plugx | a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189

Analysis

max time kernel
173s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
01-07-2022 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe
Size

235KB
MD5

804ce843677035dfd28bbe503d700500
SHA1

b864221b9e32f72e3da26c25f011bb0472786e7a
SHA256

a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189
SHA512

cc3202f602608c89320eaaf8d53efe7eba0355509c0395be91ca53aa310208f3ff484d64e502d2edaa36e7c5cc19847a13c9463202476821af906ae0f06cc58c

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 7 IoCs

resource	yara_rule
behavioral2/memory/2504-137-0x0000000002180000-0x00000000021AC000-memory.dmp	family_plugx
behavioral2/memory/4608-146-0x0000000000E10000-0x0000000000E3C000-memory.dmp	family_plugx
behavioral2/memory/312-148-0x0000000000CF0000-0x0000000000D1C000-memory.dmp	family_plugx
behavioral2/memory/3596-147-0x0000000002150000-0x000000000217C000-memory.dmp	family_plugx
behavioral2/memory/4140-150-0x00000000021B0000-0x00000000021DC000-memory.dmp	family_plugx
behavioral2/memory/312-151-0x0000000000CF0000-0x0000000000D1C000-memory.dmp	family_plugx
behavioral2/memory/4140-152-0x00000000021B0000-0x00000000021DC000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
2504	Nv.exe
3596	Nv.exe
4608	Nv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe

Loads dropped DLL 3 IoCs

pid	Process
2504	Nv.exe
3596	Nv.exe
4608	Nv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 42003700460042004300460045003100380045003500430046003400410041000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2504	Nv.exe
2504	Nv.exe
312	svchost.exe
312	svchost.exe
312	svchost.exe
312	svchost.exe
4140	msiexec.exe
4140	msiexec.exe
312	svchost.exe
312	svchost.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
312	svchost.exe
312	svchost.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
312	svchost.exe
312	svchost.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
312	svchost.exe
312	svchost.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
312	svchost.exe
312	svchost.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe
4140	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
312	svchost.exe
4140	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	Nv.exe
Token: SeTcbPrivilege	2504	Nv.exe
Token: SeDebugPrivilege	3596	Nv.exe
Token: SeTcbPrivilege	3596	Nv.exe
Token: SeDebugPrivilege	4608	Nv.exe
Token: SeTcbPrivilege	4608	Nv.exe
Token: SeDebugPrivilege	312	svchost.exe
Token: SeTcbPrivilege	312	svchost.exe
Token: SeDebugPrivilege	4140	msiexec.exe
Token: SeTcbPrivilege	4140	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2504	2332	a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe	79
PID 2332 wrote to memory of 2504	2332	a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe	79
PID 2332 wrote to memory of 2504	2332	a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe	79
PID 4608 wrote to memory of 312	4608	Nv.exe	83
PID 4608 wrote to memory of 312	4608	Nv.exe	83
PID 4608 wrote to memory of 312	4608	Nv.exe	83
PID 4608 wrote to memory of 312	4608	Nv.exe	83
PID 4608 wrote to memory of 312	4608	Nv.exe	83
PID 4608 wrote to memory of 312	4608	Nv.exe	83
PID 4608 wrote to memory of 312	4608	Nv.exe	83
PID 4608 wrote to memory of 312	4608	Nv.exe	83
PID 312 wrote to memory of 4140	312	svchost.exe	84
PID 312 wrote to memory of 4140	312	svchost.exe	84
PID 312 wrote to memory of 4140	312	svchost.exe	84
PID 312 wrote to memory of 4140	312	svchost.exe	84
PID 312 wrote to memory of 4140	312	svchost.exe	84
PID 312 wrote to memory of 4140	312	svchost.exe	84
PID 312 wrote to memory of 4140	312	svchost.exe	84
PID 312 wrote to memory of 4140	312	svchost.exe	84

C:\Users\Admin\AppData\Local\Temp\a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe
"C:\Users\Admin\AppData\Local\Temp\a281d5e93518d3a0e6e83f2874297389aec4d42ece26b358623e902cd1959189.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2504

C:\ProgramData\SxS\Nv.exe
"C:\ProgramData\SxS\Nv.exe" 100 2504
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\ProgramData\SxS\Nv.exe
"C:\ProgramData\SxS\Nv.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:312
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 312
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\Nv.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\SxS\Nv.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\SxS\Nv.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\SxS\Nv.mp3

Filesize
110KB

MD5
f4147a7cad74bac49b4802a6a9193b9a

SHA1
19a68fd6f2645564cd8d14fea10f12f8a44e8cba

SHA256
214c4c43d4c2a1465c8d1449ec1d009931d005fa1937e284b6e33a91c2e69784

SHA512
4ae32f7450cc5dfa8f32bfb91f95e47e27e6032fa7bf2c43fc0d68ded3d633767b2ad3e2e81e0a19d7a94e3c4f23b58cc2fc74d339401010d785f56b6b49ea37

Download Submit
C:\ProgramData\SxS\NvSmartMax.dll

Filesize
2KB

MD5
88b2b509ac234c097b021fa84cf5cecc

SHA1
b22671d3196be80806cf2066cc0ca2684a36f2af

SHA256
9e5f7810a69bf0c8292556adf8c32a270e272f2098298eb328068a45e4d09d27

SHA512
cf1750f1476378171a6f2a4fe828aece41d9c02440abaf1c2719858b4623af1d892ad8f1a45aa621ba69fe9374213b81bad8e5b701ff461b76d7eecaec717262

Download Submit
C:\ProgramData\SxS\NvSmartMax.dll

Filesize
2KB

MD5
88b2b509ac234c097b021fa84cf5cecc

SHA1
b22671d3196be80806cf2066cc0ca2684a36f2af

SHA256
9e5f7810a69bf0c8292556adf8c32a270e272f2098298eb328068a45e4d09d27

SHA512
cf1750f1476378171a6f2a4fe828aece41d9c02440abaf1c2719858b4623af1d892ad8f1a45aa621ba69fe9374213b81bad8e5b701ff461b76d7eecaec717262

Download Submit
C:\ProgramData\SxS\NvSmartMax.dll

Filesize
2KB

MD5
88b2b509ac234c097b021fa84cf5cecc

SHA1
b22671d3196be80806cf2066cc0ca2684a36f2af

SHA256
9e5f7810a69bf0c8292556adf8c32a270e272f2098298eb328068a45e4d09d27

SHA512
cf1750f1476378171a6f2a4fe828aece41d9c02440abaf1c2719858b4623af1d892ad8f1a45aa621ba69fe9374213b81bad8e5b701ff461b76d7eecaec717262

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.mp3

Filesize
110KB

MD5
f4147a7cad74bac49b4802a6a9193b9a

SHA1
19a68fd6f2645564cd8d14fea10f12f8a44e8cba

SHA256
214c4c43d4c2a1465c8d1449ec1d009931d005fa1937e284b6e33a91c2e69784

SHA512
4ae32f7450cc5dfa8f32bfb91f95e47e27e6032fa7bf2c43fc0d68ded3d633767b2ad3e2e81e0a19d7a94e3c4f23b58cc2fc74d339401010d785f56b6b49ea37

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll

Filesize
2KB

MD5
88b2b509ac234c097b021fa84cf5cecc

SHA1
b22671d3196be80806cf2066cc0ca2684a36f2af

SHA256
9e5f7810a69bf0c8292556adf8c32a270e272f2098298eb328068a45e4d09d27

SHA512
cf1750f1476378171a6f2a4fe828aece41d9c02440abaf1c2719858b4623af1d892ad8f1a45aa621ba69fe9374213b81bad8e5b701ff461b76d7eecaec717262

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll

Filesize
2KB

MD5
88b2b509ac234c097b021fa84cf5cecc

SHA1
b22671d3196be80806cf2066cc0ca2684a36f2af

SHA256
9e5f7810a69bf0c8292556adf8c32a270e272f2098298eb328068a45e4d09d27

SHA512
cf1750f1476378171a6f2a4fe828aece41d9c02440abaf1c2719858b4623af1d892ad8f1a45aa621ba69fe9374213b81bad8e5b701ff461b76d7eecaec717262

Download Submit
memory/312-151-0x0000000000CF0000-0x0000000000D1C000-memory.dmp

Filesize
176KB

Download
memory/312-148-0x0000000000CF0000-0x0000000000D1C000-memory.dmp

Filesize
176KB

Download
memory/2504-137-0x0000000002180000-0x00000000021AC000-memory.dmp

Filesize
176KB

Download
memory/2504-136-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/3596-147-0x0000000002150000-0x000000000217C000-memory.dmp

Filesize
176KB

Download
memory/4140-150-0x00000000021B0000-0x00000000021DC000-memory.dmp

Filesize
176KB

Download
memory/4140-152-0x00000000021B0000-0x00000000021DC000-memory.dmp

Filesize
176KB

Download
memory/4608-146-0x0000000000E10000-0x0000000000E3C000-memory.dmp

Filesize
176KB

Download