plugx | 4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159

Analysis

max time kernel
49s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159.exe
Size

320KB
MD5

4cd11a2596c130a0428b7360d2be2f64
SHA1

d0001afaf54b3a94f0f4bd1e2a80db56ee187d63
SHA256

4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159
SHA512

799ddf76568e9d241070b94ca16fc2f50f872be48c50f4f97fef40b00fafba818a236664b7b68dda493ce214f35bb6592d459db14192376be085f10e67a3c962

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1580-63-0x0000000000460000-0x000000000048D000-memory.dmp	family_plugx
behavioral1/memory/2044-70-0x0000000000380000-0x00000000003AD000-memory.dmp	family_plugx
behavioral1/memory/1780-78-0x0000000001C80000-0x0000000001CAD000-memory.dmp	family_plugx
behavioral1/memory/736-79-0x0000000000220000-0x000000000024D000-memory.dmp	family_plugx
behavioral1/memory/2044-80-0x0000000000380000-0x00000000003AD000-memory.dmp	family_plugx
behavioral1/memory/1996-85-0x00000000004D0000-0x00000000004FD000-memory.dmp	family_plugx
behavioral1/memory/736-86-0x0000000000220000-0x000000000024D000-memory.dmp	family_plugx
behavioral1/memory/736-87-0x0000000000220000-0x000000000024D000-memory.dmp	family_plugx
behavioral1/memory/1996-88-0x00000000004D0000-0x00000000004FD000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 3 IoCs

Processes:

hc.exehc.exehc.exe

pid process

1580 hc.exe
2044 hc.exe
1780 hc.exe
Deletes itself 1 IoCs

Processes:

hc.exe

pid process

1580 hc.exe
Loads dropped DLL 4 IoCs

Processes:

4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159.exehc.exehc.exehc.exe

pid process

1092 4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159.exe
1580 hc.exe
2044 hc.exe
1780 hc.exe

pid	process
1092	4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159.exe
1580	hc.exe
2044	hc.exe
1780	hc.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 42003900350038003900360033003000380033003500350043003900410036000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

hc.exesvchost.exemsiexec.exe

pid	process
1580	hc.exe
736	svchost.exe
736	svchost.exe
736	svchost.exe
736	svchost.exe
1996	msiexec.exe
1996	msiexec.exe
1996	msiexec.exe
1996	msiexec.exe
1996	msiexec.exe
1996	msiexec.exe
1996	msiexec.exe
1996	msiexec.exe
736	svchost.exe
736	svchost.exe
1996	msiexec.exe
1996	msiexec.exe
1996	msiexec.exe
1996	msiexec.exe
1996	msiexec.exe
1996	msiexec.exe
736	svchost.exe
736	svchost.exe
1996	msiexec.exe
1996	msiexec.exe
1996	msiexec.exe
1996	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

hc.exehc.exehc.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1580	hc.exe
Token: SeTcbPrivilege	1580	hc.exe
Token: SeDebugPrivilege	2044	hc.exe
Token: SeTcbPrivilege	2044	hc.exe
Token: SeDebugPrivilege	1780	hc.exe
Token: SeTcbPrivilege	1780	hc.exe
Token: SeDebugPrivilege	736	svchost.exe
Token: SeTcbPrivilege	736	svchost.exe
Token: SeDebugPrivilege	1996	msiexec.exe
Token: SeTcbPrivilege	1996	msiexec.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159.exehc.exesvchost.exe

description	pid	process	target process
PID 1092 wrote to memory of 1580	1092	4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159.exe	hc.exe
PID 1092 wrote to memory of 1580	1092	4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159.exe	hc.exe
PID 1092 wrote to memory of 1580	1092	4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159.exe	hc.exe
PID 1092 wrote to memory of 1580	1092	4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159.exe	hc.exe
PID 1780 wrote to memory of 736	1780	hc.exe	svchost.exe
PID 1780 wrote to memory of 736	1780	hc.exe	svchost.exe
PID 1780 wrote to memory of 736	1780	hc.exe	svchost.exe
PID 1780 wrote to memory of 736	1780	hc.exe	svchost.exe
PID 1780 wrote to memory of 736	1780	hc.exe	svchost.exe
PID 1780 wrote to memory of 736	1780	hc.exe	svchost.exe
PID 1780 wrote to memory of 736	1780	hc.exe	svchost.exe
PID 1780 wrote to memory of 736	1780	hc.exe	svchost.exe
PID 1780 wrote to memory of 736	1780	hc.exe	svchost.exe
PID 736 wrote to memory of 1996	736	svchost.exe	msiexec.exe
PID 736 wrote to memory of 1996	736	svchost.exe	msiexec.exe
PID 736 wrote to memory of 1996	736	svchost.exe	msiexec.exe
PID 736 wrote to memory of 1996	736	svchost.exe	msiexec.exe
PID 736 wrote to memory of 1996	736	svchost.exe	msiexec.exe
PID 736 wrote to memory of 1996	736	svchost.exe	msiexec.exe
PID 736 wrote to memory of 1996	736	svchost.exe	msiexec.exe
PID 736 wrote to memory of 1996	736	svchost.exe	msiexec.exe
PID 736 wrote to memory of 1996	736	svchost.exe	msiexec.exe
PID 736 wrote to memory of 1996	736	svchost.exe	msiexec.exe
PID 736 wrote to memory of 1996	736	svchost.exe	msiexec.exe
PID 736 wrote to memory of 1996	736	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159.exe
"C:\Users\Admin\AppData\Local\Temp\4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\hc.exe
C:\Users\Admin\AppData\Local\Temp\hc.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\ProgramData\hkcmd\hc.exe
"C:\ProgramData\hkcmd\hc.exe" 100 1580
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\ProgramData\hkcmd\hc.exe
"C:\ProgramData\hkcmd\hc.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 736
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hkcmd\hc.exe
Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
C:\ProgramData\hkcmd\hc.exe
Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
C:\ProgramData\hkcmd\hccutils.DLL
Filesize
2KB

MD5
1dd363b3564929d0bc336571dec74cf0

SHA1
21c953538bba7749bcc3ce049b2df9df396bc2b7

SHA256
88ab31fb0d56ffe438f21fcce81a1df35554236ef2152c34b91bf5247ab35b7e

SHA512
0ba2583a5ea404cd4f6d5fb9b62ce590eb6244435d3a14586423e9ee7c116047fbb68d588f3e1ecee76d9dd7285805676f5f023baabe4bbdec34a5e754d9a70a

Download Submit
C:\ProgramData\hkcmd\hccutils.DLL.res
Filesize
111KB

MD5
81693011cb717a15ad364a7344f8ffcf

SHA1
0e26b1b58c3a8f978874fd86762af11208999fb3

SHA256
01d5786b31dbb6855f089ae4569c40d5b99b4aed9462053358572898d797b6aa

SHA512
10ff4a7af7c8bd30b696ca1d2c9d3f7d29ed9a79f45264a0442d64cbc81a6e0945842c24d44e97a96a8db3686d9e00f9d0f73799e90620a74ed6ba7b58dded53

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc.exe
Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc.exe
Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hccutils.DLL
Filesize
2KB

MD5
1dd363b3564929d0bc336571dec74cf0

SHA1
21c953538bba7749bcc3ce049b2df9df396bc2b7

SHA256
88ab31fb0d56ffe438f21fcce81a1df35554236ef2152c34b91bf5247ab35b7e

SHA512
0ba2583a5ea404cd4f6d5fb9b62ce590eb6244435d3a14586423e9ee7c116047fbb68d588f3e1ecee76d9dd7285805676f5f023baabe4bbdec34a5e754d9a70a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hccutils.DLL.res
Filesize
111KB

MD5
81693011cb717a15ad364a7344f8ffcf

SHA1
0e26b1b58c3a8f978874fd86762af11208999fb3

SHA256
01d5786b31dbb6855f089ae4569c40d5b99b4aed9462053358572898d797b6aa

SHA512
10ff4a7af7c8bd30b696ca1d2c9d3f7d29ed9a79f45264a0442d64cbc81a6e0945842c24d44e97a96a8db3686d9e00f9d0f73799e90620a74ed6ba7b58dded53

Download Submit
\ProgramData\hkcmd\hccutils.dll
Filesize
2KB

MD5
1dd363b3564929d0bc336571dec74cf0

SHA1
21c953538bba7749bcc3ce049b2df9df396bc2b7

SHA256
88ab31fb0d56ffe438f21fcce81a1df35554236ef2152c34b91bf5247ab35b7e

SHA512
0ba2583a5ea404cd4f6d5fb9b62ce590eb6244435d3a14586423e9ee7c116047fbb68d588f3e1ecee76d9dd7285805676f5f023baabe4bbdec34a5e754d9a70a

Download Submit
\ProgramData\hkcmd\hccutils.dll
Filesize
2KB

MD5
1dd363b3564929d0bc336571dec74cf0

SHA1
21c953538bba7749bcc3ce049b2df9df396bc2b7

SHA256
88ab31fb0d56ffe438f21fcce81a1df35554236ef2152c34b91bf5247ab35b7e

SHA512
0ba2583a5ea404cd4f6d5fb9b62ce590eb6244435d3a14586423e9ee7c116047fbb68d588f3e1ecee76d9dd7285805676f5f023baabe4bbdec34a5e754d9a70a

Download Submit
\Users\Admin\AppData\Local\Temp\hc.exe
Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
\Users\Admin\AppData\Local\Temp\hccutils.dll
Filesize
2KB

MD5
1dd363b3564929d0bc336571dec74cf0

SHA1
21c953538bba7749bcc3ce049b2df9df396bc2b7

SHA256
88ab31fb0d56ffe438f21fcce81a1df35554236ef2152c34b91bf5247ab35b7e

SHA512
0ba2583a5ea404cd4f6d5fb9b62ce590eb6244435d3a14586423e9ee7c116047fbb68d588f3e1ecee76d9dd7285805676f5f023baabe4bbdec34a5e754d9a70a

Download Submit
memory/736-79-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/736-74-0x00000000000E0000-0x00000000000FB000-memory.dmp

Filesize
108KB

Download
memory/736-87-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/736-86-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/736-76-0x0000000000000000-mapping.dmp

Download
memory/1092-61-0x0000000000270000-0x00000000002AA000-memory.dmp

Filesize
232KB

Download
memory/1580-59-0x00000000752A1000-0x00000000752A3000-memory.dmp

Filesize
8KB

Download
memory/1580-63-0x0000000000460000-0x000000000048D000-memory.dmp

Filesize
180KB

Download
memory/1580-55-0x0000000000000000-mapping.dmp

Download
memory/1580-62-0x0000000001BC0000-0x0000000001CC0000-memory.dmp

Filesize
1024KB

Download
memory/1780-78-0x0000000001C80000-0x0000000001CAD000-memory.dmp

Filesize
180KB

Download
memory/1996-83-0x0000000000000000-mapping.dmp

Download
memory/1996-85-0x00000000004D0000-0x00000000004FD000-memory.dmp

Filesize
180KB

Download
memory/1996-88-0x00000000004D0000-0x00000000004FD000-memory.dmp

Filesize
180KB

Download
memory/2044-80-0x0000000000380000-0x00000000003AD000-memory.dmp

Filesize
180KB

Download
memory/2044-70-0x0000000000380000-0x00000000003AD000-memory.dmp

Filesize
180KB

Download