plugx | f98f1aa93dcebd227365c1c1278c74a043a1a1f24b056e6f99645b9f1b75d873

Analysis

max time kernel
155s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-06-2022 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f98f1aa93dcebd227365c1c1278c74a043a1a1f24b056e6f99645b9f1b75d873.exe
Size

641KB
MD5

4694b4224c4cfe637ad61aa3df54b32f
SHA1

29670fa70efbf983c566c424ecf2c291efeb219d
SHA256

f98f1aa93dcebd227365c1c1278c74a043a1a1f24b056e6f99645b9f1b75d873
SHA512

242b8e5d726007e6d25c524a20c2dd7d61ece52f5049e349edf813089f339d61fea3e3aa27c7801469b128b9dd47129f6a47beabd8eb7d9a2ea2d2c8818b65a8

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 7 IoCs

resource	yara_rule
behavioral2/memory/5080-141-0x0000000000700000-0x000000000072D000-memory.dmp	family_plugx
behavioral2/memory/1480-150-0x0000000000B10000-0x0000000000B3D000-memory.dmp	family_plugx
behavioral2/memory/2200-151-0x00000000021F0000-0x000000000221D000-memory.dmp	family_plugx
behavioral2/memory/2324-152-0x0000000000AB0000-0x0000000000ADD000-memory.dmp	family_plugx
behavioral2/memory/4708-154-0x00000000010B0000-0x00000000010DD000-memory.dmp	family_plugx
behavioral2/memory/2324-155-0x0000000000AB0000-0x0000000000ADD000-memory.dmp	family_plugx
behavioral2/memory/4708-156-0x00000000010B0000-0x00000000010DD000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 4 IoCs

pid	Process
4868	2.exe
5080	QQBrowserUpdateService.exe
2200	QQBrowserUpdateService.exe
1480	QQBrowserUpdateService.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	f98f1aa93dcebd227365c1c1278c74a043a1a1f24b056e6f99645b9f1b75d873.exe

Loads dropped DLL 3 IoCs

pid	Process
5080	QQBrowserUpdateService.exe
2200	QQBrowserUpdateService.exe
1480	QQBrowserUpdateService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	f98f1aa93dcebd227365c1c1278c74a043a1a1f24b056e6f99645b9f1b75d873.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 43004500430041003400390042003300460043003300390042003200370039000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5080	QQBrowserUpdateService.exe
5080	QQBrowserUpdateService.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
2324	svchost.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
2324	svchost.exe
2324	svchost.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
2324	svchost.exe
2324	svchost.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
2324	svchost.exe
2324	svchost.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
2324	svchost.exe
2324	svchost.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2324	svchost.exe
4708	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	5080	QQBrowserUpdateService.exe
Token: SeTcbPrivilege	5080	QQBrowserUpdateService.exe
Token: SeDebugPrivilege	2200	QQBrowserUpdateService.exe
Token: SeTcbPrivilege	2200	QQBrowserUpdateService.exe
Token: SeDebugPrivilege	1480	QQBrowserUpdateService.exe
Token: SeTcbPrivilege	1480	QQBrowserUpdateService.exe
Token: SeDebugPrivilege	2324	svchost.exe
Token: SeTcbPrivilege	2324	svchost.exe
Token: SeDebugPrivilege	4708	msiexec.exe
Token: SeTcbPrivilege	4708	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2700	OpenWith.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 4868	2124	f98f1aa93dcebd227365c1c1278c74a043a1a1f24b056e6f99645b9f1b75d873.exe	82
PID 2124 wrote to memory of 4868	2124	f98f1aa93dcebd227365c1c1278c74a043a1a1f24b056e6f99645b9f1b75d873.exe	82
PID 2124 wrote to memory of 4868	2124	f98f1aa93dcebd227365c1c1278c74a043a1a1f24b056e6f99645b9f1b75d873.exe	82
PID 4868 wrote to memory of 5080	4868	2.exe	84
PID 4868 wrote to memory of 5080	4868	2.exe	84
PID 4868 wrote to memory of 5080	4868	2.exe	84
PID 1480 wrote to memory of 2324	1480	QQBrowserUpdateService.exe	89
PID 1480 wrote to memory of 2324	1480	QQBrowserUpdateService.exe	89
PID 1480 wrote to memory of 2324	1480	QQBrowserUpdateService.exe	89
PID 1480 wrote to memory of 2324	1480	QQBrowserUpdateService.exe	89
PID 1480 wrote to memory of 2324	1480	QQBrowserUpdateService.exe	89
PID 1480 wrote to memory of 2324	1480	QQBrowserUpdateService.exe	89
PID 1480 wrote to memory of 2324	1480	QQBrowserUpdateService.exe	89
PID 1480 wrote to memory of 2324	1480	QQBrowserUpdateService.exe	89
PID 2324 wrote to memory of 4708	2324	svchost.exe	90
PID 2324 wrote to memory of 4708	2324	svchost.exe	90
PID 2324 wrote to memory of 4708	2324	svchost.exe	90
PID 2324 wrote to memory of 4708	2324	svchost.exe	90
PID 2324 wrote to memory of 4708	2324	svchost.exe	90
PID 2324 wrote to memory of 4708	2324	svchost.exe	90
PID 2324 wrote to memory of 4708	2324	svchost.exe	90
PID 2324 wrote to memory of 4708	2324	svchost.exe	90

C:\Users\Admin\AppData\Local\Temp\f98f1aa93dcebd227365c1c1278c74a043a1a1f24b056e6f99645b9f1b75d873.exe
"C:\Users\Admin\AppData\Local\Temp\f98f1aa93dcebd227365c1c1278c74a043a1a1f24b056e6f99645b9f1b75d873.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Users\Admin\AppData\Local\Temp\QQBrowserUpdateService.exe
    C:\Users\Admin\AppData\Local\Temp\QQBrowserUpdateService.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5080

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2700

C:\ProgramData\QQBrowser\QQBrowserUpdateService.exe
"C:\ProgramData\QQBrowser\QQBrowserUpdateService.exe" 100 5080
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\ProgramData\QQBrowser\QQBrowserUpdateService.exe
"C:\ProgramData\QQBrowser\QQBrowserUpdateService.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 2324
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\QQBrowser\PDH.dll

Filesize
4KB

MD5
ee392dd013dac7effac7c4f51b4ba29a

SHA1
78c0a384b68107f0908470a8c24a4f80e531ac93

SHA256
f8a17a0d39ca2269236ac977a910c93d70367cf301b56de6754ac529e90d1b72

SHA512
c730315243cdbe337ad89207dc46611b06f6e385a18f46057dfb475b974a7dfac920d41268c43c418fd304df1314467b35ea26469949555cada73ae4892deda0

Download Submit
C:\ProgramData\QQBrowser\PDH.dll

Filesize
4KB

MD5
ee392dd013dac7effac7c4f51b4ba29a

SHA1
78c0a384b68107f0908470a8c24a4f80e531ac93

SHA256
f8a17a0d39ca2269236ac977a910c93d70367cf301b56de6754ac529e90d1b72

SHA512
c730315243cdbe337ad89207dc46611b06f6e385a18f46057dfb475b974a7dfac920d41268c43c418fd304df1314467b35ea26469949555cada73ae4892deda0

Download Submit
C:\ProgramData\QQBrowser\QQBrowserUpdateService.exe

Filesize
204KB

MD5
bf8c7b6e88a049fda4ebd7407488aca6

SHA1
8b889494f25aafcef5e92b6cc7b2e0e0e217e60a

SHA256
28e0bafc9b20c4a5104d558a36600098429e8ac779a46e52a28edd432e6457e2

SHA512
35a72a887e4389bf7faa5ebe712d569301d03678816b2631712138628f03dd26430682a2ec656ae7167c19314f8c6dc162993789bdb0b3eca298f95c3f27da08

Download Submit
C:\ProgramData\QQBrowser\QQBrowserUpdateService.exe

Filesize
204KB

MD5
bf8c7b6e88a049fda4ebd7407488aca6

SHA1
8b889494f25aafcef5e92b6cc7b2e0e0e217e60a

SHA256
28e0bafc9b20c4a5104d558a36600098429e8ac779a46e52a28edd432e6457e2

SHA512
35a72a887e4389bf7faa5ebe712d569301d03678816b2631712138628f03dd26430682a2ec656ae7167c19314f8c6dc162993789bdb0b3eca298f95c3f27da08

Download Submit
C:\ProgramData\QQBrowser\QQBrowserUpdateService.exe

Filesize
204KB

MD5
bf8c7b6e88a049fda4ebd7407488aca6

SHA1
8b889494f25aafcef5e92b6cc7b2e0e0e217e60a

SHA256
28e0bafc9b20c4a5104d558a36600098429e8ac779a46e52a28edd432e6457e2

SHA512
35a72a887e4389bf7faa5ebe712d569301d03678816b2631712138628f03dd26430682a2ec656ae7167c19314f8c6dc162993789bdb0b3eca298f95c3f27da08

Download Submit
C:\ProgramData\QQBrowser\pdh.dll

Filesize
4KB

MD5
ee392dd013dac7effac7c4f51b4ba29a

SHA1
78c0a384b68107f0908470a8c24a4f80e531ac93

SHA256
f8a17a0d39ca2269236ac977a910c93d70367cf301b56de6754ac529e90d1b72

SHA512
c730315243cdbe337ad89207dc46611b06f6e385a18f46057dfb475b974a7dfac920d41268c43c418fd304df1314467b35ea26469949555cada73ae4892deda0

Download Submit
C:\ProgramData\QQBrowser\pdh.dll.pak

Filesize
111KB

MD5
60cd656c285d8180a88ead1f5f3aafa4

SHA1
ceecf0f90edb8ae14bec4858bfaff094f7ec75a6

SHA256
0fc0d32b98d949cb72d92ce0084885a297eb590810240104624669145a6a4d61

SHA512
6946af7c604cdde396ad751cb151fa927c697b310d2fa5b6789499ba6cdea0108444ba971f847a6f9e1abd2f3a641d8c3f9168dd6e22e3d4596030b39de5b5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
345KB

MD5
f04e2abd27b72a89598e2a933595aaba

SHA1
d90b623bbf85813c1232b53e46fda33ec24c3bfe

SHA256
95852da6976c0b3f46eac1988490edd3a0b3e9165c17e3a6e934fd4f899fa204

SHA512
30792256f1b549cfe44c12d81c555c59952c3fdba3217a41544655ca942feff0dd72a5dc5b6ce3dd39fe2e642d6bd2c5331fa428b3518367c9ae13f3350b9a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
345KB

MD5
f04e2abd27b72a89598e2a933595aaba

SHA1
d90b623bbf85813c1232b53e46fda33ec24c3bfe

SHA256
95852da6976c0b3f46eac1988490edd3a0b3e9165c17e3a6e934fd4f899fa204

SHA512
30792256f1b549cfe44c12d81c555c59952c3fdba3217a41544655ca942feff0dd72a5dc5b6ce3dd39fe2e642d6bd2c5331fa428b3518367c9ae13f3350b9a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PDH.dll

Filesize
4KB

MD5
ee392dd013dac7effac7c4f51b4ba29a

SHA1
78c0a384b68107f0908470a8c24a4f80e531ac93

SHA256
f8a17a0d39ca2269236ac977a910c93d70367cf301b56de6754ac529e90d1b72

SHA512
c730315243cdbe337ad89207dc46611b06f6e385a18f46057dfb475b974a7dfac920d41268c43c418fd304df1314467b35ea26469949555cada73ae4892deda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQBrowserUpdateService.exe

Filesize
204KB

MD5
bf8c7b6e88a049fda4ebd7407488aca6

SHA1
8b889494f25aafcef5e92b6cc7b2e0e0e217e60a

SHA256
28e0bafc9b20c4a5104d558a36600098429e8ac779a46e52a28edd432e6457e2

SHA512
35a72a887e4389bf7faa5ebe712d569301d03678816b2631712138628f03dd26430682a2ec656ae7167c19314f8c6dc162993789bdb0b3eca298f95c3f27da08

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQBrowserUpdateService.exe

Filesize
204KB

MD5
bf8c7b6e88a049fda4ebd7407488aca6

SHA1
8b889494f25aafcef5e92b6cc7b2e0e0e217e60a

SHA256
28e0bafc9b20c4a5104d558a36600098429e8ac779a46e52a28edd432e6457e2

SHA512
35a72a887e4389bf7faa5ebe712d569301d03678816b2631712138628f03dd26430682a2ec656ae7167c19314f8c6dc162993789bdb0b3eca298f95c3f27da08

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdh.dll

Filesize
4KB

MD5
ee392dd013dac7effac7c4f51b4ba29a

SHA1
78c0a384b68107f0908470a8c24a4f80e531ac93

SHA256
f8a17a0d39ca2269236ac977a910c93d70367cf301b56de6754ac529e90d1b72

SHA512
c730315243cdbe337ad89207dc46611b06f6e385a18f46057dfb475b974a7dfac920d41268c43c418fd304df1314467b35ea26469949555cada73ae4892deda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdh.dll.pak

Filesize
111KB

MD5
60cd656c285d8180a88ead1f5f3aafa4

SHA1
ceecf0f90edb8ae14bec4858bfaff094f7ec75a6

SHA256
0fc0d32b98d949cb72d92ce0084885a297eb590810240104624669145a6a4d61

SHA512
6946af7c604cdde396ad751cb151fa927c697b310d2fa5b6789499ba6cdea0108444ba971f847a6f9e1abd2f3a641d8c3f9168dd6e22e3d4596030b39de5b5db

Download Submit
memory/1480-150-0x0000000000B10000-0x0000000000B3D000-memory.dmp

Filesize
180KB

Download
memory/2200-151-0x00000000021F0000-0x000000000221D000-memory.dmp

Filesize
180KB

Download
memory/2324-152-0x0000000000AB0000-0x0000000000ADD000-memory.dmp

Filesize
180KB

Download
memory/2324-155-0x0000000000AB0000-0x0000000000ADD000-memory.dmp

Filesize
180KB

Download
memory/4708-154-0x00000000010B0000-0x00000000010DD000-memory.dmp

Filesize
180KB

Download
memory/4708-156-0x00000000010B0000-0x00000000010DD000-memory.dmp

Filesize
180KB

Download
memory/4868-139-0x00000000005B0000-0x00000000005F0000-memory.dmp

Filesize
256KB

Download
memory/5080-141-0x0000000000700000-0x000000000072D000-memory.dmp

Filesize
180KB

Download
memory/5080-140-0x0000000002100000-0x0000000002200000-memory.dmp

Filesize
1024KB

Download