plugx | 4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159

Analysis

max time kernel
149s
max time network
230s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-06-2022 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159.exe
Size

320KB
MD5

4cd11a2596c130a0428b7360d2be2f64
SHA1

d0001afaf54b3a94f0f4bd1e2a80db56ee187d63
SHA256

4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159
SHA512

799ddf76568e9d241070b94ca16fc2f50f872be48c50f4f97fef40b00fafba818a236664b7b68dda493ce214f35bb6592d459db14192376be085f10e67a3c962

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/580-138-0x0000000002310000-0x000000000233D000-memory.dmp	family_plugx
behavioral2/memory/3144-147-0x0000000002080000-0x00000000020AD000-memory.dmp	family_plugx
behavioral2/memory/2284-148-0x0000000000D50000-0x0000000000D7D000-memory.dmp	family_plugx
behavioral2/memory/2924-149-0x0000000001600000-0x000000000162D000-memory.dmp	family_plugx
behavioral2/memory/3144-150-0x0000000002080000-0x00000000020AD000-memory.dmp	family_plugx
behavioral2/memory/2924-151-0x0000000001600000-0x000000000162D000-memory.dmp	family_plugx
behavioral2/memory/228-153-0x00000000024F0000-0x000000000251D000-memory.dmp	family_plugx
behavioral2/memory/228-154-0x00000000024F0000-0x000000000251D000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 3 IoCs

Processes:

hc.exehc.exehc.exe

pid process

580 hc.exe
3144 hc.exe
2284 hc.exe
Loads dropped DLL 3 IoCs

Processes:

hc.exehc.exehc.exe

pid process

580 hc.exe
3144 hc.exe
2284 hc.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 43003100310041003800360036004500320041003900370034004400410031000000	svchost.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

hc.exesvchost.exemsiexec.exe

pid	process
580	hc.exe
580	hc.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
2924	svchost.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
2924	svchost.exe
2924	svchost.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
2924	svchost.exe
2924	svchost.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
2924	svchost.exe
2924	svchost.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
2924	svchost.exe
228	msiexec.exe
2924	svchost.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exemsiexec.exe

pid process

2924 svchost.exe
228 msiexec.exe

pid	process
2924	svchost.exe
228	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

hc.exehc.exehc.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	580	hc.exe
Token: SeTcbPrivilege	580	hc.exe
Token: SeDebugPrivilege	3144	hc.exe
Token: SeTcbPrivilege	3144	hc.exe
Token: SeDebugPrivilege	2284	hc.exe
Token: SeTcbPrivilege	2284	hc.exe
Token: SeDebugPrivilege	2924	svchost.exe
Token: SeTcbPrivilege	2924	svchost.exe
Token: SeDebugPrivilege	228	msiexec.exe
Token: SeTcbPrivilege	228	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159.exehc.exesvchost.exe

description	pid	process	target process
PID 3056 wrote to memory of 580	3056	4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159.exe	hc.exe
PID 3056 wrote to memory of 580	3056	4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159.exe	hc.exe
PID 3056 wrote to memory of 580	3056	4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159.exe	hc.exe
PID 2284 wrote to memory of 2924	2284	hc.exe	svchost.exe
PID 2284 wrote to memory of 2924	2284	hc.exe	svchost.exe
PID 2284 wrote to memory of 2924	2284	hc.exe	svchost.exe
PID 2284 wrote to memory of 2924	2284	hc.exe	svchost.exe
PID 2284 wrote to memory of 2924	2284	hc.exe	svchost.exe
PID 2284 wrote to memory of 2924	2284	hc.exe	svchost.exe
PID 2284 wrote to memory of 2924	2284	hc.exe	svchost.exe
PID 2284 wrote to memory of 2924	2284	hc.exe	svchost.exe
PID 2924 wrote to memory of 228	2924	svchost.exe	msiexec.exe
PID 2924 wrote to memory of 228	2924	svchost.exe	msiexec.exe
PID 2924 wrote to memory of 228	2924	svchost.exe	msiexec.exe
PID 2924 wrote to memory of 228	2924	svchost.exe	msiexec.exe
PID 2924 wrote to memory of 228	2924	svchost.exe	msiexec.exe
PID 2924 wrote to memory of 228	2924	svchost.exe	msiexec.exe
PID 2924 wrote to memory of 228	2924	svchost.exe	msiexec.exe
PID 2924 wrote to memory of 228	2924	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159.exe
"C:\Users\Admin\AppData\Local\Temp\4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\hc.exe
  C:\Users\Admin\AppData\Local\Temp\hc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:580

C:\ProgramData\hkcmd\hc.exe
"C:\ProgramData\hkcmd\hc.exe" 100 580
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\ProgramData\hkcmd\hc.exe
"C:\ProgramData\hkcmd\hc.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 2924
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hkcmd\hc.exe

Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
C:\ProgramData\hkcmd\hc.exe

Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
C:\ProgramData\hkcmd\hc.exe

Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
C:\ProgramData\hkcmd\hccutils.DLL

Filesize
2KB

MD5
1dd363b3564929d0bc336571dec74cf0

SHA1
21c953538bba7749bcc3ce049b2df9df396bc2b7

SHA256
88ab31fb0d56ffe438f21fcce81a1df35554236ef2152c34b91bf5247ab35b7e

SHA512
0ba2583a5ea404cd4f6d5fb9b62ce590eb6244435d3a14586423e9ee7c116047fbb68d588f3e1ecee76d9dd7285805676f5f023baabe4bbdec34a5e754d9a70a

Download Submit
C:\ProgramData\hkcmd\hccutils.DLL.res

Filesize
111KB

MD5
81693011cb717a15ad364a7344f8ffcf

SHA1
0e26b1b58c3a8f978874fd86762af11208999fb3

SHA256
01d5786b31dbb6855f089ae4569c40d5b99b4aed9462053358572898d797b6aa

SHA512
10ff4a7af7c8bd30b696ca1d2c9d3f7d29ed9a79f45264a0442d64cbc81a6e0945842c24d44e97a96a8db3686d9e00f9d0f73799e90620a74ed6ba7b58dded53

Download Submit
C:\ProgramData\hkcmd\hccutils.dll

Filesize
2KB

MD5
1dd363b3564929d0bc336571dec74cf0

SHA1
21c953538bba7749bcc3ce049b2df9df396bc2b7

SHA256
88ab31fb0d56ffe438f21fcce81a1df35554236ef2152c34b91bf5247ab35b7e

SHA512
0ba2583a5ea404cd4f6d5fb9b62ce590eb6244435d3a14586423e9ee7c116047fbb68d588f3e1ecee76d9dd7285805676f5f023baabe4bbdec34a5e754d9a70a

Download Submit
C:\ProgramData\hkcmd\hccutils.dll

Filesize
2KB

MD5
1dd363b3564929d0bc336571dec74cf0

SHA1
21c953538bba7749bcc3ce049b2df9df396bc2b7

SHA256
88ab31fb0d56ffe438f21fcce81a1df35554236ef2152c34b91bf5247ab35b7e

SHA512
0ba2583a5ea404cd4f6d5fb9b62ce590eb6244435d3a14586423e9ee7c116047fbb68d588f3e1ecee76d9dd7285805676f5f023baabe4bbdec34a5e754d9a70a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc.exe

Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc.exe

Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hccutils.DLL

Filesize
2KB

MD5
1dd363b3564929d0bc336571dec74cf0

SHA1
21c953538bba7749bcc3ce049b2df9df396bc2b7

SHA256
88ab31fb0d56ffe438f21fcce81a1df35554236ef2152c34b91bf5247ab35b7e

SHA512
0ba2583a5ea404cd4f6d5fb9b62ce590eb6244435d3a14586423e9ee7c116047fbb68d588f3e1ecee76d9dd7285805676f5f023baabe4bbdec34a5e754d9a70a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hccutils.DLL.res

Filesize
111KB

MD5
81693011cb717a15ad364a7344f8ffcf

SHA1
0e26b1b58c3a8f978874fd86762af11208999fb3

SHA256
01d5786b31dbb6855f089ae4569c40d5b99b4aed9462053358572898d797b6aa

SHA512
10ff4a7af7c8bd30b696ca1d2c9d3f7d29ed9a79f45264a0442d64cbc81a6e0945842c24d44e97a96a8db3686d9e00f9d0f73799e90620a74ed6ba7b58dded53

Download Submit
C:\Users\Admin\AppData\Local\Temp\hccutils.dll

Filesize
2KB

MD5
1dd363b3564929d0bc336571dec74cf0

SHA1
21c953538bba7749bcc3ce049b2df9df396bc2b7

SHA256
88ab31fb0d56ffe438f21fcce81a1df35554236ef2152c34b91bf5247ab35b7e

SHA512
0ba2583a5ea404cd4f6d5fb9b62ce590eb6244435d3a14586423e9ee7c116047fbb68d588f3e1ecee76d9dd7285805676f5f023baabe4bbdec34a5e754d9a70a

Download Submit
memory/228-154-0x00000000024F0000-0x000000000251D000-memory.dmp

Filesize
180KB

Download
memory/228-153-0x00000000024F0000-0x000000000251D000-memory.dmp

Filesize
180KB

Download
memory/228-152-0x0000000000000000-mapping.dmp

Download
memory/580-138-0x0000000002310000-0x000000000233D000-memory.dmp

Filesize
180KB

Download
memory/580-137-0x00000000021C0000-0x00000000022C0000-memory.dmp

Filesize
1024KB

Download
memory/580-130-0x0000000000000000-mapping.dmp

Download
memory/2284-148-0x0000000000D50000-0x0000000000D7D000-memory.dmp

Filesize
180KB

Download
memory/2924-149-0x0000000001600000-0x000000000162D000-memory.dmp

Filesize
180KB

Download
memory/2924-151-0x0000000001600000-0x000000000162D000-memory.dmp

Filesize
180KB

Download
memory/2924-146-0x0000000000000000-mapping.dmp

Download
memory/3056-136-0x0000000000C00000-0x0000000000C3A000-memory.dmp

Filesize
232KB

Download
memory/3144-150-0x0000000002080000-0x00000000020AD000-memory.dmp

Filesize
180KB

Download
memory/3144-147-0x0000000002080000-0x00000000020AD000-memory.dmp

Filesize
180KB

Download