plugx | 581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590

Analysis

max time kernel
152s
max time network
149s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe
Size

253KB
MD5

7b0bbf1954bfe5f09cf742acd5b47cea
SHA1

bd3cae7bfc1e52f3ab25136c89ca823ba29d203c
SHA256

581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590
SHA512

f94faabf3673798955d91b0214d955786a1573db0822aee37a0fba0602003cc1714b8abcc233a39a7d251834fc8fd4660874f6aec8a9b80a8e66ab2f2910c807

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 7 IoCs

resource	yara_rule
behavioral1/memory/1908-67-0x0000000000280000-0x00000000002AC000-memory.dmp	family_plugx
behavioral1/memory/1216-81-0x0000000000440000-0x000000000046C000-memory.dmp	family_plugx
behavioral1/memory/1552-82-0x00000000002A0000-0x00000000002CC000-memory.dmp	family_plugx
behavioral1/memory/268-83-0x0000000000270000-0x000000000029C000-memory.dmp	family_plugx
behavioral1/memory/1204-88-0x00000000002E0000-0x000000000030C000-memory.dmp	family_plugx
behavioral1/memory/268-89-0x0000000000270000-0x000000000029C000-memory.dmp	family_plugx
behavioral1/memory/1204-90-0x00000000002E0000-0x000000000030C000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
1908	NvST.exe
1552	NvST.exe
1216	NvST.exe

Deletes itself 1 IoCs

pid	Process
1908	NvST.exe

Loads dropped DLL 8 IoCs

pid	Process
1964	581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe
1964	581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe
1964	581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe
1964	581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe
1964	581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe
1908	NvST.exe
1552	NvST.exe
1216	NvST.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	112.213.109.35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\~MHZ	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 39004300320033003200440046003000460037004600300039003900440042000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1908	NvST.exe
268	svchost.exe
268	svchost.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
268	svchost.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
268	svchost.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
268	svchost.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
268	svchost.exe
268	svchost.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
268	svchost.exe
268	svchost.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
268	svchost.exe
268	svchost.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
268	svchost.exe
268	svchost.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
268	svchost.exe
268	svchost.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
1204	msiexec.exe
268	svchost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	NvST.exe
Token: SeTcbPrivilege	1908	NvST.exe
Token: SeDebugPrivilege	1552	NvST.exe
Token: SeTcbPrivilege	1552	NvST.exe
Token: SeDebugPrivilege	1216	NvST.exe
Token: SeTcbPrivilege	1216	NvST.exe
Token: SeDebugPrivilege	268	svchost.exe
Token: SeTcbPrivilege	268	svchost.exe
Token: SeDebugPrivilege	1204	msiexec.exe
Token: SeTcbPrivilege	1204	msiexec.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1908	1964	581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe	26
PID 1964 wrote to memory of 1908	1964	581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe	26
PID 1964 wrote to memory of 1908	1964	581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe	26
PID 1964 wrote to memory of 1908	1964	581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe	26
PID 1964 wrote to memory of 1908	1964	581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe	26
PID 1964 wrote to memory of 1908	1964	581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe	26
PID 1964 wrote to memory of 1908	1964	581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe	26
PID 1216 wrote to memory of 268	1216	NvST.exe	30
PID 1216 wrote to memory of 268	1216	NvST.exe	30
PID 1216 wrote to memory of 268	1216	NvST.exe	30
PID 1216 wrote to memory of 268	1216	NvST.exe	30
PID 1216 wrote to memory of 268	1216	NvST.exe	30
PID 1216 wrote to memory of 268	1216	NvST.exe	30
PID 1216 wrote to memory of 268	1216	NvST.exe	30
PID 1216 wrote to memory of 268	1216	NvST.exe	30
PID 1216 wrote to memory of 268	1216	NvST.exe	30
PID 268 wrote to memory of 1204	268	svchost.exe	31
PID 268 wrote to memory of 1204	268	svchost.exe	31
PID 268 wrote to memory of 1204	268	svchost.exe	31
PID 268 wrote to memory of 1204	268	svchost.exe	31
PID 268 wrote to memory of 1204	268	svchost.exe	31
PID 268 wrote to memory of 1204	268	svchost.exe	31
PID 268 wrote to memory of 1204	268	svchost.exe	31
PID 268 wrote to memory of 1204	268	svchost.exe	31
PID 268 wrote to memory of 1204	268	svchost.exe	31
PID 268 wrote to memory of 1204	268	svchost.exe	31
PID 268 wrote to memory of 1204	268	svchost.exe	31
PID 268 wrote to memory of 1204	268	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe
"C:\Users\Admin\AppData\Local\Temp\581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908

C:\ProgramData\SxS\NvST.exe
"C:\ProgramData\SxS\NvST.exe" 100 1908
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\ProgramData\SxS\NvST.exe
"C:\ProgramData\SxS\NvST.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 268
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\NvST.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\SxS\NvST.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\SxS\NvST.xml

Filesize
111KB

MD5
5af8722a02124aa720907d3f3715d43f

SHA1
18dcff37f7b061ce2c121e47eef0ffc58527019b

SHA256
ee7370500f1d172985f0be1059557a6d6b36525d9cc2dae456398c635315ce25

SHA512
cfbeccdcd59ed48f50b7b006fcdb73581c69163932e4f1240e7515ea6848813971bffa081af9cd03eb3828f2403d559e6e14a59bcae73f9252ed48a964f512af

Download Submit
C:\ProgramData\SxS\NvSmartMax.dll

Filesize
41KB

MD5
3e2640a52a808af29c38e4f3acd602a8

SHA1
c6c216cac0872f30f6072966cc50d0df8e74892e

SHA256
0ad7ccbe5b4407dd34d83cd92007cf29a1e13e862fdb00bc2b6cf9bdfffa299c

SHA512
9267b42f60f4567320d871daf85296dee591835492743caf1a0d91d58b75bb86447a53b69c1b995e00471f21a22fe7b528482a10cf0ebe2c047331dfa4b9ac0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.xml

Filesize
111KB

MD5
5af8722a02124aa720907d3f3715d43f

SHA1
18dcff37f7b061ce2c121e47eef0ffc58527019b

SHA256
ee7370500f1d172985f0be1059557a6d6b36525d9cc2dae456398c635315ce25

SHA512
cfbeccdcd59ed48f50b7b006fcdb73581c69163932e4f1240e7515ea6848813971bffa081af9cd03eb3828f2403d559e6e14a59bcae73f9252ed48a964f512af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll

Filesize
41KB

MD5
3e2640a52a808af29c38e4f3acd602a8

SHA1
c6c216cac0872f30f6072966cc50d0df8e74892e

SHA256
0ad7ccbe5b4407dd34d83cd92007cf29a1e13e862fdb00bc2b6cf9bdfffa299c

SHA512
9267b42f60f4567320d871daf85296dee591835492743caf1a0d91d58b75bb86447a53b69c1b995e00471f21a22fe7b528482a10cf0ebe2c047331dfa4b9ac0a

Download Submit
\ProgramData\SxS\NvSmartMax.dll

Filesize
41KB

MD5
3e2640a52a808af29c38e4f3acd602a8

SHA1
c6c216cac0872f30f6072966cc50d0df8e74892e

SHA256
0ad7ccbe5b4407dd34d83cd92007cf29a1e13e862fdb00bc2b6cf9bdfffa299c

SHA512
9267b42f60f4567320d871daf85296dee591835492743caf1a0d91d58b75bb86447a53b69c1b995e00471f21a22fe7b528482a10cf0ebe2c047331dfa4b9ac0a

Download Submit
\ProgramData\SxS\NvSmartMax.dll

Filesize
41KB

MD5
3e2640a52a808af29c38e4f3acd602a8

SHA1
c6c216cac0872f30f6072966cc50d0df8e74892e

SHA256
0ad7ccbe5b4407dd34d83cd92007cf29a1e13e862fdb00bc2b6cf9bdfffa299c

SHA512
9267b42f60f4567320d871daf85296dee591835492743caf1a0d91d58b75bb86447a53b69c1b995e00471f21a22fe7b528482a10cf0ebe2c047331dfa4b9ac0a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll

Filesize
41KB

MD5
3e2640a52a808af29c38e4f3acd602a8

SHA1
c6c216cac0872f30f6072966cc50d0df8e74892e

SHA256
0ad7ccbe5b4407dd34d83cd92007cf29a1e13e862fdb00bc2b6cf9bdfffa299c

SHA512
9267b42f60f4567320d871daf85296dee591835492743caf1a0d91d58b75bb86447a53b69c1b995e00471f21a22fe7b528482a10cf0ebe2c047331dfa4b9ac0a

Download Submit
memory/268-83-0x0000000000270000-0x000000000029C000-memory.dmp

Filesize
176KB

Download
memory/268-89-0x0000000000270000-0x000000000029C000-memory.dmp

Filesize
176KB

Download
memory/268-77-0x0000000000130000-0x000000000014A000-memory.dmp

Filesize
104KB

Download
memory/1204-88-0x00000000002E0000-0x000000000030C000-memory.dmp

Filesize
176KB

Download
memory/1204-90-0x00000000002E0000-0x000000000030C000-memory.dmp

Filesize
176KB

Download
memory/1216-81-0x0000000000440000-0x000000000046C000-memory.dmp

Filesize
176KB

Download
memory/1552-82-0x00000000002A0000-0x00000000002CC000-memory.dmp

Filesize
176KB

Download
memory/1908-67-0x0000000000280000-0x00000000002AC000-memory.dmp

Filesize
176KB

Download
memory/1908-66-0x0000000000410000-0x0000000000510000-memory.dmp

Filesize
1024KB

Download
memory/1964-54-0x00000000756E1000-0x00000000756E3000-memory.dmp

Filesize
8KB

Download