plugx | f547d35bf1db7451493fb6332447b0ebfcef8a581a69ab6e5981adf12e55437a

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-06-2022 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f547d35bf1db7451493fb6332447b0ebfcef8a581a69ab6e5981adf12e55437a.exe
Size

325KB
MD5

9af190e00f38ca6541b1d1d177492c47
SHA1

1c143cd0685fc79cc76f2655e8d2b06fde44bcc5
SHA256

f547d35bf1db7451493fb6332447b0ebfcef8a581a69ab6e5981adf12e55437a
SHA512

d916f6fcc36af490e90310d2fda84f6a629a0be2e1cb89e856699f971516f96b062e03091217005615331be79989133557caabff04979129497a377a7f5de1c2

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 7 IoCs

resource	yara_rule
behavioral2/memory/4656-137-0x00000000022F0000-0x000000000231C000-memory.dmp	family_plugx
behavioral2/memory/1668-148-0x00000000005F0000-0x000000000061C000-memory.dmp	family_plugx
behavioral2/memory/1216-149-0x0000000000640000-0x000000000066C000-memory.dmp	family_plugx
behavioral2/memory/1284-150-0x0000000001400000-0x000000000142C000-memory.dmp	family_plugx
behavioral2/memory/3396-152-0x0000000002590000-0x00000000025BC000-memory.dmp	family_plugx
behavioral2/memory/1284-153-0x0000000001400000-0x000000000142C000-memory.dmp	family_plugx
behavioral2/memory/3396-154-0x0000000002590000-0x00000000025BC000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
4656	hkcmd.exe
1216	hkcmd.exe
1668	hkcmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	f547d35bf1db7451493fb6332447b0ebfcef8a581a69ab6e5981adf12e55437a.exe

Loads dropped DLL 3 IoCs

pid	Process
4656	hkcmd.exe
1216	hkcmd.exe
1668	hkcmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44003200390043004200430032003600440041004200340030003000460038000000	svchost.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4656	hkcmd.exe
4656	hkcmd.exe
1284	svchost.exe
1284	svchost.exe
1284	svchost.exe
1284	svchost.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
1284	svchost.exe
1284	svchost.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
1284	svchost.exe
1284	svchost.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
1284	svchost.exe
1284	svchost.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
1284	svchost.exe
1284	svchost.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe
3396	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1284	svchost.exe
3396	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4656	hkcmd.exe
Token: SeTcbPrivilege	4656	hkcmd.exe
Token: SeDebugPrivilege	1216	hkcmd.exe
Token: SeTcbPrivilege	1216	hkcmd.exe
Token: SeDebugPrivilege	1668	hkcmd.exe
Token: SeTcbPrivilege	1668	hkcmd.exe
Token: SeDebugPrivilege	1284	svchost.exe
Token: SeTcbPrivilege	1284	svchost.exe
Token: SeDebugPrivilege	3396	msiexec.exe
Token: SeTcbPrivilege	3396	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 4656	3376	f547d35bf1db7451493fb6332447b0ebfcef8a581a69ab6e5981adf12e55437a.exe	83
PID 3376 wrote to memory of 4656	3376	f547d35bf1db7451493fb6332447b0ebfcef8a581a69ab6e5981adf12e55437a.exe	83
PID 3376 wrote to memory of 4656	3376	f547d35bf1db7451493fb6332447b0ebfcef8a581a69ab6e5981adf12e55437a.exe	83
PID 1668 wrote to memory of 1284	1668	hkcmd.exe	87
PID 1668 wrote to memory of 1284	1668	hkcmd.exe	87
PID 1668 wrote to memory of 1284	1668	hkcmd.exe	87
PID 1668 wrote to memory of 1284	1668	hkcmd.exe	87
PID 1668 wrote to memory of 1284	1668	hkcmd.exe	87
PID 1668 wrote to memory of 1284	1668	hkcmd.exe	87
PID 1668 wrote to memory of 1284	1668	hkcmd.exe	87
PID 1668 wrote to memory of 1284	1668	hkcmd.exe	87
PID 1284 wrote to memory of 3396	1284	svchost.exe	92
PID 1284 wrote to memory of 3396	1284	svchost.exe	92
PID 1284 wrote to memory of 3396	1284	svchost.exe	92
PID 1284 wrote to memory of 3396	1284	svchost.exe	92
PID 1284 wrote to memory of 3396	1284	svchost.exe	92
PID 1284 wrote to memory of 3396	1284	svchost.exe	92
PID 1284 wrote to memory of 3396	1284	svchost.exe	92
PID 1284 wrote to memory of 3396	1284	svchost.exe	92

C:\Users\Admin\AppData\Local\Temp\f547d35bf1db7451493fb6332447b0ebfcef8a581a69ab6e5981adf12e55437a.exe
"C:\Users\Admin\AppData\Local\Temp\f547d35bf1db7451493fb6332447b0ebfcef8a581a69ab6e5981adf12e55437a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4656

C:\ProgramData\Kerberos\hkcmd.exe
"C:\ProgramData\Kerberos\hkcmd.exe" 100 4656
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\ProgramData\Kerberos\hkcmd.exe
"C:\ProgramData\Kerberos\hkcmd.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1284
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Kerberos\hccutils.DLL

Filesize
41KB

MD5
55c15efa6369957c69e7c6643bc86ef2

SHA1
ce2bacdc2eeb298016d46e61f4a009b2a706a737

SHA256
7a593f93d52d7cecf2ad81ee2df0d1354a39bb975cec25619dcbe5cee57123cf

SHA512
a6d06035f91410dc215d8ac8a22d955bd02084d3e409e81176046c9f1bbf0eff2328ab66ff90f0441004ddd7922fdd2d2c1b44f32b583ab78cb1015813d46705

Download Submit
C:\ProgramData\Kerberos\hccutils.DLL.res

Filesize
110KB

MD5
3aa819b9089cd906d6434e446bea75ba

SHA1
8e008e0eb41830841eeb4702c382a43757ad930e

SHA256
b414a5ffb5b41d46d963c22964ae3097538c0a3e7ce0e3ba235ca33de3ab717d

SHA512
c09d075044ef7b74c928238aaa1b78c952970280a68213db108d7bdc02fea24a0f6424a745dbf4fb33de93f3b8d8341b7f99e5c47dadd0fda9083e6cc596b965

Download Submit
C:\ProgramData\Kerberos\hccutils.dll

Filesize
41KB

MD5
55c15efa6369957c69e7c6643bc86ef2

SHA1
ce2bacdc2eeb298016d46e61f4a009b2a706a737

SHA256
7a593f93d52d7cecf2ad81ee2df0d1354a39bb975cec25619dcbe5cee57123cf

SHA512
a6d06035f91410dc215d8ac8a22d955bd02084d3e409e81176046c9f1bbf0eff2328ab66ff90f0441004ddd7922fdd2d2c1b44f32b583ab78cb1015813d46705

Download Submit
C:\ProgramData\Kerberos\hccutils.dll

Filesize
41KB

MD5
55c15efa6369957c69e7c6643bc86ef2

SHA1
ce2bacdc2eeb298016d46e61f4a009b2a706a737

SHA256
7a593f93d52d7cecf2ad81ee2df0d1354a39bb975cec25619dcbe5cee57123cf

SHA512
a6d06035f91410dc215d8ac8a22d955bd02084d3e409e81176046c9f1bbf0eff2328ab66ff90f0441004ddd7922fdd2d2c1b44f32b583ab78cb1015813d46705

Download Submit
C:\ProgramData\Kerberos\hkcmd.exe

Filesize
169KB

MD5
0d58e5f4e82539de38ba7f9b4a8dda12

SHA1
dd0f39f4d77e1bb347321aa22b5a9d5c1cc65342

SHA256
e2c6ec8ea8da05b23327c1d0e350e219c4823d41c2ed98bae9bd2d9b48b8613d

SHA512
149c5dcb225829744d632d9c118427c5074d0413246b6e08470cac2aeffdf25504007b98219d6b2b454a20069065168c4c21ad4d9d926d98ab97c45585f37ee3

Download Submit
C:\ProgramData\Kerberos\hkcmd.exe

Filesize
169KB

MD5
0d58e5f4e82539de38ba7f9b4a8dda12

SHA1
dd0f39f4d77e1bb347321aa22b5a9d5c1cc65342

SHA256
e2c6ec8ea8da05b23327c1d0e350e219c4823d41c2ed98bae9bd2d9b48b8613d

SHA512
149c5dcb225829744d632d9c118427c5074d0413246b6e08470cac2aeffdf25504007b98219d6b2b454a20069065168c4c21ad4d9d926d98ab97c45585f37ee3

Download Submit
C:\ProgramData\Kerberos\hkcmd.exe

Filesize
169KB

MD5
0d58e5f4e82539de38ba7f9b4a8dda12

SHA1
dd0f39f4d77e1bb347321aa22b5a9d5c1cc65342

SHA256
e2c6ec8ea8da05b23327c1d0e350e219c4823d41c2ed98bae9bd2d9b48b8613d

SHA512
149c5dcb225829744d632d9c118427c5074d0413246b6e08470cac2aeffdf25504007b98219d6b2b454a20069065168c4c21ad4d9d926d98ab97c45585f37ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.DLL

Filesize
41KB

MD5
55c15efa6369957c69e7c6643bc86ef2

SHA1
ce2bacdc2eeb298016d46e61f4a009b2a706a737

SHA256
7a593f93d52d7cecf2ad81ee2df0d1354a39bb975cec25619dcbe5cee57123cf

SHA512
a6d06035f91410dc215d8ac8a22d955bd02084d3e409e81176046c9f1bbf0eff2328ab66ff90f0441004ddd7922fdd2d2c1b44f32b583ab78cb1015813d46705

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.DLL.res

Filesize
110KB

MD5
3aa819b9089cd906d6434e446bea75ba

SHA1
8e008e0eb41830841eeb4702c382a43757ad930e

SHA256
b414a5ffb5b41d46d963c22964ae3097538c0a3e7ce0e3ba235ca33de3ab717d

SHA512
c09d075044ef7b74c928238aaa1b78c952970280a68213db108d7bdc02fea24a0f6424a745dbf4fb33de93f3b8d8341b7f99e5c47dadd0fda9083e6cc596b965

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.dll

Filesize
41KB

MD5
55c15efa6369957c69e7c6643bc86ef2

SHA1
ce2bacdc2eeb298016d46e61f4a009b2a706a737

SHA256
7a593f93d52d7cecf2ad81ee2df0d1354a39bb975cec25619dcbe5cee57123cf

SHA512
a6d06035f91410dc215d8ac8a22d955bd02084d3e409e81176046c9f1bbf0eff2328ab66ff90f0441004ddd7922fdd2d2c1b44f32b583ab78cb1015813d46705

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe

Filesize
169KB

MD5
0d58e5f4e82539de38ba7f9b4a8dda12

SHA1
dd0f39f4d77e1bb347321aa22b5a9d5c1cc65342

SHA256
e2c6ec8ea8da05b23327c1d0e350e219c4823d41c2ed98bae9bd2d9b48b8613d

SHA512
149c5dcb225829744d632d9c118427c5074d0413246b6e08470cac2aeffdf25504007b98219d6b2b454a20069065168c4c21ad4d9d926d98ab97c45585f37ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe

Filesize
169KB

MD5
0d58e5f4e82539de38ba7f9b4a8dda12

SHA1
dd0f39f4d77e1bb347321aa22b5a9d5c1cc65342

SHA256
e2c6ec8ea8da05b23327c1d0e350e219c4823d41c2ed98bae9bd2d9b48b8613d

SHA512
149c5dcb225829744d632d9c118427c5074d0413246b6e08470cac2aeffdf25504007b98219d6b2b454a20069065168c4c21ad4d9d926d98ab97c45585f37ee3

Download Submit
memory/1216-149-0x0000000000640000-0x000000000066C000-memory.dmp

Filesize
176KB

Download
memory/1284-150-0x0000000001400000-0x000000000142C000-memory.dmp

Filesize
176KB

Download
memory/1284-153-0x0000000001400000-0x000000000142C000-memory.dmp

Filesize
176KB

Download
memory/1668-148-0x00000000005F0000-0x000000000061C000-memory.dmp

Filesize
176KB

Download
memory/3396-152-0x0000000002590000-0x00000000025BC000-memory.dmp

Filesize
176KB

Download
memory/3396-154-0x0000000002590000-0x00000000025BC000-memory.dmp

Filesize
176KB

Download
memory/4656-136-0x00000000021C0000-0x00000000022C0000-memory.dmp

Filesize
1024KB

Download
memory/4656-137-0x00000000022F0000-0x000000000231C000-memory.dmp

Filesize
176KB

Download