plugx | 581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25/06/2022, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe
Size

253KB
MD5

7b0bbf1954bfe5f09cf742acd5b47cea
SHA1

bd3cae7bfc1e52f3ab25136c89ca823ba29d203c
SHA256

581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590
SHA512

f94faabf3673798955d91b0214d955786a1573db0822aee37a0fba0602003cc1714b8abcc233a39a7d251834fc8fd4660874f6aec8a9b80a8e66ab2f2910c807

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 7 IoCs

resource	yara_rule
behavioral2/memory/2196-137-0x0000000001FA0000-0x0000000001FCC000-memory.dmp	family_plugx
behavioral2/memory/4868-146-0x0000000000E30000-0x0000000000E5C000-memory.dmp	family_plugx
behavioral2/memory/3932-147-0x0000000002150000-0x000000000217C000-memory.dmp	family_plugx
behavioral2/memory/4280-148-0x0000000001330000-0x000000000135C000-memory.dmp	family_plugx
behavioral2/memory/1888-150-0x0000000001310000-0x000000000133C000-memory.dmp	family_plugx
behavioral2/memory/4280-151-0x0000000001330000-0x000000000135C000-memory.dmp	family_plugx
behavioral2/memory/1888-152-0x0000000001310000-0x000000000133C000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
2196	NvST.exe
3932	NvST.exe
4868	NvST.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe

Loads dropped DLL 3 IoCs

pid	Process
2196	NvST.exe
3932	NvST.exe
4868	NvST.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	112.213.109.35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 42003400430041003300320037004400390039003100410042003900420037000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2196	NvST.exe
2196	NvST.exe
4280	svchost.exe
4280	svchost.exe
4280	svchost.exe
4280	svchost.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
4280	svchost.exe
4280	svchost.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
4280	svchost.exe
4280	svchost.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
4280	svchost.exe
1888	msiexec.exe
1888	msiexec.exe
4280	svchost.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
4280	svchost.exe
4280	svchost.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe
1888	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4280	svchost.exe
1888	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	NvST.exe
Token: SeTcbPrivilege	2196	NvST.exe
Token: SeDebugPrivilege	3932	NvST.exe
Token: SeTcbPrivilege	3932	NvST.exe
Token: SeDebugPrivilege	4868	NvST.exe
Token: SeTcbPrivilege	4868	NvST.exe
Token: SeDebugPrivilege	4280	svchost.exe
Token: SeTcbPrivilege	4280	svchost.exe
Token: SeDebugPrivilege	1888	msiexec.exe
Token: SeTcbPrivilege	1888	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2196	1960	581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe	80
PID 1960 wrote to memory of 2196	1960	581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe	80
PID 1960 wrote to memory of 2196	1960	581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe	80
PID 4868 wrote to memory of 4280	4868	NvST.exe	84
PID 4868 wrote to memory of 4280	4868	NvST.exe	84
PID 4868 wrote to memory of 4280	4868	NvST.exe	84
PID 4868 wrote to memory of 4280	4868	NvST.exe	84
PID 4868 wrote to memory of 4280	4868	NvST.exe	84
PID 4868 wrote to memory of 4280	4868	NvST.exe	84
PID 4868 wrote to memory of 4280	4868	NvST.exe	84
PID 4868 wrote to memory of 4280	4868	NvST.exe	84
PID 4280 wrote to memory of 1888	4280	svchost.exe	85
PID 4280 wrote to memory of 1888	4280	svchost.exe	85
PID 4280 wrote to memory of 1888	4280	svchost.exe	85
PID 4280 wrote to memory of 1888	4280	svchost.exe	85
PID 4280 wrote to memory of 1888	4280	svchost.exe	85
PID 4280 wrote to memory of 1888	4280	svchost.exe	85
PID 4280 wrote to memory of 1888	4280	svchost.exe	85
PID 4280 wrote to memory of 1888	4280	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe
"C:\Users\Admin\AppData\Local\Temp\581b2e93b2ce8c6322831dd27187b059459aebae55f41ab43c63b2264e81a590.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196

C:\ProgramData\SxS\NvST.exe
"C:\ProgramData\SxS\NvST.exe" 100 2196
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\ProgramData\SxS\NvST.exe
"C:\ProgramData\SxS\NvST.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 4280
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\NvST.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\SxS\NvST.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\SxS\NvST.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\SxS\NvST.xml

Filesize
111KB

MD5
5af8722a02124aa720907d3f3715d43f

SHA1
18dcff37f7b061ce2c121e47eef0ffc58527019b

SHA256
ee7370500f1d172985f0be1059557a6d6b36525d9cc2dae456398c635315ce25

SHA512
cfbeccdcd59ed48f50b7b006fcdb73581c69163932e4f1240e7515ea6848813971bffa081af9cd03eb3828f2403d559e6e14a59bcae73f9252ed48a964f512af

Download Submit
C:\ProgramData\SxS\NvSmartMax.dll

Filesize
41KB

MD5
3e2640a52a808af29c38e4f3acd602a8

SHA1
c6c216cac0872f30f6072966cc50d0df8e74892e

SHA256
0ad7ccbe5b4407dd34d83cd92007cf29a1e13e862fdb00bc2b6cf9bdfffa299c

SHA512
9267b42f60f4567320d871daf85296dee591835492743caf1a0d91d58b75bb86447a53b69c1b995e00471f21a22fe7b528482a10cf0ebe2c047331dfa4b9ac0a

Download Submit
C:\ProgramData\SxS\NvSmartMax.dll

Filesize
41KB

MD5
3e2640a52a808af29c38e4f3acd602a8

SHA1
c6c216cac0872f30f6072966cc50d0df8e74892e

SHA256
0ad7ccbe5b4407dd34d83cd92007cf29a1e13e862fdb00bc2b6cf9bdfffa299c

SHA512
9267b42f60f4567320d871daf85296dee591835492743caf1a0d91d58b75bb86447a53b69c1b995e00471f21a22fe7b528482a10cf0ebe2c047331dfa4b9ac0a

Download Submit
C:\ProgramData\SxS\NvSmartMax.dll

Filesize
41KB

MD5
3e2640a52a808af29c38e4f3acd602a8

SHA1
c6c216cac0872f30f6072966cc50d0df8e74892e

SHA256
0ad7ccbe5b4407dd34d83cd92007cf29a1e13e862fdb00bc2b6cf9bdfffa299c

SHA512
9267b42f60f4567320d871daf85296dee591835492743caf1a0d91d58b75bb86447a53b69c1b995e00471f21a22fe7b528482a10cf0ebe2c047331dfa4b9ac0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvST.xml

Filesize
111KB

MD5
5af8722a02124aa720907d3f3715d43f

SHA1
18dcff37f7b061ce2c121e47eef0ffc58527019b

SHA256
ee7370500f1d172985f0be1059557a6d6b36525d9cc2dae456398c635315ce25

SHA512
cfbeccdcd59ed48f50b7b006fcdb73581c69163932e4f1240e7515ea6848813971bffa081af9cd03eb3828f2403d559e6e14a59bcae73f9252ed48a964f512af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll

Filesize
41KB

MD5
3e2640a52a808af29c38e4f3acd602a8

SHA1
c6c216cac0872f30f6072966cc50d0df8e74892e

SHA256
0ad7ccbe5b4407dd34d83cd92007cf29a1e13e862fdb00bc2b6cf9bdfffa299c

SHA512
9267b42f60f4567320d871daf85296dee591835492743caf1a0d91d58b75bb86447a53b69c1b995e00471f21a22fe7b528482a10cf0ebe2c047331dfa4b9ac0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll

Filesize
41KB

MD5
3e2640a52a808af29c38e4f3acd602a8

SHA1
c6c216cac0872f30f6072966cc50d0df8e74892e

SHA256
0ad7ccbe5b4407dd34d83cd92007cf29a1e13e862fdb00bc2b6cf9bdfffa299c

SHA512
9267b42f60f4567320d871daf85296dee591835492743caf1a0d91d58b75bb86447a53b69c1b995e00471f21a22fe7b528482a10cf0ebe2c047331dfa4b9ac0a

Download Submit
memory/1888-150-0x0000000001310000-0x000000000133C000-memory.dmp

Filesize
176KB

Download
memory/1888-152-0x0000000001310000-0x000000000133C000-memory.dmp

Filesize
176KB

Download
memory/2196-136-0x0000000002150000-0x0000000002250000-memory.dmp

Filesize
1024KB

Download
memory/2196-137-0x0000000001FA0000-0x0000000001FCC000-memory.dmp

Filesize
176KB

Download
memory/3932-147-0x0000000002150000-0x000000000217C000-memory.dmp

Filesize
176KB

Download
memory/4280-148-0x0000000001330000-0x000000000135C000-memory.dmp

Filesize
176KB

Download
memory/4280-151-0x0000000001330000-0x000000000135C000-memory.dmp

Filesize
176KB

Download
memory/4868-146-0x0000000000E30000-0x0000000000E5C000-memory.dmp

Filesize
176KB

Download