plugx | 13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949.exe
Size

227KB
MD5

79dd734c547109ae9e5928abbb9acfc0
SHA1

f67b2893a3d249665b86595f39f4a30099d83089
SHA256

13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949
SHA512

2aa189ac5de00a88d7fb8fd76b50a1b425b018e7382cb9fe1e05ac083df24f16180ed56e800d2317d89882dd590652a0cdcb78073f613795f6c81046285ff881
SSDEEP

6144:xLkD+fqCNAl8aVuMULdQrdas2gQntcgMly5CjrjZZ6AnRl:xYD+iCNAl/HULdQrRfQnegMlcCjeAnRl

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1708-73-0x0000000000340000-0x000000000036E000-memory.dmp	family_plugx
behavioral1/memory/676-74-0x0000000000870000-0x000000000089E000-memory.dmp	family_plugx
behavioral1/memory/660-75-0x0000000000100000-0x000000000012E000-memory.dmp	family_plugx
behavioral1/memory/1120-80-0x0000000000290000-0x00000000002BE000-memory.dmp	family_plugx
behavioral1/memory/660-81-0x0000000000100000-0x000000000012E000-memory.dmp	family_plugx
behavioral1/memory/1120-82-0x0000000000290000-0x00000000002BE000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 2 IoCs

Processes:

SOUNDMAN.exeSOUNDMAN.exe

pid process

1708 SOUNDMAN.exe
676 SOUNDMAN.exe
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

660 svchost.exe

pid	process
1708	SOUNDMAN.exe
676	SOUNDMAN.exe

Loads dropped DLL 4 IoCs

Processes:

13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949.exeSOUNDMAN.exeSOUNDMAN.exe

pid	process
620	13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949.exe
620	13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949.exe
1708	SOUNDMAN.exe
676	SOUNDMAN.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\MJ	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 36004300330032003900330033003600410046003700370031003600390033000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exemsiexec.exe

pid	process
660	svchost.exe
660	svchost.exe
660	svchost.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
660	svchost.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
660	svchost.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
660	svchost.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
660	svchost.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
660	svchost.exe
660	svchost.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
660	svchost.exe
660	svchost.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
660	svchost.exe
660	svchost.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
660	svchost.exe
660	svchost.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
1120	msiexec.exe
660	svchost.exe
660	svchost.exe
1120	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

SOUNDMAN.exeSOUNDMAN.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1708	SOUNDMAN.exe
Token: SeTcbPrivilege	1708	SOUNDMAN.exe
Token: SeDebugPrivilege	676	SOUNDMAN.exe
Token: SeTcbPrivilege	676	SOUNDMAN.exe
Token: SeDebugPrivilege	660	svchost.exe
Token: SeTcbPrivilege	660	svchost.exe
Token: SeDebugPrivilege	1120	msiexec.exe
Token: SeTcbPrivilege	1120	msiexec.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949.exeSOUNDMAN.exesvchost.exe

description	pid	process	target process
PID 620 wrote to memory of 1708	620	13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949.exe	SOUNDMAN.exe
PID 620 wrote to memory of 1708	620	13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949.exe	SOUNDMAN.exe
PID 620 wrote to memory of 1708	620	13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949.exe	SOUNDMAN.exe
PID 620 wrote to memory of 1708	620	13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949.exe	SOUNDMAN.exe
PID 676 wrote to memory of 660	676	SOUNDMAN.exe	svchost.exe
PID 676 wrote to memory of 660	676	SOUNDMAN.exe	svchost.exe
PID 676 wrote to memory of 660	676	SOUNDMAN.exe	svchost.exe
PID 676 wrote to memory of 660	676	SOUNDMAN.exe	svchost.exe
PID 676 wrote to memory of 660	676	SOUNDMAN.exe	svchost.exe
PID 676 wrote to memory of 660	676	SOUNDMAN.exe	svchost.exe
PID 676 wrote to memory of 660	676	SOUNDMAN.exe	svchost.exe
PID 676 wrote to memory of 660	676	SOUNDMAN.exe	svchost.exe
PID 676 wrote to memory of 660	676	SOUNDMAN.exe	svchost.exe
PID 660 wrote to memory of 1120	660	svchost.exe	msiexec.exe
PID 660 wrote to memory of 1120	660	svchost.exe	msiexec.exe
PID 660 wrote to memory of 1120	660	svchost.exe	msiexec.exe
PID 660 wrote to memory of 1120	660	svchost.exe	msiexec.exe
PID 660 wrote to memory of 1120	660	svchost.exe	msiexec.exe
PID 660 wrote to memory of 1120	660	svchost.exe	msiexec.exe
PID 660 wrote to memory of 1120	660	svchost.exe	msiexec.exe
PID 660 wrote to memory of 1120	660	svchost.exe	msiexec.exe
PID 660 wrote to memory of 1120	660	svchost.exe	msiexec.exe
PID 660 wrote to memory of 1120	660	svchost.exe	msiexec.exe
PID 660 wrote to memory of 1120	660	svchost.exe	msiexec.exe
PID 660 wrote to memory of 1120	660	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949.exe
"C:\Users\Admin\AppData\Local\Temp\13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:620
- C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe
  "C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe" 100 620
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1708

C:\ProgramData\SOUNDMAN\SOUNDMAN.exe
C:\ProgramData\SOUNDMAN\SOUNDMAN.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Deletes itself
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SOUNDMAN\HID.DLL

Filesize
41KB

MD5
89fb8ee88cfd469e14bc7493d78b70c4

SHA1
0f431b38ef83728e71aa044b06da6e8f989cfbbd

SHA256
a8099c7b3748c3b1bff3cd477f3c29bba86ebb6797a08f89f3a661df820adf51

SHA512
2e0f4838d8edc15e11410f23557dd96cf56ec1e9ad649d50314a3715a66d2adbd7de2ecf19c722df2f9833eee5db15db5b3cfa894e9a3a7df8c0abad2725f1ca

Download Submit
C:\ProgramData\SOUNDMAN\HID.DLLx

Filesize
116KB

MD5
6e41d17b267dd2378feb4b0211dece84

SHA1
860c85a6887360a5dff2547422b0b7c1ce5212f5

SHA256
b8a3f4ca6e1c803ab1b8b709f256a82d6dfa3f33c8ec48d5f5f186031419d8ee

SHA512
e496c67bf3f02fe84501fe2d6fb09578473932fc6917f4087c830820a617419044713d782231fa57b24e23009f03b43974a023baaa832d75369769f27da1310a

Download Submit
C:\ProgramData\SOUNDMAN\SOUNDMAN.exe

Filesize
82KB

MD5
798c0c1ff4e0fce646ca82ae0379ccb0

SHA1
3f65f997f350a59ac67e432092cf7f5cfe94a701

SHA256
54d08331f511823755cbbac3aad698bbcdfcde71f47b827dcfc6ada89e753d80

SHA512
be7924f6179d774d0e4f91a6f044abbb12e9cbf1e19a49e115da5a2eeedbe4c0b29879cf41008d27d13fdb80963d846527d53721d94668719d1331bf1867de3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\HID.DLL

Filesize
41KB

MD5
89fb8ee88cfd469e14bc7493d78b70c4

SHA1
0f431b38ef83728e71aa044b06da6e8f989cfbbd

SHA256
a8099c7b3748c3b1bff3cd477f3c29bba86ebb6797a08f89f3a661df820adf51

SHA512
2e0f4838d8edc15e11410f23557dd96cf56ec1e9ad649d50314a3715a66d2adbd7de2ecf19c722df2f9833eee5db15db5b3cfa894e9a3a7df8c0abad2725f1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\HID.DLLx

Filesize
116KB

MD5
6e41d17b267dd2378feb4b0211dece84

SHA1
860c85a6887360a5dff2547422b0b7c1ce5212f5

SHA256
b8a3f4ca6e1c803ab1b8b709f256a82d6dfa3f33c8ec48d5f5f186031419d8ee

SHA512
e496c67bf3f02fe84501fe2d6fb09578473932fc6917f4087c830820a617419044713d782231fa57b24e23009f03b43974a023baaa832d75369769f27da1310a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe

Filesize
82KB

MD5
798c0c1ff4e0fce646ca82ae0379ccb0

SHA1
3f65f997f350a59ac67e432092cf7f5cfe94a701

SHA256
54d08331f511823755cbbac3aad698bbcdfcde71f47b827dcfc6ada89e753d80

SHA512
be7924f6179d774d0e4f91a6f044abbb12e9cbf1e19a49e115da5a2eeedbe4c0b29879cf41008d27d13fdb80963d846527d53721d94668719d1331bf1867de3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe

Filesize
82KB

MD5
798c0c1ff4e0fce646ca82ae0379ccb0

SHA1
3f65f997f350a59ac67e432092cf7f5cfe94a701

SHA256
54d08331f511823755cbbac3aad698bbcdfcde71f47b827dcfc6ada89e753d80

SHA512
be7924f6179d774d0e4f91a6f044abbb12e9cbf1e19a49e115da5a2eeedbe4c0b29879cf41008d27d13fdb80963d846527d53721d94668719d1331bf1867de3e

Download Submit
\ProgramData\SOUNDMAN\HID.dll

Filesize
41KB

MD5
89fb8ee88cfd469e14bc7493d78b70c4

SHA1
0f431b38ef83728e71aa044b06da6e8f989cfbbd

SHA256
a8099c7b3748c3b1bff3cd477f3c29bba86ebb6797a08f89f3a661df820adf51

SHA512
2e0f4838d8edc15e11410f23557dd96cf56ec1e9ad649d50314a3715a66d2adbd7de2ecf19c722df2f9833eee5db15db5b3cfa894e9a3a7df8c0abad2725f1ca

Download Submit
\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe

Filesize
82KB

MD5
798c0c1ff4e0fce646ca82ae0379ccb0

SHA1
3f65f997f350a59ac67e432092cf7f5cfe94a701

SHA256
54d08331f511823755cbbac3aad698bbcdfcde71f47b827dcfc6ada89e753d80

SHA512
be7924f6179d774d0e4f91a6f044abbb12e9cbf1e19a49e115da5a2eeedbe4c0b29879cf41008d27d13fdb80963d846527d53721d94668719d1331bf1867de3e

Download Submit
\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe

Filesize
82KB

MD5
798c0c1ff4e0fce646ca82ae0379ccb0

SHA1
3f65f997f350a59ac67e432092cf7f5cfe94a701

SHA256
54d08331f511823755cbbac3aad698bbcdfcde71f47b827dcfc6ada89e753d80

SHA512
be7924f6179d774d0e4f91a6f044abbb12e9cbf1e19a49e115da5a2eeedbe4c0b29879cf41008d27d13fdb80963d846527d53721d94668719d1331bf1867de3e

Download Submit
\Users\Admin\AppData\Local\Temp\HID\hid.dll

Filesize
41KB

MD5
89fb8ee88cfd469e14bc7493d78b70c4

SHA1
0f431b38ef83728e71aa044b06da6e8f989cfbbd

SHA256
a8099c7b3748c3b1bff3cd477f3c29bba86ebb6797a08f89f3a661df820adf51

SHA512
2e0f4838d8edc15e11410f23557dd96cf56ec1e9ad649d50314a3715a66d2adbd7de2ecf19c722df2f9833eee5db15db5b3cfa894e9a3a7df8c0abad2725f1ca

Download Submit
memory/660-81-0x0000000000100000-0x000000000012E000-memory.dmp

Filesize
184KB

Download
memory/660-68-0x00000000000A0000-0x00000000000BB000-memory.dmp

Filesize
108KB

Download
memory/660-70-0x0000000000000000-mapping.dmp

Download
memory/660-75-0x0000000000100000-0x000000000012E000-memory.dmp

Filesize
184KB

Download
memory/676-72-0x0000000000240000-0x0000000000340000-memory.dmp

Filesize
1024KB

Download
memory/676-74-0x0000000000870000-0x000000000089E000-memory.dmp

Filesize
184KB

Download
memory/1120-78-0x0000000000000000-mapping.dmp

Download
memory/1120-80-0x0000000000290000-0x00000000002BE000-memory.dmp

Filesize
184KB

Download
memory/1120-82-0x0000000000290000-0x00000000002BE000-memory.dmp

Filesize
184KB

Download
memory/1708-73-0x0000000000340000-0x000000000036E000-memory.dmp

Filesize
184KB

Download
memory/1708-56-0x0000000000000000-mapping.dmp

Download
memory/1708-58-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download