plugx | 9c4c4c770a018612b780162bd046fd713e6347a72a5176ed0ee3e51b11823534

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
01-07-2022 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c4c4c770a018612b780162bd046fd713e6347a72a5176ed0ee3e51b11823534.exe
Size

421KB
MD5

bcf4313c5a74529513998ea9a3d4fefc
SHA1

9e4044fd6b9fae1d5b5aa7bc3dd9e83780818f35
SHA256

9c4c4c770a018612b780162bd046fd713e6347a72a5176ed0ee3e51b11823534
SHA512

2e9f74a13233a1d5ad0c1d5564c12f6d8bd1ad0377c8240cb90aeefef71264a34e1c917e5b440feb07dbd4e65e487ecb912423f8765e33e7df1c3e58690825f5

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 6 IoCs

resource	yara_rule
behavioral2/memory/3688-144-0x00000000004D0000-0x00000000004FD000-memory.dmp	family_plugx
behavioral2/memory/4664-145-0x00000000005F0000-0x000000000061D000-memory.dmp	family_plugx
behavioral2/memory/4132-146-0x0000000000FD0000-0x0000000000FFD000-memory.dmp	family_plugx
behavioral2/memory/228-155-0x0000000002CF0000-0x0000000002D1D000-memory.dmp	family_plugx
behavioral2/memory/4132-156-0x0000000000FD0000-0x0000000000FFD000-memory.dmp	family_plugx
behavioral2/memory/228-157-0x0000000002CF0000-0x0000000002D1D000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
5096	c.exe
4664	hc.exe
3688	hc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	9c4c4c770a018612b780162bd046fd713e6347a72a5176ed0ee3e51b11823534.exe

Loads dropped DLL 2 IoCs

pid	Process
4664	hc.exe
3688	hc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	9c4c4c770a018612b780162bd046fd713e6347a72a5176ed0ee3e51b11823534.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44003300330036003300380031003600370044003700390033004400360032000000	svchost.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2424	WINWORD.EXE
2424	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
4132	svchost.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
4132	svchost.exe
4132	svchost.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
4132	svchost.exe
4132	svchost.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
4132	svchost.exe
4132	svchost.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
4132	svchost.exe
4132	svchost.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
228	msiexec.exe
4132	svchost.exe
4132	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4132	svchost.exe
228	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4664	hc.exe
Token: SeTcbPrivilege	4664	hc.exe
Token: SeDebugPrivilege	3688	hc.exe
Token: SeTcbPrivilege	3688	hc.exe
Token: SeDebugPrivilege	4132	svchost.exe
Token: SeTcbPrivilege	4132	svchost.exe
Token: SeDebugPrivilege	228	msiexec.exe
Token: SeTcbPrivilege	228	msiexec.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2424	WINWORD.EXE
2424	WINWORD.EXE
2424	WINWORD.EXE
2424	WINWORD.EXE
2424	WINWORD.EXE
2424	WINWORD.EXE
2424	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 2424	884	9c4c4c770a018612b780162bd046fd713e6347a72a5176ed0ee3e51b11823534.exe	81
PID 884 wrote to memory of 2424	884	9c4c4c770a018612b780162bd046fd713e6347a72a5176ed0ee3e51b11823534.exe	81
PID 884 wrote to memory of 5096	884	9c4c4c770a018612b780162bd046fd713e6347a72a5176ed0ee3e51b11823534.exe	83
PID 884 wrote to memory of 5096	884	9c4c4c770a018612b780162bd046fd713e6347a72a5176ed0ee3e51b11823534.exe	83
PID 884 wrote to memory of 5096	884	9c4c4c770a018612b780162bd046fd713e6347a72a5176ed0ee3e51b11823534.exe	83
PID 5096 wrote to memory of 4664	5096	c.exe	84
PID 5096 wrote to memory of 4664	5096	c.exe	84
PID 5096 wrote to memory of 4664	5096	c.exe	84
PID 3688 wrote to memory of 4132	3688	hc.exe	86
PID 3688 wrote to memory of 4132	3688	hc.exe	86
PID 3688 wrote to memory of 4132	3688	hc.exe	86
PID 3688 wrote to memory of 4132	3688	hc.exe	86
PID 3688 wrote to memory of 4132	3688	hc.exe	86
PID 3688 wrote to memory of 4132	3688	hc.exe	86
PID 3688 wrote to memory of 4132	3688	hc.exe	86
PID 3688 wrote to memory of 4132	3688	hc.exe	86
PID 4132 wrote to memory of 228	4132	svchost.exe	92
PID 4132 wrote to memory of 228	4132	svchost.exe	92
PID 4132 wrote to memory of 228	4132	svchost.exe	92
PID 4132 wrote to memory of 228	4132	svchost.exe	92
PID 4132 wrote to memory of 228	4132	svchost.exe	92
PID 4132 wrote to memory of 228	4132	svchost.exe	92
PID 4132 wrote to memory of 228	4132	svchost.exe	92
PID 4132 wrote to memory of 228	4132	svchost.exe	92

C:\Users\Admin\AppData\Local\Temp\9c4c4c770a018612b780162bd046fd713e6347a72a5176ed0ee3e51b11823534.exe
"C:\Users\Admin\AppData\Local\Temp\9c4c4c770a018612b780162bd046fd713e6347a72a5176ed0ee3e51b11823534.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:884
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2424
- C:\Users\Admin\AppData\Local\Temp\c.exe
  "C:\Users\Admin\AppData\Local\Temp\c.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Users\Admin\AppData\Local\Temp\hc\hc.exe
    "C:\Users\Admin\AppData\Local\Temp\hc\hc.exe" 100 5096
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4664

C:\Users\Admin\AppData\Local\Temp\hc\hc.exe
"C:\Users\Admin\AppData\Local\Temp\hc\hc.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 4132
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c.exe

Filesize
306KB

MD5
69d51f27b18cea1a2e1e2bdede6621ae

SHA1
f02a66fbb16a0f8e986e30aa5d5075a7d1b1cbfb

SHA256
30a862b6f45d21c829321fd4d7a0f9e91586a46453903178cae1a5913f684795

SHA512
dbe64e300218ccf06ad0b355cc7fcdca040e332385eee717a5897e6ec913771581a2ae17a0a9d753f0668775fd4fd4dce7ed899e8ff0a71ddbed48fb8935d5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.exe

Filesize
306KB

MD5
69d51f27b18cea1a2e1e2bdede6621ae

SHA1
f02a66fbb16a0f8e986e30aa5d5075a7d1b1cbfb

SHA256
30a862b6f45d21c829321fd4d7a0f9e91586a46453903178cae1a5913f684795

SHA512
dbe64e300218ccf06ad0b355cc7fcdca040e332385eee717a5897e6ec913771581a2ae17a0a9d753f0668775fd4fd4dce7ed899e8ff0a71ddbed48fb8935d5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc\hc.exe

Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc\hc.exe

Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc\hc.exe

Filesize
169KB

MD5
23f2c3dbdb65c898a11e7f4ddc598a10

SHA1
cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

SHA256
a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

SHA512
0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc\hccutils.DLL

Filesize
2KB

MD5
1a2a20f59bf7c2573a64e2fdc346c85a

SHA1
e4f9b896092fc89e1959110127c959e60ac6c681

SHA256
465932424b76728ab29454ba60419d288e6e7f16bba3752d2b7f4d43ba5ac25b

SHA512
4a70a58df847db1e8f0ab19ca31a759b8df8cfc45f8c14236230ba5f528081604aeb6fcba5f5a035fc691629a60e490c9f1a39a46ddf531443dcbcb711d75c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc\hccutils.DLL.res

Filesize
111KB

MD5
3652107febb36846b6f0a54b789be269

SHA1
c897641f38e349cc55a402c300d03e4030c16ccf

SHA256
3782db6cdfe9381e33100bff53554087bad1c406e04b541034712bf4399dc125

SHA512
78b1c0977d53fd54712fd5d836855d76882c137ab87828f9ea3d4411f79ec892abae2b352857b2cabeb75af71805cb5e346422a2657412e9694580a6014144dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc\hccutils.dll

Filesize
2KB

MD5
1a2a20f59bf7c2573a64e2fdc346c85a

SHA1
e4f9b896092fc89e1959110127c959e60ac6c681

SHA256
465932424b76728ab29454ba60419d288e6e7f16bba3752d2b7f4d43ba5ac25b

SHA512
4a70a58df847db1e8f0ab19ca31a759b8df8cfc45f8c14236230ba5f528081604aeb6fcba5f5a035fc691629a60e490c9f1a39a46ddf531443dcbcb711d75c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc\hccutils.dll

Filesize
2KB

MD5
1a2a20f59bf7c2573a64e2fdc346c85a

SHA1
e4f9b896092fc89e1959110127c959e60ac6c681

SHA256
465932424b76728ab29454ba60419d288e6e7f16bba3752d2b7f4d43ba5ac25b

SHA512
4a70a58df847db1e8f0ab19ca31a759b8df8cfc45f8c14236230ba5f528081604aeb6fcba5f5a035fc691629a60e490c9f1a39a46ddf531443dcbcb711d75c14

Download Submit
memory/228-155-0x0000000002CF0000-0x0000000002D1D000-memory.dmp

Filesize
180KB

Download
memory/228-157-0x0000000002CF0000-0x0000000002D1D000-memory.dmp

Filesize
180KB

Download
memory/2424-150-0x00007FF89ED30000-0x00007FF89ED40000-memory.dmp

Filesize
64KB

Download
memory/2424-151-0x00007FF89ED30000-0x00007FF89ED40000-memory.dmp

Filesize
64KB

Download
memory/2424-162-0x00007FF89ED30000-0x00007FF89ED40000-memory.dmp

Filesize
64KB

Download
memory/2424-161-0x00007FF89ED30000-0x00007FF89ED40000-memory.dmp

Filesize
64KB

Download
memory/2424-160-0x00007FF89ED30000-0x00007FF89ED40000-memory.dmp

Filesize
64KB

Download
memory/2424-147-0x00007FF89ED30000-0x00007FF89ED40000-memory.dmp

Filesize
64KB

Download
memory/2424-149-0x00007FF89ED30000-0x00007FF89ED40000-memory.dmp

Filesize
64KB

Download
memory/2424-148-0x00007FF89ED30000-0x00007FF89ED40000-memory.dmp

Filesize
64KB

Download
memory/2424-159-0x00007FF89ED30000-0x00007FF89ED40000-memory.dmp

Filesize
64KB

Download
memory/2424-152-0x00007FF89C7A0000-0x00007FF89C7B0000-memory.dmp

Filesize
64KB

Download
memory/2424-153-0x00007FF89C7A0000-0x00007FF89C7B0000-memory.dmp

Filesize
64KB

Download
memory/3688-143-0x0000000000C50000-0x0000000000D50000-memory.dmp

Filesize
1024KB

Download
memory/3688-144-0x00000000004D0000-0x00000000004FD000-memory.dmp

Filesize
180KB

Download
memory/4132-156-0x0000000000FD0000-0x0000000000FFD000-memory.dmp

Filesize
180KB

Download
memory/4132-146-0x0000000000FD0000-0x0000000000FFD000-memory.dmp

Filesize
180KB

Download
memory/4664-145-0x00000000005F0000-0x000000000061D000-memory.dmp

Filesize
180KB

Download