plugx | 405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20220414-en
submitted
01-07-2022 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe
Size

293KB
MD5

c1012dd1702911ae66927b0233cc2794
SHA1

44821ce2dc95f4775bc200d9f9a499ff6def0af3
SHA256

405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3
SHA512

fc38b8fd5a7509a32d02d25e5dd39a4d69196b7db8cdd39b3f71c24b35135fb320cc2b8abad5405dbfa52237664dd472930c049dd4c23368f882b877cfd5d3ea

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 6 IoCs

resource	yara_rule
behavioral1/memory/112-76-0x0000000000980000-0x00000000009B1000-memory.dmp	family_plugx
behavioral1/memory/616-77-0x00000000004D0000-0x0000000000501000-memory.dmp	family_plugx
behavioral1/memory/1268-78-0x0000000000190000-0x00000000001C1000-memory.dmp	family_plugx
behavioral1/memory/688-83-0x0000000000330000-0x0000000000361000-memory.dmp	family_plugx
behavioral1/memory/1268-84-0x0000000000190000-0x00000000001C1000-memory.dmp	family_plugx
behavioral1/memory/688-85-0x0000000000330000-0x0000000000361000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
112	OleView.exe
616	OleView.exe

Deletes itself 1 IoCs

pid	Process
1268	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
1668	405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe
1668	405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe
1668	405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe
1668	405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe
112	OleView.exe
616	OleView.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{47D45614-5D41-4003-AC8D-99940485CAE5}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{47D45614-5D41-4003-AC8D-99940485CAE5}\WpadNetworkName = "Network 3"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-07-2a-57-3c-8a\WpadDecisionTime = 70dc481d098dd801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-07-2a-57-3c-8a\WpadDecisionTime = 10c8d630098dd801	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{47D45614-5D41-4003-AC8D-99940485CAE5}\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-07-2a-57-3c-8a\WpadDetectedUrl	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{47D45614-5D41-4003-AC8D-99940485CAE5}\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{47D45614-5D41-4003-AC8D-99940485CAE5}\WpadDecisionTime = 70dc481d098dd801	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-07-2a-57-3c-8a	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{47D45614-5D41-4003-AC8D-99940485CAE5}\da-07-2a-57-3c-8a	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-07-2a-57-3c-8a\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-07-2a-57-3c-8a\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{47D45614-5D41-4003-AC8D-99940485CAE5}\WpadDecisionTime = 10c8d630098dd801	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 36004600430035004400460042004200420043003400380043003800390033000000	svchost.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1268	svchost.exe
1268	svchost.exe
1268	svchost.exe
1268	svchost.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
1268	svchost.exe
1268	svchost.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
1268	svchost.exe
1268	svchost.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
1268	svchost.exe
1268	svchost.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
1268	svchost.exe
1268	svchost.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
1268	svchost.exe
1268	svchost.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
1268	svchost.exe
1268	svchost.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
688	msiexec.exe
1268	svchost.exe
1268	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	112	OleView.exe
Token: SeTcbPrivilege	112	OleView.exe
Token: SeDebugPrivilege	616	OleView.exe
Token: SeTcbPrivilege	616	OleView.exe
Token: SeDebugPrivilege	1268	svchost.exe
Token: SeTcbPrivilege	1268	svchost.exe
Token: SeDebugPrivilege	688	msiexec.exe
Token: SeTcbPrivilege	688	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
112	OleView.exe
616	OleView.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 112	1668	405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe	27
PID 1668 wrote to memory of 112	1668	405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe	27
PID 1668 wrote to memory of 112	1668	405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe	27
PID 1668 wrote to memory of 112	1668	405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe	27
PID 1668 wrote to memory of 112	1668	405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe	27
PID 1668 wrote to memory of 112	1668	405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe	27
PID 1668 wrote to memory of 112	1668	405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe	27
PID 616 wrote to memory of 1268	616	OleView.exe	29
PID 616 wrote to memory of 1268	616	OleView.exe	29
PID 616 wrote to memory of 1268	616	OleView.exe	29
PID 616 wrote to memory of 1268	616	OleView.exe	29
PID 616 wrote to memory of 1268	616	OleView.exe	29
PID 616 wrote to memory of 1268	616	OleView.exe	29
PID 616 wrote to memory of 1268	616	OleView.exe	29
PID 616 wrote to memory of 1268	616	OleView.exe	29
PID 616 wrote to memory of 1268	616	OleView.exe	29
PID 1268 wrote to memory of 688	1268	svchost.exe	31
PID 1268 wrote to memory of 688	1268	svchost.exe	31
PID 1268 wrote to memory of 688	1268	svchost.exe	31
PID 1268 wrote to memory of 688	1268	svchost.exe	31
PID 1268 wrote to memory of 688	1268	svchost.exe	31
PID 1268 wrote to memory of 688	1268	svchost.exe	31
PID 1268 wrote to memory of 688	1268	svchost.exe	31
PID 1268 wrote to memory of 688	1268	svchost.exe	31
PID 1268 wrote to memory of 688	1268	svchost.exe	31
PID 1268 wrote to memory of 688	1268	svchost.exe	31
PID 1268 wrote to memory of 688	1268	svchost.exe	31
PID 1268 wrote to memory of 688	1268	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe
"C:\Users\Admin\AppData\Local\Temp\405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\OleView.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\OleView.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:112

C:\ProgramData\OleView\OleView.exe
C:\ProgramData\OleView\OleView.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:616
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Deletes itself
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1268
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OleView\ACLUI.DLL

Filesize
36KB

MD5
a558aa8b13c47772c5c66c1add2163b3

SHA1
f6626c639372ed78e28ffbee9088567d4ae3be7a

SHA256
a50aa27cb5a55457b54f0e7e900d72a317713c710ea04a8a4bc01e8d7ab74c9a

SHA512
86a24729a53e0bb0796e2bec87ecdd6b6221e92d74a2045e182fda635397619ac0eff8e5ef0e2a6cfa82abffb3d30d15802f84652174835188b91921c1cb31cd

Download Submit
C:\ProgramData\OleView\ACLUI.DLL.UI

Filesize
121KB

MD5
eac6c13bd4e3237a788daa81c58de243

SHA1
9cd0ec423d09846086c934143e7786078c646d80

SHA256
e4871f4e21da3af277cc82596ef83856400d180aecd0cc48b458feabc4d664a2

SHA512
6d649babeca441446345fe4a8d9ed64338801ae572c3c93e1997e0b06f608a35514a1ae5bec62dff26ac173600113385d2223dfff6fde8c1e7b4628e1580d35b

Download Submit
C:\ProgramData\OleView\OleView.exe

Filesize
186KB

MD5
d1e6767900c85535f300e08d76aac9ab

SHA1
4a0f328e7672ee7ba83f265d48a6077a0c9068d4

SHA256
91f6547bceddfb2f241570ac82c00de700e311e4a38dea60d8619638f1ed3520

SHA512
40660d9056f24522e5ad95c66cb924df6625eab503dfe4fd65157316abdc04812a152f977ac3fdcf9f74b14b4c9cfe044883abd8a6cd6049bf22448711ff3d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ACLUI.DLL

Filesize
36KB

MD5
a558aa8b13c47772c5c66c1add2163b3

SHA1
f6626c639372ed78e28ffbee9088567d4ae3be7a

SHA256
a50aa27cb5a55457b54f0e7e900d72a317713c710ea04a8a4bc01e8d7ab74c9a

SHA512
86a24729a53e0bb0796e2bec87ecdd6b6221e92d74a2045e182fda635397619ac0eff8e5ef0e2a6cfa82abffb3d30d15802f84652174835188b91921c1cb31cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ACLUI.DLL.UI

Filesize
121KB

MD5
eac6c13bd4e3237a788daa81c58de243

SHA1
9cd0ec423d09846086c934143e7786078c646d80

SHA256
e4871f4e21da3af277cc82596ef83856400d180aecd0cc48b458feabc4d664a2

SHA512
6d649babeca441446345fe4a8d9ed64338801ae572c3c93e1997e0b06f608a35514a1ae5bec62dff26ac173600113385d2223dfff6fde8c1e7b4628e1580d35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\OleView.Exe

Filesize
186KB

MD5
d1e6767900c85535f300e08d76aac9ab

SHA1
4a0f328e7672ee7ba83f265d48a6077a0c9068d4

SHA256
91f6547bceddfb2f241570ac82c00de700e311e4a38dea60d8619638f1ed3520

SHA512
40660d9056f24522e5ad95c66cb924df6625eab503dfe4fd65157316abdc04812a152f977ac3fdcf9f74b14b4c9cfe044883abd8a6cd6049bf22448711ff3d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\OleView.exe

Filesize
186KB

MD5
d1e6767900c85535f300e08d76aac9ab

SHA1
4a0f328e7672ee7ba83f265d48a6077a0c9068d4

SHA256
91f6547bceddfb2f241570ac82c00de700e311e4a38dea60d8619638f1ed3520

SHA512
40660d9056f24522e5ad95c66cb924df6625eab503dfe4fd65157316abdc04812a152f977ac3fdcf9f74b14b4c9cfe044883abd8a6cd6049bf22448711ff3d39

Download Submit
\ProgramData\OleView\ACLUI.DLL

Filesize
36KB

MD5
a558aa8b13c47772c5c66c1add2163b3

SHA1
f6626c639372ed78e28ffbee9088567d4ae3be7a

SHA256
a50aa27cb5a55457b54f0e7e900d72a317713c710ea04a8a4bc01e8d7ab74c9a

SHA512
86a24729a53e0bb0796e2bec87ecdd6b6221e92d74a2045e182fda635397619ac0eff8e5ef0e2a6cfa82abffb3d30d15802f84652174835188b91921c1cb31cd

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\ACLUI.DLL

Filesize
36KB

MD5
a558aa8b13c47772c5c66c1add2163b3

SHA1
f6626c639372ed78e28ffbee9088567d4ae3be7a

SHA256
a50aa27cb5a55457b54f0e7e900d72a317713c710ea04a8a4bc01e8d7ab74c9a

SHA512
86a24729a53e0bb0796e2bec87ecdd6b6221e92d74a2045e182fda635397619ac0eff8e5ef0e2a6cfa82abffb3d30d15802f84652174835188b91921c1cb31cd

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\OleView.Exe

Filesize
186KB

MD5
d1e6767900c85535f300e08d76aac9ab

SHA1
4a0f328e7672ee7ba83f265d48a6077a0c9068d4

SHA256
91f6547bceddfb2f241570ac82c00de700e311e4a38dea60d8619638f1ed3520

SHA512
40660d9056f24522e5ad95c66cb924df6625eab503dfe4fd65157316abdc04812a152f977ac3fdcf9f74b14b4c9cfe044883abd8a6cd6049bf22448711ff3d39

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\OleView.Exe

Filesize
186KB

MD5
d1e6767900c85535f300e08d76aac9ab

SHA1
4a0f328e7672ee7ba83f265d48a6077a0c9068d4

SHA256
91f6547bceddfb2f241570ac82c00de700e311e4a38dea60d8619638f1ed3520

SHA512
40660d9056f24522e5ad95c66cb924df6625eab503dfe4fd65157316abdc04812a152f977ac3fdcf9f74b14b4c9cfe044883abd8a6cd6049bf22448711ff3d39

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\OleView.Exe

Filesize
186KB

MD5
d1e6767900c85535f300e08d76aac9ab

SHA1
4a0f328e7672ee7ba83f265d48a6077a0c9068d4

SHA256
91f6547bceddfb2f241570ac82c00de700e311e4a38dea60d8619638f1ed3520

SHA512
40660d9056f24522e5ad95c66cb924df6625eab503dfe4fd65157316abdc04812a152f977ac3fdcf9f74b14b4c9cfe044883abd8a6cd6049bf22448711ff3d39

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\OleView.Exe

Filesize
186KB

MD5
d1e6767900c85535f300e08d76aac9ab

SHA1
4a0f328e7672ee7ba83f265d48a6077a0c9068d4

SHA256
91f6547bceddfb2f241570ac82c00de700e311e4a38dea60d8619638f1ed3520

SHA512
40660d9056f24522e5ad95c66cb924df6625eab503dfe4fd65157316abdc04812a152f977ac3fdcf9f74b14b4c9cfe044883abd8a6cd6049bf22448711ff3d39

Download Submit
memory/112-74-0x0000000002030000-0x0000000002130000-memory.dmp

Filesize
1024KB

Download
memory/112-76-0x0000000000980000-0x00000000009B1000-memory.dmp

Filesize
196KB

Download
memory/616-77-0x00000000004D0000-0x0000000000501000-memory.dmp

Filesize
196KB

Download
memory/688-85-0x0000000000330000-0x0000000000361000-memory.dmp

Filesize
196KB

Download
memory/688-83-0x0000000000330000-0x0000000000361000-memory.dmp

Filesize
196KB

Download
memory/1268-78-0x0000000000190000-0x00000000001C1000-memory.dmp

Filesize
196KB

Download
memory/1268-84-0x0000000000190000-0x00000000001C1000-memory.dmp

Filesize
196KB

Download
memory/1268-71-0x00000000000E0000-0x00000000000FD000-memory.dmp

Filesize
116KB

Download
memory/1668-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download