d1240a8070b66a177ffdd3f9

SHA512
03ea98d2ad918593277c5cede06061ef2446f10e74b3c6bcf512094bff9ead911802fb5d24efba4d95b4579ef5c12dcbe3338b556c0c35d249b2703f82367183

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.exe
Filesize
41KB

MD5
2b736720e2c2674b8037a03266574048

SHA1
b0fccf6893442467f1c8a7f05783d1f1ea27fa74

SHA256
27d22e2fb09e101ec13d9dc16bf743d6a49111c3205ea9127d1733696c3afbe1

SHA512
70c6458db107dc7254abc61508f014fe40f11a733d043cc1388113ef2887dcb666656d65a51d61fa65fff25ede393e4a99bf6a9976a895255f5807e57abfad94

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xlmin.exe
Filesize
173KB

MD5
e76ee3dd4b09116ccb947a2c063cfe0e

SHA1
6369bb55c284bd373c4be35cdcde36026d8a8a7d

SHA256
e8cbf2de0dcd938d74ae3d8f4c17142b5debca17808f7801d55ecc95feadfb3c

SHA512
171868e5b33885459504bb9c0c82dbf2b54c2ec656050ab1686328dfa69e2a62b15d1d7278f2682902356fd88a6c13001f7cadbd6f9b7afbc37b2613bf8ce2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xlmin.exe
Filesize
173KB

MD5
e76ee3dd4b09116ccb947a2c063cfe0e

SHA1
6369bb55c284bd373c4be35cdcde36026d8a8a7d

SHA256
e8cbf2de0dcd938d74ae3d8f4c17142b5debca17808f7801d55ecc95feadfb3c

SHA512
171868e5b33885459504bb9c0c82dbf2b54c2ec656050ab1686328dfa69e2a62b15d1d7278f2682902356fd88a6c13001f7cadbd6f9b7afbc37b2613bf8ce2da

Download Submit
C:\Users\Admin\AppData\Roaming\XGMiniDownloader\000045packer.exe
Filesize
1.8MB

MD5
848dc30afe377fdeb82a45539a6ecf62

SHA1
0d1a038e77b5be899928d2459532edecf329695a

SHA256
0ee6fbd8eb2275164accfec12e1e55cecb07dde988df23984fbbf054f2b24c87

SHA512
059249e7d19423b85a480a58cbc55998685fb8cc326608f52a53f938863738b0b971ca0d3ca1d4da0ef42271c4fb18c372f8bdb0fef74cbc0939c76f9448b08d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\dl_peer_id.dll
Filesize
40KB

MD5
b3c4f33da415eb7648d71a89312df114

SHA1
8cac341abda25120b89da085dadee72f17b7b356

SHA256
b388009ca8311e82e37b4009054ac21350157299d1240a8070b66a177ffdd3f9

SHA512
03ea98d2ad918593277c5cede06061ef2446f10e74b3c6bcf512094bff9ead911802fb5d24efba4d95b4579ef5c12dcbe3338b556c0c35d249b2703f82367183

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\start.exe
Filesize
41KB

MD5
2b736720e2c2674b8037a03266574048

SHA1
b0fccf6893442467f1c8a7f05783d1f1ea27fa74

SHA256
27d22e2fb09e101ec13d9dc16bf743d6a49111c3205ea9127d1733696c3afbe1

SHA512
70c6458db107dc7254abc61508f014fe40f11a733d043cc1388113ef2887dcb666656d65a51d61fa65fff25ede393e4a99bf6a9976a895255f5807e57abfad94

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\start.exe
Filesize
41KB

MD5
2b736720e2c2674b8037a03266574048

SHA1
b0fccf6893442467f1c8a7f05783d1f1ea27fa74

SHA256
27d22e2fb09e101ec13d9dc16bf743d6a49111c3205ea9127d1733696c3afbe1

SHA512
70c6458db107dc7254abc61508f014fe40f11a733d043cc1388113ef2887dcb666656d65a51d61fa65fff25ede393e4a99bf6a9976a895255f5807e57abfad94

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\start.exe
Filesize
41KB

MD5
2b736720e2c2674b8037a03266574048

SHA1
b0fccf6893442467f1c8a7f05783d1f1ea27fa74

SHA256
27d22e2fb09e101ec13d9dc16bf743d6a49111c3205ea9127d1733696c3afbe1

SHA512
70c6458db107dc7254abc61508f014fe40f11a733d043cc1388113ef2887dcb666656d65a51d61fa65fff25ede393e4a99bf6a9976a895255f5807e57abfad94

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\start.exe
Filesize
41KB

MD5
2b736720e2c2674b8037a03266574048

SHA1
b0fccf6893442467f1c8a7f05783d1f1ea27fa74

SHA256
27d22e2fb09e101ec13d9dc16bf743d6a49111c3205ea9127d1733696c3afbe1

SHA512
70c6458db107dc7254abc61508f014fe40f11a733d043cc1388113ef2887dcb666656d65a51d61fa65fff25ede393e4a99bf6a9976a895255f5807e57abfad94

Download Submit
\Users\Admin\AppData\Roaming\XGMiniDownloader\000045packer.exe
Filesize
1.8MB

MD5
848dc30afe377fdeb82a45539a6ecf62

SHA1
0d1a038e77b5be899928d2459532edecf329695a

SHA256
0ee6fbd8eb2275164accfec12e1e55cecb07dde988df23984fbbf054f2b24c87

SHA512
059249e7d19423b85a480a58cbc55998685fb8cc326608f52a53f938863738b0b971ca0d3ca1d4da0ef42271c4fb18c372f8bdb0fef74cbc0939c76f9448b08d

Download Submit
\Users\Admin\AppData\Roaming\XGMiniDownloader\000045packer.exe
Filesize
1.8MB

MD5
848dc30afe377fdeb82a45539a6ecf62

SHA1
0d1a038e77b5be899928d2459532edecf329695a

SHA256
0ee6fbd8eb2275164accfec12e1e55cecb07dde988df23984fbbf054f2b24c87

SHA512
059249e7d19423b85a480a58cbc55998685fb8cc326608f52a53f938863738b0b971ca0d3ca1d4da0ef42271c4fb18c372f8bdb0fef74cbc0939c76f9448b08d

Download Submit
\Users\Admin\AppData\Roaming\XGMiniDownloader\000045packer.exe
Filesize
1.8MB

MD5
848dc30afe377fdeb82a45539a6ecf62

SHA1
0d1a038e77b5be899928d2459532edecf329695a

SHA256
0ee6fbd8eb2275164accfec12e1e55cecb07dde988df23984fbbf054f2b24c87

SHA512
059249e7d19423b85a480a58cbc55998685fb8cc326608f52a53f938863738b0b971ca0d3ca1d4da0ef42271c4fb18c372f8bdb0fef74cbc0939c76f9448b08d

Download Submit
\Users\Admin\AppData\Roaming\XGMiniDownloader\000045packer.exe
Filesize
1.8MB

MD5
848dc30afe377fdeb82a45539a6ecf62

SHA1
0d1a038e77b5be899928d2459532edecf329695a

SHA256
0ee6fbd8eb2275164accfec12e1e55cecb07dde988df23984fbbf054f2b24c87

SHA512
059249e7d19423b85a480a58cbc55998685fb8cc326608f52a53f938863738b0b971ca0d3ca1d4da0ef42271c4fb18c372f8bdb0fef74cbc0939c76f9448b08d

Download Submit
\Users\Admin\AppData\Roaming\XGMiniDownloader\000045packer.exe
Filesize
1.8MB

MD5
848dc30afe377fdeb82a45539a6ecf62

SHA1
0d1a038e77b5be899928d2459532edecf329695a

SHA256
0ee6fbd8eb2275164accfec12e1e55cecb07dde988df23984fbbf054f2b24c87

SHA512
059249e7d19423b85a480a58cbc55998685fb8cc326608f52a53f938863738b0b971ca0d3ca1d4da0ef42271c4fb18c372f8bdb0fef74cbc0939c76f9448b08d

Download Submit
\Users\Admin\AppData\Roaming\XGMiniDownloader\000045packer.exe
Filesize
1.8MB

MD5
848dc30afe377fdeb82a45539a6ecf62

SHA1
0d1a038e77b5be899928d2459532edecf329695a

SHA256
0ee6fbd8eb2275164accfec12e1e55cecb07dde988df23984fbbf054f2b24c87

SHA512
059249e7d19423b85a480a58cbc55998685fb8cc326608f52a53f938863738b0b971ca0d3ca1d4da0ef42271c4fb18c372f8bdb0fef74cbc0939c76f9448b08d

Download Submit
\Users\Admin\AppData\Roaming\XGMiniDownloader\000045packer.exe
Filesize
1.8MB

MD5
848dc30afe377fdeb82a45539a6ecf62

SHA1
0d1a038e77b5be899928d2459532edecf329695a

SHA256
0ee6fbd8eb2275164accfec12e1e55cecb07dde988df23984fbbf054f2b24c87

SHA512
059249e7d19423b85a480a58cbc55998685fb8cc326608f52a53f938863738b0b971ca0d3ca1d4da0ef42271c4fb18c372f8bdb0fef74cbc0939c76f9448b08d

Download Submit
\Users\Admin\AppData\Roaming\XGMiniDownloader\000045packer.exe
Filesize
1.8MB

MD5
848dc30afe377fdeb82a45539a6ecf62

SHA1
0d1a038e77b5be899928d2459532edecf329695a

SHA256
0ee6fbd8eb2275164accfec12e1e55cecb07dde988df23984fbbf054f2b24c87

SHA512
059249e7d19423b85a480a58cbc55998685fb8cc326608f52a53f938863738b0b971ca0d3ca1d4da0ef42271c4fb18c372f8bdb0fef74cbc0939c76f9448b08d

Download Submit
memory/912-59-0x0000000000000000-mapping.dmp

Download
memory/964-67-0x0000000000430000-0x0000000000460000-memory.dmp

Filesize
192KB

Download
memory/1412-73-0x0000000000000000-mapping.dmp

Download
memory/1560-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1640-70-0x0000000000000000-mapping.dmp

Download