plugx | 405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3

Analysis

max time kernel
154s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
01-07-2022 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe
Size

293KB
MD5

c1012dd1702911ae66927b0233cc2794
SHA1

44821ce2dc95f4775bc200d9f9a499ff6def0af3
SHA256

405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3
SHA512

fc38b8fd5a7509a32d02d25e5dd39a4d69196b7db8cdd39b3f71c24b35135fb320cc2b8abad5405dbfa52237664dd472930c049dd4c23368f882b877cfd5d3ea

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 6 IoCs

resource	yara_rule
behavioral2/memory/3768-143-0x00000000019E0000-0x0000000001A11000-memory.dmp	family_plugx
behavioral2/memory/624-144-0x0000000003200000-0x0000000003231000-memory.dmp	family_plugx
behavioral2/memory/1108-145-0x0000000000A00000-0x0000000000A31000-memory.dmp	family_plugx
behavioral2/memory/2660-147-0x0000000002760000-0x0000000002791000-memory.dmp	family_plugx
behavioral2/memory/1108-148-0x0000000000A00000-0x0000000000A31000-memory.dmp	family_plugx
behavioral2/memory/2660-149-0x0000000002760000-0x0000000002791000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
624	OleView.exe
3768	OleView.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe

Loads dropped DLL 2 IoCs

pid	Process
624	OleView.exe
3768	OleView.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44003100330037003600350044003200430037003000340033003000390046000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
1108	svchost.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
1108	svchost.exe
1108	svchost.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
1108	svchost.exe
1108	svchost.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
1108	svchost.exe
1108	svchost.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
1108	svchost.exe
1108	svchost.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe
2660	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1108	svchost.exe
2660	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	624	OleView.exe
Token: SeTcbPrivilege	624	OleView.exe
Token: SeDebugPrivilege	3768	OleView.exe
Token: SeTcbPrivilege	3768	OleView.exe
Token: SeDebugPrivilege	1108	svchost.exe
Token: SeTcbPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	2660	msiexec.exe
Token: SeTcbPrivilege	2660	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
624	OleView.exe
3768	OleView.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 624	2912	405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe	82
PID 2912 wrote to memory of 624	2912	405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe	82
PID 2912 wrote to memory of 624	2912	405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe	82
PID 3768 wrote to memory of 1108	3768	OleView.exe	85
PID 3768 wrote to memory of 1108	3768	OleView.exe	85
PID 3768 wrote to memory of 1108	3768	OleView.exe	85
PID 3768 wrote to memory of 1108	3768	OleView.exe	85
PID 3768 wrote to memory of 1108	3768	OleView.exe	85
PID 3768 wrote to memory of 1108	3768	OleView.exe	85
PID 3768 wrote to memory of 1108	3768	OleView.exe	85
PID 3768 wrote to memory of 1108	3768	OleView.exe	85
PID 1108 wrote to memory of 2660	1108	svchost.exe	86
PID 1108 wrote to memory of 2660	1108	svchost.exe	86
PID 1108 wrote to memory of 2660	1108	svchost.exe	86
PID 1108 wrote to memory of 2660	1108	svchost.exe	86
PID 1108 wrote to memory of 2660	1108	svchost.exe	86
PID 1108 wrote to memory of 2660	1108	svchost.exe	86
PID 1108 wrote to memory of 2660	1108	svchost.exe	86
PID 1108 wrote to memory of 2660	1108	svchost.exe	86

C:\Users\Admin\AppData\Local\Temp\405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe
"C:\Users\Admin\AppData\Local\Temp\405bac66c665f2ffe99811b1b73716d663e91f93a9dd469eb361df63da4c1ee3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\OleView.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\OleView.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:624

C:\ProgramData\OleView\OleView.exe
C:\ProgramData\OleView\OleView.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1108
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OleView\ACLUI.DLL

Filesize
36KB

MD5
a558aa8b13c47772c5c66c1add2163b3

SHA1
f6626c639372ed78e28ffbee9088567d4ae3be7a

SHA256
a50aa27cb5a55457b54f0e7e900d72a317713c710ea04a8a4bc01e8d7ab74c9a

SHA512
86a24729a53e0bb0796e2bec87ecdd6b6221e92d74a2045e182fda635397619ac0eff8e5ef0e2a6cfa82abffb3d30d15802f84652174835188b91921c1cb31cd

Download Submit
C:\ProgramData\OleView\ACLUI.DLL

Filesize
36KB

MD5
a558aa8b13c47772c5c66c1add2163b3

SHA1
f6626c639372ed78e28ffbee9088567d4ae3be7a

SHA256
a50aa27cb5a55457b54f0e7e900d72a317713c710ea04a8a4bc01e8d7ab74c9a

SHA512
86a24729a53e0bb0796e2bec87ecdd6b6221e92d74a2045e182fda635397619ac0eff8e5ef0e2a6cfa82abffb3d30d15802f84652174835188b91921c1cb31cd

Download Submit
C:\ProgramData\OleView\ACLUI.DLL.UI

Filesize
121KB

MD5
eac6c13bd4e3237a788daa81c58de243

SHA1
9cd0ec423d09846086c934143e7786078c646d80

SHA256
e4871f4e21da3af277cc82596ef83856400d180aecd0cc48b458feabc4d664a2

SHA512
6d649babeca441446345fe4a8d9ed64338801ae572c3c93e1997e0b06f608a35514a1ae5bec62dff26ac173600113385d2223dfff6fde8c1e7b4628e1580d35b

Download Submit
C:\ProgramData\OleView\OleView.exe

Filesize
186KB

MD5
d1e6767900c85535f300e08d76aac9ab

SHA1
4a0f328e7672ee7ba83f265d48a6077a0c9068d4

SHA256
91f6547bceddfb2f241570ac82c00de700e311e4a38dea60d8619638f1ed3520

SHA512
40660d9056f24522e5ad95c66cb924df6625eab503dfe4fd65157316abdc04812a152f977ac3fdcf9f74b14b4c9cfe044883abd8a6cd6049bf22448711ff3d39

Download Submit
C:\ProgramData\OleView\OleView.exe

Filesize
186KB

MD5
d1e6767900c85535f300e08d76aac9ab

SHA1
4a0f328e7672ee7ba83f265d48a6077a0c9068d4

SHA256
91f6547bceddfb2f241570ac82c00de700e311e4a38dea60d8619638f1ed3520

SHA512
40660d9056f24522e5ad95c66cb924df6625eab503dfe4fd65157316abdc04812a152f977ac3fdcf9f74b14b4c9cfe044883abd8a6cd6049bf22448711ff3d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ACLUI.DLL

Filesize
36KB

MD5
a558aa8b13c47772c5c66c1add2163b3

SHA1
f6626c639372ed78e28ffbee9088567d4ae3be7a

SHA256
a50aa27cb5a55457b54f0e7e900d72a317713c710ea04a8a4bc01e8d7ab74c9a

SHA512
86a24729a53e0bb0796e2bec87ecdd6b6221e92d74a2045e182fda635397619ac0eff8e5ef0e2a6cfa82abffb3d30d15802f84652174835188b91921c1cb31cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ACLUI.DLL

Filesize
36KB

MD5
a558aa8b13c47772c5c66c1add2163b3

SHA1
f6626c639372ed78e28ffbee9088567d4ae3be7a

SHA256
a50aa27cb5a55457b54f0e7e900d72a317713c710ea04a8a4bc01e8d7ab74c9a

SHA512
86a24729a53e0bb0796e2bec87ecdd6b6221e92d74a2045e182fda635397619ac0eff8e5ef0e2a6cfa82abffb3d30d15802f84652174835188b91921c1cb31cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ACLUI.DLL.UI

Filesize
121KB

MD5
eac6c13bd4e3237a788daa81c58de243

SHA1
9cd0ec423d09846086c934143e7786078c646d80

SHA256
e4871f4e21da3af277cc82596ef83856400d180aecd0cc48b458feabc4d664a2

SHA512
6d649babeca441446345fe4a8d9ed64338801ae572c3c93e1997e0b06f608a35514a1ae5bec62dff26ac173600113385d2223dfff6fde8c1e7b4628e1580d35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\OleView.Exe

Filesize
186KB

MD5
d1e6767900c85535f300e08d76aac9ab

SHA1
4a0f328e7672ee7ba83f265d48a6077a0c9068d4

SHA256
91f6547bceddfb2f241570ac82c00de700e311e4a38dea60d8619638f1ed3520

SHA512
40660d9056f24522e5ad95c66cb924df6625eab503dfe4fd65157316abdc04812a152f977ac3fdcf9f74b14b4c9cfe044883abd8a6cd6049bf22448711ff3d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\OleView.exe

Filesize
186KB

MD5
d1e6767900c85535f300e08d76aac9ab

SHA1
4a0f328e7672ee7ba83f265d48a6077a0c9068d4

SHA256
91f6547bceddfb2f241570ac82c00de700e311e4a38dea60d8619638f1ed3520

SHA512
40660d9056f24522e5ad95c66cb924df6625eab503dfe4fd65157316abdc04812a152f977ac3fdcf9f74b14b4c9cfe044883abd8a6cd6049bf22448711ff3d39

Download Submit
memory/624-144-0x0000000003200000-0x0000000003231000-memory.dmp

Filesize
196KB

Download
memory/1108-145-0x0000000000A00000-0x0000000000A31000-memory.dmp

Filesize
196KB

Download
memory/1108-148-0x0000000000A00000-0x0000000000A31000-memory.dmp

Filesize
196KB

Download
memory/2660-147-0x0000000002760000-0x0000000002791000-memory.dmp

Filesize
196KB

Download
memory/2660-149-0x0000000002760000-0x0000000002791000-memory.dmp

Filesize
196KB

Download
memory/3768-142-0x00000000018E0000-0x00000000019E0000-memory.dmp

Filesize
1024KB

Download
memory/3768-143-0x00000000019E0000-0x0000000001A11000-memory.dmp

Filesize
196KB

Download