plugx | 8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b

Analysis

max time kernel
189s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-06-2022 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe
Size

302KB
MD5

21fac61365987a8abfcd0b429a2497bf
SHA1

114fc4d7533b3fd0dd4d034ae55847d4885d1c70
SHA256

8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b
SHA512

d86ab5c4e3f1a33a929a99fa57df943e7ae4086543f947f8178a1216d19c1c16c68f350b36a53b062b55d63f0491f6065a7c3e0813edac7f806158c7035da66b

Score

10^/10

plugx suricata trojan

Malware Config

Signatures

Detects PlugX Payload 6 IoCs

resource	yara_rule
behavioral2/memory/3600-144-0x0000000000E90000-0x0000000000EC1000-memory.dmp	family_plugx
behavioral2/memory/4244-145-0x0000000002330000-0x0000000002361000-memory.dmp	family_plugx
behavioral2/memory/4976-146-0x0000000000DE0000-0x0000000000E11000-memory.dmp	family_plugx
behavioral2/memory/4976-147-0x0000000000DE0000-0x0000000000E11000-memory.dmp	family_plugx
behavioral2/memory/5072-149-0x0000000002BC0000-0x0000000002BF1000-memory.dmp	family_plugx
behavioral2/memory/5072-151-0x0000000002BC0000-0x0000000002BF1000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
suricata: ET MALWARE Trojan.Win32.DLOADR.TIOIBEPQ CnC Traffic
suricata: ET MALWARE Trojan.Win32.DLOADR.TIOIBEPQ CnC Traffic
suricata

Executes dropped EXE 2 IoCs

pid	Process
4244	RsTray.exe
3600	RsTray.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe

Loads dropped DLL 2 IoCs

pid	Process
4244	RsTray.exe
3600	RsTray.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 46004200370032004200440046004100410036003400360046003200330031000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4976	svchost.exe
4976	svchost.exe
4976	svchost.exe
4976	svchost.exe
4976	svchost.exe
4976	svchost.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
4976	svchost.exe
4976	svchost.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
4976	svchost.exe
4976	svchost.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
4976	svchost.exe
4976	svchost.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
4976	svchost.exe
4976	svchost.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe
5072	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4976	svchost.exe
5072	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4244	RsTray.exe
Token: SeTcbPrivilege	4244	RsTray.exe
Token: SeDebugPrivilege	3600	RsTray.exe
Token: SeTcbPrivilege	3600	RsTray.exe
Token: SeDebugPrivilege	4976	svchost.exe
Token: SeTcbPrivilege	4976	svchost.exe
Token: SeDebugPrivilege	5072	msiexec.exe
Token: SeTcbPrivilege	5072	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 4244	3988	8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe	80
PID 3988 wrote to memory of 4244	3988	8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe	80
PID 3988 wrote to memory of 4244	3988	8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe	80
PID 3600 wrote to memory of 4976	3600	RsTray.exe	83
PID 3600 wrote to memory of 4976	3600	RsTray.exe	83
PID 3600 wrote to memory of 4976	3600	RsTray.exe	83
PID 3600 wrote to memory of 4976	3600	RsTray.exe	83
PID 3600 wrote to memory of 4976	3600	RsTray.exe	83
PID 3600 wrote to memory of 4976	3600	RsTray.exe	83
PID 3600 wrote to memory of 4976	3600	RsTray.exe	83
PID 3600 wrote to memory of 4976	3600	RsTray.exe	83
PID 4976 wrote to memory of 5072	4976	svchost.exe	84
PID 4976 wrote to memory of 5072	4976	svchost.exe	84
PID 4976 wrote to memory of 5072	4976	svchost.exe	84
PID 4976 wrote to memory of 5072	4976	svchost.exe	84
PID 4976 wrote to memory of 5072	4976	svchost.exe	84
PID 4976 wrote to memory of 5072	4976	svchost.exe	84
PID 4976 wrote to memory of 5072	4976	svchost.exe	84
PID 4976 wrote to memory of 5072	4976	svchost.exe	84

C:\Users\Admin\AppData\Local\Temp\8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe
"C:\Users\Admin\AppData\Local\Temp\8d97e718b37cc67721fa25fa05b78f12a750b1c6726805a23c43d3b5497d6e6b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:4244

C:\ProgramData\360\RsTray.exe
C:\ProgramData\360\RsTray.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 4976
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:5072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\360\RsTray.exe

Filesize
174KB

MD5
d65adc7ad95e88fab486707b8c228f17

SHA1
dfa0589b58a469e34695a22313d184e5352a3282

SHA256
a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

SHA512
3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

Download Submit
C:\ProgramData\360\RsTray.exe

Filesize
174KB

MD5
d65adc7ad95e88fab486707b8c228f17

SHA1
dfa0589b58a469e34695a22313d184e5352a3282

SHA256
a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

SHA512
3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

Download Submit
C:\ProgramData\360\comserv.dll

Filesize
41KB

MD5
b1253aa4e944916ab10235348cd6a3dd

SHA1
0046b288ba631f7363350e797ceb703ec8ae830e

SHA256
cb974a188d63849431ffe8868ee4faf020c3ff8679c0f0dd08d10fa91fa9c1eb

SHA512
d5134a43457ebb64e4d523cdb74ed1fda4b1d9d6f16919a5f7021858740d85832b8a7954631801f46bd460a5f2df7e6c5b70d37ef61a4e85deffb6cb9460d023

Download Submit
C:\ProgramData\360\comserv.dll

Filesize
41KB

MD5
b1253aa4e944916ab10235348cd6a3dd

SHA1
0046b288ba631f7363350e797ceb703ec8ae830e

SHA256
cb974a188d63849431ffe8868ee4faf020c3ff8679c0f0dd08d10fa91fa9c1eb

SHA512
d5134a43457ebb64e4d523cdb74ed1fda4b1d9d6f16919a5f7021858740d85832b8a7954631801f46bd460a5f2df7e6c5b70d37ef61a4e85deffb6cb9460d023

Download Submit
C:\ProgramData\360\comserv.dll.url

Filesize
122KB

MD5
7a2b112e3291887512f318865b5205e3

SHA1
9719a3e9cd3a4f91954a689d4bfef26cc63cc8c0

SHA256
d863346dcbf9a3926e50af34b2b7c148ef15ca5d6942c1a0b5ccd7f06bbc902a

SHA512
70c5beccd1efd0c70201c7632bd795a7410c225ddf0318affcc8f5e22b4a02af4ae32221c42a69184c9a05961c5d50e331ac7cba88e6663ceeb30372685996a9

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
1KB

MD5
95c7cc5062a6a47651d5a906fb802c5b

SHA1
0981b5d68aaf572c8504ba88bbad6ca4386c1bd9

SHA256
c60e98848c258483df2fbc774ff028e9d6895ad6542c210f33d9e50b8483adb6

SHA512
2af86456c89a7facde3127ab322406d137ae396a7a22f95dc9607470f35f604e64a7ddfad6a942dff2c4f2c95c889b551aca5cf126a0c99964b53b06e5f0420c

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
1KB

MD5
2a13498b18727963f692d7410d687850

SHA1
f73bf763599574434423068eadd8a59b26b57d69

SHA256
6c88e4d1f4ed38b44d8d8a60bffdff045c7ef96f4d2158f17025457a41362c2e

SHA512
6942d0a601d3dd6303c0b3cb1d8998600ca4e77a7a22d009ac83193d58d05f079afe9a42aadfadd5406a2251ba9754dd1b6e8e9320c8ba2b055e26b28b83fab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe

Filesize
174KB

MD5
d65adc7ad95e88fab486707b8c228f17

SHA1
dfa0589b58a469e34695a22313d184e5352a3282

SHA256
a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

SHA512
3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RsTray.exe

Filesize
174KB

MD5
d65adc7ad95e88fab486707b8c228f17

SHA1
dfa0589b58a469e34695a22313d184e5352a3282

SHA256
a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

SHA512
3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\comserv.dll

Filesize
41KB

MD5
b1253aa4e944916ab10235348cd6a3dd

SHA1
0046b288ba631f7363350e797ceb703ec8ae830e

SHA256
cb974a188d63849431ffe8868ee4faf020c3ff8679c0f0dd08d10fa91fa9c1eb

SHA512
d5134a43457ebb64e4d523cdb74ed1fda4b1d9d6f16919a5f7021858740d85832b8a7954631801f46bd460a5f2df7e6c5b70d37ef61a4e85deffb6cb9460d023

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\comserv.dll

Filesize
41KB

MD5
b1253aa4e944916ab10235348cd6a3dd

SHA1
0046b288ba631f7363350e797ceb703ec8ae830e

SHA256
cb974a188d63849431ffe8868ee4faf020c3ff8679c0f0dd08d10fa91fa9c1eb

SHA512
d5134a43457ebb64e4d523cdb74ed1fda4b1d9d6f16919a5f7021858740d85832b8a7954631801f46bd460a5f2df7e6c5b70d37ef61a4e85deffb6cb9460d023

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\comserv.dll.url

Filesize
122KB

MD5
7a2b112e3291887512f318865b5205e3

SHA1
9719a3e9cd3a4f91954a689d4bfef26cc63cc8c0

SHA256
d863346dcbf9a3926e50af34b2b7c148ef15ca5d6942c1a0b5ccd7f06bbc902a

SHA512
70c5beccd1efd0c70201c7632bd795a7410c225ddf0318affcc8f5e22b4a02af4ae32221c42a69184c9a05961c5d50e331ac7cba88e6663ceeb30372685996a9

Download Submit
memory/3600-143-0x0000000000D30000-0x0000000000E30000-memory.dmp

Filesize
1024KB

Download
memory/3600-144-0x0000000000E90000-0x0000000000EC1000-memory.dmp

Filesize
196KB

Download
memory/4244-145-0x0000000002330000-0x0000000002361000-memory.dmp

Filesize
196KB

Download
memory/4976-146-0x0000000000DE0000-0x0000000000E11000-memory.dmp

Filesize
196KB

Download
memory/4976-147-0x0000000000DE0000-0x0000000000E11000-memory.dmp

Filesize
196KB

Download
memory/5072-149-0x0000000002BC0000-0x0000000002BF1000-memory.dmp

Filesize
196KB

Download
memory/5072-151-0x0000000002BC0000-0x0000000002BF1000-memory.dmp

Filesize
196KB

Download