plugx | bf0bfdf017bdce9ba2359784a42c4ce7ee3e1a6ce47716e0b31c40be8c61e18a

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20220414-en
submitted
01-07-2022 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf0bfdf017bdce9ba2359784a42c4ce7ee3e1a6ce47716e0b31c40be8c61e18a.exe
Size

472KB
MD5

46f2c5f4ba116e0abdc2165778adaa3a
SHA1

27aad7de7c4f686992c9c378992f50d4e38445e3
SHA256

bf0bfdf017bdce9ba2359784a42c4ce7ee3e1a6ce47716e0b31c40be8c61e18a
SHA512

829b4eee0fe22febecb19a88064f420f46915b0716477e59613d378c1f5ab9becca3db62c841e1077a2af5f2fbbce54d16ff0821d64b1fffcf7494497a91d68e

Score

10^/10

plugx suricata trojan

Malware Config

Signatures

Detects PlugX Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2044-68-0x0000000000380000-0x00000000003B1000-memory.dmp	family_plugx
behavioral1/memory/2024-75-0x0000000000480000-0x00000000004B1000-memory.dmp	family_plugx
behavioral1/memory/980-76-0x00000000001D0000-0x0000000000201000-memory.dmp	family_plugx
behavioral1/memory/1876-82-0x00000000002A0000-0x00000000002D1000-memory.dmp	family_plugx
behavioral1/memory/980-84-0x00000000001D0000-0x0000000000201000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
suricata: ET MALWARE Trojan.Win32.DLOADR.TIOIBEPQ CnC Traffic
suricata: ET MALWARE Trojan.Win32.DLOADR.TIOIBEPQ CnC Traffic
suricata

Executes dropped EXE 3 IoCs

pid	Process
1016	start.exe
2044	RsTray.exe
2024	RsTray.exe

Loads dropped DLL 4 IoCs

pid	Process
1964	bf0bfdf017bdce9ba2359784a42c4ce7ee3e1a6ce47716e0b31c40be8c61e18a.exe
1964	bf0bfdf017bdce9ba2359784a42c4ce7ee3e1a6ce47716e0b31c40be8c61e18a.exe
2044	RsTray.exe
2024	RsTray.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	153.148.120.217
Destination IP	153.148.120.217
Destination IP	153.148.120.217

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59391BEF-0CE5-4F47-AA19-DC4C8DA4B4DC}\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59391BEF-0CE5-4F47-AA19-DC4C8DA4B4DC}\WpadDecisionTime = 709c6ea90f8dd801	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59391BEF-0CE5-4F47-AA19-DC4C8DA4B4DC}\WpadNetworkName = "Network 3"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-f8-1a-e9-fe-67	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-f8-1a-e9-fe-67\WpadDecisionTime = 709c6ea90f8dd801	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-f8-1a-e9-fe-67\WpadDetectedUrl	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59391BEF-0CE5-4F47-AA19-DC4C8DA4B4DC}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59391BEF-0CE5-4F47-AA19-DC4C8DA4B4DC}\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59391BEF-0CE5-4F47-AA19-DC4C8DA4B4DC}\ca-f8-1a-e9-fe-67	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-f8-1a-e9-fe-67\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-f8-1a-e9-fe-67\WpadDecision = "0"	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 30003400310046004400320031003800300041003500390044003000440042000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1016	start.exe
980	svchost.exe
980	svchost.exe
980	svchost.exe
980	svchost.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
980	svchost.exe
980	svchost.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
980	svchost.exe
980	svchost.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
980	svchost.exe
980	svchost.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
980	svchost.exe
980	svchost.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
980	svchost.exe
980	svchost.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
980	svchost.exe
980	svchost.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
1876	msiexec.exe
980	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	RsTray.exe
Token: SeTcbPrivilege	2044	RsTray.exe
Token: SeDebugPrivilege	2024	RsTray.exe
Token: SeTcbPrivilege	2024	RsTray.exe
Token: SeDebugPrivilege	980	svchost.exe
Token: SeTcbPrivilege	980	svchost.exe
Token: SeDebugPrivilege	1876	msiexec.exe
Token: SeTcbPrivilege	1876	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1016	start.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1016	1964	bf0bfdf017bdce9ba2359784a42c4ce7ee3e1a6ce47716e0b31c40be8c61e18a.exe	28
PID 1964 wrote to memory of 1016	1964	bf0bfdf017bdce9ba2359784a42c4ce7ee3e1a6ce47716e0b31c40be8c61e18a.exe	28
PID 1964 wrote to memory of 1016	1964	bf0bfdf017bdce9ba2359784a42c4ce7ee3e1a6ce47716e0b31c40be8c61e18a.exe	28
PID 1964 wrote to memory of 1016	1964	bf0bfdf017bdce9ba2359784a42c4ce7ee3e1a6ce47716e0b31c40be8c61e18a.exe	28
PID 2024 wrote to memory of 980	2024	RsTray.exe	31
PID 2024 wrote to memory of 980	2024	RsTray.exe	31
PID 2024 wrote to memory of 980	2024	RsTray.exe	31
PID 2024 wrote to memory of 980	2024	RsTray.exe	31
PID 2024 wrote to memory of 980	2024	RsTray.exe	31
PID 2024 wrote to memory of 980	2024	RsTray.exe	31
PID 2024 wrote to memory of 980	2024	RsTray.exe	31
PID 2024 wrote to memory of 980	2024	RsTray.exe	31
PID 2024 wrote to memory of 980	2024	RsTray.exe	31
PID 980 wrote to memory of 1876	980	svchost.exe	32
PID 980 wrote to memory of 1876	980	svchost.exe	32
PID 980 wrote to memory of 1876	980	svchost.exe	32
PID 980 wrote to memory of 1876	980	svchost.exe	32
PID 980 wrote to memory of 1876	980	svchost.exe	32
PID 980 wrote to memory of 1876	980	svchost.exe	32
PID 980 wrote to memory of 1876	980	svchost.exe	32
PID 980 wrote to memory of 1876	980	svchost.exe	32
PID 980 wrote to memory of 1876	980	svchost.exe	32
PID 980 wrote to memory of 1876	980	svchost.exe	32
PID 980 wrote to memory of 1876	980	svchost.exe	32
PID 980 wrote to memory of 1876	980	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\bf0bfdf017bdce9ba2359784a42c4ce7ee3e1a6ce47716e0b31c40be8c61e18a.exe
"C:\Users\Admin\AppData\Local\Temp\bf0bfdf017bdce9ba2359784a42c4ce7ee3e1a6ce47716e0b31c40be8c61e18a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\start.exe
  C:\Users\Admin\AppData\Local\Temp\\start.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1016

C:\Users\Admin\AppData\Local\Temp\RsTray.exe
"C:\Users\Admin\AppData\Local\Temp\RsTray.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\ProgramData\DHZ\RsTray.exe
C:\ProgramData\DHZ\RsTray.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 980
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DHZ\RsTray.exe

Filesize
174KB

MD5
d65adc7ad95e88fab486707b8c228f17

SHA1
dfa0589b58a469e34695a22313d184e5352a3282

SHA256
a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

SHA512
3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

Download Submit
C:\ProgramData\DHZ\comserv.dll

Filesize
32KB

MD5
420fb807bbc87bf73295b369d3f4cabd

SHA1
bcbae44eb7e94611e4a0b1f8e52881f095ab75ca

SHA256
b8717d54cea5a0eaa50567bb86b990fc1f943b387ac660e8a5ae2470fcc4adde

SHA512
96d4bf6029d014cd61c4b2ac006120303a771b9acbfcbfd1d9ee03febbf26ef676ff081b1bd19c5c9777ef65b8ed742f0470a18b4e998b394c37e329437a3968

Download Submit
C:\ProgramData\DHZ\comserv.dll.url

Filesize
122KB

MD5
db4793c86492501c63c3920e9e750e47

SHA1
6fa5c97fd303180d928fff6c11c65f8052cb6b25

SHA256
c1a117b96a7027b30c1a59f6db06f78388f6f2e356f6737fe66a30ad08935026

SHA512
b1e981a1730d0a12fe610706ef6c008b9be4fff610789d1b2308283d450b3eb225845080cbb4c61c16a436b6ba081a4b890f29fb128d38318ab44441787fd56e

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
980B

MD5
0fb68e97d0e7a03c4d0219e4f2ba47a6

SHA1
95fc434044e21f34c29599f23b0a3f692d638948

SHA256
66b08380495e9350b2715b2798c44b2d8eef30ac28e4f308ac324545d5894943

SHA512
e27e5a844c2c30388231ee508fe74b55f248d7adf22df84770dd1126a7b37c729a2d33605fd7b89ee0528af44e84c5e83e944fd7a1b4a9a4ac9c76c91d5fc050

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
1KB

MD5
0dc1cabe06fd53234de0aa89f7b2ebc6

SHA1
ba321fa1328e16441be6484bd8bff0999c0662f6

SHA256
665cd3521688a0d13ac69dfe706ba1550813c025110e16f7c91a0d4955c037f5

SHA512
430d955a12973b0beaad952ff633c0f5c4fc6b39109b8fceedf1618c03ad173622351e9c438f5b16c2b0b8edb8ef99dc06f9d81b26040dc67157e3c1d0ab4603

Download Submit
C:\Users\Admin\AppData\Local\Temp\RsTray.exe

Filesize
174KB

MD5
d65adc7ad95e88fab486707b8c228f17

SHA1
dfa0589b58a469e34695a22313d184e5352a3282

SHA256
a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

SHA512
3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RsTray.exe

Filesize
174KB

MD5
d65adc7ad95e88fab486707b8c228f17

SHA1
dfa0589b58a469e34695a22313d184e5352a3282

SHA256
a3674fef407c354e911a8a6c7d4b991802c47cf6409d6dc32dc84be6312159e2

SHA512
3c9114610dfc107adec6a6220356607c737499866eba965985bb1f6b9aedbfae529a5432abb8307ce0653580fab9c2580c66d96ef4cdb4319a0fde5ad3c3ac01

Download Submit
C:\Users\Admin\AppData\Local\Temp\comserv.dll

Filesize
32KB

MD5
420fb807bbc87bf73295b369d3f4cabd

SHA1
bcbae44eb7e94611e4a0b1f8e52881f095ab75ca

SHA256
b8717d54cea5a0eaa50567bb86b990fc1f943b387ac660e8a5ae2470fcc4adde

SHA512
96d4bf6029d014cd61c4b2ac006120303a771b9acbfcbfd1d9ee03febbf26ef676ff081b1bd19c5c9777ef65b8ed742f0470a18b4e998b394c37e329437a3968

Download Submit
C:\Users\Admin\AppData\Local\Temp\comserv.dll.url

Filesize
122KB

MD5
db4793c86492501c63c3920e9e750e47

SHA1
6fa5c97fd303180d928fff6c11c65f8052cb6b25

SHA256
c1a117b96a7027b30c1a59f6db06f78388f6f2e356f6737fe66a30ad08935026

SHA512
b1e981a1730d0a12fe610706ef6c008b9be4fff610789d1b2308283d450b3eb225845080cbb4c61c16a436b6ba081a4b890f29fb128d38318ab44441787fd56e

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
32KB

MD5
4b8e0cfdf0ed997374afabd7bceb6c65

SHA1
4ae917f202ce218f9cc9ce29a70bd3674f29939f

SHA256
daeb3768b11e56f15d3e3342b4a3451506afeea92c9e7f5560ee8fe90e0e93d2

SHA512
32fc03b03f5d1a05bfd78d0d97cbed13a08319435bdccf5fc86a2d0fe927bd26e25f8be36ad632bd0d0ae3efac6e0eeb2b17caa55e9f890fbbd7d66f93244c8c

Download Submit
\ProgramData\DHZ\comserv.dll

Filesize
32KB

MD5
420fb807bbc87bf73295b369d3f4cabd

SHA1
bcbae44eb7e94611e4a0b1f8e52881f095ab75ca

SHA256
b8717d54cea5a0eaa50567bb86b990fc1f943b387ac660e8a5ae2470fcc4adde

SHA512
96d4bf6029d014cd61c4b2ac006120303a771b9acbfcbfd1d9ee03febbf26ef676ff081b1bd19c5c9777ef65b8ed742f0470a18b4e998b394c37e329437a3968

Download Submit
\Users\Admin\AppData\Local\Temp\comserv.dll

Filesize
32KB

MD5
420fb807bbc87bf73295b369d3f4cabd

SHA1
bcbae44eb7e94611e4a0b1f8e52881f095ab75ca

SHA256
b8717d54cea5a0eaa50567bb86b990fc1f943b387ac660e8a5ae2470fcc4adde

SHA512
96d4bf6029d014cd61c4b2ac006120303a771b9acbfcbfd1d9ee03febbf26ef676ff081b1bd19c5c9777ef65b8ed742f0470a18b4e998b394c37e329437a3968

Download Submit
\Users\Admin\AppData\Local\Temp\start.exe

Filesize
32KB

MD5
4b8e0cfdf0ed997374afabd7bceb6c65

SHA1
4ae917f202ce218f9cc9ce29a70bd3674f29939f

SHA256
daeb3768b11e56f15d3e3342b4a3451506afeea92c9e7f5560ee8fe90e0e93d2

SHA512
32fc03b03f5d1a05bfd78d0d97cbed13a08319435bdccf5fc86a2d0fe927bd26e25f8be36ad632bd0d0ae3efac6e0eeb2b17caa55e9f890fbbd7d66f93244c8c

Download Submit
\Users\Admin\AppData\Local\Temp\start.exe

Filesize
32KB

MD5
4b8e0cfdf0ed997374afabd7bceb6c65

SHA1
4ae917f202ce218f9cc9ce29a70bd3674f29939f

SHA256
daeb3768b11e56f15d3e3342b4a3451506afeea92c9e7f5560ee8fe90e0e93d2

SHA512
32fc03b03f5d1a05bfd78d0d97cbed13a08319435bdccf5fc86a2d0fe927bd26e25f8be36ad632bd0d0ae3efac6e0eeb2b17caa55e9f890fbbd7d66f93244c8c

Download Submit
memory/980-76-0x00000000001D0000-0x0000000000201000-memory.dmp

Filesize
196KB

Download
memory/980-84-0x00000000001D0000-0x0000000000201000-memory.dmp

Filesize
196KB

Download
memory/980-71-0x00000000000A0000-0x00000000000BD000-memory.dmp

Filesize
116KB

Download
memory/1876-82-0x00000000002A0000-0x00000000002D1000-memory.dmp

Filesize
196KB

Download
memory/2024-75-0x0000000000480000-0x00000000004B1000-memory.dmp

Filesize
196KB

Download
memory/2044-62-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/2044-68-0x0000000000380000-0x00000000003B1000-memory.dmp

Filesize
196KB

Download
memory/2044-67-0x0000000001EC0000-0x0000000001FC0000-memory.dmp

Filesize
1024KB

Download