plugx | 057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-11-2022 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe
Size

1.6MB
MD5

61402f53a8918246c791e332fb33848d
SHA1

40dd7320248850588077850c2f4e9fd4ec44a951
SHA256

057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7
SHA512

643c901aa7e0031df5fedf107d1f58d5f3e1f84fb7c62a8dbaaa4f3e6c5ea0dac3634d9974187f1198ddc41c4ed8c6be87f86a05cd87ed0f3cfe1aa3df87eff3
SSDEEP

49152:wrc3BBxu8IRhpjmmMdaz9cCDUA1CGF/rIr6WYmf:V3DI7NyDazBln0R

Score

10^/10

plugx trojan vmprotect

Malware Config

Signatures

Detects PlugX payload 7 IoCs

resource	yara_rule
behavioral1/memory/964-66-0x00000000001B0000-0x00000000001DD000-memory.dmp	family_plugx
behavioral1/memory/1756-82-0x0000000000450000-0x000000000047D000-memory.dmp	family_plugx
behavioral1/memory/2036-83-0x0000000000360000-0x000000000038D000-memory.dmp	family_plugx
behavioral1/memory/1020-84-0x0000000000210000-0x000000000023D000-memory.dmp	family_plugx
behavioral1/memory/1700-89-0x00000000003B0000-0x00000000003DD000-memory.dmp	family_plugx
behavioral1/memory/1020-90-0x0000000000210000-0x000000000023D000-memory.dmp	family_plugx
behavioral1/memory/1700-91-0x00000000003B0000-0x00000000003DD000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
964	ASUA.exe
2036	ASUA.exe
1756	ASUA.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/948-55-0x0000000000400000-0x00000000007DA000-memory.dmp	vmprotect
behavioral1/memory/948-57-0x0000000000400000-0x00000000007DA000-memory.dmp	vmprotect

Deletes itself 1 IoCs

pid	Process
964	ASUA.exe

Loads dropped DLL 4 IoCs

pid	Process
948	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe
964	ASUA.exe
2036	ASUA.exe
1756	ASUA.exe

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.116.161.95
Destination IP	45.116.161.95

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\timo\logo.png	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe
File created	C:\Program Files\timo\ATKEX.dll	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe
File created	C:\Program Files\timo\debug.dump	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe
File created	C:\Program Files\timo\ASUA.exe	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\~MHZ	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 35004500350034004400460039003300340038004500440036003400340045000000	svchost.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1020	svchost.exe
1700	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
948	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe
964	ASUA.exe
964	ASUA.exe
2036	ASUA.exe
1020	svchost.exe
1020	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1020	svchost.exe
1020	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1020	svchost.exe
1020	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1020	svchost.exe
1020	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1020	svchost.exe
1020	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1020	svchost.exe
1020	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1020	svchost.exe
1020	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe
1700	svchost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	964	ASUA.exe
Token: SeTcbPrivilege	964	ASUA.exe
Token: SeDebugPrivilege	2036	ASUA.exe
Token: SeTcbPrivilege	2036	ASUA.exe
Token: SeDebugPrivilege	1756	ASUA.exe
Token: SeTcbPrivilege	1756	ASUA.exe
Token: SeDebugPrivilege	1020	svchost.exe
Token: SeTcbPrivilege	1020	svchost.exe
Token: SeDebugPrivilege	1700	svchost.exe
Token: SeTcbPrivilege	1700	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
948	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe
948	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 964	948	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe	28
PID 948 wrote to memory of 964	948	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe	28
PID 948 wrote to memory of 964	948	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe	28
PID 948 wrote to memory of 964	948	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe	28
PID 1756 wrote to memory of 1020	1756	ASUA.exe	32
PID 1756 wrote to memory of 1020	1756	ASUA.exe	32
PID 1756 wrote to memory of 1020	1756	ASUA.exe	32
PID 1756 wrote to memory of 1020	1756	ASUA.exe	32
PID 1756 wrote to memory of 1020	1756	ASUA.exe	32
PID 1756 wrote to memory of 1020	1756	ASUA.exe	32
PID 1756 wrote to memory of 1020	1756	ASUA.exe	32
PID 1756 wrote to memory of 1020	1756	ASUA.exe	32
PID 1756 wrote to memory of 1020	1756	ASUA.exe	32
PID 1020 wrote to memory of 1700	1020	svchost.exe	33
PID 1020 wrote to memory of 1700	1020	svchost.exe	33
PID 1020 wrote to memory of 1700	1020	svchost.exe	33
PID 1020 wrote to memory of 1700	1020	svchost.exe	33
PID 1020 wrote to memory of 1700	1020	svchost.exe	33
PID 1020 wrote to memory of 1700	1020	svchost.exe	33
PID 1020 wrote to memory of 1700	1020	svchost.exe	33
PID 1020 wrote to memory of 1700	1020	svchost.exe	33
PID 1020 wrote to memory of 1700	1020	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe
"C:\Users\Admin\AppData\Local\Temp\057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948
- C:\Program Files\timo\ASUA.exe
  "C:\Program Files\timo\ASUA.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:964

C:\ProgramData\googleupdate\ASUA.exe
"C:\ProgramData\googleupdate\ASUA.exe" 100 964
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\ProgramData\googleupdate\ASUA.exe
"C:\ProgramData\googleupdate\ASUA.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe 209 1020
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\timo\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
C:\Program Files\timo\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
C:\Program Files\timo\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
C:\Program Files\timo\debug.dump

Filesize
114KB

MD5
042a5f5a88dde9b6d2e2dd77966ad666

SHA1
f6a0d53f4506e2d1b86932f35aa4d7ca1ad589f7

SHA256
9adaaef0ec5d51f3936432d6ac17a3234496c8d4c5fcfec1c036601d676c736c

SHA512
e92543c91d4f00f62900d4aca9cb40a8836cac2ca37d14bc9766440254cd58cec913209efc192b7b5fb5fe37f6881399435dd361463171a8198da6f628166158

Download Submit
C:\ProgramData\googleupdate\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
C:\ProgramData\googleupdate\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
C:\ProgramData\googleupdate\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
C:\ProgramData\googleupdate\debug.dump

Filesize
114KB

MD5
042a5f5a88dde9b6d2e2dd77966ad666

SHA1
f6a0d53f4506e2d1b86932f35aa4d7ca1ad589f7

SHA256
9adaaef0ec5d51f3936432d6ac17a3234496c8d4c5fcfec1c036601d676c736c

SHA512
e92543c91d4f00f62900d4aca9cb40a8836cac2ca37d14bc9766440254cd58cec913209efc192b7b5fb5fe37f6881399435dd361463171a8198da6f628166158

Download Submit
\Program Files\timo\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
\Program Files\timo\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
\ProgramData\googleupdate\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
\ProgramData\googleupdate\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
memory/948-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/948-57-0x0000000000400000-0x00000000007DA000-memory.dmp

Filesize
3.9MB

Download
memory/948-55-0x0000000000400000-0x00000000007DA000-memory.dmp

Filesize
3.9MB

Download
memory/964-66-0x00000000001B0000-0x00000000001DD000-memory.dmp

Filesize
180KB

Download
memory/964-64-0x00000000008D0000-0x00000000009D0000-memory.dmp

Filesize
1024KB

Download
memory/1020-78-0x00000000000A0000-0x00000000000BB000-memory.dmp

Filesize
108KB

Download
memory/1020-84-0x0000000000210000-0x000000000023D000-memory.dmp

Filesize
180KB

Download
memory/1020-90-0x0000000000210000-0x000000000023D000-memory.dmp

Filesize
180KB

Download
memory/1700-89-0x00000000003B0000-0x00000000003DD000-memory.dmp

Filesize
180KB

Download
memory/1700-91-0x00000000003B0000-0x00000000003DD000-memory.dmp

Filesize
180KB

Download
memory/1756-82-0x0000000000450000-0x000000000047D000-memory.dmp

Filesize
180KB

Download
memory/2036-83-0x0000000000360000-0x000000000038D000-memory.dmp

Filesize
180KB

Download