plugx | a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189

Analysis

max time kernel
155s
max time network
173s
platform
windows7_x64
resource
win7-20220414-en
submitted
01-07-2022 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe
Size

235KB
MD5

804ce843677035dfd28bbe503d700500
SHA1

b864221b9e32f72e3da26c25f011bb0472786e7a
SHA256

a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189
SHA512

cc3202f602608c89320eaaf8d53efe7eba0355509c0395be91ca53aa310208f3ff484d64e502d2edaa36e7c5cc19847a13c9463202476821af906ae0f06cc58c

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 8 IoCs

resource	yara_rule
behavioral1/memory/1652-67-0x0000000000340000-0x000000000036C000-memory.dmp	family_plugx
behavioral1/memory/1352-74-0x00000000005A0000-0x00000000005CC000-memory.dmp	family_plugx
behavioral1/memory/1524-82-0x0000000001C70000-0x0000000001C9C000-memory.dmp	family_plugx
behavioral1/memory/1372-83-0x00000000003B0000-0x00000000003DC000-memory.dmp	family_plugx
behavioral1/memory/1352-84-0x00000000005A0000-0x00000000005CC000-memory.dmp	family_plugx
behavioral1/memory/968-89-0x0000000000270000-0x000000000029C000-memory.dmp	family_plugx
behavioral1/memory/1372-90-0x00000000003B0000-0x00000000003DC000-memory.dmp	family_plugx
behavioral1/memory/968-91-0x0000000000270000-0x000000000029C000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
1652	Nv.exe
1352	Nv.exe
1524	Nv.exe

Deletes itself 1 IoCs

pid	Process
1652	Nv.exe

Loads dropped DLL 8 IoCs

pid	Process
1656	a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe
1656	a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe
1656	a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe
1656	a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe
1656	a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe
1652	Nv.exe
1352	Nv.exe
1524	Nv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 46003400380031003300320039004200310035003800430033003600420037000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1652	Nv.exe
1372	svchost.exe
1372	svchost.exe
1372	svchost.exe
1372	svchost.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
1372	svchost.exe
1372	svchost.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
1372	svchost.exe
1372	svchost.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
1372	svchost.exe
1372	svchost.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
1372	svchost.exe
1372	svchost.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
1372	svchost.exe
1372	svchost.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
1372	svchost.exe
1372	svchost.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
968	msiexec.exe
1372	svchost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	Nv.exe
Token: SeTcbPrivilege	1652	Nv.exe
Token: SeDebugPrivilege	1352	Nv.exe
Token: SeTcbPrivilege	1352	Nv.exe
Token: SeDebugPrivilege	1524	Nv.exe
Token: SeTcbPrivilege	1524	Nv.exe
Token: SeDebugPrivilege	1372	svchost.exe
Token: SeTcbPrivilege	1372	svchost.exe
Token: SeDebugPrivilege	968	msiexec.exe
Token: SeTcbPrivilege	968	msiexec.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1652	1656	a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe	28
PID 1656 wrote to memory of 1652	1656	a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe	28
PID 1656 wrote to memory of 1652	1656	a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe	28
PID 1656 wrote to memory of 1652	1656	a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe	28
PID 1656 wrote to memory of 1652	1656	a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe	28
PID 1656 wrote to memory of 1652	1656	a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe	28
PID 1656 wrote to memory of 1652	1656	a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe	28
PID 1524 wrote to memory of 1372	1524	Nv.exe	32
PID 1524 wrote to memory of 1372	1524	Nv.exe	32
PID 1524 wrote to memory of 1372	1524	Nv.exe	32
PID 1524 wrote to memory of 1372	1524	Nv.exe	32
PID 1524 wrote to memory of 1372	1524	Nv.exe	32
PID 1524 wrote to memory of 1372	1524	Nv.exe	32
PID 1524 wrote to memory of 1372	1524	Nv.exe	32
PID 1524 wrote to memory of 1372	1524	Nv.exe	32
PID 1524 wrote to memory of 1372	1524	Nv.exe	32
PID 1372 wrote to memory of 968	1372	svchost.exe	33
PID 1372 wrote to memory of 968	1372	svchost.exe	33
PID 1372 wrote to memory of 968	1372	svchost.exe	33
PID 1372 wrote to memory of 968	1372	svchost.exe	33
PID 1372 wrote to memory of 968	1372	svchost.exe	33
PID 1372 wrote to memory of 968	1372	svchost.exe	33
PID 1372 wrote to memory of 968	1372	svchost.exe	33
PID 1372 wrote to memory of 968	1372	svchost.exe	33
PID 1372 wrote to memory of 968	1372	svchost.exe	33
PID 1372 wrote to memory of 968	1372	svchost.exe	33
PID 1372 wrote to memory of 968	1372	svchost.exe	33
PID 1372 wrote to memory of 968	1372	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe
"C:\Users\Admin\AppData\Local\Temp\a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652

C:\ProgramData\SxS\Nv.exe
"C:\ProgramData\SxS\Nv.exe" 100 1652
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\ProgramData\SxS\Nv.exe
"C:\ProgramData\SxS\Nv.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1372
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\Nv.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\SxS\Nv.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\SxS\Nv.mp3

Filesize
110KB

MD5
f4147a7cad74bac49b4802a6a9193b9a

SHA1
19a68fd6f2645564cd8d14fea10f12f8a44e8cba

SHA256
214c4c43d4c2a1465c8d1449ec1d009931d005fa1937e284b6e33a91c2e69784

SHA512
4ae32f7450cc5dfa8f32bfb91f95e47e27e6032fa7bf2c43fc0d68ded3d633767b2ad3e2e81e0a19d7a94e3c4f23b58cc2fc74d339401010d785f56b6b49ea37

Download Submit
C:\ProgramData\SxS\NvSmartMax.dll

Filesize
2KB

MD5
88b2b509ac234c097b021fa84cf5cecc

SHA1
b22671d3196be80806cf2066cc0ca2684a36f2af

SHA256
9e5f7810a69bf0c8292556adf8c32a270e272f2098298eb328068a45e4d09d27

SHA512
cf1750f1476378171a6f2a4fe828aece41d9c02440abaf1c2719858b4623af1d892ad8f1a45aa621ba69fe9374213b81bad8e5b701ff461b76d7eecaec717262

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.mp3

Filesize
110KB

MD5
f4147a7cad74bac49b4802a6a9193b9a

SHA1
19a68fd6f2645564cd8d14fea10f12f8a44e8cba

SHA256
214c4c43d4c2a1465c8d1449ec1d009931d005fa1937e284b6e33a91c2e69784

SHA512
4ae32f7450cc5dfa8f32bfb91f95e47e27e6032fa7bf2c43fc0d68ded3d633767b2ad3e2e81e0a19d7a94e3c4f23b58cc2fc74d339401010d785f56b6b49ea37

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll

Filesize
2KB

MD5
88b2b509ac234c097b021fa84cf5cecc

SHA1
b22671d3196be80806cf2066cc0ca2684a36f2af

SHA256
9e5f7810a69bf0c8292556adf8c32a270e272f2098298eb328068a45e4d09d27

SHA512
cf1750f1476378171a6f2a4fe828aece41d9c02440abaf1c2719858b4623af1d892ad8f1a45aa621ba69fe9374213b81bad8e5b701ff461b76d7eecaec717262

Download Submit
\ProgramData\SxS\NvSmartMax.dll

Filesize
2KB

MD5
88b2b509ac234c097b021fa84cf5cecc

SHA1
b22671d3196be80806cf2066cc0ca2684a36f2af

SHA256
9e5f7810a69bf0c8292556adf8c32a270e272f2098298eb328068a45e4d09d27

SHA512
cf1750f1476378171a6f2a4fe828aece41d9c02440abaf1c2719858b4623af1d892ad8f1a45aa621ba69fe9374213b81bad8e5b701ff461b76d7eecaec717262

Download Submit
\ProgramData\SxS\NvSmartMax.dll

Filesize
2KB

MD5
88b2b509ac234c097b021fa84cf5cecc

SHA1
b22671d3196be80806cf2066cc0ca2684a36f2af

SHA256
9e5f7810a69bf0c8292556adf8c32a270e272f2098298eb328068a45e4d09d27

SHA512
cf1750f1476378171a6f2a4fe828aece41d9c02440abaf1c2719858b4623af1d892ad8f1a45aa621ba69fe9374213b81bad8e5b701ff461b76d7eecaec717262

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll

Filesize
2KB

MD5
88b2b509ac234c097b021fa84cf5cecc

SHA1
b22671d3196be80806cf2066cc0ca2684a36f2af

SHA256
9e5f7810a69bf0c8292556adf8c32a270e272f2098298eb328068a45e4d09d27

SHA512
cf1750f1476378171a6f2a4fe828aece41d9c02440abaf1c2719858b4623af1d892ad8f1a45aa621ba69fe9374213b81bad8e5b701ff461b76d7eecaec717262

Download Submit
memory/968-91-0x0000000000270000-0x000000000029C000-memory.dmp

Filesize
176KB

Download
memory/968-89-0x0000000000270000-0x000000000029C000-memory.dmp

Filesize
176KB

Download
memory/1352-74-0x00000000005A0000-0x00000000005CC000-memory.dmp

Filesize
176KB

Download
memory/1352-84-0x00000000005A0000-0x00000000005CC000-memory.dmp

Filesize
176KB

Download
memory/1372-90-0x00000000003B0000-0x00000000003DC000-memory.dmp

Filesize
176KB

Download
memory/1372-78-0x00000000000A0000-0x00000000000BA000-memory.dmp

Filesize
104KB

Download
memory/1372-83-0x00000000003B0000-0x00000000003DC000-memory.dmp

Filesize
176KB

Download
memory/1524-82-0x0000000001C70000-0x0000000001C9C000-memory.dmp

Filesize
176KB

Download
memory/1652-67-0x0000000000340000-0x000000000036C000-memory.dmp

Filesize
176KB

Download
memory/1652-66-0x0000000000900000-0x0000000000A00000-memory.dmp

Filesize
1024KB

Download
memory/1656-54-0x00000000765C1000-0x00000000765C3000-memory.dmp

Filesize
8KB

Download