plugx | ac6d3d0091a7fd9e6f7c8dd56f9a59e93e63f9a11d11ded69c04fbbf2798d982

Analysis

max time kernel
152s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2022, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac6d3d0091a7fd9e6f7c8dd56f9a59e93e63f9a11d11ded69c04fbbf2798d982.exe
Size

309KB
MD5

5bdaf494af7e2c4b987e6c99d3f9bd9d
SHA1

3e2d5f71cb9d58a2520599d9db68cc2361ad965d
SHA256

ac6d3d0091a7fd9e6f7c8dd56f9a59e93e63f9a11d11ded69c04fbbf2798d982
SHA512

e5af6323558705b70c664d8cd5671c99f3d3f1f40e33a090b59cbe82f06a89f7e78eca1005ad01c016f5926b95c24f6f79c1f07e9f36390792a2cd0dfa88d14d

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 7 IoCs

resource	yara_rule
behavioral2/memory/4624-142-0x0000000000B40000-0x0000000000B6C000-memory.dmp	family_plugx
behavioral2/memory/3336-143-0x0000000000900000-0x000000000092C000-memory.dmp	family_plugx
behavioral2/memory/4624-144-0x0000000000B40000-0x0000000000B6C000-memory.dmp	family_plugx
behavioral2/memory/492-145-0x0000000000DA0000-0x0000000000DCC000-memory.dmp	family_plugx
behavioral2/memory/2044-147-0x0000000001290000-0x00000000012BC000-memory.dmp	family_plugx
behavioral2/memory/492-148-0x0000000000DA0000-0x0000000000DCC000-memory.dmp	family_plugx
behavioral2/memory/2044-149-0x0000000001290000-0x00000000012BC000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
4624	CamMute.exe
3336	CamMute.exe

Loads dropped DLL 2 IoCs

pid	Process
4624	CamMute.exe
3336	CamMute.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 34003900450042004200430032004200360031004500340038003000330031000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
492	svchost.exe
492	svchost.exe
492	svchost.exe
492	svchost.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
492	svchost.exe
492	svchost.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
492	svchost.exe
492	svchost.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
492	svchost.exe
492	svchost.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
492	svchost.exe
492	svchost.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
2044	msiexec.exe
492	svchost.exe
492	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
492	svchost.exe
2044	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4624	CamMute.exe
Token: SeTcbPrivilege	4624	CamMute.exe
Token: SeDebugPrivilege	3336	CamMute.exe
Token: SeTcbPrivilege	3336	CamMute.exe
Token: SeDebugPrivilege	492	svchost.exe
Token: SeTcbPrivilege	492	svchost.exe
Token: SeDebugPrivilege	2044	msiexec.exe
Token: SeTcbPrivilege	2044	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 4624	3812	ac6d3d0091a7fd9e6f7c8dd56f9a59e93e63f9a11d11ded69c04fbbf2798d982.exe	76
PID 3812 wrote to memory of 4624	3812	ac6d3d0091a7fd9e6f7c8dd56f9a59e93e63f9a11d11ded69c04fbbf2798d982.exe	76
PID 3812 wrote to memory of 4624	3812	ac6d3d0091a7fd9e6f7c8dd56f9a59e93e63f9a11d11ded69c04fbbf2798d982.exe	76
PID 3336 wrote to memory of 492	3336	CamMute.exe	78
PID 3336 wrote to memory of 492	3336	CamMute.exe	78
PID 3336 wrote to memory of 492	3336	CamMute.exe	78
PID 3336 wrote to memory of 492	3336	CamMute.exe	78
PID 3336 wrote to memory of 492	3336	CamMute.exe	78
PID 3336 wrote to memory of 492	3336	CamMute.exe	78
PID 3336 wrote to memory of 492	3336	CamMute.exe	78
PID 3336 wrote to memory of 492	3336	CamMute.exe	78
PID 492 wrote to memory of 2044	492	svchost.exe	79
PID 492 wrote to memory of 2044	492	svchost.exe	79
PID 492 wrote to memory of 2044	492	svchost.exe	79
PID 492 wrote to memory of 2044	492	svchost.exe	79
PID 492 wrote to memory of 2044	492	svchost.exe	79
PID 492 wrote to memory of 2044	492	svchost.exe	79
PID 492 wrote to memory of 2044	492	svchost.exe	79
PID 492 wrote to memory of 2044	492	svchost.exe	79

C:\Users\Admin\AppData\Local\Temp\ac6d3d0091a7fd9e6f7c8dd56f9a59e93e63f9a11d11ded69c04fbbf2798d982.exe
"C:\Users\Admin\AppData\Local\Temp\ac6d3d0091a7fd9e6f7c8dd56f9a59e93e63f9a11d11ded69c04fbbf2798d982.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe
  "C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe" 100 3812
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:4624

C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe
"C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:492
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 492
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe

Filesize
56KB

MD5
4c8cdd74359dad73a2d499e5775b9bb9

SHA1
89fde2c26d2bdbc5592aa54c65fac51e3f6df631

SHA256
457b71d3effea8ec517277d17cf35a0b775103e549c0a779c81ba4eb125503ba

SHA512
3395cbc20b924d1ea5694180b67a4f410fbfa25e9d977334911a3c9ea93724c7cec763ea2c77444761b93d353888ee262021c7be0cb98918fd5e5044571552c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe

Filesize
56KB

MD5
4c8cdd74359dad73a2d499e5775b9bb9

SHA1
89fde2c26d2bdbc5592aa54c65fac51e3f6df631

SHA256
457b71d3effea8ec517277d17cf35a0b775103e549c0a779c81ba4eb125503ba

SHA512
3395cbc20b924d1ea5694180b67a4f410fbfa25e9d977334911a3c9ea93724c7cec763ea2c77444761b93d353888ee262021c7be0cb98918fd5e5044571552c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe

Filesize
56KB

MD5
4c8cdd74359dad73a2d499e5775b9bb9

SHA1
89fde2c26d2bdbc5592aa54c65fac51e3f6df631

SHA256
457b71d3effea8ec517277d17cf35a0b775103e549c0a779c81ba4eb125503ba

SHA512
3395cbc20b924d1ea5694180b67a4f410fbfa25e9d977334911a3c9ea93724c7cec763ea2c77444761b93d353888ee262021c7be0cb98918fd5e5044571552c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAM\CommFunc.dll

Filesize
40KB

MD5
6be2cf583a8d3187a04772aee4c05ab6

SHA1
d8ddeaf4a9c23bc05829bbb7b1738513bb1ac310

SHA256
b81c356b56b292b51b0e03ee2c69d96de2a3e0e6f6e7f6111119400a6c7ac14f

SHA512
b571ebda31070b5c48fca922e209712379dff14d32989d6acf664320b6c8ea1031e18a16903ac56e6909c93403467de4679bcc3989691ebf7bd11ece0ff1acfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAM\CommFunc.dll

Filesize
40KB

MD5
6be2cf583a8d3187a04772aee4c05ab6

SHA1
d8ddeaf4a9c23bc05829bbb7b1738513bb1ac310

SHA256
b81c356b56b292b51b0e03ee2c69d96de2a3e0e6f6e7f6111119400a6c7ac14f

SHA512
b571ebda31070b5c48fca922e209712379dff14d32989d6acf664320b6c8ea1031e18a16903ac56e6909c93403467de4679bcc3989691ebf7bd11ece0ff1acfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAM\CommFunc.dll

Filesize
40KB

MD5
6be2cf583a8d3187a04772aee4c05ab6

SHA1
d8ddeaf4a9c23bc05829bbb7b1738513bb1ac310

SHA256
b81c356b56b292b51b0e03ee2c69d96de2a3e0e6f6e7f6111119400a6c7ac14f

SHA512
b571ebda31070b5c48fca922e209712379dff14d32989d6acf664320b6c8ea1031e18a16903ac56e6909c93403467de4679bcc3989691ebf7bd11ece0ff1acfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAM\CommFunc.jax

Filesize
111KB

MD5
0931bcecccf1a17b9071439f8925e3d5

SHA1
6aca8440e310343b4e257ce1f81a1058fff037af

SHA256
e33b5532f8e99e09dcac3cb616b36e4e6deeb7f20199880afaf1fd346f169366

SHA512
efeb0630b5ca0696cab8541e117f690a931f647d94489a7885bb22acd4603e9d4a4f6b835fd65976c41184a01469b14fc3cc699c8d33c8d44ee1ddc6b0a7659a

Download Submit
memory/492-145-0x0000000000DA0000-0x0000000000DCC000-memory.dmp

Filesize
176KB

Download
memory/492-148-0x0000000000DA0000-0x0000000000DCC000-memory.dmp

Filesize
176KB

Download
memory/2044-147-0x0000000001290000-0x00000000012BC000-memory.dmp

Filesize
176KB

Download
memory/2044-149-0x0000000001290000-0x00000000012BC000-memory.dmp

Filesize
176KB

Download
memory/3336-143-0x0000000000900000-0x000000000092C000-memory.dmp

Filesize
176KB

Download
memory/4624-138-0x0000000000A40000-0x0000000000B40000-memory.dmp

Filesize
1024KB

Download
memory/4624-142-0x0000000000B40000-0x0000000000B6C000-memory.dmp

Filesize
176KB

Download
memory/4624-144-0x0000000000B40000-0x0000000000B6C000-memory.dmp

Filesize
176KB

Download