plugx | e383f0476135560686dc4ac2f5790010ff2883cd8f783cf95ab70aa756745651

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2022 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

333e7c22e5aac779863c710144d74913d8ac88443ffe4349c5c8882fc4b7d999.exe
Size

590KB
MD5

99b4e8725fcc7c754f5e11c1a286654d
SHA1

10cc781ca3eb4f11007a9209efd4e7d4621cb959
SHA256

333e7c22e5aac779863c710144d74913d8ac88443ffe4349c5c8882fc4b7d999
SHA512

1d01bda85600490dcb7595bfcf0cf5a435b5adc437123ca6acd76c2f84028b2cfd0a23281fb45926d91a004574a66b8ac07c699e5957fb565b9016acfe92d3de
SSDEEP

12288:ahxp3lZnT9bD8R3bXsTE57bBoUgm5tbOTHvrPOMo/dtvM1GBRxKYi:aJlh9bD8Rr8+bbyrnoltRRxKl

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5048-149-0x00000000015C0000-0x00000000015EF000-memory.dmp	family_plugx
behavioral2/memory/1340-150-0x0000000001020000-0x000000000104F000-memory.dmp	family_plugx
behavioral2/memory/3132-151-0x0000000002B90000-0x0000000002BBF000-memory.dmp	family_plugx
behavioral2/memory/460-152-0x0000000000AA0000-0x0000000000ACF000-memory.dmp	family_plugx
behavioral2/memory/1008-154-0x0000000000BE0000-0x0000000000C0F000-memory.dmp	family_plugx
behavioral2/memory/460-155-0x0000000000AA0000-0x0000000000ACF000-memory.dmp	family_plugx
behavioral2/memory/1008-156-0x0000000000BE0000-0x0000000000C0F000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 3 IoCs

Processes:

AdobeHelper.exeAdobeHelper.exeAdobeHelper.exe

pid process

3132 AdobeHelper.exe
1340 AdobeHelper.exe
5048 AdobeHelper.exe

pid	process
3132	AdobeHelper.exe
1340	AdobeHelper.exe
5048	AdobeHelper.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

333e7c22e5aac779863c710144d74913d8ac88443ffe4349c5c8882fc4b7d999.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	333e7c22e5aac779863c710144d74913d8ac88443ffe4349c5c8882fc4b7d999.exe

Loads dropped DLL 3 IoCs

Processes:

AdobeHelper.exeAdobeHelper.exeAdobeHelper.exe

pid process

3132 AdobeHelper.exe
1340 AdobeHelper.exe
5048 AdobeHelper.exe
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 46.249.49.21
Destination IP 46.249.49.21
Destination IP 46.249.49.21
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3132	AdobeHelper.exe
1340	AdobeHelper.exe
5048	AdobeHelper.exe

description	ioc
Destination IP	46.249.49.21
Destination IP	46.249.49.21
Destination IP	46.249.49.21

Modifies data under HKEY_USERS 17 IoCs

Processes:

odbcad32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	odbcad32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	odbcad32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	odbcad32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	odbcad32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	odbcad32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent	odbcad32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	odbcad32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent	odbcad32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	odbcad32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	odbcad32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	odbcad32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	odbcad32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	odbcad32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	odbcad32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	odbcad32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0	odbcad32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	odbcad32.exe

Modifies registry class 2 IoCs

Processes:

odbcad32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	odbcad32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44004100360035004600410030003200350041003900370030003300340041000000	odbcad32.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

odbcad32.exeodbcad32.exe

pid process

460 odbcad32.exe
1008 odbcad32.exe

pid	process
460	odbcad32.exe
1008	odbcad32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AdobeHelper.exeodbcad32.exeodbcad32.exe

pid	process
1340	AdobeHelper.exe
1340	AdobeHelper.exe
460	odbcad32.exe
460	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
460	odbcad32.exe
460	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
460	odbcad32.exe
460	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
460	odbcad32.exe
460	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
460	odbcad32.exe
460	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
1008	odbcad32.exe
460	odbcad32.exe
460	odbcad32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

odbcad32.exeodbcad32.exe

pid process

460 odbcad32.exe
1008 odbcad32.exe

pid	process
460	odbcad32.exe
1008	odbcad32.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

AdobeHelper.exeAdobeHelper.exeAdobeHelper.exeodbcad32.exeodbcad32.exe

description	pid	process
Token: SeDebugPrivilege	3132	AdobeHelper.exe
Token: SeTcbPrivilege	3132	AdobeHelper.exe
Token: SeDebugPrivilege	1340	AdobeHelper.exe
Token: SeTcbPrivilege	1340	AdobeHelper.exe
Token: SeDebugPrivilege	5048	AdobeHelper.exe
Token: SeTcbPrivilege	5048	AdobeHelper.exe
Token: SeDebugPrivilege	460	odbcad32.exe
Token: SeTcbPrivilege	460	odbcad32.exe
Token: SeDebugPrivilege	1008	odbcad32.exe
Token: SeTcbPrivilege	1008	odbcad32.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

333e7c22e5aac779863c710144d74913d8ac88443ffe4349c5c8882fc4b7d999.exeAdobeHelper.exeodbcad32.exe

description	pid	process	target process
PID 3960 wrote to memory of 3132	3960	333e7c22e5aac779863c710144d74913d8ac88443ffe4349c5c8882fc4b7d999.exe	AdobeHelper.exe
PID 3960 wrote to memory of 3132	3960	333e7c22e5aac779863c710144d74913d8ac88443ffe4349c5c8882fc4b7d999.exe	AdobeHelper.exe
PID 3960 wrote to memory of 3132	3960	333e7c22e5aac779863c710144d74913d8ac88443ffe4349c5c8882fc4b7d999.exe	AdobeHelper.exe
PID 5048 wrote to memory of 460	5048	AdobeHelper.exe	odbcad32.exe
PID 5048 wrote to memory of 460	5048	AdobeHelper.exe	odbcad32.exe
PID 5048 wrote to memory of 460	5048	AdobeHelper.exe	odbcad32.exe
PID 5048 wrote to memory of 460	5048	AdobeHelper.exe	odbcad32.exe
PID 5048 wrote to memory of 460	5048	AdobeHelper.exe	odbcad32.exe
PID 5048 wrote to memory of 460	5048	AdobeHelper.exe	odbcad32.exe
PID 5048 wrote to memory of 460	5048	AdobeHelper.exe	odbcad32.exe
PID 5048 wrote to memory of 460	5048	AdobeHelper.exe	odbcad32.exe
PID 460 wrote to memory of 1008	460	odbcad32.exe	odbcad32.exe
PID 460 wrote to memory of 1008	460	odbcad32.exe	odbcad32.exe
PID 460 wrote to memory of 1008	460	odbcad32.exe	odbcad32.exe
PID 460 wrote to memory of 1008	460	odbcad32.exe	odbcad32.exe
PID 460 wrote to memory of 1008	460	odbcad32.exe	odbcad32.exe
PID 460 wrote to memory of 1008	460	odbcad32.exe	odbcad32.exe
PID 460 wrote to memory of 1008	460	odbcad32.exe	odbcad32.exe
PID 460 wrote to memory of 1008	460	odbcad32.exe	odbcad32.exe

C:\Users\Admin\AppData\Local\Temp\333e7c22e5aac779863c710144d74913d8ac88443ffe4349c5c8882fc4b7d999.exe
"C:\Users\Admin\AppData\Local\Temp\333e7c22e5aac779863c710144d74913d8ac88443ffe4349c5c8882fc4b7d999.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3960

C:\Users\Admin\AppData\Local\Temp\AdobeHelper.exe
"C:\Users\Admin\AppData\Local\Temp\AdobeHelper.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\ProgramData\Microsoft\Crypto\AdobeHelper.exe
"C:\ProgramData\Microsoft\Crypto\AdobeHelper.exe" 100 3132
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\ProgramData\Microsoft\Crypto\AdobeHelper.exe
"C:\ProgramData\Microsoft\Crypto\AdobeHelper.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\odbcad32.exe
C:\Windows\system32\odbcad32.exe 201 0
2⤵
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\SysWOW64\odbcad32.exe
C:\Windows\system32\odbcad32.exe 209 460
3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\AdobeHelper.exe
Filesize
286KB

MD5
17ce2dfd018e3f331f86f6ebd82794ea

SHA1
881911737507b840c2436652d032abeb62cd1d5f

SHA256
95e55a970405599c607029563fefc5e8d8160ad11f8baecf188e981ba3bb6d31

SHA512
db70df5ae9c2fd6d8700b2221b532c536dada1a8fc1f388fa33cf58d542b4da91608fad4cd1a020b6e54aeeb4b1f404aa53174f5d28b124cf3b5d7d5a35af588

Download Submit
C:\ProgramData\Microsoft\Crypto\AdobeHelper.exe
Filesize
286KB

MD5
17ce2dfd018e3f331f86f6ebd82794ea

SHA1
881911737507b840c2436652d032abeb62cd1d5f

SHA256
95e55a970405599c607029563fefc5e8d8160ad11f8baecf188e981ba3bb6d31

SHA512
db70df5ae9c2fd6d8700b2221b532c536dada1a8fc1f388fa33cf58d542b4da91608fad4cd1a020b6e54aeeb4b1f404aa53174f5d28b124cf3b5d7d5a35af588

Download Submit
C:\ProgramData\Microsoft\Crypto\AdobeHelper.exe
Filesize
286KB

MD5
17ce2dfd018e3f331f86f6ebd82794ea

SHA1
881911737507b840c2436652d032abeb62cd1d5f

SHA256
95e55a970405599c607029563fefc5e8d8160ad11f8baecf188e981ba3bb6d31

SHA512
db70df5ae9c2fd6d8700b2221b532c536dada1a8fc1f388fa33cf58d542b4da91608fad4cd1a020b6e54aeeb4b1f404aa53174f5d28b124cf3b5d7d5a35af588

Download Submit
C:\ProgramData\Microsoft\Crypto\CoreFoundation.dll
Filesize
163KB

MD5
b79a9c10017f775780e40c5b030e2043

SHA1
889e16c015a821cc1b9e272e438ced3fe096ed2c

SHA256
3e2a2567f0fee77d8a91e3291ab7520a78c7c5d2c9dd0e79f4f9d309449eb8a2

SHA512
5b359f2fb88cd1ea51044b609f67e53cc98b9d5e749526e4109300d6ccf653123bf48ce5969cd41a53d37e6fe37fab0daa74736791a5f39adba7741e605b5345

Download Submit
C:\ProgramData\Microsoft\Crypto\CoreFoundation.dll
Filesize
163KB

MD5
b79a9c10017f775780e40c5b030e2043

SHA1
889e16c015a821cc1b9e272e438ced3fe096ed2c

SHA256
3e2a2567f0fee77d8a91e3291ab7520a78c7c5d2c9dd0e79f4f9d309449eb8a2

SHA512
5b359f2fb88cd1ea51044b609f67e53cc98b9d5e749526e4109300d6ccf653123bf48ce5969cd41a53d37e6fe37fab0daa74736791a5f39adba7741e605b5345

Download Submit
C:\ProgramData\Microsoft\Crypto\CoreFoundation.dll
Filesize
163KB

MD5
b79a9c10017f775780e40c5b030e2043

SHA1
889e16c015a821cc1b9e272e438ced3fe096ed2c

SHA256
3e2a2567f0fee77d8a91e3291ab7520a78c7c5d2c9dd0e79f4f9d309449eb8a2

SHA512
5b359f2fb88cd1ea51044b609f67e53cc98b9d5e749526e4109300d6ccf653123bf48ce5969cd41a53d37e6fe37fab0daa74736791a5f39adba7741e605b5345

Download Submit
C:\ProgramData\Microsoft\Crypto\logo.png
Filesize
117KB

MD5
1c7b6f2d9ec9bb6d8c94dcf1cbb60736

SHA1
0151f42c59f1c0110f4a9c3a63a3844fc8f7b0d2

SHA256
deda3dea72ddc36d6899c7bd9711e88831dd5521d9ecf38a28b3df554d4a32cf

SHA512
b2305c7cebb7a3e5e7f171e68a13a17f261bca02d55214da7b6f42c5515a8067bd79e0dd6707aebb51e5e707dfca595cb7564c5c3a1aaa9ae4363946410dc80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeHelper.exe
Filesize
286KB

MD5
17ce2dfd018e3f331f86f6ebd82794ea

SHA1
881911737507b840c2436652d032abeb62cd1d5f

SHA256
95e55a970405599c607029563fefc5e8d8160ad11f8baecf188e981ba3bb6d31

SHA512
db70df5ae9c2fd6d8700b2221b532c536dada1a8fc1f388fa33cf58d542b4da91608fad4cd1a020b6e54aeeb4b1f404aa53174f5d28b124cf3b5d7d5a35af588

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeHelper.exe
Filesize
286KB

MD5
17ce2dfd018e3f331f86f6ebd82794ea

SHA1
881911737507b840c2436652d032abeb62cd1d5f

SHA256
95e55a970405599c607029563fefc5e8d8160ad11f8baecf188e981ba3bb6d31

SHA512
db70df5ae9c2fd6d8700b2221b532c536dada1a8fc1f388fa33cf58d542b4da91608fad4cd1a020b6e54aeeb4b1f404aa53174f5d28b124cf3b5d7d5a35af588

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoreFoundation.dll
Filesize
163KB

MD5
b79a9c10017f775780e40c5b030e2043

SHA1
889e16c015a821cc1b9e272e438ced3fe096ed2c

SHA256
3e2a2567f0fee77d8a91e3291ab7520a78c7c5d2c9dd0e79f4f9d309449eb8a2

SHA512
5b359f2fb88cd1ea51044b609f67e53cc98b9d5e749526e4109300d6ccf653123bf48ce5969cd41a53d37e6fe37fab0daa74736791a5f39adba7741e605b5345

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoreFoundation.dll
Filesize
163KB

MD5
b79a9c10017f775780e40c5b030e2043

SHA1
889e16c015a821cc1b9e272e438ced3fe096ed2c

SHA256
3e2a2567f0fee77d8a91e3291ab7520a78c7c5d2c9dd0e79f4f9d309449eb8a2

SHA512
5b359f2fb88cd1ea51044b609f67e53cc98b9d5e749526e4109300d6ccf653123bf48ce5969cd41a53d37e6fe37fab0daa74736791a5f39adba7741e605b5345

Download Submit
C:\Users\Admin\AppData\Local\Temp\logo.png
Filesize
117KB

MD5
1c7b6f2d9ec9bb6d8c94dcf1cbb60736

SHA1
0151f42c59f1c0110f4a9c3a63a3844fc8f7b0d2

SHA256
deda3dea72ddc36d6899c7bd9711e88831dd5521d9ecf38a28b3df554d4a32cf

SHA512
b2305c7cebb7a3e5e7f171e68a13a17f261bca02d55214da7b6f42c5515a8067bd79e0dd6707aebb51e5e707dfca595cb7564c5c3a1aaa9ae4363946410dc80d

Download Submit
memory/460-148-0x0000000000000000-mapping.dmp

Download
memory/460-152-0x0000000000AA0000-0x0000000000ACF000-memory.dmp

Filesize
188KB

Download
memory/460-155-0x0000000000AA0000-0x0000000000ACF000-memory.dmp

Filesize
188KB

Download
memory/1008-153-0x0000000000000000-mapping.dmp

Download
memory/1008-154-0x0000000000BE0000-0x0000000000C0F000-memory.dmp

Filesize
188KB

Download
memory/1008-156-0x0000000000BE0000-0x0000000000C0F000-memory.dmp

Filesize
188KB

Download
memory/1340-150-0x0000000001020000-0x000000000104F000-memory.dmp

Filesize
188KB

Download
memory/3132-138-0x0000000002C20000-0x0000000002D20000-memory.dmp

Filesize
1024KB

Download
memory/3132-132-0x0000000000000000-mapping.dmp

Download
memory/3132-151-0x0000000002B90000-0x0000000002BBF000-memory.dmp

Filesize
188KB

Download
memory/5048-149-0x00000000015C0000-0x00000000015EF000-memory.dmp

Filesize
188KB

Download