plugx | 72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274

Analysis

max time kernel
167s
max time network
167s
platform
windows7_x64
resource
win7-20220414-en
submitted
01-07-2022 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe
Size

282KB
MD5

0007d793ad31e3820d29dd5e748fee74
SHA1

8baae1242567f5a89904edcb73a5fa357df1a69d
SHA256

72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274
SHA512

c940e4a5d43bf0b4655139924bc8c8a3d412b07a27bb9fb439985015e3a1eaf72bdc93582cd434d91300de58b6199035cef5ceaab60a2686c0a44b5c7eaaa854

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 5 IoCs

resource	yara_rule
behavioral1/memory/1104-66-0x0000000000480000-0x00000000004B1000-memory.dmp	family_plugx
behavioral1/memory/2044-79-0x0000000000330000-0x0000000000361000-memory.dmp	family_plugx
behavioral1/memory/1408-80-0x0000000000190000-0x00000000001C1000-memory.dmp	family_plugx
behavioral1/memory/1748-86-0x0000000000200000-0x0000000000231000-memory.dmp	family_plugx
behavioral1/memory/1748-87-0x0000000000200000-0x0000000000231000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
1104	Mc.exe
2044	Mc.exe

Loads dropped DLL 7 IoCs

pid	Process
1256	72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe
1256	72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe
1256	72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe
1256	72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe
1256	72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe
1104	Mc.exe
2044	Mc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 39003000320045003500430038003800460037003200410032003000450043000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1408	svchost.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1408	svchost.exe
1408	svchost.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1408	svchost.exe
1408	svchost.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1408	svchost.exe
1408	svchost.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1408	svchost.exe
1408	svchost.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1408	svchost.exe
1408	svchost.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1408	svchost.exe
1408	svchost.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1748	msiexec.exe
1408	svchost.exe
1408	svchost.exe
1748	msiexec.exe
1748	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	Mc.exe
Token: SeTcbPrivilege	1104	Mc.exe
Token: SeDebugPrivilege	2044	Mc.exe
Token: SeTcbPrivilege	2044	Mc.exe
Token: SeDebugPrivilege	1408	svchost.exe
Token: SeTcbPrivilege	1408	svchost.exe
Token: SeDebugPrivilege	1748	msiexec.exe
Token: SeTcbPrivilege	1748	msiexec.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 1104	1256	72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe	28
PID 1256 wrote to memory of 1104	1256	72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe	28
PID 1256 wrote to memory of 1104	1256	72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe	28
PID 1256 wrote to memory of 1104	1256	72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe	28
PID 1256 wrote to memory of 1104	1256	72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe	28
PID 1256 wrote to memory of 1104	1256	72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe	28
PID 1256 wrote to memory of 1104	1256	72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe	28
PID 2044 wrote to memory of 1408	2044	Mc.exe	30
PID 2044 wrote to memory of 1408	2044	Mc.exe	30
PID 2044 wrote to memory of 1408	2044	Mc.exe	30
PID 2044 wrote to memory of 1408	2044	Mc.exe	30
PID 2044 wrote to memory of 1408	2044	Mc.exe	30
PID 2044 wrote to memory of 1408	2044	Mc.exe	30
PID 2044 wrote to memory of 1408	2044	Mc.exe	30
PID 2044 wrote to memory of 1408	2044	Mc.exe	30
PID 2044 wrote to memory of 1408	2044	Mc.exe	30
PID 1408 wrote to memory of 1748	1408	svchost.exe	31
PID 1408 wrote to memory of 1748	1408	svchost.exe	31
PID 1408 wrote to memory of 1748	1408	svchost.exe	31
PID 1408 wrote to memory of 1748	1408	svchost.exe	31
PID 1408 wrote to memory of 1748	1408	svchost.exe	31
PID 1408 wrote to memory of 1748	1408	svchost.exe	31
PID 1408 wrote to memory of 1748	1408	svchost.exe	31
PID 1408 wrote to memory of 1748	1408	svchost.exe	31
PID 1408 wrote to memory of 1748	1408	svchost.exe	31
PID 1408 wrote to memory of 1748	1408	svchost.exe	31
PID 1408 wrote to memory of 1748	1408	svchost.exe	31
PID 1408 wrote to memory of 1748	1408	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe
"C:\Users\Admin\AppData\Local\Temp\72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1104

C:\ProgramData\SxS\Mc.exe
C:\ProgramData\SxS\Mc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1408
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\Mc.exe

Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
C:\ProgramData\SxS\McUtil.dll

Filesize
48KB

MD5
1cc39f75936ccfcd2e7d35384afba8e9

SHA1
a49603344986f38f6b99107303f6aa1705b26304

SHA256
860047314b4d56e5de6701c0653407717d122d75c34cbef7ef9887aa8d104a77

SHA512
f030af05d25fff59537b211f296969d8d9c558c2c58e6d1f002768f69f88eaeea324ed484f38ac32d79893f7f409526196bc4d655d51d7462839340cc51a22ed

Download Submit
C:\ProgramData\SxS\McUtil.dll.url

Filesize
122KB

MD5
dca6e071f7b5ab1f4378face61c45b91

SHA1
8d23590e8e0d47e476d496838b0f8c05ef45edc0

SHA256
565fb02fd1038df56e48297b8e4503f444f6cd74959e90972fc449e91e0cbd67

SHA512
d52ba5058fe19adb73c2be39ca55c51ec21471538afc1ff93c5d34ff9b0b135daf739a4fa5409c8bb72e86016f1c0d516472918f0895ea02f6f440d27031e303

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
488B

MD5
d35f3afafeac73af9ff2e7c2ddf9b886

SHA1
73efa5ffff139a3af9529a67a11917d8604d5caa

SHA256
671bfdbf94984b10023f1a8afef942551d4b76cd1f00176d306c2708fd61d1bf

SHA512
6805b42946f7774dcaeff08a79cb17732e0da5dba045fc8d926d6e30987335bab1cc38fadf8438b1c63bb29726e866bd5cf1e5d46ef84a2a212ec4c9abc3bda9

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
1KB

MD5
b7409265c39ac15780da2df987370bec

SHA1
bc16098c11408f9bef75dbc17eb67f2962f8538a

SHA256
dd03c484d271c2d8df8d09772696c67d0abcca005b83cdaf7f2973176e711f07

SHA512
63eece7de77120fa3ff7945c656aeb60df24ee1131f54a5dbd369c5724e87dc99856a6e45c7708f4b65c08dc9bcea9a7135b68250c8b448f736fd452b6c15138

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
7KB

MD5
4e92bd4b04ba0e710189f943ad411d4d

SHA1
58cebef02a4bf2e9463f58be424f44a411c43935

SHA256
e4781a9c00ab8d910337b38fb6cdff73507478cf98ae7c72425ab6419964157c

SHA512
4ffd25464877bc158f9b52d91d8fc82f061b9638c31abd2830c0c0cb0330b463bd1e18e78fa21395d120e800129330716cd2cebaf677104affef88c27a53dde0

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
7KB

MD5
eb023c046c8d844847557a7f7d9b84b9

SHA1
7d8f3e45a810e6ca027171af5379a4fe5963f62c

SHA256
49008c6f0b89847842f61830d9bab182120db7c01e3a776443029d7d2ec0f811

SHA512
68f22f258910df208c3023ac16ead2314f04c32bfee9c112f197164cd84582780b52fd1b89b2a070364a5f96f21fefe7d7c09fa87b06cc2938e0dd51c72a601a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe

Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe

Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll

Filesize
48KB

MD5
1cc39f75936ccfcd2e7d35384afba8e9

SHA1
a49603344986f38f6b99107303f6aa1705b26304

SHA256
860047314b4d56e5de6701c0653407717d122d75c34cbef7ef9887aa8d104a77

SHA512
f030af05d25fff59537b211f296969d8d9c558c2c58e6d1f002768f69f88eaeea324ed484f38ac32d79893f7f409526196bc4d655d51d7462839340cc51a22ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll.url

Filesize
122KB

MD5
dca6e071f7b5ab1f4378face61c45b91

SHA1
8d23590e8e0d47e476d496838b0f8c05ef45edc0

SHA256
565fb02fd1038df56e48297b8e4503f444f6cd74959e90972fc449e91e0cbd67

SHA512
d52ba5058fe19adb73c2be39ca55c51ec21471538afc1ff93c5d34ff9b0b135daf739a4fa5409c8bb72e86016f1c0d516472918f0895ea02f6f440d27031e303

Download Submit
\ProgramData\SxS\McUtil.dll

Filesize
48KB

MD5
1cc39f75936ccfcd2e7d35384afba8e9

SHA1
a49603344986f38f6b99107303f6aa1705b26304

SHA256
860047314b4d56e5de6701c0653407717d122d75c34cbef7ef9887aa8d104a77

SHA512
f030af05d25fff59537b211f296969d8d9c558c2c58e6d1f002768f69f88eaeea324ed484f38ac32d79893f7f409526196bc4d655d51d7462839340cc51a22ed

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe

Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe

Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe

Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe

Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe

Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll

Filesize
48KB

MD5
1cc39f75936ccfcd2e7d35384afba8e9

SHA1
a49603344986f38f6b99107303f6aa1705b26304

SHA256
860047314b4d56e5de6701c0653407717d122d75c34cbef7ef9887aa8d104a77

SHA512
f030af05d25fff59537b211f296969d8d9c558c2c58e6d1f002768f69f88eaeea324ed484f38ac32d79893f7f409526196bc4d655d51d7462839340cc51a22ed

Download Submit
memory/1104-66-0x0000000000480000-0x00000000004B1000-memory.dmp

Filesize
196KB

Download
memory/1256-54-0x0000000075951000-0x0000000075953000-memory.dmp

Filesize
8KB

Download
memory/1408-74-0x00000000000A0000-0x00000000000BD000-memory.dmp

Filesize
116KB

Download
memory/1408-80-0x0000000000190000-0x00000000001C1000-memory.dmp

Filesize
196KB

Download
memory/1748-86-0x0000000000200000-0x0000000000231000-memory.dmp

Filesize
196KB

Download
memory/1748-87-0x0000000000200000-0x0000000000231000-memory.dmp

Filesize
196KB

Download
memory/2044-79-0x0000000000330000-0x0000000000361000-memory.dmp

Filesize
196KB

Download