plugx | 72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274

Analysis

max time kernel
154s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
01-07-2022 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe
Size

282KB
MD5

0007d793ad31e3820d29dd5e748fee74
SHA1

8baae1242567f5a89904edcb73a5fa357df1a69d
SHA256

72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274
SHA512

c940e4a5d43bf0b4655139924bc8c8a3d412b07a27bb9fb439985015e3a1eaf72bdc93582cd434d91300de58b6199035cef5ceaab60a2686c0a44b5c7eaaa854

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 6 IoCs

resource	yara_rule
behavioral2/memory/2668-136-0x00000000020D0000-0x0000000002101000-memory.dmp	family_plugx
behavioral2/memory/1768-145-0x0000000000D90000-0x0000000000DC1000-memory.dmp	family_plugx
behavioral2/memory/3952-146-0x0000000000E30000-0x0000000000E61000-memory.dmp	family_plugx
behavioral2/memory/2300-149-0x0000000002A00000-0x0000000002A31000-memory.dmp	family_plugx
behavioral2/memory/3952-150-0x0000000000E30000-0x0000000000E61000-memory.dmp	family_plugx
behavioral2/memory/2300-151-0x0000000002A00000-0x0000000002A31000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
2668	Mc.exe
1768	Mc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe

Loads dropped DLL 2 IoCs

pid	Process
2668	Mc.exe
1768	Mc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 37003100390043003000310032003600440032004400380033004100310033000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3952	svchost.exe
3952	svchost.exe
3952	svchost.exe
3952	svchost.exe
3952	svchost.exe
3952	svchost.exe
3952	svchost.exe
3952	svchost.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
3952	svchost.exe
3952	svchost.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
3952	svchost.exe
3952	svchost.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
3952	svchost.exe
3952	svchost.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
3952	svchost.exe
3952	svchost.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe
2300	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3952	svchost.exe
2300	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	Mc.exe
Token: SeTcbPrivilege	2668	Mc.exe
Token: SeDebugPrivilege	1768	Mc.exe
Token: SeTcbPrivilege	1768	Mc.exe
Token: SeDebugPrivilege	3952	svchost.exe
Token: SeTcbPrivilege	3952	svchost.exe
Token: SeDebugPrivilege	2300	msiexec.exe
Token: SeTcbPrivilege	2300	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 2668	4912	72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe	82
PID 4912 wrote to memory of 2668	4912	72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe	82
PID 4912 wrote to memory of 2668	4912	72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe	82
PID 1768 wrote to memory of 3952	1768	Mc.exe	90
PID 1768 wrote to memory of 3952	1768	Mc.exe	90
PID 1768 wrote to memory of 3952	1768	Mc.exe	90
PID 1768 wrote to memory of 3952	1768	Mc.exe	90
PID 1768 wrote to memory of 3952	1768	Mc.exe	90
PID 1768 wrote to memory of 3952	1768	Mc.exe	90
PID 1768 wrote to memory of 3952	1768	Mc.exe	90
PID 1768 wrote to memory of 3952	1768	Mc.exe	90
PID 3952 wrote to memory of 2300	3952	svchost.exe	94
PID 3952 wrote to memory of 2300	3952	svchost.exe	94
PID 3952 wrote to memory of 2300	3952	svchost.exe	94
PID 3952 wrote to memory of 2300	3952	svchost.exe	94
PID 3952 wrote to memory of 2300	3952	svchost.exe	94
PID 3952 wrote to memory of 2300	3952	svchost.exe	94
PID 3952 wrote to memory of 2300	3952	svchost.exe	94
PID 3952 wrote to memory of 2300	3952	svchost.exe	94

C:\Users\Admin\AppData\Local\Temp\72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe
"C:\Users\Admin\AppData\Local\Temp\72120bf8bf604bc1f1aa455b22d3df431cc95836306fab186cd64da53527a274.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2668

C:\ProgramData\SxS\Mc.exe
C:\ProgramData\SxS\Mc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 3952
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\Mc.exe

Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
C:\ProgramData\SxS\Mc.exe

Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
C:\ProgramData\SxS\McUtil.dll

Filesize
48KB

MD5
1cc39f75936ccfcd2e7d35384afba8e9

SHA1
a49603344986f38f6b99107303f6aa1705b26304

SHA256
860047314b4d56e5de6701c0653407717d122d75c34cbef7ef9887aa8d104a77

SHA512
f030af05d25fff59537b211f296969d8d9c558c2c58e6d1f002768f69f88eaeea324ed484f38ac32d79893f7f409526196bc4d655d51d7462839340cc51a22ed

Download Submit
C:\ProgramData\SxS\McUtil.dll

Filesize
48KB

MD5
1cc39f75936ccfcd2e7d35384afba8e9

SHA1
a49603344986f38f6b99107303f6aa1705b26304

SHA256
860047314b4d56e5de6701c0653407717d122d75c34cbef7ef9887aa8d104a77

SHA512
f030af05d25fff59537b211f296969d8d9c558c2c58e6d1f002768f69f88eaeea324ed484f38ac32d79893f7f409526196bc4d655d51d7462839340cc51a22ed

Download Submit
C:\ProgramData\SxS\McUtil.dll.url

Filesize
122KB

MD5
dca6e071f7b5ab1f4378face61c45b91

SHA1
8d23590e8e0d47e476d496838b0f8c05ef45edc0

SHA256
565fb02fd1038df56e48297b8e4503f444f6cd74959e90972fc449e91e0cbd67

SHA512
d52ba5058fe19adb73c2be39ca55c51ec21471538afc1ff93c5d34ff9b0b135daf739a4fa5409c8bb72e86016f1c0d516472918f0895ea02f6f440d27031e303

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
652B

MD5
9eb490eb6e6df4923ee6d9eb6421b742

SHA1
bf7fcbef7e8162f1e00ba939a730752ca4ac172a

SHA256
e52f5ce0d7ffea736fe9cb3950472185b0e7af278cec37738f07dc9d5116c318

SHA512
37c4e16ca154677318074e6dc61ee8f7caaa2bb391038525462d6a355a64afedb11797b0ffe32b60241541ddb987f3047e9267e4afe290b709fd4853a4b03210

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
814B

MD5
c273e43d21154c81190b054e329f20f0

SHA1
2e2e9fa7c03a7470251fc2b1a00addf0a42e43da

SHA256
f655021284864dac68f4ad1f69cf8b9c4454afbb7ea760761a598664e1240f55

SHA512
85c180fa9de6bd1dd39e4b34a660ba3a509771d209548fa70ed6db4b38f747844c90e8bee7969c7332217d4092f3b6116f6583ab6a77ed3eae29d4ce5ddc876a

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
1KB

MD5
8d6a37666236ff86c428c1025499cdb1

SHA1
708716d31c5b8829957e86e902d30a9163ab2ebc

SHA256
166813f1e24b61454739713f473184b4320a4f98b83061b4cdcdf5582c351c09

SHA512
15014e1a35a1ff2fd6d1ea9282110dba74dee811f641af2a6213559a76f2a374ceac1288b42da632b01fdd9c2377cc78c8e0567ff43643a148e4cc50c57ee168

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
1KB

MD5
1cbca2989325c8ff0907f5307ccc970c

SHA1
a460dfe43036d411cbd7e6b0c14b8e21c89e6d80

SHA256
b4406535f4e0fc2387689bc475a9193f7a725401ee1659acb17cddbbdd0261ad

SHA512
890f01e43cbe294a97ea4c1e33a3b657df0fd7de0220517b17678447280c544461eab9b1abb2ae61757585bde3f43ed7381b38d76cfd9e46db21362dba8e1811

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe

Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe

Filesize
137KB

MD5
884d46c01c762ad6ddd2759fd921bf71

SHA1
d201b130232e0ea411daa23c1ba2892fe6468712

SHA256
3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

SHA512
0acb3fe1050c1c07880ed2161956c4bee7c1e813a5fb518059b9bb88ed0bff50c108ad7b3708b6568413df4bdcc6f4d26dcd8759625a5ab77c4b26c1ba4f8813

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll

Filesize
48KB

MD5
1cc39f75936ccfcd2e7d35384afba8e9

SHA1
a49603344986f38f6b99107303f6aa1705b26304

SHA256
860047314b4d56e5de6701c0653407717d122d75c34cbef7ef9887aa8d104a77

SHA512
f030af05d25fff59537b211f296969d8d9c558c2c58e6d1f002768f69f88eaeea324ed484f38ac32d79893f7f409526196bc4d655d51d7462839340cc51a22ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll

Filesize
48KB

MD5
1cc39f75936ccfcd2e7d35384afba8e9

SHA1
a49603344986f38f6b99107303f6aa1705b26304

SHA256
860047314b4d56e5de6701c0653407717d122d75c34cbef7ef9887aa8d104a77

SHA512
f030af05d25fff59537b211f296969d8d9c558c2c58e6d1f002768f69f88eaeea324ed484f38ac32d79893f7f409526196bc4d655d51d7462839340cc51a22ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\McUtil.dll.url

Filesize
122KB

MD5
dca6e071f7b5ab1f4378face61c45b91

SHA1
8d23590e8e0d47e476d496838b0f8c05ef45edc0

SHA256
565fb02fd1038df56e48297b8e4503f444f6cd74959e90972fc449e91e0cbd67

SHA512
d52ba5058fe19adb73c2be39ca55c51ec21471538afc1ff93c5d34ff9b0b135daf739a4fa5409c8bb72e86016f1c0d516472918f0895ea02f6f440d27031e303

Download Submit
memory/1768-145-0x0000000000D90000-0x0000000000DC1000-memory.dmp

Filesize
196KB

Download
memory/2300-149-0x0000000002A00000-0x0000000002A31000-memory.dmp

Filesize
196KB

Download
memory/2300-151-0x0000000002A00000-0x0000000002A31000-memory.dmp

Filesize
196KB

Download
memory/2668-136-0x00000000020D0000-0x0000000002101000-memory.dmp

Filesize
196KB

Download
memory/3952-146-0x0000000000E30000-0x0000000000E61000-memory.dmp

Filesize
196KB

Download
memory/3952-150-0x0000000000E30000-0x0000000000E61000-memory.dmp

Filesize
196KB

Download