plugx | 398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429

Analysis

max time kernel
159s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-06-2022 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe
Size

273KB
MD5

dc7d60cbdeafc23065fc7a507da9fe50
SHA1

3665297459c39bccced9923a1fd4a6fcbead2797
SHA256

398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429
SHA512

301c9ab6628b830d5ea50574fc429be708be14a68d2b060d43cc6561ba31608c08f58af73811053613e6ba46eaa2945edd0d9242b03f6b513a1db0dc2fec8205

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 6 IoCs

resource	yara_rule
behavioral2/memory/1520-140-0x00000000029B0000-0x00000000029E1000-memory.dmp	family_plugx
behavioral2/memory/660-144-0x0000000001A00000-0x0000000001A31000-memory.dmp	family_plugx
behavioral2/memory/1832-146-0x0000000000F10000-0x0000000000F41000-memory.dmp	family_plugx
behavioral2/memory/4412-148-0x0000000002D70000-0x0000000002DA1000-memory.dmp	family_plugx
behavioral2/memory/1832-149-0x0000000000F10000-0x0000000000F41000-memory.dmp	family_plugx
behavioral2/memory/4412-150-0x0000000002D70000-0x0000000002DA1000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
1520	chrome_frame_helper.exe
660	chrome_frame_helper.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe

Loads dropped DLL 2 IoCs

pid	Process
1520	chrome_frame_helper.exe
660	chrome_frame_helper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 31004500420039004100440044004400360045003200330032004600320038000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1832	svchost.exe
1832	svchost.exe
1832	svchost.exe
1832	svchost.exe
1832	svchost.exe
1832	svchost.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
1832	svchost.exe
1832	svchost.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
1832	svchost.exe
4412	msiexec.exe
1832	svchost.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
1832	svchost.exe
1832	svchost.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
1832	svchost.exe
1832	svchost.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe
4412	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1832	svchost.exe
4412	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	chrome_frame_helper.exe
Token: SeTcbPrivilege	1520	chrome_frame_helper.exe
Token: SeDebugPrivilege	660	chrome_frame_helper.exe
Token: SeTcbPrivilege	660	chrome_frame_helper.exe
Token: SeDebugPrivilege	1832	svchost.exe
Token: SeTcbPrivilege	1832	svchost.exe
Token: SeDebugPrivilege	4412	msiexec.exe
Token: SeTcbPrivilege	4412	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 1520	4140	398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe	81
PID 4140 wrote to memory of 1520	4140	398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe	81
PID 4140 wrote to memory of 1520	4140	398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe	81
PID 660 wrote to memory of 1832	660	chrome_frame_helper.exe	84
PID 660 wrote to memory of 1832	660	chrome_frame_helper.exe	84
PID 660 wrote to memory of 1832	660	chrome_frame_helper.exe	84
PID 660 wrote to memory of 1832	660	chrome_frame_helper.exe	84
PID 660 wrote to memory of 1832	660	chrome_frame_helper.exe	84
PID 660 wrote to memory of 1832	660	chrome_frame_helper.exe	84
PID 660 wrote to memory of 1832	660	chrome_frame_helper.exe	84
PID 660 wrote to memory of 1832	660	chrome_frame_helper.exe	84
PID 1832 wrote to memory of 4412	1832	svchost.exe	85
PID 1832 wrote to memory of 4412	1832	svchost.exe	85
PID 1832 wrote to memory of 4412	1832	svchost.exe	85
PID 1832 wrote to memory of 4412	1832	svchost.exe	85
PID 1832 wrote to memory of 4412	1832	svchost.exe	85
PID 1832 wrote to memory of 4412	1832	svchost.exe	85
PID 1832 wrote to memory of 4412	1832	svchost.exe	85
PID 1832 wrote to memory of 4412	1832	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe
"C:\Users\Admin\AppData\Local\Temp\398c0ec8b01bdbc15461e0265b7a62ac466399bcfa005cecf3fe6e921baac429.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome_frame_helper.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome_frame_helper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1520

C:\ProgramData\chrome_frame_helper\chrome_frame_helper.exe
C:\ProgramData\chrome_frame_helper\chrome_frame_helper.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1832
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\bug.log

Filesize
456B

MD5
6ff1e449cf2e2cbbf3eb69d84178de71

SHA1
aeb64ecc2dc8ad19000446197396d943e45f554e

SHA256
568b8a0ff52361290fe4d42a801edc6db3c340f28dfa23b844fbeef453c03584

SHA512
b7cd2068b2b3e62ca7a4b9a101dbdb0d36e0dca258166228462e2a38928b5ff9eb6e9a8c1827005d0fec8c39d9248481bcafc606becb1eb3117e6bd51887141d

Download Submit
C:\ProgramData\chrome_frame_helper\chrome_frame_helper.dll

Filesize
41KB

MD5
25c7be08a9cce290d4762acd9c6d94b5

SHA1
c5f61d9791f523847b788d8fbcf141a0d4a84aba

SHA256
2c63c8cb05ab601d3fd53b5dc08a28fa93e3700c5cf38421610f50726f970fe9

SHA512
a872725f1e7e5b1f899fc2151330514ab9f48365fe9d9c5629350c3e06813f5ce59da8da30b27dd0a540f163386311f885235415f3acee6931d1497879b00c2f

Download Submit
C:\ProgramData\chrome_frame_helper\chrome_frame_helper.dll

Filesize
41KB

MD5
25c7be08a9cce290d4762acd9c6d94b5

SHA1
c5f61d9791f523847b788d8fbcf141a0d4a84aba

SHA256
2c63c8cb05ab601d3fd53b5dc08a28fa93e3700c5cf38421610f50726f970fe9

SHA512
a872725f1e7e5b1f899fc2151330514ab9f48365fe9d9c5629350c3e06813f5ce59da8da30b27dd0a540f163386311f885235415f3acee6931d1497879b00c2f

Download Submit
C:\ProgramData\chrome_frame_helper\chrome_frame_helper.dll.hlp

Filesize
121KB

MD5
feca16416fa0de1c0aa04a5ec95dd3b9

SHA1
461a758bcfe2e66ddeacdf229acccb9c68c741ac

SHA256
8521dca581b9a9fb82355bb7660c5d1811359558536b49e39ea68aa9f5f5db0a

SHA512
ae343c9b3657c39164dd3f2b4252b9af3bd7e64282fc146cab6d9928b272be609d1564a33835b33bcdd01e6bb743f29ad1f7d2abe0e0d220b3367e41a49af6a3

Download Submit
C:\ProgramData\chrome_frame_helper\chrome_frame_helper.exe

Filesize
79KB

MD5
ffb84b8561e49a8db60e0001f630831f

SHA1
e429d33a87c64043941268dfc3979bd1c729fbf0

SHA256
805742cc5aa40d0c05476ca0d33a6944954ff0d8f40ac0b3d18b3968453db769

SHA512
8bceac8b8b919232f90ae3c08f9231e68ff33dfc76d0ac56e48c8b7c33ce7674c0cce800b75297cb3dc81aa2e60c96042c4dce604d3228428b0194519b4acb5c

Download Submit
C:\ProgramData\chrome_frame_helper\chrome_frame_helper.exe

Filesize
79KB

MD5
ffb84b8561e49a8db60e0001f630831f

SHA1
e429d33a87c64043941268dfc3979bd1c729fbf0

SHA256
805742cc5aa40d0c05476ca0d33a6944954ff0d8f40ac0b3d18b3968453db769

SHA512
8bceac8b8b919232f90ae3c08f9231e68ff33dfc76d0ac56e48c8b7c33ce7674c0cce800b75297cb3dc81aa2e60c96042c4dce604d3228428b0194519b4acb5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome_frame_helper.dll

Filesize
41KB

MD5
25c7be08a9cce290d4762acd9c6d94b5

SHA1
c5f61d9791f523847b788d8fbcf141a0d4a84aba

SHA256
2c63c8cb05ab601d3fd53b5dc08a28fa93e3700c5cf38421610f50726f970fe9

SHA512
a872725f1e7e5b1f899fc2151330514ab9f48365fe9d9c5629350c3e06813f5ce59da8da30b27dd0a540f163386311f885235415f3acee6931d1497879b00c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome_frame_helper.dll

Filesize
41KB

MD5
25c7be08a9cce290d4762acd9c6d94b5

SHA1
c5f61d9791f523847b788d8fbcf141a0d4a84aba

SHA256
2c63c8cb05ab601d3fd53b5dc08a28fa93e3700c5cf38421610f50726f970fe9

SHA512
a872725f1e7e5b1f899fc2151330514ab9f48365fe9d9c5629350c3e06813f5ce59da8da30b27dd0a540f163386311f885235415f3acee6931d1497879b00c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome_frame_helper.dll.hlp

Filesize
121KB

MD5
feca16416fa0de1c0aa04a5ec95dd3b9

SHA1
461a758bcfe2e66ddeacdf229acccb9c68c741ac

SHA256
8521dca581b9a9fb82355bb7660c5d1811359558536b49e39ea68aa9f5f5db0a

SHA512
ae343c9b3657c39164dd3f2b4252b9af3bd7e64282fc146cab6d9928b272be609d1564a33835b33bcdd01e6bb743f29ad1f7d2abe0e0d220b3367e41a49af6a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome_frame_helper.exe

Filesize
79KB

MD5
ffb84b8561e49a8db60e0001f630831f

SHA1
e429d33a87c64043941268dfc3979bd1c729fbf0

SHA256
805742cc5aa40d0c05476ca0d33a6944954ff0d8f40ac0b3d18b3968453db769

SHA512
8bceac8b8b919232f90ae3c08f9231e68ff33dfc76d0ac56e48c8b7c33ce7674c0cce800b75297cb3dc81aa2e60c96042c4dce604d3228428b0194519b4acb5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome_frame_helper.exe

Filesize
79KB

MD5
ffb84b8561e49a8db60e0001f630831f

SHA1
e429d33a87c64043941268dfc3979bd1c729fbf0

SHA256
805742cc5aa40d0c05476ca0d33a6944954ff0d8f40ac0b3d18b3968453db769

SHA512
8bceac8b8b919232f90ae3c08f9231e68ff33dfc76d0ac56e48c8b7c33ce7674c0cce800b75297cb3dc81aa2e60c96042c4dce604d3228428b0194519b4acb5c

Download Submit
memory/660-144-0x0000000001A00000-0x0000000001A31000-memory.dmp

Filesize
196KB

Download
memory/1520-136-0x0000000002E00000-0x0000000002F00000-memory.dmp

Filesize
1024KB

Download
memory/1520-140-0x00000000029B0000-0x00000000029E1000-memory.dmp

Filesize
196KB

Download
memory/1832-146-0x0000000000F10000-0x0000000000F41000-memory.dmp

Filesize
196KB

Download
memory/1832-149-0x0000000000F10000-0x0000000000F41000-memory.dmp

Filesize
196KB

Download
memory/4412-148-0x0000000002D70000-0x0000000002DA1000-memory.dmp

Filesize
196KB

Download
memory/4412-150-0x0000000002D70000-0x0000000002DA1000-memory.dmp

Filesize
196KB

Download