plugx | 6be45f6054be1bcd7e91aab715f3e4342c3ad988d4f53ebb41cb79caea1da70b

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-06-2022 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6be45f6054be1bcd7e91aab715f3e4342c3ad988d4f53ebb41cb79caea1da70b.exe
Size

253KB
MD5

bce37dd072dc0eeeba64a67f92e9e7c3
SHA1

a04ad84a2dabb2271c94faced586a90f4a460584
SHA256

6be45f6054be1bcd7e91aab715f3e4342c3ad988d4f53ebb41cb79caea1da70b
SHA512

fcaa1eb9f77a8bf3018454a9d0117c70c58d0f6e332cfb674bafd752a2a823d63081b2a0116c45caeda5bb44ffd3ef1372fd8f23014db6c3f39061ee85c69947

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 8 IoCs

resource	yara_rule
behavioral2/memory/3360-137-0x00000000006C0000-0x00000000006EC000-memory.dmp	family_plugx
behavioral2/memory/4272-149-0x0000000000E10000-0x0000000000E3C000-memory.dmp	family_plugx
behavioral2/memory/1236-144-0x00000000005C0000-0x00000000005EC000-memory.dmp	family_plugx
behavioral2/memory/4424-150-0x0000000000DD0000-0x0000000000DFC000-memory.dmp	family_plugx
behavioral2/memory/1236-151-0x00000000005C0000-0x00000000005EC000-memory.dmp	family_plugx
behavioral2/memory/4968-153-0x0000000002A00000-0x0000000002A2C000-memory.dmp	family_plugx
behavioral2/memory/4424-154-0x0000000000DD0000-0x0000000000DFC000-memory.dmp	family_plugx
behavioral2/memory/4968-155-0x0000000002A00000-0x0000000002A2C000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
3360	Nv.exe
1236	Nv.exe
4272	Nv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	6be45f6054be1bcd7e91aab715f3e4342c3ad988d4f53ebb41cb79caea1da70b.exe

Loads dropped DLL 3 IoCs

pid	Process
3360	Nv.exe
1236	Nv.exe
4272	Nv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 32004300440043004200370039003100390043003600300030003500330043000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3360	Nv.exe
3360	Nv.exe
4424	svchost.exe
4424	svchost.exe
4424	svchost.exe
4424	svchost.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4424	svchost.exe
4424	svchost.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4424	svchost.exe
4424	svchost.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4424	svchost.exe
4424	svchost.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4424	svchost.exe
4424	svchost.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4424	svchost.exe
4968	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3360	Nv.exe
Token: SeTcbPrivilege	3360	Nv.exe
Token: SeDebugPrivilege	1236	Nv.exe
Token: SeTcbPrivilege	1236	Nv.exe
Token: SeDebugPrivilege	4272	Nv.exe
Token: SeTcbPrivilege	4272	Nv.exe
Token: SeDebugPrivilege	4424	svchost.exe
Token: SeTcbPrivilege	4424	svchost.exe
Token: SeDebugPrivilege	4968	msiexec.exe
Token: SeTcbPrivilege	4968	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 3360	2148	6be45f6054be1bcd7e91aab715f3e4342c3ad988d4f53ebb41cb79caea1da70b.exe	77
PID 2148 wrote to memory of 3360	2148	6be45f6054be1bcd7e91aab715f3e4342c3ad988d4f53ebb41cb79caea1da70b.exe	77
PID 2148 wrote to memory of 3360	2148	6be45f6054be1bcd7e91aab715f3e4342c3ad988d4f53ebb41cb79caea1da70b.exe	77
PID 4272 wrote to memory of 4424	4272	Nv.exe	79
PID 4272 wrote to memory of 4424	4272	Nv.exe	79
PID 4272 wrote to memory of 4424	4272	Nv.exe	79
PID 4272 wrote to memory of 4424	4272	Nv.exe	79
PID 4272 wrote to memory of 4424	4272	Nv.exe	79
PID 4272 wrote to memory of 4424	4272	Nv.exe	79
PID 4272 wrote to memory of 4424	4272	Nv.exe	79
PID 4272 wrote to memory of 4424	4272	Nv.exe	79
PID 4424 wrote to memory of 4968	4424	svchost.exe	82
PID 4424 wrote to memory of 4968	4424	svchost.exe	82
PID 4424 wrote to memory of 4968	4424	svchost.exe	82
PID 4424 wrote to memory of 4968	4424	svchost.exe	82
PID 4424 wrote to memory of 4968	4424	svchost.exe	82
PID 4424 wrote to memory of 4968	4424	svchost.exe	82
PID 4424 wrote to memory of 4968	4424	svchost.exe	82
PID 4424 wrote to memory of 4968	4424	svchost.exe	82

C:\Users\Admin\AppData\Local\Temp\6be45f6054be1bcd7e91aab715f3e4342c3ad988d4f53ebb41cb79caea1da70b.exe
"C:\Users\Admin\AppData\Local\Temp\6be45f6054be1bcd7e91aab715f3e4342c3ad988d4f53ebb41cb79caea1da70b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3360

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
1⤵
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\SysWOW64\msiexec.exe
  C:\Windows\system32\msiexec.exe 209 4424
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:4968

C:\ProgramData\SxS\Nv.exe
"C:\ProgramData\SxS\Nv.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4272

C:\ProgramData\SxS\Nv.exe
"C:\ProgramData\SxS\Nv.exe" 100 3360
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\Nv.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\SxS\Nv.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\SxS\Nv.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\SxS\NvSmartMax.dll

Filesize
48KB

MD5
d659d95d46f71f172cd4f2aca9532949

SHA1
13a4a93c5a76ad1ea95cc6e9c7e2282f1981c85d

SHA256
9e4800663e62415d01f844195d8bae0be71a1bd14b9d4103c6dedb9266957837

SHA512
ad423ef32635358f8c47854a95c9e18dde7fe1e31c450aee7fd16f5a4043a8fd135ad5eac7491909acdf5afd6d013f8fd9b1f07809d8ff88458dbad31dddaba5

Download Submit
C:\ProgramData\SxS\NvSmartMax.dll

Filesize
48KB

MD5
d659d95d46f71f172cd4f2aca9532949

SHA1
13a4a93c5a76ad1ea95cc6e9c7e2282f1981c85d

SHA256
9e4800663e62415d01f844195d8bae0be71a1bd14b9d4103c6dedb9266957837

SHA512
ad423ef32635358f8c47854a95c9e18dde7fe1e31c450aee7fd16f5a4043a8fd135ad5eac7491909acdf5afd6d013f8fd9b1f07809d8ff88458dbad31dddaba5

Download Submit
C:\ProgramData\SxS\NvSmartMax.dll

Filesize
48KB

MD5
d659d95d46f71f172cd4f2aca9532949

SHA1
13a4a93c5a76ad1ea95cc6e9c7e2282f1981c85d

SHA256
9e4800663e62415d01f844195d8bae0be71a1bd14b9d4103c6dedb9266957837

SHA512
ad423ef32635358f8c47854a95c9e18dde7fe1e31c450aee7fd16f5a4043a8fd135ad5eac7491909acdf5afd6d013f8fd9b1f07809d8ff88458dbad31dddaba5

Download Submit
C:\ProgramData\SxS\NvSmartMax.dll.URL

Filesize
110KB

MD5
c889dc4f6294e882c8ce08f1f9a0aa12

SHA1
2522d785f2f78d0bb2841723695e1ab55afa1313

SHA256
d6ad656de945a3e4a8179bae85173bcdf986c85d8328d5e788a8a695faf1576b

SHA512
44d16808678fcbd5936e1a22f715865c948026fdf283b121f3ae17e8f40809f4d75e055b84daf60808a5a9f59f585402b4ce73d9dac0d86524baf207226c6662

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll

Filesize
48KB

MD5
d659d95d46f71f172cd4f2aca9532949

SHA1
13a4a93c5a76ad1ea95cc6e9c7e2282f1981c85d

SHA256
9e4800663e62415d01f844195d8bae0be71a1bd14b9d4103c6dedb9266957837

SHA512
ad423ef32635358f8c47854a95c9e18dde7fe1e31c450aee7fd16f5a4043a8fd135ad5eac7491909acdf5afd6d013f8fd9b1f07809d8ff88458dbad31dddaba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll

Filesize
48KB

MD5
d659d95d46f71f172cd4f2aca9532949

SHA1
13a4a93c5a76ad1ea95cc6e9c7e2282f1981c85d

SHA256
9e4800663e62415d01f844195d8bae0be71a1bd14b9d4103c6dedb9266957837

SHA512
ad423ef32635358f8c47854a95c9e18dde7fe1e31c450aee7fd16f5a4043a8fd135ad5eac7491909acdf5afd6d013f8fd9b1f07809d8ff88458dbad31dddaba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll.URL

Filesize
110KB

MD5
c889dc4f6294e882c8ce08f1f9a0aa12

SHA1
2522d785f2f78d0bb2841723695e1ab55afa1313

SHA256
d6ad656de945a3e4a8179bae85173bcdf986c85d8328d5e788a8a695faf1576b

SHA512
44d16808678fcbd5936e1a22f715865c948026fdf283b121f3ae17e8f40809f4d75e055b84daf60808a5a9f59f585402b4ce73d9dac0d86524baf207226c6662

Download Submit
memory/1236-151-0x00000000005C0000-0x00000000005EC000-memory.dmp

Filesize
176KB

Download
memory/1236-144-0x00000000005C0000-0x00000000005EC000-memory.dmp

Filesize
176KB

Download
memory/3360-137-0x00000000006C0000-0x00000000006EC000-memory.dmp

Filesize
176KB

Download
memory/3360-136-0x00000000020D0000-0x00000000021D0000-memory.dmp

Filesize
1024KB

Download
memory/4272-149-0x0000000000E10000-0x0000000000E3C000-memory.dmp

Filesize
176KB

Download
memory/4424-150-0x0000000000DD0000-0x0000000000DFC000-memory.dmp

Filesize
176KB

Download
memory/4424-154-0x0000000000DD0000-0x0000000000DFC000-memory.dmp

Filesize
176KB

Download
memory/4968-153-0x0000000002A00000-0x0000000002A2C000-memory.dmp

Filesize
176KB

Download
memory/4968-155-0x0000000002A00000-0x0000000002A2C000-memory.dmp

Filesize
176KB

Download