plugx | 38381aa1b897a8c4533a83fd5bfc60fdc9a839b568a26033649005dfc164ad75

Analysis

max time kernel
159s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25/06/2022, 20:45 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38381aa1b897a8c4533a83fd5bfc60fdc9a839b568a26033649005dfc164ad75.exe
Size

314KB
MD5

b83ea939e613dd56cb93f4917e7d9d50
SHA1

121f18843dc6fe8779247ab0a931bd6840c67436
SHA256

38381aa1b897a8c4533a83fd5bfc60fdc9a839b568a26033649005dfc164ad75
SHA512

3ab8a22f6c6ca34dbd59b4ff37e4ee46cc607a5d1321cfbf263fbc17c6c670188feface18aa1729808911c6dee7013d36c90f4522f71f7a534d16ed2fb96e229

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 9 IoCs

resource	yara_rule
behavioral2/memory/2248-137-0x0000000002210000-0x0000000002240000-memory.dmp	family_plugx
behavioral2/memory/4324-144-0x00000000021E0000-0x0000000002210000-memory.dmp	family_plugx
behavioral2/memory/1368-149-0x00000000009D0000-0x0000000000A00000-memory.dmp	family_plugx
behavioral2/memory/2248-151-0x0000000002210000-0x0000000002240000-memory.dmp	family_plugx
behavioral2/memory/1012-152-0x0000000001830000-0x0000000001860000-memory.dmp	family_plugx
behavioral2/memory/4324-153-0x00000000021E0000-0x0000000002210000-memory.dmp	family_plugx
behavioral2/memory/4176-155-0x0000000002A10000-0x0000000002A40000-memory.dmp	family_plugx
behavioral2/memory/1012-156-0x0000000001830000-0x0000000001860000-memory.dmp	family_plugx
behavioral2/memory/4176-157-0x0000000002A10000-0x0000000002A40000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
2248	QQBrowserUpdateService.exe
4324	QQBrowserUpdateService.exe
1368	QQBrowserUpdateService.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	38381aa1b897a8c4533a83fd5bfc60fdc9a839b568a26033649005dfc164ad75.exe

Loads dropped DLL 3 IoCs

pid	Process
2248	QQBrowserUpdateService.exe
4324	QQBrowserUpdateService.exe
1368	QQBrowserUpdateService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 31004500390044003800330032003800410034004600440033003000410046000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2248	QQBrowserUpdateService.exe
2248	QQBrowserUpdateService.exe
1012	svchost.exe
1012	svchost.exe
1012	svchost.exe
1012	svchost.exe
1012	svchost.exe
1012	svchost.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
1012	svchost.exe
1012	svchost.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
1012	svchost.exe
1012	svchost.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
1012	svchost.exe
1012	svchost.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
1012	svchost.exe
1012	svchost.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe
4176	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	QQBrowserUpdateService.exe
Token: SeTcbPrivilege	2248	QQBrowserUpdateService.exe
Token: SeDebugPrivilege	4324	QQBrowserUpdateService.exe
Token: SeTcbPrivilege	4324	QQBrowserUpdateService.exe
Token: SeDebugPrivilege	1368	QQBrowserUpdateService.exe
Token: SeTcbPrivilege	1368	QQBrowserUpdateService.exe
Token: SeDebugPrivilege	1012	svchost.exe
Token: SeTcbPrivilege	1012	svchost.exe
Token: SeDebugPrivilege	4176	msiexec.exe
Token: SeTcbPrivilege	4176	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 2248	5016	38381aa1b897a8c4533a83fd5bfc60fdc9a839b568a26033649005dfc164ad75.exe	86
PID 5016 wrote to memory of 2248	5016	38381aa1b897a8c4533a83fd5bfc60fdc9a839b568a26033649005dfc164ad75.exe	86
PID 5016 wrote to memory of 2248	5016	38381aa1b897a8c4533a83fd5bfc60fdc9a839b568a26033649005dfc164ad75.exe	86
PID 1368 wrote to memory of 1012	1368	QQBrowserUpdateService.exe	93
PID 1368 wrote to memory of 1012	1368	QQBrowserUpdateService.exe	93
PID 1368 wrote to memory of 1012	1368	QQBrowserUpdateService.exe	93
PID 1368 wrote to memory of 1012	1368	QQBrowserUpdateService.exe	93
PID 1368 wrote to memory of 1012	1368	QQBrowserUpdateService.exe	93
PID 1368 wrote to memory of 1012	1368	QQBrowserUpdateService.exe	93
PID 1368 wrote to memory of 1012	1368	QQBrowserUpdateService.exe	93
PID 1368 wrote to memory of 1012	1368	QQBrowserUpdateService.exe	93
PID 1012 wrote to memory of 4176	1012	svchost.exe	94
PID 1012 wrote to memory of 4176	1012	svchost.exe	94
PID 1012 wrote to memory of 4176	1012	svchost.exe	94
PID 1012 wrote to memory of 4176	1012	svchost.exe	94
PID 1012 wrote to memory of 4176	1012	svchost.exe	94
PID 1012 wrote to memory of 4176	1012	svchost.exe	94
PID 1012 wrote to memory of 4176	1012	svchost.exe	94
PID 1012 wrote to memory of 4176	1012	svchost.exe	94

C:\Users\Admin\AppData\Local\Temp\38381aa1b897a8c4533a83fd5bfc60fdc9a839b568a26033649005dfc164ad75.exe
"C:\Users\Admin\AppData\Local\Temp\38381aa1b897a8c4533a83fd5bfc60fdc9a839b568a26033649005dfc164ad75.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\QQBrowserUpdateService.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\QQBrowserUpdateService.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248

C:\ProgramData\QQUpdater\QQBrowserUpdateService.exe
"C:\ProgramData\QQUpdater\QQBrowserUpdateService.exe" 100 2248
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\ProgramData\QQUpdater\QQBrowserUpdateService.exe
"C:\ProgramData\QQUpdater\QQBrowserUpdateService.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1012
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4176

10.127.255.255:53

dns

svchost.exe

864 B
6
127.0.0.1:12345

svchost.exe
127.0.0.1:12345

svchost.exe
127.0.0.1:12345

svchost.exe

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\QQUpdater\PDH.dll

Filesize
8KB

MD5
2ab8934a0133f1cf3122b1bbab6de846

SHA1
4e0db9d32f99d724fdaa56d18e9fad687333f18a

SHA256
462713911bac73ee904afab28d19f366b6b125ca7656144142654892319259fc

SHA512
164075833213b164b722854252f5349fdae8cb9ba80028fde7670f5bb90b9dae34befd4e32ffc1cd11ae6cbad3fc3176e77a3a85cdf1583c73153387d6d831c5

Download Submit
C:\ProgramData\QQUpdater\PDH.dll

Filesize
8KB

MD5
2ab8934a0133f1cf3122b1bbab6de846

SHA1
4e0db9d32f99d724fdaa56d18e9fad687333f18a

SHA256
462713911bac73ee904afab28d19f366b6b125ca7656144142654892319259fc

SHA512
164075833213b164b722854252f5349fdae8cb9ba80028fde7670f5bb90b9dae34befd4e32ffc1cd11ae6cbad3fc3176e77a3a85cdf1583c73153387d6d831c5

Download Submit
C:\ProgramData\QQUpdater\QQBrowser.pak

Filesize
120KB

MD5
768fb7e913b66701a20cdea2abc7f884

SHA1
10e8ddf7333109b430ccaeb87ae644051d120f5e

SHA256
92812f4d34aca0bd7c7e2f67abd2c1813546f2826ec3380fc45a5ea0822ea76b

SHA512
19c261f9b6508288f0e88d1b9f6385d3393bcb92d6a31c521ea6a22955f17d02b9e1dc690812bdaa9a3ad84ba9929a5732529b78b0f6df560bca573170a23290

Download Submit
C:\ProgramData\QQUpdater\QQBrowserUpdateService.exe

Filesize
204KB

MD5
bf8c7b6e88a049fda4ebd7407488aca6

SHA1
8b889494f25aafcef5e92b6cc7b2e0e0e217e60a

SHA256
28e0bafc9b20c4a5104d558a36600098429e8ac779a46e52a28edd432e6457e2

SHA512
35a72a887e4389bf7faa5ebe712d569301d03678816b2631712138628f03dd26430682a2ec656ae7167c19314f8c6dc162993789bdb0b3eca298f95c3f27da08

Download Submit
C:\ProgramData\QQUpdater\QQBrowserUpdateService.exe

Filesize
204KB

MD5
bf8c7b6e88a049fda4ebd7407488aca6

SHA1
8b889494f25aafcef5e92b6cc7b2e0e0e217e60a

SHA256
28e0bafc9b20c4a5104d558a36600098429e8ac779a46e52a28edd432e6457e2

SHA512
35a72a887e4389bf7faa5ebe712d569301d03678816b2631712138628f03dd26430682a2ec656ae7167c19314f8c6dc162993789bdb0b3eca298f95c3f27da08

Download Submit
C:\ProgramData\QQUpdater\QQBrowserUpdateService.exe

Filesize
204KB

MD5
bf8c7b6e88a049fda4ebd7407488aca6

SHA1
8b889494f25aafcef5e92b6cc7b2e0e0e217e60a

SHA256
28e0bafc9b20c4a5104d558a36600098429e8ac779a46e52a28edd432e6457e2

SHA512
35a72a887e4389bf7faa5ebe712d569301d03678816b2631712138628f03dd26430682a2ec656ae7167c19314f8c6dc162993789bdb0b3eca298f95c3f27da08

Download Submit
C:\ProgramData\QQUpdater\pdh.dll

Filesize
8KB

MD5
2ab8934a0133f1cf3122b1bbab6de846

SHA1
4e0db9d32f99d724fdaa56d18e9fad687333f18a

SHA256
462713911bac73ee904afab28d19f366b6b125ca7656144142654892319259fc

SHA512
164075833213b164b722854252f5349fdae8cb9ba80028fde7670f5bb90b9dae34befd4e32ffc1cd11ae6cbad3fc3176e77a3a85cdf1583c73153387d6d831c5

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
460B

MD5
4666ad3876adbe46b909b9c729c50334

SHA1
a086743576b04d1aae7d842e0a101bf95b292fbd

SHA256
f5cbfa380dc5d84788308c0d529ca85c30d95dbb3548dba06393438cfb540ab7

SHA512
0da73fcf7ac932e23a4b3c2854ffdc22bca576db34e9f973dd3dc9516e1cae5d32b8ef45e60165117b8eaab19b17bb743d31365843ee6b9ef109f2fc293cd4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PDH.dll

Filesize
8KB

MD5
2ab8934a0133f1cf3122b1bbab6de846

SHA1
4e0db9d32f99d724fdaa56d18e9fad687333f18a

SHA256
462713911bac73ee904afab28d19f366b6b125ca7656144142654892319259fc

SHA512
164075833213b164b722854252f5349fdae8cb9ba80028fde7670f5bb90b9dae34befd4e32ffc1cd11ae6cbad3fc3176e77a3a85cdf1583c73153387d6d831c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\QQBrowser.pak

Filesize
120KB

MD5
768fb7e913b66701a20cdea2abc7f884

SHA1
10e8ddf7333109b430ccaeb87ae644051d120f5e

SHA256
92812f4d34aca0bd7c7e2f67abd2c1813546f2826ec3380fc45a5ea0822ea76b

SHA512
19c261f9b6508288f0e88d1b9f6385d3393bcb92d6a31c521ea6a22955f17d02b9e1dc690812bdaa9a3ad84ba9929a5732529b78b0f6df560bca573170a23290

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\QQBrowserUpdateService.exe

Filesize
204KB

MD5
bf8c7b6e88a049fda4ebd7407488aca6

SHA1
8b889494f25aafcef5e92b6cc7b2e0e0e217e60a

SHA256
28e0bafc9b20c4a5104d558a36600098429e8ac779a46e52a28edd432e6457e2

SHA512
35a72a887e4389bf7faa5ebe712d569301d03678816b2631712138628f03dd26430682a2ec656ae7167c19314f8c6dc162993789bdb0b3eca298f95c3f27da08

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\QQBrowserUpdateService.exe

Filesize
204KB

MD5
bf8c7b6e88a049fda4ebd7407488aca6

SHA1
8b889494f25aafcef5e92b6cc7b2e0e0e217e60a

SHA256
28e0bafc9b20c4a5104d558a36600098429e8ac779a46e52a28edd432e6457e2

SHA512
35a72a887e4389bf7faa5ebe712d569301d03678816b2631712138628f03dd26430682a2ec656ae7167c19314f8c6dc162993789bdb0b3eca298f95c3f27da08

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pdh.dll

Filesize
8KB

MD5
2ab8934a0133f1cf3122b1bbab6de846

SHA1
4e0db9d32f99d724fdaa56d18e9fad687333f18a

SHA256
462713911bac73ee904afab28d19f366b6b125ca7656144142654892319259fc

SHA512
164075833213b164b722854252f5349fdae8cb9ba80028fde7670f5bb90b9dae34befd4e32ffc1cd11ae6cbad3fc3176e77a3a85cdf1583c73153387d6d831c5

Download Submit
memory/1012-152-0x0000000001830000-0x0000000001860000-memory.dmp

Filesize
192KB

Download
memory/1012-156-0x0000000001830000-0x0000000001860000-memory.dmp

Filesize
192KB

Download
memory/1368-149-0x00000000009D0000-0x0000000000A00000-memory.dmp

Filesize
192KB

Download
memory/2248-136-0x00000000022F0000-0x00000000023F0000-memory.dmp

Filesize
1024KB

Download
memory/2248-137-0x0000000002210000-0x0000000002240000-memory.dmp

Filesize
192KB

Download
memory/2248-151-0x0000000002210000-0x0000000002240000-memory.dmp

Filesize
192KB

Download
memory/4176-155-0x0000000002A10000-0x0000000002A40000-memory.dmp

Filesize
192KB

Download
memory/4176-157-0x0000000002A10000-0x0000000002A40000-memory.dmp

Filesize
192KB

Download
memory/4324-144-0x00000000021E0000-0x0000000002210000-memory.dmp

Filesize
192KB

Download
memory/4324-153-0x00000000021E0000-0x0000000002210000-memory.dmp

Filesize
192KB

Download