plugx | 5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201

Analysis

max time kernel
151s
max time network
163s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe
Size

427KB
MD5

cfe882ba290b6bd30bff5848c20554a5
SHA1

ceb839a8c04c75844cab7b18916234f7cd093157
SHA256

5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201
SHA512

c3dd4139b7a0d4192c0c1f5a096a3cfdc59414ce40a8cb52d2ade2bdc966e0678a591bdf25368bbf8173dff7b4d5cce3c0063a0f945302109294e507ab64f509

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 6 IoCs

resource	yara_rule
behavioral1/memory/2040-76-0x00000000002C0000-0x00000000002F1000-memory.dmp	family_plugx
behavioral1/memory/968-79-0x00000000002A0000-0x00000000002D1000-memory.dmp	family_plugx
behavioral1/memory/1112-80-0x00000000001D0000-0x0000000000201000-memory.dmp	family_plugx
behavioral1/memory/628-85-0x00000000002D0000-0x0000000000301000-memory.dmp	family_plugx
behavioral1/memory/1112-86-0x00000000001D0000-0x0000000000201000-memory.dmp	family_plugx
behavioral1/memory/628-87-0x00000000002D0000-0x0000000000301000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
968	hkcmd.exe
2040	hkcmd.exe

Deletes itself 1 IoCs

pid	Process
1112	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
360	5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe
360	5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe
360	5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe
360	5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe
968	hkcmd.exe
2040	hkcmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 39003400380045003900350033004400410030004500310034003800380035000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1112	svchost.exe
1112	svchost.exe
1112	svchost.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
1112	svchost.exe
1112	svchost.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
1112	svchost.exe
1112	svchost.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
1112	svchost.exe
1112	svchost.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
1112	svchost.exe
1112	svchost.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
1112	svchost.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
1112	svchost.exe
1112	svchost.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
1112	svchost.exe
1112	svchost.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
1112	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	968	hkcmd.exe
Token: SeTcbPrivilege	968	hkcmd.exe
Token: SeDebugPrivilege	2040	hkcmd.exe
Token: SeTcbPrivilege	2040	hkcmd.exe
Token: SeDebugPrivilege	1112	svchost.exe
Token: SeTcbPrivilege	1112	svchost.exe
Token: SeDebugPrivilege	628	msiexec.exe
Token: SeTcbPrivilege	628	msiexec.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 360 wrote to memory of 968	360	5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe	27
PID 360 wrote to memory of 968	360	5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe	27
PID 360 wrote to memory of 968	360	5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe	27
PID 360 wrote to memory of 968	360	5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe	27
PID 360 wrote to memory of 968	360	5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe	27
PID 360 wrote to memory of 968	360	5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe	27
PID 360 wrote to memory of 968	360	5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe	27
PID 2040 wrote to memory of 1112	2040	hkcmd.exe	29
PID 2040 wrote to memory of 1112	2040	hkcmd.exe	29
PID 2040 wrote to memory of 1112	2040	hkcmd.exe	29
PID 2040 wrote to memory of 1112	2040	hkcmd.exe	29
PID 2040 wrote to memory of 1112	2040	hkcmd.exe	29
PID 2040 wrote to memory of 1112	2040	hkcmd.exe	29
PID 2040 wrote to memory of 1112	2040	hkcmd.exe	29
PID 2040 wrote to memory of 1112	2040	hkcmd.exe	29
PID 2040 wrote to memory of 1112	2040	hkcmd.exe	29
PID 1112 wrote to memory of 628	1112	svchost.exe	30
PID 1112 wrote to memory of 628	1112	svchost.exe	30
PID 1112 wrote to memory of 628	1112	svchost.exe	30
PID 1112 wrote to memory of 628	1112	svchost.exe	30
PID 1112 wrote to memory of 628	1112	svchost.exe	30
PID 1112 wrote to memory of 628	1112	svchost.exe	30
PID 1112 wrote to memory of 628	1112	svchost.exe	30
PID 1112 wrote to memory of 628	1112	svchost.exe	30
PID 1112 wrote to memory of 628	1112	svchost.exe	30
PID 1112 wrote to memory of 628	1112	svchost.exe	30
PID 1112 wrote to memory of 628	1112	svchost.exe	30
PID 1112 wrote to memory of 628	1112	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe
"C:\Users\Admin\AppData\Local\Temp\5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:360
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:968

C:\ProgramData\AVck\hkcmd.exe
C:\ProgramData\AVck\hkcmd.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Deletes itself
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1112
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AVck\hccutils.DLL

Filesize
2KB

MD5
1b49645bc75c8353c1bf0d9feb3af7e5

SHA1
5684b5d6d42bf284cfd5537f0300371c3f006314

SHA256
87fd3a7ec2f818443ebc19df89c1f22f5cc44fa6d1a45c2482578d2d9e0b4533

SHA512
b979c7bd8174e2f7a09aba3df78143043d2682a6677084cbcca1eb6aced6627fea783e95b6f57ad418624049375fe17a350cffe32f27c5f1bc7c701b3189359e

Download Submit
C:\ProgramData\AVck\hccutils.DLL.hcc

Filesize
122KB

MD5
1546b7616bea033524a81939983bc766

SHA1
e0a1751cdb7c0d3eb486ea70faeec13a0b352fb4

SHA256
034e116d7e575029461af32ddd04494d67a62d4fe929e779c51b34d106ebc5e6

SHA512
6c7c84f29fbd33e6c3ff6ec14ff1d860beee0bb03703b26798757e2706098f6bad7a245a201f5de82a12f77c394ef30931636abf5f6b71c0d1833d1dd53fc8cb

Download Submit
C:\ProgramData\AVck\hkcmd.exe

Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
456B

MD5
2b4c237f10dc501e9309c37dce68a47d

SHA1
017d7e02f1fcd8cae17be23c7011c322c6a0264e

SHA256
9e07c7606396cb797dd3417a78c9380beb223b6b60e8bd84e6dbcf132e98e485

SHA512
537f269bf2f8ba3673197e24cde1c2c786ab4a3e41397bf6a27405cc7129d9b649244d61eb39cf3bf9196d10af3ca5d3f159e271240031bcf6c4d6aeda4a01cd

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
618B

MD5
74af5a000752646ea7ccc48d4ab97558

SHA1
92fc4967bb9e9aa79c7122481280c6c8824cce96

SHA256
e0dbb45258e32432201a9e6a0300bd1a699e0f19d02ba64d791c31c92d5297e7

SHA512
d78916fbb191f2dce66710ab0ccfc1234bcf6483c721904f5473a61b50ac13e66e42209d7f230e04d2803b3cb26fc0d59335c62795988209e01775fc0b2a14a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.DLL

Filesize
2KB

MD5
1b49645bc75c8353c1bf0d9feb3af7e5

SHA1
5684b5d6d42bf284cfd5537f0300371c3f006314

SHA256
87fd3a7ec2f818443ebc19df89c1f22f5cc44fa6d1a45c2482578d2d9e0b4533

SHA512
b979c7bd8174e2f7a09aba3df78143043d2682a6677084cbcca1eb6aced6627fea783e95b6f57ad418624049375fe17a350cffe32f27c5f1bc7c701b3189359e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.DLL.hcc

Filesize
122KB

MD5
1546b7616bea033524a81939983bc766

SHA1
e0a1751cdb7c0d3eb486ea70faeec13a0b352fb4

SHA256
034e116d7e575029461af32ddd04494d67a62d4fe929e779c51b34d106ebc5e6

SHA512
6c7c84f29fbd33e6c3ff6ec14ff1d860beee0bb03703b26798757e2706098f6bad7a245a201f5de82a12f77c394ef30931636abf5f6b71c0d1833d1dd53fc8cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe

Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe

Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
\ProgramData\AVck\hccutils.dll

Filesize
2KB

MD5
1b49645bc75c8353c1bf0d9feb3af7e5

SHA1
5684b5d6d42bf284cfd5537f0300371c3f006314

SHA256
87fd3a7ec2f818443ebc19df89c1f22f5cc44fa6d1a45c2482578d2d9e0b4533

SHA512
b979c7bd8174e2f7a09aba3df78143043d2682a6677084cbcca1eb6aced6627fea783e95b6f57ad418624049375fe17a350cffe32f27c5f1bc7c701b3189359e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.dll

Filesize
2KB

MD5
1b49645bc75c8353c1bf0d9feb3af7e5

SHA1
5684b5d6d42bf284cfd5537f0300371c3f006314

SHA256
87fd3a7ec2f818443ebc19df89c1f22f5cc44fa6d1a45c2482578d2d9e0b4533

SHA512
b979c7bd8174e2f7a09aba3df78143043d2682a6677084cbcca1eb6aced6627fea783e95b6f57ad418624049375fe17a350cffe32f27c5f1bc7c701b3189359e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe

Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe

Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe

Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe

Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
memory/360-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/628-87-0x00000000002D0000-0x0000000000301000-memory.dmp

Filesize
196KB

Download
memory/628-85-0x00000000002D0000-0x0000000000301000-memory.dmp

Filesize
196KB

Download
memory/968-79-0x00000000002A0000-0x00000000002D1000-memory.dmp

Filesize
196KB

Download
memory/968-65-0x0000000000870000-0x0000000000970000-memory.dmp

Filesize
1024KB

Download
memory/1112-80-0x00000000001D0000-0x0000000000201000-memory.dmp

Filesize
196KB

Download
memory/1112-72-0x00000000000A0000-0x00000000000BD000-memory.dmp

Filesize
116KB

Download
memory/1112-86-0x00000000001D0000-0x0000000000201000-memory.dmp

Filesize
196KB

Download
memory/2040-76-0x00000000002C0000-0x00000000002F1000-memory.dmp

Filesize
196KB

Download