plugx | e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812

Analysis

max time kernel
151s
max time network
150s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe
Size

284KB
MD5

0e436441d1c0e84f2d70d725703cfe40
SHA1

c1c4c3803c09010b23967f0fa650377966eb10c6
SHA256

e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812
SHA512

e28a61ca0cb09a96f57b9a23b501ffd05aef8a99d910efc8fe8e40e7a86b2ab9273aa3e4522712871b46512b595176d99d07279da743e8d3668277475460b813

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 6 IoCs

resource	yara_rule
behavioral1/memory/1672-72-0x0000000000320000-0x0000000000351000-memory.dmp	family_plugx
behavioral1/memory/1216-80-0x0000000001CF0000-0x0000000001D21000-memory.dmp	family_plugx
behavioral1/memory/944-83-0x0000000000230000-0x0000000000261000-memory.dmp	family_plugx
behavioral1/memory/1300-88-0x00000000002F0000-0x0000000000321000-memory.dmp	family_plugx
behavioral1/memory/944-89-0x0000000000230000-0x0000000000261000-memory.dmp	family_plugx
behavioral1/memory/1300-90-0x00000000002F0000-0x0000000000321000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
1672	Mc.exe
1216	Mc.exe

Deletes itself 1 IoCs

pid	Process
944	svchost.exe

Loads dropped DLL 7 IoCs

pid	Process
1884	e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe
1884	e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe
1884	e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe
1884	e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe
1884	e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe
1672	Mc.exe
1216	Mc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 31004600430043003700390038003600430038003700450044003100410033000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
944	svchost.exe
944	svchost.exe
944	svchost.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
944	svchost.exe
944	svchost.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
944	svchost.exe
944	svchost.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
944	svchost.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
944	svchost.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
944	svchost.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
944	svchost.exe
944	svchost.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
944	svchost.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
944	svchost.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
944	svchost.exe
944	svchost.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe
1300	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	Mc.exe
Token: SeTcbPrivilege	1672	Mc.exe
Token: SeDebugPrivilege	1216	Mc.exe
Token: SeTcbPrivilege	1216	Mc.exe
Token: SeDebugPrivilege	944	svchost.exe
Token: SeTcbPrivilege	944	svchost.exe
Token: SeDebugPrivilege	1300	msiexec.exe
Token: SeTcbPrivilege	1300	msiexec.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1672	1884	e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe	27
PID 1884 wrote to memory of 1672	1884	e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe	27
PID 1884 wrote to memory of 1672	1884	e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe	27
PID 1884 wrote to memory of 1672	1884	e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe	27
PID 1884 wrote to memory of 1672	1884	e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe	27
PID 1884 wrote to memory of 1672	1884	e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe	27
PID 1884 wrote to memory of 1672	1884	e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe	27
PID 1216 wrote to memory of 944	1216	Mc.exe	29
PID 1216 wrote to memory of 944	1216	Mc.exe	29
PID 1216 wrote to memory of 944	1216	Mc.exe	29
PID 1216 wrote to memory of 944	1216	Mc.exe	29
PID 1216 wrote to memory of 944	1216	Mc.exe	29
PID 1216 wrote to memory of 944	1216	Mc.exe	29
PID 1216 wrote to memory of 944	1216	Mc.exe	29
PID 1216 wrote to memory of 944	1216	Mc.exe	29
PID 1216 wrote to memory of 944	1216	Mc.exe	29
PID 944 wrote to memory of 1300	944	svchost.exe	30
PID 944 wrote to memory of 1300	944	svchost.exe	30
PID 944 wrote to memory of 1300	944	svchost.exe	30
PID 944 wrote to memory of 1300	944	svchost.exe	30
PID 944 wrote to memory of 1300	944	svchost.exe	30
PID 944 wrote to memory of 1300	944	svchost.exe	30
PID 944 wrote to memory of 1300	944	svchost.exe	30
PID 944 wrote to memory of 1300	944	svchost.exe	30
PID 944 wrote to memory of 1300	944	svchost.exe	30
PID 944 wrote to memory of 1300	944	svchost.exe	30
PID 944 wrote to memory of 1300	944	svchost.exe	30
PID 944 wrote to memory of 1300	944	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe
"C:\Users\Admin\AppData\Local\Temp\e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1672

C:\ProgramData\AVck\Mc.exe
C:\ProgramData\AVck\Mc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Deletes itself
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 944
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AVck\Mc.exe

Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
C:\ProgramData\AVck\McUtil.dll

Filesize
48KB

MD5
00ca3b500ecadf3ecfad4b37fa28b312

SHA1
d29113741c59e307aace48f3be52c141b4abd5a0

SHA256
0089bce70764692723229ea9e6fd343dc8840755f17bdcbfb66d64b847c0c3aa

SHA512
8611a38da7521996d1dd30c488c9bdcbbc182459a2c78709e158f6e4f3278d783112347fad3a737c1c0f309938ee93a3b25a9ff1910b0a550b7fe319ce75753f

Download Submit
C:\ProgramData\AVck\McUtil.dll.url

Filesize
121KB

MD5
7d8cfe7ffb88cd3c345fd4c154394abc

SHA1
41d87335b7f58cd75109be4a3e15b8fe2b8e2a56

SHA256
28693cc7c943579e30c5fd4115accb1702efc2e83a3994528d96f7d9ecc11c08

SHA512
70c1780678e3935c03fd75ea177f0ba8a5d9704d24210ff0851dfa72451da22d9efd785fc0b47cb0a00525e20463cb21fd6c4d6e8788e33d94132af5f6d195d0

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
1KB

MD5
759d3c407cda774fe0039dd81aedb07d

SHA1
c4b724f5ec9fde6acb2e1039aa2e6397927542ea

SHA256
24d0ab16e20f922a6c41dde138cc25881b49907d409c95adf33014fea5b5f9e9

SHA512
4ff8b9221eee667cdae402c77c92b82dac44aef9aa43ab7cc64c8677c94f0655e3ad9aa1f7128c2fe5b9ee13e89837fdbbbd7a529291b4816f54564d1af344c1

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
1KB

MD5
a706caf67cd8511d70272847fc0655ac

SHA1
3681d132739e0ea5dc89a554a8fe0356a9020447

SHA256
16cf477393c86ae79ebbb65715abce2f41c4d9c149fe0f211e03c2d3ff2e60a1

SHA512
af3a861ed579d4527abf2af112926197ce6101a2625234a869be623c8e1678986f1f93c61bd5f25c59276686a54fa3296005eac524fedaf40c22b565292cf3f7

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
1KB

MD5
ba10d4faff4056fafca9a74f4214abd1

SHA1
44f8a1887ad456638bef18dd25c0b3f494707743

SHA256
af23a28484eb5a1623fb1139c30df0a555b323d84783dda0ee6359f4bb14b415

SHA512
3392415284aa1b6033e41cc65158d252e9fa244be692e3adce1fa2ae9a1a90586238a6be479bdaa13d77f48c883441e81c3be9e7e7deb11807e17d5e03498178

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
1KB

MD5
6bb43c7f19b9fd91ead1e491766fc1c8

SHA1
d19edec8b6775939d641b52febd5e9e12d4831b4

SHA256
2334ee27bb34ea61e2841649aae40a8610e32de037c940330b86db8fe48a5c84

SHA512
0f7eab300b86309be40c228eec2784991f782a8c007c8bb048ecf51232d2a94d4078aa8791b95c177f986aeddcf1f7d174e9f6ceb09c8a486a9633f288d18699

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe

Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe

Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll

Filesize
48KB

MD5
00ca3b500ecadf3ecfad4b37fa28b312

SHA1
d29113741c59e307aace48f3be52c141b4abd5a0

SHA256
0089bce70764692723229ea9e6fd343dc8840755f17bdcbfb66d64b847c0c3aa

SHA512
8611a38da7521996d1dd30c488c9bdcbbc182459a2c78709e158f6e4f3278d783112347fad3a737c1c0f309938ee93a3b25a9ff1910b0a550b7fe319ce75753f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll.url

Filesize
121KB

MD5
7d8cfe7ffb88cd3c345fd4c154394abc

SHA1
41d87335b7f58cd75109be4a3e15b8fe2b8e2a56

SHA256
28693cc7c943579e30c5fd4115accb1702efc2e83a3994528d96f7d9ecc11c08

SHA512
70c1780678e3935c03fd75ea177f0ba8a5d9704d24210ff0851dfa72451da22d9efd785fc0b47cb0a00525e20463cb21fd6c4d6e8788e33d94132af5f6d195d0

Download Submit
\ProgramData\AVck\McUtil.dll

Filesize
48KB

MD5
00ca3b500ecadf3ecfad4b37fa28b312

SHA1
d29113741c59e307aace48f3be52c141b4abd5a0

SHA256
0089bce70764692723229ea9e6fd343dc8840755f17bdcbfb66d64b847c0c3aa

SHA512
8611a38da7521996d1dd30c488c9bdcbbc182459a2c78709e158f6e4f3278d783112347fad3a737c1c0f309938ee93a3b25a9ff1910b0a550b7fe319ce75753f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe

Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe

Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe

Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe

Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe

Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll

Filesize
48KB

MD5
00ca3b500ecadf3ecfad4b37fa28b312

SHA1
d29113741c59e307aace48f3be52c141b4abd5a0

SHA256
0089bce70764692723229ea9e6fd343dc8840755f17bdcbfb66d64b847c0c3aa

SHA512
8611a38da7521996d1dd30c488c9bdcbbc182459a2c78709e158f6e4f3278d783112347fad3a737c1c0f309938ee93a3b25a9ff1910b0a550b7fe319ce75753f

Download Submit
memory/944-83-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download
memory/944-75-0x00000000000A0000-0x00000000000BD000-memory.dmp

Filesize
116KB

Download
memory/944-89-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download
memory/1216-80-0x0000000001CF0000-0x0000000001D21000-memory.dmp

Filesize
196KB

Download
memory/1300-88-0x00000000002F0000-0x0000000000321000-memory.dmp

Filesize
196KB

Download
memory/1300-90-0x00000000002F0000-0x0000000000321000-memory.dmp

Filesize
196KB

Download
memory/1672-71-0x0000000001D70000-0x0000000001E70000-memory.dmp

Filesize
1024KB

Download
memory/1672-72-0x0000000000320000-0x0000000000351000-memory.dmp

Filesize
196KB

Download
memory/1884-54-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download