plugx | ac6d3d0091a7fd9e6f7c8dd56f9a59e93e63f9a11d11ded69c04fbbf2798d982

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
24-07-2022 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac6d3d0091a7fd9e6f7c8dd56f9a59e93e63f9a11d11ded69c04fbbf2798d982.exe
Size

309KB
MD5

5bdaf494af7e2c4b987e6c99d3f9bd9d
SHA1

3e2d5f71cb9d58a2520599d9db68cc2361ad965d
SHA256

ac6d3d0091a7fd9e6f7c8dd56f9a59e93e63f9a11d11ded69c04fbbf2798d982
SHA512

e5af6323558705b70c664d8cd5671c99f3d3f1f40e33a090b59cbe82f06a89f7e78eca1005ad01c016f5926b95c24f6f79c1f07e9f36390792a2cd0dfa88d14d

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 7 IoCs

resource	yara_rule
behavioral1/memory/1664-69-0x0000000000260000-0x000000000028C000-memory.dmp	family_plugx
behavioral1/memory/956-70-0x0000000000260000-0x000000000028C000-memory.dmp	family_plugx
behavioral1/memory/1212-71-0x0000000000200000-0x000000000022C000-memory.dmp	family_plugx
behavioral1/memory/1664-72-0x0000000000260000-0x000000000028C000-memory.dmp	family_plugx
behavioral1/memory/632-77-0x00000000002B0000-0x00000000002DC000-memory.dmp	family_plugx
behavioral1/memory/1212-78-0x0000000000200000-0x000000000022C000-memory.dmp	family_plugx
behavioral1/memory/632-79-0x00000000002B0000-0x00000000002DC000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
1664	CamMute.exe
956	CamMute.exe

Loads dropped DLL 3 IoCs

pid	Process
1780	ac6d3d0091a7fd9e6f7c8dd56f9a59e93e63f9a11d11ded69c04fbbf2798d982.exe
1664	CamMute.exe
956	CamMute.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38004400440045004400340031004600460042004300330032003200360037000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1212	svchost.exe
1212	svchost.exe
1212	svchost.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
1212	svchost.exe
1212	svchost.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
1212	svchost.exe
1212	svchost.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
1212	svchost.exe
1212	svchost.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
1212	svchost.exe
1212	svchost.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
1212	svchost.exe
1212	svchost.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
1212	svchost.exe
1212	svchost.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
632	msiexec.exe
1212	svchost.exe
1212	svchost.exe
632	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	CamMute.exe
Token: SeTcbPrivilege	1664	CamMute.exe
Token: SeDebugPrivilege	956	CamMute.exe
Token: SeTcbPrivilege	956	CamMute.exe
Token: SeDebugPrivilege	1212	svchost.exe
Token: SeTcbPrivilege	1212	svchost.exe
Token: SeDebugPrivilege	632	msiexec.exe
Token: SeTcbPrivilege	632	msiexec.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 1664	1780	ac6d3d0091a7fd9e6f7c8dd56f9a59e93e63f9a11d11ded69c04fbbf2798d982.exe	27
PID 1780 wrote to memory of 1664	1780	ac6d3d0091a7fd9e6f7c8dd56f9a59e93e63f9a11d11ded69c04fbbf2798d982.exe	27
PID 1780 wrote to memory of 1664	1780	ac6d3d0091a7fd9e6f7c8dd56f9a59e93e63f9a11d11ded69c04fbbf2798d982.exe	27
PID 1780 wrote to memory of 1664	1780	ac6d3d0091a7fd9e6f7c8dd56f9a59e93e63f9a11d11ded69c04fbbf2798d982.exe	27
PID 956 wrote to memory of 1212	956	CamMute.exe	29
PID 956 wrote to memory of 1212	956	CamMute.exe	29
PID 956 wrote to memory of 1212	956	CamMute.exe	29
PID 956 wrote to memory of 1212	956	CamMute.exe	29
PID 956 wrote to memory of 1212	956	CamMute.exe	29
PID 956 wrote to memory of 1212	956	CamMute.exe	29
PID 956 wrote to memory of 1212	956	CamMute.exe	29
PID 956 wrote to memory of 1212	956	CamMute.exe	29
PID 956 wrote to memory of 1212	956	CamMute.exe	29
PID 1212 wrote to memory of 632	1212	svchost.exe	30
PID 1212 wrote to memory of 632	1212	svchost.exe	30
PID 1212 wrote to memory of 632	1212	svchost.exe	30
PID 1212 wrote to memory of 632	1212	svchost.exe	30
PID 1212 wrote to memory of 632	1212	svchost.exe	30
PID 1212 wrote to memory of 632	1212	svchost.exe	30
PID 1212 wrote to memory of 632	1212	svchost.exe	30
PID 1212 wrote to memory of 632	1212	svchost.exe	30
PID 1212 wrote to memory of 632	1212	svchost.exe	30
PID 1212 wrote to memory of 632	1212	svchost.exe	30
PID 1212 wrote to memory of 632	1212	svchost.exe	30
PID 1212 wrote to memory of 632	1212	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\ac6d3d0091a7fd9e6f7c8dd56f9a59e93e63f9a11d11ded69c04fbbf2798d982.exe
"C:\Users\Admin\AppData\Local\Temp\ac6d3d0091a7fd9e6f7c8dd56f9a59e93e63f9a11d11ded69c04fbbf2798d982.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe
  "C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe" 100 1780
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1664

C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe
"C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1212
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe

Filesize
56KB

MD5
4c8cdd74359dad73a2d499e5775b9bb9

SHA1
89fde2c26d2bdbc5592aa54c65fac51e3f6df631

SHA256
457b71d3effea8ec517277d17cf35a0b775103e549c0a779c81ba4eb125503ba

SHA512
3395cbc20b924d1ea5694180b67a4f410fbfa25e9d977334911a3c9ea93724c7cec763ea2c77444761b93d353888ee262021c7be0cb98918fd5e5044571552c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe

Filesize
56KB

MD5
4c8cdd74359dad73a2d499e5775b9bb9

SHA1
89fde2c26d2bdbc5592aa54c65fac51e3f6df631

SHA256
457b71d3effea8ec517277d17cf35a0b775103e549c0a779c81ba4eb125503ba

SHA512
3395cbc20b924d1ea5694180b67a4f410fbfa25e9d977334911a3c9ea93724c7cec763ea2c77444761b93d353888ee262021c7be0cb98918fd5e5044571552c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAM\CommFunc.dll

Filesize
40KB

MD5
6be2cf583a8d3187a04772aee4c05ab6

SHA1
d8ddeaf4a9c23bc05829bbb7b1738513bb1ac310

SHA256
b81c356b56b292b51b0e03ee2c69d96de2a3e0e6f6e7f6111119400a6c7ac14f

SHA512
b571ebda31070b5c48fca922e209712379dff14d32989d6acf664320b6c8ea1031e18a16903ac56e6909c93403467de4679bcc3989691ebf7bd11ece0ff1acfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAM\CommFunc.jax

Filesize
111KB

MD5
0931bcecccf1a17b9071439f8925e3d5

SHA1
6aca8440e310343b4e257ce1f81a1058fff037af

SHA256
e33b5532f8e99e09dcac3cb616b36e4e6deeb7f20199880afaf1fd346f169366

SHA512
efeb0630b5ca0696cab8541e117f690a931f647d94489a7885bb22acd4603e9d4a4f6b835fd65976c41184a01469b14fc3cc699c8d33c8d44ee1ddc6b0a7659a

Download Submit
\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe

Filesize
56KB

MD5
4c8cdd74359dad73a2d499e5775b9bb9

SHA1
89fde2c26d2bdbc5592aa54c65fac51e3f6df631

SHA256
457b71d3effea8ec517277d17cf35a0b775103e549c0a779c81ba4eb125503ba

SHA512
3395cbc20b924d1ea5694180b67a4f410fbfa25e9d977334911a3c9ea93724c7cec763ea2c77444761b93d353888ee262021c7be0cb98918fd5e5044571552c8

Download Submit
\Users\Admin\AppData\Local\Temp\CAM\CommFunc.dll

Filesize
40KB

MD5
6be2cf583a8d3187a04772aee4c05ab6

SHA1
d8ddeaf4a9c23bc05829bbb7b1738513bb1ac310

SHA256
b81c356b56b292b51b0e03ee2c69d96de2a3e0e6f6e7f6111119400a6c7ac14f

SHA512
b571ebda31070b5c48fca922e209712379dff14d32989d6acf664320b6c8ea1031e18a16903ac56e6909c93403467de4679bcc3989691ebf7bd11ece0ff1acfb

Download Submit
\Users\Admin\AppData\Local\Temp\CAM\CommFunc.dll

Filesize
40KB

MD5
6be2cf583a8d3187a04772aee4c05ab6

SHA1
d8ddeaf4a9c23bc05829bbb7b1738513bb1ac310

SHA256
b81c356b56b292b51b0e03ee2c69d96de2a3e0e6f6e7f6111119400a6c7ac14f

SHA512
b571ebda31070b5c48fca922e209712379dff14d32989d6acf664320b6c8ea1031e18a16903ac56e6909c93403467de4679bcc3989691ebf7bd11ece0ff1acfb

Download Submit
memory/632-79-0x00000000002B0000-0x00000000002DC000-memory.dmp

Filesize
176KB

Download
memory/632-77-0x00000000002B0000-0x00000000002DC000-memory.dmp

Filesize
176KB

Download
memory/956-68-0x0000000000420000-0x0000000000520000-memory.dmp

Filesize
1024KB

Download
memory/956-70-0x0000000000260000-0x000000000028C000-memory.dmp

Filesize
176KB

Download
memory/1212-71-0x0000000000200000-0x000000000022C000-memory.dmp

Filesize
176KB

Download
memory/1212-64-0x00000000000A0000-0x00000000000BA000-memory.dmp

Filesize
104KB

Download
memory/1212-78-0x0000000000200000-0x000000000022C000-memory.dmp

Filesize
176KB

Download
memory/1664-69-0x0000000000260000-0x000000000028C000-memory.dmp

Filesize
176KB

Download
memory/1664-72-0x0000000000260000-0x000000000028C000-memory.dmp

Filesize
176KB

Download
memory/1664-60-0x0000000076601000-0x0000000076603000-memory.dmp

Filesize
8KB

Download