plugx | 13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949.exe
Size

227KB
MD5

79dd734c547109ae9e5928abbb9acfc0
SHA1

f67b2893a3d249665b86595f39f4a30099d83089
SHA256

13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949
SHA512

2aa189ac5de00a88d7fb8fd76b50a1b425b018e7382cb9fe1e05ac083df24f16180ed56e800d2317d89882dd590652a0cdcb78073f613795f6c81046285ff881
SSDEEP

6144:xLkD+fqCNAl8aVuMULdQrdas2gQntcgMly5CjrjZZ6AnRl:xYD+iCNAl/HULdQrRfQnegMlcCjeAnRl

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1704-141-0x00000000022E0000-0x000000000230E000-memory.dmp	family_plugx
behavioral2/memory/4768-146-0x0000000000E90000-0x0000000000EBE000-memory.dmp	family_plugx
behavioral2/memory/1472-149-0x0000000000D80000-0x0000000000DAE000-memory.dmp	family_plugx
behavioral2/memory/3652-151-0x0000000000880000-0x00000000008AE000-memory.dmp	family_plugx
behavioral2/memory/1472-152-0x0000000000D80000-0x0000000000DAE000-memory.dmp	family_plugx
behavioral2/memory/3652-153-0x0000000000880000-0x00000000008AE000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 2 IoCs

Processes:

SOUNDMAN.exeSOUNDMAN.exe

pid process

1704 SOUNDMAN.exe
4768 SOUNDMAN.exe
Loads dropped DLL 2 IoCs

Processes:

SOUNDMAN.exeSOUNDMAN.exe

pid process

1704 SOUNDMAN.exe
4768 SOUNDMAN.exe

pid	process
1704	SOUNDMAN.exe
4768	SOUNDMAN.exe

pid	process
1704	SOUNDMAN.exe
4768	SOUNDMAN.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\MJ	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 35003100310043003500460044004300370036004300340045003500320039000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exemsiexec.exe

pid	process
1472	svchost.exe
1472	svchost.exe
1472	svchost.exe
1472	svchost.exe
1472	svchost.exe
1472	svchost.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
1472	svchost.exe
1472	svchost.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
1472	svchost.exe
1472	svchost.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
1472	svchost.exe
1472	svchost.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
1472	svchost.exe
1472	svchost.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe
3652	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exemsiexec.exe

pid process

1472 svchost.exe
3652 msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

SOUNDMAN.exeSOUNDMAN.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1704	SOUNDMAN.exe
Token: SeTcbPrivilege	1704	SOUNDMAN.exe
Token: SeDebugPrivilege	4768	SOUNDMAN.exe
Token: SeTcbPrivilege	4768	SOUNDMAN.exe
Token: SeDebugPrivilege	1472	svchost.exe
Token: SeTcbPrivilege	1472	svchost.exe
Token: SeDebugPrivilege	3652	msiexec.exe
Token: SeTcbPrivilege	3652	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949.exeSOUNDMAN.exesvchost.exe

description	pid	process	target process
PID 5040 wrote to memory of 1704	5040	13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949.exe	SOUNDMAN.exe
PID 5040 wrote to memory of 1704	5040	13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949.exe	SOUNDMAN.exe
PID 5040 wrote to memory of 1704	5040	13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949.exe	SOUNDMAN.exe
PID 4768 wrote to memory of 1472	4768	SOUNDMAN.exe	svchost.exe
PID 4768 wrote to memory of 1472	4768	SOUNDMAN.exe	svchost.exe
PID 4768 wrote to memory of 1472	4768	SOUNDMAN.exe	svchost.exe
PID 4768 wrote to memory of 1472	4768	SOUNDMAN.exe	svchost.exe
PID 4768 wrote to memory of 1472	4768	SOUNDMAN.exe	svchost.exe
PID 4768 wrote to memory of 1472	4768	SOUNDMAN.exe	svchost.exe
PID 4768 wrote to memory of 1472	4768	SOUNDMAN.exe	svchost.exe
PID 4768 wrote to memory of 1472	4768	SOUNDMAN.exe	svchost.exe
PID 1472 wrote to memory of 3652	1472	svchost.exe	msiexec.exe
PID 1472 wrote to memory of 3652	1472	svchost.exe	msiexec.exe
PID 1472 wrote to memory of 3652	1472	svchost.exe	msiexec.exe
PID 1472 wrote to memory of 3652	1472	svchost.exe	msiexec.exe
PID 1472 wrote to memory of 3652	1472	svchost.exe	msiexec.exe
PID 1472 wrote to memory of 3652	1472	svchost.exe	msiexec.exe
PID 1472 wrote to memory of 3652	1472	svchost.exe	msiexec.exe
PID 1472 wrote to memory of 3652	1472	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949.exe
"C:\Users\Admin\AppData\Local\Temp\13ede7e26b40c2ba9de9162763fc488ec03e220f7422f885e94d935085ff8949.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe
  "C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe" 100 5040
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1704

C:\ProgramData\SOUNDMAN\SOUNDMAN.exe
C:\ProgramData\SOUNDMAN\SOUNDMAN.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SOUNDMAN\HID.DLL

Filesize
41KB

MD5
89fb8ee88cfd469e14bc7493d78b70c4

SHA1
0f431b38ef83728e71aa044b06da6e8f989cfbbd

SHA256
a8099c7b3748c3b1bff3cd477f3c29bba86ebb6797a08f89f3a661df820adf51

SHA512
2e0f4838d8edc15e11410f23557dd96cf56ec1e9ad649d50314a3715a66d2adbd7de2ecf19c722df2f9833eee5db15db5b3cfa894e9a3a7df8c0abad2725f1ca

Download Submit
C:\ProgramData\SOUNDMAN\HID.DLLx

Filesize
116KB

MD5
6e41d17b267dd2378feb4b0211dece84

SHA1
860c85a6887360a5dff2547422b0b7c1ce5212f5

SHA256
b8a3f4ca6e1c803ab1b8b709f256a82d6dfa3f33c8ec48d5f5f186031419d8ee

SHA512
e496c67bf3f02fe84501fe2d6fb09578473932fc6917f4087c830820a617419044713d782231fa57b24e23009f03b43974a023baaa832d75369769f27da1310a

Download Submit
C:\ProgramData\SOUNDMAN\HID.dll

Filesize
41KB

MD5
89fb8ee88cfd469e14bc7493d78b70c4

SHA1
0f431b38ef83728e71aa044b06da6e8f989cfbbd

SHA256
a8099c7b3748c3b1bff3cd477f3c29bba86ebb6797a08f89f3a661df820adf51

SHA512
2e0f4838d8edc15e11410f23557dd96cf56ec1e9ad649d50314a3715a66d2adbd7de2ecf19c722df2f9833eee5db15db5b3cfa894e9a3a7df8c0abad2725f1ca

Download Submit
C:\ProgramData\SOUNDMAN\SOUNDMAN.exe

Filesize
82KB

MD5
798c0c1ff4e0fce646ca82ae0379ccb0

SHA1
3f65f997f350a59ac67e432092cf7f5cfe94a701

SHA256
54d08331f511823755cbbac3aad698bbcdfcde71f47b827dcfc6ada89e753d80

SHA512
be7924f6179d774d0e4f91a6f044abbb12e9cbf1e19a49e115da5a2eeedbe4c0b29879cf41008d27d13fdb80963d846527d53721d94668719d1331bf1867de3e

Download Submit
C:\ProgramData\SOUNDMAN\SOUNDMAN.exe

Filesize
82KB

MD5
798c0c1ff4e0fce646ca82ae0379ccb0

SHA1
3f65f997f350a59ac67e432092cf7f5cfe94a701

SHA256
54d08331f511823755cbbac3aad698bbcdfcde71f47b827dcfc6ada89e753d80

SHA512
be7924f6179d774d0e4f91a6f044abbb12e9cbf1e19a49e115da5a2eeedbe4c0b29879cf41008d27d13fdb80963d846527d53721d94668719d1331bf1867de3e

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
456B

MD5
53a909ff6d9f8dcb3692da41b1136cdf

SHA1
af0ce4234d0786b08d1aef7b54dd0a629a004b55

SHA256
acc0a927d554d123bc4696de7f9c384ba0486b223abea1be25256096218973ba

SHA512
7b314b5f7864e6d236bd7d30542c8aeead8e3e1ad9c83af4468991c8cc4591cf7b032af28af113edfad947d4640ae00e3c69c385173d8c87753dbce483b26fe0

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
618B

MD5
8fff9d24637bcb8cb8228e7e0064d5d1

SHA1
e1de1224d6f5349ce7ce6a8fa502828ec848f904

SHA256
dd6f73f59f213aaabd300ae6f64e3385f4f59b68d8b51e55b9d3dee6a1581f05

SHA512
da3c09b41aed03f53f1b019f6e728ef553e547745bbe4eaf084f4079351f440a07f399271532139d83b3d4be36f68b09cc9d56839715ba73ccfb1970ca791de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\HID.DLL

Filesize
41KB

MD5
89fb8ee88cfd469e14bc7493d78b70c4

SHA1
0f431b38ef83728e71aa044b06da6e8f989cfbbd

SHA256
a8099c7b3748c3b1bff3cd477f3c29bba86ebb6797a08f89f3a661df820adf51

SHA512
2e0f4838d8edc15e11410f23557dd96cf56ec1e9ad649d50314a3715a66d2adbd7de2ecf19c722df2f9833eee5db15db5b3cfa894e9a3a7df8c0abad2725f1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\HID.DLLx

Filesize
116KB

MD5
6e41d17b267dd2378feb4b0211dece84

SHA1
860c85a6887360a5dff2547422b0b7c1ce5212f5

SHA256
b8a3f4ca6e1c803ab1b8b709f256a82d6dfa3f33c8ec48d5f5f186031419d8ee

SHA512
e496c67bf3f02fe84501fe2d6fb09578473932fc6917f4087c830820a617419044713d782231fa57b24e23009f03b43974a023baaa832d75369769f27da1310a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe

Filesize
82KB

MD5
798c0c1ff4e0fce646ca82ae0379ccb0

SHA1
3f65f997f350a59ac67e432092cf7f5cfe94a701

SHA256
54d08331f511823755cbbac3aad698bbcdfcde71f47b827dcfc6ada89e753d80

SHA512
be7924f6179d774d0e4f91a6f044abbb12e9cbf1e19a49e115da5a2eeedbe4c0b29879cf41008d27d13fdb80963d846527d53721d94668719d1331bf1867de3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe

Filesize
82KB

MD5
798c0c1ff4e0fce646ca82ae0379ccb0

SHA1
3f65f997f350a59ac67e432092cf7f5cfe94a701

SHA256
54d08331f511823755cbbac3aad698bbcdfcde71f47b827dcfc6ada89e753d80

SHA512
be7924f6179d774d0e4f91a6f044abbb12e9cbf1e19a49e115da5a2eeedbe4c0b29879cf41008d27d13fdb80963d846527d53721d94668719d1331bf1867de3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\hid.dll

Filesize
41KB

MD5
89fb8ee88cfd469e14bc7493d78b70c4

SHA1
0f431b38ef83728e71aa044b06da6e8f989cfbbd

SHA256
a8099c7b3748c3b1bff3cd477f3c29bba86ebb6797a08f89f3a661df820adf51

SHA512
2e0f4838d8edc15e11410f23557dd96cf56ec1e9ad649d50314a3715a66d2adbd7de2ecf19c722df2f9833eee5db15db5b3cfa894e9a3a7df8c0abad2725f1ca

Download Submit
memory/1472-145-0x0000000000000000-mapping.dmp

Download
memory/1472-152-0x0000000000D80000-0x0000000000DAE000-memory.dmp

Filesize
184KB

Download
memory/1472-149-0x0000000000D80000-0x0000000000DAE000-memory.dmp

Filesize
184KB

Download
memory/1704-140-0x00000000021A0000-0x00000000022A0000-memory.dmp

Filesize
1024KB

Download
memory/1704-141-0x00000000022E0000-0x000000000230E000-memory.dmp

Filesize
184KB

Download
memory/1704-132-0x0000000000000000-mapping.dmp

Download
memory/3652-150-0x0000000000000000-mapping.dmp

Download
memory/3652-151-0x0000000000880000-0x00000000008AE000-memory.dmp

Filesize
184KB

Download
memory/3652-153-0x0000000000880000-0x00000000008AE000-memory.dmp

Filesize
184KB

Download
memory/4768-146-0x0000000000E90000-0x0000000000EBE000-memory.dmp

Filesize
184KB

Download