plugx | 66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2022 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182.exe
Size

225KB
MD5

83006ac9fb73bc2b891f36dd2f759230
SHA1

9bb28483f4c32dec5f011b01f6e7e2984253ef54
SHA256

66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182
SHA512

424b98dddd25a3ddc2f0b3eb9a9abd602790dc59011c5dd97353262bf26f40c430f06e4bffa75d4270a9edc381abcd33354f55b8ef1f7ba98863a43933216b67
SSDEEP

3072:ybHNCtV8kNGU/eaK0nU1E9xzjC88mwY9WDVjK6RY36/b3ZgdBUDGzr9hkWRFpVN:yb68k4U/eapU1ujlwhs6o83S55N

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2052-139-0x0000000000890000-0x00000000008C0000-memory.dmp	family_plugx
behavioral2/memory/1512-145-0x00000000008B0000-0x00000000008E0000-memory.dmp	family_plugx
behavioral2/memory/2052-147-0x0000000000890000-0x00000000008C0000-memory.dmp	family_plugx
behavioral2/memory/1896-148-0x0000000000760000-0x0000000000790000-memory.dmp	family_plugx
behavioral2/memory/888-150-0x0000000002040000-0x0000000002070000-memory.dmp	family_plugx
behavioral2/memory/1896-151-0x0000000000760000-0x0000000000790000-memory.dmp	family_plugx
behavioral2/memory/888-152-0x0000000002040000-0x0000000002070000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 2 IoCs

Processes:

Gadget.exeGadget.exe

pid process

2052 Gadget.exe
1512 Gadget.exe
Loads dropped DLL 2 IoCs

Processes:

Gadget.exeGadget.exe

pid process

2052 Gadget.exe
1512 Gadget.exe

pid	process
2052	Gadget.exe
1512	Gadget.exe

pid	process
2052	Gadget.exe
1512	Gadget.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 30003300430038004200450036004300450044003500320046003500330035000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exemsiexec.exe

pid	process
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
1896	svchost.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
1896	svchost.exe
1896	svchost.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
1896	svchost.exe
1896	svchost.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
1896	svchost.exe
1896	svchost.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
1896	svchost.exe
1896	svchost.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe
888	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exemsiexec.exe

pid process

1896 svchost.exe
888 msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Gadget.exeGadget.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	2052	Gadget.exe
Token: SeTcbPrivilege	2052	Gadget.exe
Token: SeDebugPrivilege	1512	Gadget.exe
Token: SeTcbPrivilege	1512	Gadget.exe
Token: SeDebugPrivilege	1896	svchost.exe
Token: SeTcbPrivilege	1896	svchost.exe
Token: SeDebugPrivilege	888	msiexec.exe
Token: SeTcbPrivilege	888	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182.exeGadget.exesvchost.exe

description	pid	process	target process
PID 4584 wrote to memory of 2052	4584	66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182.exe	Gadget.exe
PID 4584 wrote to memory of 2052	4584	66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182.exe	Gadget.exe
PID 4584 wrote to memory of 2052	4584	66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182.exe	Gadget.exe
PID 1512 wrote to memory of 1896	1512	Gadget.exe	svchost.exe
PID 1512 wrote to memory of 1896	1512	Gadget.exe	svchost.exe
PID 1512 wrote to memory of 1896	1512	Gadget.exe	svchost.exe
PID 1512 wrote to memory of 1896	1512	Gadget.exe	svchost.exe
PID 1512 wrote to memory of 1896	1512	Gadget.exe	svchost.exe
PID 1512 wrote to memory of 1896	1512	Gadget.exe	svchost.exe
PID 1512 wrote to memory of 1896	1512	Gadget.exe	svchost.exe
PID 1512 wrote to memory of 1896	1512	Gadget.exe	svchost.exe
PID 1896 wrote to memory of 888	1896	svchost.exe	msiexec.exe
PID 1896 wrote to memory of 888	1896	svchost.exe	msiexec.exe
PID 1896 wrote to memory of 888	1896	svchost.exe	msiexec.exe
PID 1896 wrote to memory of 888	1896	svchost.exe	msiexec.exe
PID 1896 wrote to memory of 888	1896	svchost.exe	msiexec.exe
PID 1896 wrote to memory of 888	1896	svchost.exe	msiexec.exe
PID 1896 wrote to memory of 888	1896	svchost.exe	msiexec.exe
PID 1896 wrote to memory of 888	1896	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182.exe
"C:\Users\Admin\AppData\Local\Temp\66cbd44983655b4b5a8ef79e953411ab46abff76ea402ed3e59a2dd882503182.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Local\Temp\Gadget.exe
  C:\Users\Admin\AppData\Local\Temp\\Gadget.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2052

C:\ProgramData\WS\Gadget.exe
C:\ProgramData\WS\Gadget.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1896
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WS\Gadget.exe

Filesize
25KB

MD5
6b97b3cd2fcfb4b74985143230441463

SHA1
8985c2394ed9a58c36f907962b0724fe66c204a6

SHA256
5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

SHA512
736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

Download Submit
C:\ProgramData\WS\Gadget.exe

Filesize
25KB

MD5
6b97b3cd2fcfb4b74985143230441463

SHA1
8985c2394ed9a58c36f907962b0724fe66c204a6

SHA256
5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

SHA512
736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

Download Submit
C:\ProgramData\WS\SideBar.dll

Filesize
41KB

MD5
fe3548281f9716862ee6e614ae7a0e76

SHA1
22d7ab94fd7042a781c0bee992fc0bf25f3bd626

SHA256
a957e638bbbee756d3432481082b88804df33a78ab1ccb2943569b826dd1ff4a

SHA512
a8aef8f3cb08cde1bf3f6d0bf61ae9108c9355fe18b8f33a08be193850538863df13d6791915327ebd33edb1d09769bc5264d22d375c5cbd3bf77be163ce9b92

Download Submit
C:\ProgramData\WS\SideBar.dll

Filesize
41KB

MD5
fe3548281f9716862ee6e614ae7a0e76

SHA1
22d7ab94fd7042a781c0bee992fc0bf25f3bd626

SHA256
a957e638bbbee756d3432481082b88804df33a78ab1ccb2943569b826dd1ff4a

SHA512
a8aef8f3cb08cde1bf3f6d0bf61ae9108c9355fe18b8f33a08be193850538863df13d6791915327ebd33edb1d09769bc5264d22d375c5cbd3bf77be163ce9b92

Download Submit
C:\ProgramData\WS\SideBar.dll.doc

Filesize
121KB

MD5
0475f406de14fdbca2ec542d6743e1c4

SHA1
7d36518acf345794a0a6421542d1c6b8b052e58a

SHA256
2d028ae3e1040aa1b263ece9ae7c27f38f285bf3b500383d21f47dc47fee2d7e

SHA512
f077df6a32be3f6561f78414af4835465576ec2a3f9401aa1702145c0956f2988c19ce0a525b344fea30e77b0248444d86311fe40d7150eec1a1de57c14c007a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gadget.exe

Filesize
25KB

MD5
6b97b3cd2fcfb4b74985143230441463

SHA1
8985c2394ed9a58c36f907962b0724fe66c204a6

SHA256
5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

SHA512
736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gadget.exe

Filesize
25KB

MD5
6b97b3cd2fcfb4b74985143230441463

SHA1
8985c2394ed9a58c36f907962b0724fe66c204a6

SHA256
5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

SHA512
736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

Download Submit
C:\Users\Admin\AppData\Local\Temp\SideBar.dll

Filesize
41KB

MD5
fe3548281f9716862ee6e614ae7a0e76

SHA1
22d7ab94fd7042a781c0bee992fc0bf25f3bd626

SHA256
a957e638bbbee756d3432481082b88804df33a78ab1ccb2943569b826dd1ff4a

SHA512
a8aef8f3cb08cde1bf3f6d0bf61ae9108c9355fe18b8f33a08be193850538863df13d6791915327ebd33edb1d09769bc5264d22d375c5cbd3bf77be163ce9b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\SideBar.dll.doc

Filesize
121KB

MD5
0475f406de14fdbca2ec542d6743e1c4

SHA1
7d36518acf345794a0a6421542d1c6b8b052e58a

SHA256
2d028ae3e1040aa1b263ece9ae7c27f38f285bf3b500383d21f47dc47fee2d7e

SHA512
f077df6a32be3f6561f78414af4835465576ec2a3f9401aa1702145c0956f2988c19ce0a525b344fea30e77b0248444d86311fe40d7150eec1a1de57c14c007a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sidebar.dll

Filesize
41KB

MD5
fe3548281f9716862ee6e614ae7a0e76

SHA1
22d7ab94fd7042a781c0bee992fc0bf25f3bd626

SHA256
a957e638bbbee756d3432481082b88804df33a78ab1ccb2943569b826dd1ff4a

SHA512
a8aef8f3cb08cde1bf3f6d0bf61ae9108c9355fe18b8f33a08be193850538863df13d6791915327ebd33edb1d09769bc5264d22d375c5cbd3bf77be163ce9b92

Download Submit
memory/888-149-0x0000000000000000-mapping.dmp

Download
memory/888-150-0x0000000002040000-0x0000000002070000-memory.dmp

Filesize
192KB

Download
memory/888-152-0x0000000002040000-0x0000000002070000-memory.dmp

Filesize
192KB

Download
memory/1512-145-0x00000000008B0000-0x00000000008E0000-memory.dmp

Filesize
192KB

Download
memory/1896-146-0x0000000000000000-mapping.dmp

Download
memory/1896-148-0x0000000000760000-0x0000000000790000-memory.dmp

Filesize
192KB

Download
memory/1896-151-0x0000000000760000-0x0000000000790000-memory.dmp

Filesize
192KB

Download
memory/2052-139-0x0000000000890000-0x00000000008C0000-memory.dmp

Filesize
192KB

Download
memory/2052-138-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/2052-132-0x0000000000000000-mapping.dmp

Download
memory/2052-147-0x0000000000890000-0x00000000008C0000-memory.dmp

Filesize
192KB

Download