plugx | e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-06-2022 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe
Size

284KB
MD5

0e436441d1c0e84f2d70d725703cfe40
SHA1

c1c4c3803c09010b23967f0fa650377966eb10c6
SHA256

e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812
SHA512

e28a61ca0cb09a96f57b9a23b501ffd05aef8a99d910efc8fe8e40e7a86b2ab9273aa3e4522712871b46512b595176d99d07279da743e8d3668277475460b813

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4944-141-0x00000000020D0000-0x0000000002101000-memory.dmp	family_plugx
behavioral2/memory/1164-146-0x0000000000E70000-0x0000000000EA1000-memory.dmp	family_plugx
behavioral2/memory/4456-149-0x00000000014B0000-0x00000000014E1000-memory.dmp	family_plugx
behavioral2/memory/1752-151-0x0000000002DB0000-0x0000000002DE1000-memory.dmp	family_plugx
behavioral2/memory/4456-152-0x00000000014B0000-0x00000000014E1000-memory.dmp	family_plugx
behavioral2/memory/1752-153-0x0000000002DB0000-0x0000000002DE1000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 2 IoCs

Processes:

Mc.exeMc.exe

pid process

4944 Mc.exe
1164 Mc.exe

pid	process
4944	Mc.exe
1164	Mc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe

Loads dropped DLL 2 IoCs

Processes:

Mc.exeMc.exe

pid process

4944 Mc.exe
1164 Mc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4944	Mc.exe
1164	Mc.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 43003300340043003000300036003500320034003500450037004400350038000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exemsiexec.exe

pid	process
4456	svchost.exe
4456	svchost.exe
4456	svchost.exe
4456	svchost.exe
4456	svchost.exe
4456	svchost.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
4456	svchost.exe
4456	svchost.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
4456	svchost.exe
4456	svchost.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
4456	svchost.exe
4456	svchost.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
4456	svchost.exe
4456	svchost.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe
1752	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exemsiexec.exe

pid process

4456 svchost.exe
1752 msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Mc.exeMc.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	4944	Mc.exe
Token: SeTcbPrivilege	4944	Mc.exe
Token: SeDebugPrivilege	1164	Mc.exe
Token: SeTcbPrivilege	1164	Mc.exe
Token: SeDebugPrivilege	4456	svchost.exe
Token: SeTcbPrivilege	4456	svchost.exe
Token: SeDebugPrivilege	1752	msiexec.exe
Token: SeTcbPrivilege	1752	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exeMc.exesvchost.exe

description	pid	process	target process
PID 2612 wrote to memory of 4944	2612	e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe	Mc.exe
PID 2612 wrote to memory of 4944	2612	e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe	Mc.exe
PID 2612 wrote to memory of 4944	2612	e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe	Mc.exe
PID 1164 wrote to memory of 4456	1164	Mc.exe	svchost.exe
PID 1164 wrote to memory of 4456	1164	Mc.exe	svchost.exe
PID 1164 wrote to memory of 4456	1164	Mc.exe	svchost.exe
PID 1164 wrote to memory of 4456	1164	Mc.exe	svchost.exe
PID 1164 wrote to memory of 4456	1164	Mc.exe	svchost.exe
PID 1164 wrote to memory of 4456	1164	Mc.exe	svchost.exe
PID 1164 wrote to memory of 4456	1164	Mc.exe	svchost.exe
PID 1164 wrote to memory of 4456	1164	Mc.exe	svchost.exe
PID 4456 wrote to memory of 1752	4456	svchost.exe	msiexec.exe
PID 4456 wrote to memory of 1752	4456	svchost.exe	msiexec.exe
PID 4456 wrote to memory of 1752	4456	svchost.exe	msiexec.exe
PID 4456 wrote to memory of 1752	4456	svchost.exe	msiexec.exe
PID 4456 wrote to memory of 1752	4456	svchost.exe	msiexec.exe
PID 4456 wrote to memory of 1752	4456	svchost.exe	msiexec.exe
PID 4456 wrote to memory of 1752	4456	svchost.exe	msiexec.exe
PID 4456 wrote to memory of 1752	4456	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe
"C:\Users\Admin\AppData\Local\Temp\e81499ace2dbbe9d2a4ee5bceb25fa749c525aa604ebf16038c9d97a44037812.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2612

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\ProgramData\AVck\Mc.exe
C:\ProgramData\AVck\Mc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 4456
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AVck\Mc.exe
Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
C:\ProgramData\AVck\Mc.exe
Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
C:\ProgramData\AVck\McUtil.dll
Filesize
48KB

MD5
00ca3b500ecadf3ecfad4b37fa28b312

SHA1
d29113741c59e307aace48f3be52c141b4abd5a0

SHA256
0089bce70764692723229ea9e6fd343dc8840755f17bdcbfb66d64b847c0c3aa

SHA512
8611a38da7521996d1dd30c488c9bdcbbc182459a2c78709e158f6e4f3278d783112347fad3a737c1c0f309938ee93a3b25a9ff1910b0a550b7fe319ce75753f

Download Submit
C:\ProgramData\AVck\McUtil.dll
Filesize
48KB

MD5
00ca3b500ecadf3ecfad4b37fa28b312

SHA1
d29113741c59e307aace48f3be52c141b4abd5a0

SHA256
0089bce70764692723229ea9e6fd343dc8840755f17bdcbfb66d64b847c0c3aa

SHA512
8611a38da7521996d1dd30c488c9bdcbbc182459a2c78709e158f6e4f3278d783112347fad3a737c1c0f309938ee93a3b25a9ff1910b0a550b7fe319ce75753f

Download Submit
C:\ProgramData\AVck\McUtil.dll.url
Filesize
121KB

MD5
7d8cfe7ffb88cd3c345fd4c154394abc

SHA1
41d87335b7f58cd75109be4a3e15b8fe2b8e2a56

SHA256
28693cc7c943579e30c5fd4115accb1702efc2e83a3994528d96f7d9ecc11c08

SHA512
70c1780678e3935c03fd75ea177f0ba8a5d9704d24210ff0851dfa72451da22d9efd785fc0b47cb0a00525e20463cb21fd6c4d6e8788e33d94132af5f6d195d0

Download Submit
C:\ProgramData\SxS\bug.log
Filesize
1KB

MD5
687c75b0aed953f7ac416d42288a5f8f

SHA1
fe7ff01c0df71a8d01f149e39e96b5fcd2558ef8

SHA256
40b1fa09cc6e0f375142c121b330c3203d0707e4ef374e15bf422a143541d501

SHA512
a27393e5b1800f9a5c3e86ed7a3fec7fb7db99a48664c76f015693101c1de236b3385f80236bd67a048b84ea1553c5272b5979a1d89916186389020f3802d5b2

Download Submit
C:\ProgramData\SxS\bug.log
Filesize
1KB

MD5
d4777506c08a937373f6562cf9358b23

SHA1
a4e4cf394bfde0125deb1b2485207d0dd7dc0361

SHA256
1caf54c92ef3eac454bf2695077ab879f0706ebaae833f3c295159e552c481f8

SHA512
0f93c795996be91ce9c9720dfb73d141ce62fd5bc4eab2698a0d5820797e395e8bbfb7a6b307763570b7ece9a67c28eed8318535286ebcbe4bbed55a27696f03

Download Submit
C:\ProgramData\SxS\bug.log
Filesize
1KB

MD5
2dd6549d0f0ad1bcd9dd6c3448860143

SHA1
a0bfafc115d5b1be4dae1398555705c17bfe0b31

SHA256
884ab963fd6b3060f7f51317ec961e160786cb30c58ec26cb185b289a9385284

SHA512
49b3bdf979c6605955fae880025d4231ee0586df75d03e1aef92fbecd13c07b982ad8149bacef7e16a09d52aa64d78f663366f1fc48302c050bfb9f72a680512

Download Submit
C:\ProgramData\SxS\bug.log
Filesize
1KB

MD5
cadaecd58b9de26772ff36f20470f3df

SHA1
d8bc4227c1edb69f3a7519348fab71808471824e

SHA256
a29485441dd9dc5b3ac8d96aea15e65bf0bff0caddbaaf254899a2b713b204cd

SHA512
83d65b0b6e5e93f268ce73fb1339e58a173c2efa58d36c6f5d004c22c300e17bf231d1f5c9e0ab5b40aa4100e857eab1db9ebf2461d23ae02e88f85f21df2a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe
Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe
Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll
Filesize
48KB

MD5
00ca3b500ecadf3ecfad4b37fa28b312

SHA1
d29113741c59e307aace48f3be52c141b4abd5a0

SHA256
0089bce70764692723229ea9e6fd343dc8840755f17bdcbfb66d64b847c0c3aa

SHA512
8611a38da7521996d1dd30c488c9bdcbbc182459a2c78709e158f6e4f3278d783112347fad3a737c1c0f309938ee93a3b25a9ff1910b0a550b7fe319ce75753f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll
Filesize
48KB

MD5
00ca3b500ecadf3ecfad4b37fa28b312

SHA1
d29113741c59e307aace48f3be52c141b4abd5a0

SHA256
0089bce70764692723229ea9e6fd343dc8840755f17bdcbfb66d64b847c0c3aa

SHA512
8611a38da7521996d1dd30c488c9bdcbbc182459a2c78709e158f6e4f3278d783112347fad3a737c1c0f309938ee93a3b25a9ff1910b0a550b7fe319ce75753f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll.url
Filesize
121KB

MD5
7d8cfe7ffb88cd3c345fd4c154394abc

SHA1
41d87335b7f58cd75109be4a3e15b8fe2b8e2a56

SHA256
28693cc7c943579e30c5fd4115accb1702efc2e83a3994528d96f7d9ecc11c08

SHA512
70c1780678e3935c03fd75ea177f0ba8a5d9704d24210ff0851dfa72451da22d9efd785fc0b47cb0a00525e20463cb21fd6c4d6e8788e33d94132af5f6d195d0

Download Submit
memory/1164-146-0x0000000000E70000-0x0000000000EA1000-memory.dmp

Filesize
196KB

Download
memory/1752-150-0x0000000000000000-mapping.dmp

Download
memory/1752-151-0x0000000002DB0000-0x0000000002DE1000-memory.dmp

Filesize
196KB

Download
memory/1752-153-0x0000000002DB0000-0x0000000002DE1000-memory.dmp

Filesize
196KB

Download
memory/4456-144-0x0000000000000000-mapping.dmp

Download
memory/4456-149-0x00000000014B0000-0x00000000014E1000-memory.dmp

Filesize
196KB

Download
memory/4456-152-0x00000000014B0000-0x00000000014E1000-memory.dmp

Filesize
196KB

Download
memory/4944-130-0x0000000000000000-mapping.dmp

Download
memory/4944-141-0x00000000020D0000-0x0000000002101000-memory.dmp

Filesize
196KB

Download
memory/4944-140-0x0000000002160000-0x0000000002260000-memory.dmp

Filesize
1024KB

Download