plugx | 66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182.exe
Size

225KB
MD5

83006ac9fb73bc2b891f36dd2f759230
SHA1

9bb28483f4c32dec5f011b01f6e7e2984253ef54
SHA256

66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182
SHA512

424b98dddd25a3ddc2f0b3eb9a9abd602790dc59011c5dd97353262bf26f40c430f06e4bffa75d4270a9edc381abcd33354f55b8ef1f7ba98863a43933216b67
SSDEEP

3072:ybHNCtV8kNGU/eaK0nU1E9xzjC88mwY9WDVjK6RY36/b3ZgdBUDGzr9hkWRFpVN:yb68k4U/eapU1ujlwhs6o83S55N

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1344-72-0x0000000000440000-0x0000000000470000-memory.dmp	family_plugx
behavioral1/memory/1736-73-0x0000000000410000-0x0000000000440000-memory.dmp	family_plugx
behavioral1/memory/1040-74-0x00000000001F0000-0x0000000000220000-memory.dmp	family_plugx
behavioral1/memory/1044-79-0x0000000000240000-0x0000000000270000-memory.dmp	family_plugx
behavioral1/memory/1040-80-0x00000000001F0000-0x0000000000220000-memory.dmp	family_plugx
behavioral1/memory/1044-81-0x0000000000240000-0x0000000000270000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 2 IoCs

Processes:

Gadget.exeGadget.exe

pid process

1344 Gadget.exe
1736 Gadget.exe
Deletes itself 1 IoCs

Processes:

svchost.exe

pid process

1040 svchost.exe
Loads dropped DLL 3 IoCs

Processes:

66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182.exeGadget.exeGadget.exe

pid process

1204 66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182.exe
1344 Gadget.exe
1736 Gadget.exe

pid	process
1344	Gadget.exe
1736	Gadget.exe

pid	process
1204	66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182.exe
1344	Gadget.exe
1736	Gadget.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-d1-f6-53-72-5c\WpadDecisionTime = 30f8d3690eedd801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-d1-f6-53-72-5c\WpadDecisionTime = 7048b67e0eedd801	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8D154EF9-F13D-4204-80A0-811DE0C47834}\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8D154EF9-F13D-4204-80A0-811DE0C47834}\WpadDecision = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-d1-f6-53-72-5c\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-d1-f6-53-72-5c\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-d1-f6-53-72-5c\WpadDetectedUrl	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8D154EF9-F13D-4204-80A0-811DE0C47834}\WpadDecisionTime = 7048b67e0eedd801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-d1-f6-53-72-5c\WpadDecisionTime = d0b18c930eedd801	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8D154EF9-F13D-4204-80A0-811DE0C47834}\WpadNetworkName = "Network 2"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-d1-f6-53-72-5c\WpadDecisionTime = 10ccf8540eedd801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8D154EF9-F13D-4204-80A0-811DE0C47834}\WpadDecisionTime = 10ccf8540eedd801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8D154EF9-F13D-4204-80A0-811DE0C47834}\WpadDecisionTime = 30f8d3690eedd801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8D154EF9-F13D-4204-80A0-811DE0C47834}\WpadDecisionTime = d0b18c930eedd801	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8D154EF9-F13D-4204-80A0-811DE0C47834}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-d1-f6-53-72-5c	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8D154EF9-F13D-4204-80A0-811DE0C47834}\8e-d1-f6-53-72-5c	svchost.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 30004200340045003200440046003900420032004200310035004300360033000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exemsiexec.exe

pid	process
1040	svchost.exe
1040	svchost.exe
1040	svchost.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1040	svchost.exe
1040	svchost.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1040	svchost.exe
1040	svchost.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1040	svchost.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1040	svchost.exe
1040	svchost.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1040	svchost.exe
1040	svchost.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1040	svchost.exe
1040	svchost.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1040	svchost.exe
1040	svchost.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1044	msiexec.exe
1040	svchost.exe
1040	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Gadget.exeGadget.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1344	Gadget.exe
Token: SeTcbPrivilege	1344	Gadget.exe
Token: SeDebugPrivilege	1736	Gadget.exe
Token: SeTcbPrivilege	1736	Gadget.exe
Token: SeDebugPrivilege	1040	svchost.exe
Token: SeTcbPrivilege	1040	svchost.exe
Token: SeDebugPrivilege	1044	msiexec.exe
Token: SeTcbPrivilege	1044	msiexec.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182.exeGadget.exesvchost.exe

description	pid	process	target process
PID 1204 wrote to memory of 1344	1204	66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182.exe	Gadget.exe
PID 1204 wrote to memory of 1344	1204	66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182.exe	Gadget.exe
PID 1204 wrote to memory of 1344	1204	66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182.exe	Gadget.exe
PID 1204 wrote to memory of 1344	1204	66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182.exe	Gadget.exe
PID 1736 wrote to memory of 1040	1736	Gadget.exe	svchost.exe
PID 1736 wrote to memory of 1040	1736	Gadget.exe	svchost.exe
PID 1736 wrote to memory of 1040	1736	Gadget.exe	svchost.exe
PID 1736 wrote to memory of 1040	1736	Gadget.exe	svchost.exe
PID 1736 wrote to memory of 1040	1736	Gadget.exe	svchost.exe
PID 1736 wrote to memory of 1040	1736	Gadget.exe	svchost.exe
PID 1736 wrote to memory of 1040	1736	Gadget.exe	svchost.exe
PID 1736 wrote to memory of 1040	1736	Gadget.exe	svchost.exe
PID 1736 wrote to memory of 1040	1736	Gadget.exe	svchost.exe
PID 1040 wrote to memory of 1044	1040	svchost.exe	msiexec.exe
PID 1040 wrote to memory of 1044	1040	svchost.exe	msiexec.exe
PID 1040 wrote to memory of 1044	1040	svchost.exe	msiexec.exe
PID 1040 wrote to memory of 1044	1040	svchost.exe	msiexec.exe
PID 1040 wrote to memory of 1044	1040	svchost.exe	msiexec.exe
PID 1040 wrote to memory of 1044	1040	svchost.exe	msiexec.exe
PID 1040 wrote to memory of 1044	1040	svchost.exe	msiexec.exe
PID 1040 wrote to memory of 1044	1040	svchost.exe	msiexec.exe
PID 1040 wrote to memory of 1044	1040	svchost.exe	msiexec.exe
PID 1040 wrote to memory of 1044	1040	svchost.exe	msiexec.exe
PID 1040 wrote to memory of 1044	1040	svchost.exe	msiexec.exe
PID 1040 wrote to memory of 1044	1040	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182.exe
"C:\Users\Admin\AppData\Local\Temp\66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\Gadget.exe
  C:\Users\Admin\AppData\Local\Temp\\Gadget.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1344

C:\ProgramData\WS\Gadget.exe
C:\ProgramData\WS\Gadget.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Deletes itself
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1040
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WS\Gadget.exe

Filesize
25KB

MD5
6b97b3cd2fcfb4b74985143230441463

SHA1
8985c2394ed9a58c36f907962b0724fe66c204a6

SHA256
5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

SHA512
736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

Download Submit
C:\ProgramData\WS\SideBar.dll

Filesize
41KB

MD5
fe3548281f9716862ee6e614ae7a0e76

SHA1
22d7ab94fd7042a781c0bee992fc0bf25f3bd626

SHA256
a957e638bbbee756d3432481082b88804df33a78ab1ccb2943569b826dd1ff4a

SHA512
a8aef8f3cb08cde1bf3f6d0bf61ae9108c9355fe18b8f33a08be193850538863df13d6791915327ebd33edb1d09769bc5264d22d375c5cbd3bf77be163ce9b92

Download Submit
C:\ProgramData\WS\SideBar.dll.doc

Filesize
121KB

MD5
0475f406de14fdbca2ec542d6743e1c4

SHA1
7d36518acf345794a0a6421542d1c6b8b052e58a

SHA256
2d028ae3e1040aa1b263ece9ae7c27f38f285bf3b500383d21f47dc47fee2d7e

SHA512
f077df6a32be3f6561f78414af4835465576ec2a3f9401aa1702145c0956f2988c19ce0a525b344fea30e77b0248444d86311fe40d7150eec1a1de57c14c007a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gadget.exe

Filesize
25KB

MD5
6b97b3cd2fcfb4b74985143230441463

SHA1
8985c2394ed9a58c36f907962b0724fe66c204a6

SHA256
5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

SHA512
736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gadget.exe

Filesize
25KB

MD5
6b97b3cd2fcfb4b74985143230441463

SHA1
8985c2394ed9a58c36f907962b0724fe66c204a6

SHA256
5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

SHA512
736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

Download Submit
C:\Users\Admin\AppData\Local\Temp\SideBar.dll

Filesize
41KB

MD5
fe3548281f9716862ee6e614ae7a0e76

SHA1
22d7ab94fd7042a781c0bee992fc0bf25f3bd626

SHA256
a957e638bbbee756d3432481082b88804df33a78ab1ccb2943569b826dd1ff4a

SHA512
a8aef8f3cb08cde1bf3f6d0bf61ae9108c9355fe18b8f33a08be193850538863df13d6791915327ebd33edb1d09769bc5264d22d375c5cbd3bf77be163ce9b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\SideBar.dll.doc

Filesize
121KB

MD5
0475f406de14fdbca2ec542d6743e1c4

SHA1
7d36518acf345794a0a6421542d1c6b8b052e58a

SHA256
2d028ae3e1040aa1b263ece9ae7c27f38f285bf3b500383d21f47dc47fee2d7e

SHA512
f077df6a32be3f6561f78414af4835465576ec2a3f9401aa1702145c0956f2988c19ce0a525b344fea30e77b0248444d86311fe40d7150eec1a1de57c14c007a

Download Submit
\ProgramData\WS\SideBar.dll

Filesize
41KB

MD5
fe3548281f9716862ee6e614ae7a0e76

SHA1
22d7ab94fd7042a781c0bee992fc0bf25f3bd626

SHA256
a957e638bbbee756d3432481082b88804df33a78ab1ccb2943569b826dd1ff4a

SHA512
a8aef8f3cb08cde1bf3f6d0bf61ae9108c9355fe18b8f33a08be193850538863df13d6791915327ebd33edb1d09769bc5264d22d375c5cbd3bf77be163ce9b92

Download Submit
\Users\Admin\AppData\Local\Temp\Gadget.exe

Filesize
25KB

MD5
6b97b3cd2fcfb4b74985143230441463

SHA1
8985c2394ed9a58c36f907962b0724fe66c204a6

SHA256
5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

SHA512
736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

Download Submit
\Users\Admin\AppData\Local\Temp\Sidebar.dll

Filesize
41KB

MD5
fe3548281f9716862ee6e614ae7a0e76

SHA1
22d7ab94fd7042a781c0bee992fc0bf25f3bd626

SHA256
a957e638bbbee756d3432481082b88804df33a78ab1ccb2943569b826dd1ff4a

SHA512
a8aef8f3cb08cde1bf3f6d0bf61ae9108c9355fe18b8f33a08be193850538863df13d6791915327ebd33edb1d09769bc5264d22d375c5cbd3bf77be163ce9b92

Download Submit
memory/1040-74-0x00000000001F0000-0x0000000000220000-memory.dmp

Filesize
192KB

Download
memory/1040-67-0x0000000000120000-0x000000000013D000-memory.dmp

Filesize
116KB

Download
memory/1040-69-0x0000000000000000-mapping.dmp

Download
memory/1040-80-0x00000000001F0000-0x0000000000220000-memory.dmp

Filesize
192KB

Download
memory/1044-81-0x0000000000240000-0x0000000000270000-memory.dmp

Filesize
192KB

Download
memory/1044-79-0x0000000000240000-0x0000000000270000-memory.dmp

Filesize
192KB

Download
memory/1044-77-0x0000000000000000-mapping.dmp

Download
memory/1344-55-0x0000000000000000-mapping.dmp

Download
memory/1344-72-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/1344-60-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1736-73-0x0000000000410000-0x0000000000440000-memory.dmp

Filesize
192KB

Download
memory/1736-71-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download