plugx | 2a8d18a59cd648637deb830079b460008d81411681f0eb41dc327c3f447326f6

General

Target

2a8d18a59cd648637deb830079b460008d81411681f0eb41dc327c3f447326f6.exe
Size

248KB
MD5

cc7b091b94c4f0641b180417b017fec2
SHA1

17c59c9bdc7ac4ef8abdca087fdfeefef816f597
SHA256

2a8d18a59cd648637deb830079b460008d81411681f0eb41dc327c3f447326f6
SHA512

5c5106833eec8cc386171ff519be0af91493305af9fd2bb632ef19907b88c1633bc7a1b30b068659db3fc8d378b918363c5d8c79064600e4b5f1a83cf93b2461

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1808-62-0x0000000000340000-0x0000000000378000-memory.dmp	family_plugx
behavioral1/memory/2032-63-0x0000000000450000-0x0000000000488000-memory.dmp	family_plugx
behavioral1/memory/808-72-0x0000000001C70000-0x0000000001CA8000-memory.dmp	family_plugx
behavioral1/memory/1548-74-0x0000000000250000-0x0000000000288000-memory.dmp	family_plugx
behavioral1/memory/2032-75-0x0000000000450000-0x0000000000488000-memory.dmp	family_plugx
behavioral1/memory/996-80-0x0000000000900000-0x0000000000938000-memory.dmp	family_plugx
behavioral1/memory/1548-81-0x0000000000250000-0x0000000000288000-memory.dmp	family_plugx
behavioral1/memory/996-82-0x0000000000900000-0x0000000000938000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 2 IoCs

Processes:

NvSmart.exeNvSmart.exe

pid process

2032 NvSmart.exe
808 NvSmart.exe
Deletes itself 1 IoCs

Processes:

NvSmart.exe

pid process

2032 NvSmart.exe
Loads dropped DLL 2 IoCs

Processes:

NvSmart.exeNvSmart.exe

pid process

2032 NvSmart.exe
808 NvSmart.exe

pid	process
2032	NvSmart.exe
808	NvSmart.exe

pid	process
2032	NvSmart.exe

pid	process
2032	NvSmart.exe
808	NvSmart.exe

Drops file in Program Files directory 7 IoCs

Processes:

2a8d18a59cd648637deb830079b460008d81411681f0eb41dc327c3f447326f6.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files	2a8d18a59cd648637deb830079b460008d81411681f0eb41dc327c3f447326f6.exe
File opened for modification	C:\Program Files (x86)\Common Files\boot.ldr	2a8d18a59cd648637deb830079b460008d81411681f0eb41dc327c3f447326f6.exe
File created	C:\Program Files (x86)\Common Files\boot.ldr	2a8d18a59cd648637deb830079b460008d81411681f0eb41dc327c3f447326f6.exe
File opened for modification	C:\Program Files (x86)\Common Files\NvSmart.exe	2a8d18a59cd648637deb830079b460008d81411681f0eb41dc327c3f447326f6.exe
File created	C:\Program Files (x86)\Common Files\NvSmart.exe	2a8d18a59cd648637deb830079b460008d81411681f0eb41dc327c3f447326f6.exe
File opened for modification	C:\Program Files (x86)\Common Files\NvSmartMax.dll	2a8d18a59cd648637deb830079b460008d81411681f0eb41dc327c3f447326f6.exe
File created	C:\Program Files (x86)\Common Files\NvSmartMax.dll	2a8d18a59cd648637deb830079b460008d81411681f0eb41dc327c3f447326f6.exe

Modifies data under HKEY_USERS 35 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A28EDAD-87B6-4CAA-AB7B-23D85AF2535A}\WpadDecisionTime = 102ded5fa280d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-2a-77-7d-e8-84\WpadDecisionTime = f0ce4774a280d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A28EDAD-87B6-4CAA-AB7B-23D85AF2535A}\WpadDecisionTime = 50230d82a280d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A28EDAD-87B6-4CAA-AB7B-23D85AF2535A}\WpadDecisionTime = 70188996a280d801	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-2a-77-7d-e8-84\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A28EDAD-87B6-4CAA-AB7B-23D85AF2535A}\WpadNetworkName = "Network 3"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-2a-77-7d-e8-84\WpadDecisionTime = 1007355ca280d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-2a-77-7d-e8-84\WpadDecisionTime = 10e7267ba280d801	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A28EDAD-87B6-4CAA-AB7B-23D85AF2535A}	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A28EDAD-87B6-4CAA-AB7B-23D85AF2535A}\WpadDecisionTime = f0ce4774a280d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-2a-77-7d-e8-84\WpadDecisionTime = 50230d82a280d801	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A28EDAD-87B6-4CAA-AB7B-23D85AF2535A}\WpadDecisionTime = 1007355ca280d801	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-2a-77-7d-e8-84\WpadDetectedUrl	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-2a-77-7d-e8-84	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A28EDAD-87B6-4CAA-AB7B-23D85AF2535A}\de-2a-77-7d-e8-84	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-2a-77-7d-e8-84\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-2a-77-7d-e8-84\WpadDecisionTime = 102ded5fa280d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A28EDAD-87B6-4CAA-AB7B-23D85AF2535A}\WpadDecisionTime = 10e7267ba280d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-2a-77-7d-e8-84\WpadDecisionTime = 70188996a280d801	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A28EDAD-87B6-4CAA-AB7B-23D85AF2535A}\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A28EDAD-87B6-4CAA-AB7B-23D85AF2535A}\WpadDecision = "0"	svchost.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 45003600450033003100360041004400370033004200340035004200360046000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exemsiexec.exe

pid	process
1548	svchost.exe
1548	svchost.exe
1548	svchost.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
1548	svchost.exe
1548	svchost.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
1548	svchost.exe
1548	svchost.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
1548	svchost.exe
1548	svchost.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
1548	svchost.exe
1548	svchost.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
1548	svchost.exe
1548	svchost.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
1548	svchost.exe
1548	svchost.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
996	msiexec.exe
1548	svchost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

2a8d18a59cd648637deb830079b460008d81411681f0eb41dc327c3f447326f6.exeNvSmart.exeNvSmart.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1808	2a8d18a59cd648637deb830079b460008d81411681f0eb41dc327c3f447326f6.exe
Token: SeTcbPrivilege	1808	2a8d18a59cd648637deb830079b460008d81411681f0eb41dc327c3f447326f6.exe
Token: SeDebugPrivilege	2032	NvSmart.exe
Token: SeTcbPrivilege	2032	NvSmart.exe
Token: SeDebugPrivilege	808	NvSmart.exe
Token: SeTcbPrivilege	808	NvSmart.exe
Token: SeDebugPrivilege	1548	svchost.exe
Token: SeTcbPrivilege	1548	svchost.exe
Token: SeDebugPrivilege	996	msiexec.exe
Token: SeTcbPrivilege	996	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

NvSmart.exesvchost.exe

description	pid	process	target process
PID 808 wrote to memory of 1548	808	NvSmart.exe	svchost.exe
PID 808 wrote to memory of 1548	808	NvSmart.exe	svchost.exe
PID 808 wrote to memory of 1548	808	NvSmart.exe	svchost.exe
PID 808 wrote to memory of 1548	808	NvSmart.exe	svchost.exe
PID 808 wrote to memory of 1548	808	NvSmart.exe	svchost.exe
PID 808 wrote to memory of 1548	808	NvSmart.exe	svchost.exe
PID 808 wrote to memory of 1548	808	NvSmart.exe	svchost.exe
PID 808 wrote to memory of 1548	808	NvSmart.exe	svchost.exe
PID 808 wrote to memory of 1548	808	NvSmart.exe	svchost.exe
PID 1548 wrote to memory of 996	1548	svchost.exe	msiexec.exe
PID 1548 wrote to memory of 996	1548	svchost.exe	msiexec.exe
PID 1548 wrote to memory of 996	1548	svchost.exe	msiexec.exe
PID 1548 wrote to memory of 996	1548	svchost.exe	msiexec.exe
PID 1548 wrote to memory of 996	1548	svchost.exe	msiexec.exe
PID 1548 wrote to memory of 996	1548	svchost.exe	msiexec.exe
PID 1548 wrote to memory of 996	1548	svchost.exe	msiexec.exe
PID 1548 wrote to memory of 996	1548	svchost.exe	msiexec.exe
PID 1548 wrote to memory of 996	1548	svchost.exe	msiexec.exe
PID 1548 wrote to memory of 996	1548	svchost.exe	msiexec.exe
PID 1548 wrote to memory of 996	1548	svchost.exe	msiexec.exe
PID 1548 wrote to memory of 996	1548	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\2a8d18a59cd648637deb830079b460008d81411681f0eb41dc327c3f447326f6.exe
"C:\Users\Admin\AppData\Local\Temp\2a8d18a59cd648637deb830079b460008d81411681f0eb41dc327c3f447326f6.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Program Files (x86)\Common Files\NvSmart.exe
"C:\Program Files (x86)\Common Files\NvSmart.exe" 100 1808
1⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Program Files (x86)\Common Files\NvSmart.exe
"C:\Program Files (x86)\Common Files\NvSmart.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
2⤵
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 1548
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\NvSmart.exe
Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\Program Files (x86)\Common Files\NvSmart.exe
Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\Program Files (x86)\Common Files\NvSmartMax.dll
Filesize
3KB

MD5
44b4d9c4782f883fa8c0a1da3ff6a07e

SHA1
275237d091bb2e363ca93f4f06de5046f7373362

SHA256
69c58341551bd76578085b961f01cac3607d9c16b3f9d23f90862b6d0328eeab

SHA512
267a11c1bcdd97e4cd8dffb45f935c6de07008485522ac1af5130bebdbebb496ede792b9e1ee6799c53b3778157d1f08c2713e4f1f0d6c1a7fb9ac3b84dceed4

Download Submit
C:\Program Files (x86)\Common Files\boot.ldr
Filesize
155KB

MD5
d0f2dc03884bea2697f1ce65453c82d6

SHA1
d37de393c9b5d90ce3a1c4c751fee64360599b2f

SHA256
0ac3176b7bb40140e593feda97e9ed8bbf420daeaa6043151dbaacddf503b52a

SHA512
cad8a52baaa5a4032515aa3c34a2c528d76d09d1f8fb81b3a100f47a80cbdc381158766723f09c33f4974009a211512ab4cc103c423e61b683ba8454330edd50

Download Submit
C:\ProgramData\SxS\bug.log
Filesize
456B

MD5
4f921d7c092ff39bbbf6a2a91fc7788c

SHA1
2e0fd6d5ea4944f871835d01b9391cbf818688f6

SHA256
62da7c553cf39f2bb59f276b3dd0fb63251d03ebff686f992a232cc05254991b

SHA512
d449d8d990e916f20b4596cd819b812d48dce7d329e6e2781f91b587a0b2e9ff572a6f960781492f90da3b5f4b0e77c9b9b184b4a0c00815d0e60e622884ee3a

Download Submit
\Program Files (x86)\Common Files\NvSmartMax.dll
Filesize
3KB

MD5
44b4d9c4782f883fa8c0a1da3ff6a07e

SHA1
275237d091bb2e363ca93f4f06de5046f7373362

SHA256
69c58341551bd76578085b961f01cac3607d9c16b3f9d23f90862b6d0328eeab

SHA512
267a11c1bcdd97e4cd8dffb45f935c6de07008485522ac1af5130bebdbebb496ede792b9e1ee6799c53b3778157d1f08c2713e4f1f0d6c1a7fb9ac3b84dceed4

Download Submit
\Program Files (x86)\Common Files\NvSmartMax.dll
Filesize
3KB

MD5
44b4d9c4782f883fa8c0a1da3ff6a07e

SHA1
275237d091bb2e363ca93f4f06de5046f7373362

SHA256
69c58341551bd76578085b961f01cac3607d9c16b3f9d23f90862b6d0328eeab

SHA512
267a11c1bcdd97e4cd8dffb45f935c6de07008485522ac1af5130bebdbebb496ede792b9e1ee6799c53b3778157d1f08c2713e4f1f0d6c1a7fb9ac3b84dceed4

Download Submit
memory/808-72-0x0000000001C70000-0x0000000001CA8000-memory.dmp

Filesize
224KB

Download
memory/996-82-0x0000000000900000-0x0000000000938000-memory.dmp

Filesize
224KB

Download
memory/996-80-0x0000000000900000-0x0000000000938000-memory.dmp

Filesize
224KB

Download
memory/996-78-0x0000000000000000-mapping.dmp

Download
memory/1548-74-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/1548-81-0x0000000000250000-0x0000000000288000-memory.dmp

Filesize
224KB

Download
memory/1548-68-0x00000000000E0000-0x0000000000106000-memory.dmp

Filesize
152KB

Download
memory/1548-70-0x0000000000000000-mapping.dmp

Download
memory/1808-54-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1808-55-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1808-62-0x0000000000340000-0x0000000000378000-memory.dmp

Filesize
224KB

Download
memory/2032-75-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/2032-60-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2032-63-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads