plugx | 8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b

Analysis

max time kernel
152s
max time network
153s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe
Size

302KB
MD5

21fac61365987a8abfcd0b429a2497bf
SHA1

114fc4d7533b3fd0dd4d034ae55847d4885d1c70
SHA256

8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b
SHA512

d86ab5c4e3f1a33a929a99fa57df943e7ae4086543f947f8178a1216d19c1c16c68f350b36a53b062b55d63f0491f6065a7c3e0813edac7f806158c7035da66b

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 5 IoCs

resource	yara_rule
behavioral1/memory/1936-67-0x00000000002B0000-0x00000000002E1000-memory.dmp	family_plugx
behavioral1/memory/1812-77-0x00000000002B0000-0x00000000002E1000-memory.dmp	family_plugx
behavioral1/memory/1236-78-0x0000000000170000-0x00000000001A1000-memory.dmp	family_plugx
behavioral1/memory/1548-84-0x00000000002C0000-0x00000000002F1000-memory.dmp	family_plugx
behavioral1/memory/1548-86-0x00000000002C0000-0x00000000002F1000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
1936	RsTray.exe
1812	RsTray.exe

Loads dropped DLL 6 IoCs

pid	Process
1660	8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe
1660	8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe
1660	8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe
1660	8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe
1936	RsTray.exe
1812	RsTray.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 31004300460043003200300037003900410034004500340039004300430044000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1236	svchost.exe
1236	svchost.exe
1236	svchost.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1236	svchost.exe
1236	svchost.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1236	svchost.exe
1236	svchost.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1236	svchost.exe
1236	svchost.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1236	svchost.exe
1236	svchost.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1236	svchost.exe
1236	svchost.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1236	svchost.exe
1236	svchost.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1548	msiexec.exe
1236	svchost.exe
1236	svchost.exe
1548	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	RsTray.exe
Token: SeTcbPrivilege	1936	RsTray.exe
Token: SeDebugPrivilege	1812	RsTray.exe
Token: SeTcbPrivilege	1812	RsTray.exe
Token: SeDebugPrivilege	1236	svchost.exe
Token: SeTcbPrivilege	1236	svchost.exe
Token: SeDebugPrivilege	1548	msiexec.exe
Token: SeTcbPrivilege	1548	msiexec.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1936	1660	8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe	28
PID 1660 wrote to memory of 1936	1660	8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe	28
PID 1660 wrote to memory of 1936	1660	8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe	28
PID 1660 wrote to memory of 1936	1660	8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe	28
PID 1660 wrote to memory of 1936	1660	8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe	28
PID 1660 wrote to memory of 1936	1660	8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe	28
PID 1660 wrote to memory of 1936	1660	8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe	28
PID 1812 wrote to memory of 1236	1812	RsTray.exe	30
PID 1812 wrote to memory of 1236	1812	RsTray.exe	30
PID 1812 wrote to memory of 1236	1812	RsTray.exe	30
PID 1812 wrote to memory of 1236	1812	RsTray.exe	30
PID 1812 wrote to memory of 1236	1812	RsTray.exe	30
PID 1812 wrote to memory of 1236	1812	RsTray.exe	30
PID 1812 wrote to memory of 1236	1812	RsTray.exe	30
PID 1812 wrote to memory of 1236	1812	RsTray.exe	30
PID 1812 wrote to memory of 1236	1812	RsTray.exe	30
PID 1236 wrote to memory of 1548	1236	svchost.exe	31
PID 1236 wrote to memory of 1548	1236	svchost.exe	31
PID 1236 wrote to memory of 1548	1236	svchost.exe	31
PID 1236 wrote to memory of 1548	1236	svchost.exe	31
PID 1236 wrote to memory of 1548	1236	svchost.exe	31
PID 1236 wrote to memory of 1548	1236	svchost.exe	31
PID 1236 wrote to memory of 1548	1236	svchost.exe	31
PID 1236 wrote to memory of 1548	1236	svchost.exe	31
PID 1236 wrote to memory of 1548	1236	svchost.exe	31
PID 1236 wrote to memory of 1548	1236	svchost.exe	31
PID 1236 wrote to memory of 1548	1236	svchost.exe	31
PID 1236 wrote to memory of 1548	1236	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe
"C:\Users\Admin\AppData\Local\Temp\8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1936

C:\ProgramData\360\RsTray.exe
C:\ProgramData\360\RsTray.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1236
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\360\RsTray.exe

Filesize
174KB

MD5
d65adc7ad95e88fab486707b8c228f17

SHA1
dfa0589b58a469e34695a22313d184e5352a3282

SHA256
a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

SHA512
3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

Download Submit
C:\ProgramData\360\comserv.dll

Filesize
41KB

MD5
b1253aa4e944916ab10235348cd6a3dd

SHA1
0046b288ba631f7363350e797ceb703ec8ae830e

SHA256
cb974a188d63849431ffe8868ee4faf020c3ff8679c0f0dd08d10fa91fa9c1eb

SHA512
d5134a43457ebb64e4d523cdb74ed1fda4b1d9d6f16919a5f7021858740d85832b8a7954631801f46bd460a5f2df7e6c5b70d37ef61a4e85deffb6cb9460d023

Download Submit
C:\ProgramData\360\comserv.dll.url

Filesize
122KB

MD5
7a2b112e3291887512f318865b5205e3

SHA1
9719a3e9cd3a4f91954a689d4bfef26cc63cc8c0

SHA256
d863346dcbf9a3926e50af34b2b7c148ef15ca5d6942c1a0b5ccd7f06bbc902a

SHA512
70c5beccd1efd0c70201c7632bd795a7410c225ddf0318affcc8f5e22b4a02af4ae32221c42a69184c9a05961c5d50e331ac7cba88e6663ceeb30372685996a9

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
7KB

MD5
559ac01e87162568a06f39f6b399fdad

SHA1
6d2fc72c9ba958ba4a09364c5dd87a3b713eba4c

SHA256
8d5548654add35893e1d0420ee977d40dc0faec4826c03e5e8a752c6ce86cffa

SHA512
94b298e2f174fbbf5d48befef336f1640d5fd7044c86c58012eb3da7ad24b1dcca9791dbb9217b4b12469dca2fbfb855da88a089662ebf4f297890bdb8fa88bd

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
7KB

MD5
559ac01e87162568a06f39f6b399fdad

SHA1
6d2fc72c9ba958ba4a09364c5dd87a3b713eba4c

SHA256
8d5548654add35893e1d0420ee977d40dc0faec4826c03e5e8a752c6ce86cffa

SHA512
94b298e2f174fbbf5d48befef336f1640d5fd7044c86c58012eb3da7ad24b1dcca9791dbb9217b4b12469dca2fbfb855da88a089662ebf4f297890bdb8fa88bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe

Filesize
174KB

MD5
d65adc7ad95e88fab486707b8c228f17

SHA1
dfa0589b58a469e34695a22313d184e5352a3282

SHA256
a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

SHA512
3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe

Filesize
174KB

MD5
d65adc7ad95e88fab486707b8c228f17

SHA1
dfa0589b58a469e34695a22313d184e5352a3282

SHA256
a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

SHA512
3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\comserv.dll

Filesize
41KB

MD5
b1253aa4e944916ab10235348cd6a3dd

SHA1
0046b288ba631f7363350e797ceb703ec8ae830e

SHA256
cb974a188d63849431ffe8868ee4faf020c3ff8679c0f0dd08d10fa91fa9c1eb

SHA512
d5134a43457ebb64e4d523cdb74ed1fda4b1d9d6f16919a5f7021858740d85832b8a7954631801f46bd460a5f2df7e6c5b70d37ef61a4e85deffb6cb9460d023

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\comserv.dll.url

Filesize
122KB

MD5
7a2b112e3291887512f318865b5205e3

SHA1
9719a3e9cd3a4f91954a689d4bfef26cc63cc8c0

SHA256
d863346dcbf9a3926e50af34b2b7c148ef15ca5d6942c1a0b5ccd7f06bbc902a

SHA512
70c5beccd1efd0c70201c7632bd795a7410c225ddf0318affcc8f5e22b4a02af4ae32221c42a69184c9a05961c5d50e331ac7cba88e6663ceeb30372685996a9

Download Submit
\ProgramData\360\comserv.dll

Filesize
41KB

MD5
b1253aa4e944916ab10235348cd6a3dd

SHA1
0046b288ba631f7363350e797ceb703ec8ae830e

SHA256
cb974a188d63849431ffe8868ee4faf020c3ff8679c0f0dd08d10fa91fa9c1eb

SHA512
d5134a43457ebb64e4d523cdb74ed1fda4b1d9d6f16919a5f7021858740d85832b8a7954631801f46bd460a5f2df7e6c5b70d37ef61a4e85deffb6cb9460d023

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe

Filesize
174KB

MD5
d65adc7ad95e88fab486707b8c228f17

SHA1
dfa0589b58a469e34695a22313d184e5352a3282

SHA256
a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

SHA512
3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe

Filesize
174KB

MD5
d65adc7ad95e88fab486707b8c228f17

SHA1
dfa0589b58a469e34695a22313d184e5352a3282

SHA256
a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

SHA512
3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe

Filesize
174KB

MD5
d65adc7ad95e88fab486707b8c228f17

SHA1
dfa0589b58a469e34695a22313d184e5352a3282

SHA256
a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

SHA512
3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe

Filesize
174KB

MD5
d65adc7ad95e88fab486707b8c228f17

SHA1
dfa0589b58a469e34695a22313d184e5352a3282

SHA256
a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

SHA512
3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\comserv.dll

Filesize
41KB

MD5
b1253aa4e944916ab10235348cd6a3dd

SHA1
0046b288ba631f7363350e797ceb703ec8ae830e

SHA256
cb974a188d63849431ffe8868ee4faf020c3ff8679c0f0dd08d10fa91fa9c1eb

SHA512
d5134a43457ebb64e4d523cdb74ed1fda4b1d9d6f16919a5f7021858740d85832b8a7954631801f46bd460a5f2df7e6c5b70d37ef61a4e85deffb6cb9460d023

Download Submit
memory/1236-73-0x00000000000A0000-0x00000000000BD000-memory.dmp

Filesize
116KB

Download
memory/1236-78-0x0000000000170000-0x00000000001A1000-memory.dmp

Filesize
196KB

Download
memory/1548-84-0x00000000002C0000-0x00000000002F1000-memory.dmp

Filesize
196KB

Download
memory/1548-86-0x00000000002C0000-0x00000000002F1000-memory.dmp

Filesize
196KB

Download
memory/1660-54-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/1812-77-0x00000000002B0000-0x00000000002E1000-memory.dmp

Filesize
196KB

Download
memory/1936-67-0x00000000002B0000-0x00000000002E1000-memory.dmp

Filesize
196KB

Download
memory/1936-66-0x0000000002020000-0x0000000002120000-memory.dmp

Filesize
1024KB

Download