plugx | a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4

Analysis

max time kernel
158s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-06-2022 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe
Size

333KB
MD5

43fae44518dffc888bed58f0948bf012
SHA1

f2e3c025bf548520b2fdc26317b0d1c6b2d52d71
SHA256

a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4
SHA512

8b0d619d8ca955a615e5003471f429cffc8be47d56536d0bb2f8eac0b9a229d5a773ae765ec7bf25f904cdd769d507151b956ff5d00018e36fdcc417309d9eac

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1668-137-0x0000000000760000-0x00000000007B1000-memory.dmp	family_plugx
behavioral2/memory/724-144-0x0000000000C00000-0x0000000000C51000-memory.dmp	family_plugx
behavioral2/memory/5032-148-0x0000000000C00000-0x0000000000C51000-memory.dmp	family_plugx
behavioral2/memory/100-150-0x0000000002F10000-0x0000000002F61000-memory.dmp	family_plugx
behavioral2/memory/5032-151-0x0000000000C00000-0x0000000000C51000-memory.dmp	family_plugx
behavioral2/memory/100-152-0x0000000002F10000-0x0000000002F61000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 3 IoCs

Processes:

VCIntegrate.exeVCIntegrate.exeAOFVPMJXVT.exe

pid process

1668 VCIntegrate.exe
724 VCIntegrate.exe
4752 AOFVPMJXVT.exe

pid	process
1668	VCIntegrate.exe
724	VCIntegrate.exe
4752	AOFVPMJXVT.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe

Loads dropped DLL 2 IoCs

Processes:

VCIntegrate.exeVCIntegrate.exe

pid process

1668 VCIntegrate.exe
724 VCIntegrate.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1668	VCIntegrate.exe
724	VCIntegrate.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent	svchost.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 30004300310037003900450031003900300032003800460034003400360042000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exeAOFVPMJXVT.exemsiexec.exe

pid	process
5032	svchost.exe
5032	svchost.exe
4752	AOFVPMJXVT.exe
4752	AOFVPMJXVT.exe
5032	svchost.exe
5032	svchost.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
5032	svchost.exe
5032	svchost.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
5032	svchost.exe
5032	svchost.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
5032	svchost.exe
5032	svchost.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
5032	svchost.exe
5032	svchost.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe
100	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exemsiexec.exe

pid process

5032 svchost.exe
100 msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

VCIntegrate.exeVCIntegrate.exesvchost.exeAOFVPMJXVT.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1668	VCIntegrate.exe
Token: SeTcbPrivilege	1668	VCIntegrate.exe
Token: SeDebugPrivilege	724	VCIntegrate.exe
Token: SeTcbPrivilege	724	VCIntegrate.exe
Token: SeDebugPrivilege	5032	svchost.exe
Token: SeTcbPrivilege	5032	svchost.exe
Token: SeTcbPrivilege	4752	AOFVPMJXVT.exe
Token: SeDebugPrivilege	4752	AOFVPMJXVT.exe
Token: SeDebugPrivilege	100	msiexec.exe
Token: SeTcbPrivilege	100	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exeVCIntegrate.exesvchost.exe

description	pid	process	target process
PID 4856 wrote to memory of 1668	4856	a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe	VCIntegrate.exe
PID 4856 wrote to memory of 1668	4856	a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe	VCIntegrate.exe
PID 4856 wrote to memory of 1668	4856	a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe	VCIntegrate.exe
PID 724 wrote to memory of 5032	724	VCIntegrate.exe	svchost.exe
PID 724 wrote to memory of 5032	724	VCIntegrate.exe	svchost.exe
PID 724 wrote to memory of 5032	724	VCIntegrate.exe	svchost.exe
PID 724 wrote to memory of 5032	724	VCIntegrate.exe	svchost.exe
PID 724 wrote to memory of 5032	724	VCIntegrate.exe	svchost.exe
PID 724 wrote to memory of 5032	724	VCIntegrate.exe	svchost.exe
PID 724 wrote to memory of 5032	724	VCIntegrate.exe	svchost.exe
PID 724 wrote to memory of 5032	724	VCIntegrate.exe	svchost.exe
PID 5032 wrote to memory of 4752	5032	svchost.exe	AOFVPMJXVT.exe
PID 5032 wrote to memory of 4752	5032	svchost.exe	AOFVPMJXVT.exe
PID 5032 wrote to memory of 100	5032	svchost.exe	msiexec.exe
PID 5032 wrote to memory of 100	5032	svchost.exe	msiexec.exe
PID 5032 wrote to memory of 100	5032	svchost.exe	msiexec.exe
PID 5032 wrote to memory of 100	5032	svchost.exe	msiexec.exe
PID 5032 wrote to memory of 100	5032	svchost.exe	msiexec.exe
PID 5032 wrote to memory of 100	5032	svchost.exe	msiexec.exe
PID 5032 wrote to memory of 100	5032	svchost.exe	msiexec.exe
PID 5032 wrote to memory of 100	5032	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe
"C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4856

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe
"C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:724

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
2⤵
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\TEMP\AOFVPMJXVT.exe
"C:\Windows\TEMP\AOFVPMJXVT.exe" Intel(R) Capability Licensing Service Interface CPUMonitor
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 5032
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\NetSeSS.Cfg
Filesize
212KB

MD5
ed3af94dbae43395784af13bb362ef06

SHA1
82616c65c6b3453b7e12ccff8694897977710cfb

SHA256
b8d5f0a17e1440367caf8a52c17c10626f533c10580ce5e000129aa7a1b4f621

SHA512
6e73620ed03a57f90cbaf6ba797e9ba6a786843c9b46f61d33c07e7b9c05fae3076a6670cf33486676d200a073bbc90735e4790c5cddf3a2e2e96b4e2e8f59d2

Download Submit
C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\SHFOLDER.dll
Filesize
4KB

MD5
9244fe82fddc1f4ccbda307df165fd71

SHA1
3d270662c1d29b686dc2c72bc947a71a211d7a0c

SHA256
788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394

SHA512
7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4

Download Submit
C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\SHFOLDER.dll
Filesize
4KB

MD5
9244fe82fddc1f4ccbda307df165fd71

SHA1
3d270662c1d29b686dc2c72bc947a71a211d7a0c

SHA256
788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394

SHA512
7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4

Download Submit
C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe
Filesize
41KB

MD5
64787351f8dd15fa642b37d2e3d023c8

SHA1
62406876a635d5c6f5fa9376fc67a5c2e4af9ed2

SHA256
84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0

SHA512
8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

Download Submit
C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe
Filesize
41KB

MD5
64787351f8dd15fa642b37d2e3d023c8

SHA1
62406876a635d5c6f5fa9376fc67a5c2e4af9ed2

SHA256
84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0

SHA512
8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NetSeSS.Cfg
Filesize
212KB

MD5
ed3af94dbae43395784af13bb362ef06

SHA1
82616c65c6b3453b7e12ccff8694897977710cfb

SHA256
b8d5f0a17e1440367caf8a52c17c10626f533c10580ce5e000129aa7a1b4f621

SHA512
6e73620ed03a57f90cbaf6ba797e9ba6a786843c9b46f61d33c07e7b9c05fae3076a6670cf33486676d200a073bbc90735e4790c5cddf3a2e2e96b4e2e8f59d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SHFOLDER.dll
Filesize
4KB

MD5
9244fe82fddc1f4ccbda307df165fd71

SHA1
3d270662c1d29b686dc2c72bc947a71a211d7a0c

SHA256
788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394

SHA512
7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SHFOLDER.dll
Filesize
4KB

MD5
9244fe82fddc1f4ccbda307df165fd71

SHA1
3d270662c1d29b686dc2c72bc947a71a211d7a0c

SHA256
788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394

SHA512
7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe
Filesize
41KB

MD5
64787351f8dd15fa642b37d2e3d023c8

SHA1
62406876a635d5c6f5fa9376fc67a5c2e4af9ed2

SHA256
84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0

SHA512
8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe
Filesize
41KB

MD5
64787351f8dd15fa642b37d2e3d023c8

SHA1
62406876a635d5c6f5fa9376fc67a5c2e4af9ed2

SHA256
84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0

SHA512
8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

Download Submit
C:\Windows\TEMP\AOFVPMJXVT.exe
Filesize
11KB

MD5
6622918d92a44e67175f7aeb3fcb5a05

SHA1
0b226563fa229783bea7aa27e28f908967c729e6

SHA256
b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c

SHA512
65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe

Download Submit
C:\Windows\Temp\AOFVPMJXVT.exe
Filesize
11KB

MD5
6622918d92a44e67175f7aeb3fcb5a05

SHA1
0b226563fa229783bea7aa27e28f908967c729e6

SHA256
b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c

SHA512
65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe

Download Submit
memory/100-152-0x0000000002F10000-0x0000000002F61000-memory.dmp

Filesize
324KB

Download
memory/100-150-0x0000000002F10000-0x0000000002F61000-memory.dmp

Filesize
324KB

Download
memory/100-149-0x0000000000000000-mapping.dmp

Download
memory/724-144-0x0000000000C00000-0x0000000000C51000-memory.dmp

Filesize
324KB

Download
memory/1668-136-0x0000000000570000-0x00000000005A6000-memory.dmp

Filesize
216KB

Download
memory/1668-130-0x0000000000000000-mapping.dmp

Download
memory/1668-137-0x0000000000760000-0x00000000007B1000-memory.dmp

Filesize
324KB

Download
memory/4752-145-0x0000000000000000-mapping.dmp

Download
memory/5032-148-0x0000000000C00000-0x0000000000C51000-memory.dmp

Filesize
324KB

Download
memory/5032-143-0x0000000000000000-mapping.dmp

Download
memory/5032-151-0x0000000000C00000-0x0000000000C51000-memory.dmp

Filesize
324KB

Download