plugx | 057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2022 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe
Size

1.6MB
MD5

61402f53a8918246c791e332fb33848d
SHA1

40dd7320248850588077850c2f4e9fd4ec44a951
SHA256

057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7
SHA512

643c901aa7e0031df5fedf107d1f58d5f3e1f84fb7c62a8dbaaa4f3e6c5ea0dac3634d9974187f1198ddc41c4ed8c6be87f86a05cd87ed0f3cfe1aa3df87eff3
SSDEEP

49152:wrc3BBxu8IRhpjmmMdaz9cCDUA1CGF/rIr6WYmf:V3DI7NyDazBln0R

Score

10^/10

plugx trojan vmprotect

Malware Config

Signatures

Detects PlugX payload 8 IoCs

resource	yara_rule
behavioral2/memory/4840-143-0x0000000000A70000-0x0000000000A9D000-memory.dmp	family_plugx
behavioral2/memory/3308-152-0x0000000000F90000-0x0000000000FBD000-memory.dmp	family_plugx
behavioral2/memory/2616-155-0x0000000001060000-0x000000000108D000-memory.dmp	family_plugx
behavioral2/memory/1320-156-0x00000000014B0000-0x00000000014DD000-memory.dmp	family_plugx
behavioral2/memory/3308-157-0x0000000000F90000-0x0000000000FBD000-memory.dmp	family_plugx
behavioral2/memory/1692-159-0x00000000012D0000-0x00000000012FD000-memory.dmp	family_plugx
behavioral2/memory/1320-160-0x00000000014B0000-0x00000000014DD000-memory.dmp	family_plugx
behavioral2/memory/1692-161-0x00000000012D0000-0x00000000012FD000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
4840	ASUA.exe
3308	ASUA.exe
2616	ASUA.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4372-132-0x0000000000400000-0x00000000007DA000-memory.dmp	vmprotect
behavioral2/memory/4372-133-0x0000000000400000-0x00000000007DA000-memory.dmp	vmprotect
behavioral2/memory/4372-142-0x0000000000400000-0x00000000007DA000-memory.dmp	vmprotect

Loads dropped DLL 3 IoCs

pid	Process
4840	ASUA.exe
3308	ASUA.exe
2616	ASUA.exe

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.116.161.95
Destination IP	45.116.161.95

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\timo\ASUA.exe	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe
File created	C:\Program Files\timo\logo.png	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe
File created	C:\Program Files\timo\ATKEX.dll	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe
File created	C:\Program Files\timo\debug.dump	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 35003900460032003300410034004300350043004500440031004500370042000000	svchost.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1320	svchost.exe
1692	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4372	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe
4372	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe
4840	ASUA.exe
4840	ASUA.exe
4840	ASUA.exe
4840	ASUA.exe
3308	ASUA.exe
3308	ASUA.exe
1320	svchost.exe
1320	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1320	svchost.exe
1320	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1320	svchost.exe
1320	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1320	svchost.exe
1320	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1320	svchost.exe
1320	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe
1692	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1320	svchost.exe
1692	svchost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4840	ASUA.exe
Token: SeTcbPrivilege	4840	ASUA.exe
Token: SeDebugPrivilege	3308	ASUA.exe
Token: SeTcbPrivilege	3308	ASUA.exe
Token: SeDebugPrivilege	2616	ASUA.exe
Token: SeTcbPrivilege	2616	ASUA.exe
Token: SeDebugPrivilege	1320	svchost.exe
Token: SeTcbPrivilege	1320	svchost.exe
Token: SeDebugPrivilege	1692	svchost.exe
Token: SeTcbPrivilege	1692	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4372	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe
4372	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 4840	4372	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe	82
PID 4372 wrote to memory of 4840	4372	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe	82
PID 4372 wrote to memory of 4840	4372	057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe	82
PID 2616 wrote to memory of 1320	2616	ASUA.exe	88
PID 2616 wrote to memory of 1320	2616	ASUA.exe	88
PID 2616 wrote to memory of 1320	2616	ASUA.exe	88
PID 2616 wrote to memory of 1320	2616	ASUA.exe	88
PID 2616 wrote to memory of 1320	2616	ASUA.exe	88
PID 2616 wrote to memory of 1320	2616	ASUA.exe	88
PID 2616 wrote to memory of 1320	2616	ASUA.exe	88
PID 2616 wrote to memory of 1320	2616	ASUA.exe	88
PID 1320 wrote to memory of 1692	1320	svchost.exe	90
PID 1320 wrote to memory of 1692	1320	svchost.exe	90
PID 1320 wrote to memory of 1692	1320	svchost.exe	90
PID 1320 wrote to memory of 1692	1320	svchost.exe	90
PID 1320 wrote to memory of 1692	1320	svchost.exe	90
PID 1320 wrote to memory of 1692	1320	svchost.exe	90
PID 1320 wrote to memory of 1692	1320	svchost.exe	90
PID 1320 wrote to memory of 1692	1320	svchost.exe	90

C:\Users\Admin\AppData\Local\Temp\057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe
"C:\Users\Admin\AppData\Local\Temp\057e908cd15f95a9768989c0455ae9a24a65c46a5022f5fa1adfe7c7a8a4b6a7.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Program Files\timo\ASUA.exe
  "C:\Program Files\timo\ASUA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4840

C:\ProgramData\googleupdate\ASUA.exe
"C:\ProgramData\googleupdate\ASUA.exe" 100 4840
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\ProgramData\googleupdate\ASUA.exe
"C:\ProgramData\googleupdate\ASUA.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe 209 1320
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\timo\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
C:\Program Files\timo\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
C:\Program Files\timo\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
C:\Program Files\timo\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
C:\Program Files\timo\debug.dump

Filesize
114KB

MD5
042a5f5a88dde9b6d2e2dd77966ad666

SHA1
f6a0d53f4506e2d1b86932f35aa4d7ca1ad589f7

SHA256
9adaaef0ec5d51f3936432d6ac17a3234496c8d4c5fcfec1c036601d676c736c

SHA512
e92543c91d4f00f62900d4aca9cb40a8836cac2ca37d14bc9766440254cd58cec913209efc192b7b5fb5fe37f6881399435dd361463171a8198da6f628166158

Download Submit
C:\ProgramData\googleupdate\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
C:\ProgramData\googleupdate\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
C:\ProgramData\googleupdate\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
C:\ProgramData\googleupdate\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
C:\ProgramData\googleupdate\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
C:\ProgramData\googleupdate\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
C:\ProgramData\googleupdate\debug.dump

Filesize
114KB

MD5
042a5f5a88dde9b6d2e2dd77966ad666

SHA1
f6a0d53f4506e2d1b86932f35aa4d7ca1ad589f7

SHA256
9adaaef0ec5d51f3936432d6ac17a3234496c8d4c5fcfec1c036601d676c736c

SHA512
e92543c91d4f00f62900d4aca9cb40a8836cac2ca37d14bc9766440254cd58cec913209efc192b7b5fb5fe37f6881399435dd361463171a8198da6f628166158

Download Submit
memory/1320-160-0x00000000014B0000-0x00000000014DD000-memory.dmp

Filesize
180KB

Download
memory/1320-156-0x00000000014B0000-0x00000000014DD000-memory.dmp

Filesize
180KB

Download
memory/1692-161-0x00000000012D0000-0x00000000012FD000-memory.dmp

Filesize
180KB

Download
memory/1692-159-0x00000000012D0000-0x00000000012FD000-memory.dmp

Filesize
180KB

Download
memory/2616-155-0x0000000001060000-0x000000000108D000-memory.dmp

Filesize
180KB

Download
memory/3308-157-0x0000000000F90000-0x0000000000FBD000-memory.dmp

Filesize
180KB

Download
memory/3308-152-0x0000000000F90000-0x0000000000FBD000-memory.dmp

Filesize
180KB

Download
memory/4372-132-0x0000000000400000-0x00000000007DA000-memory.dmp

Filesize
3.9MB

Download
memory/4372-133-0x0000000000400000-0x00000000007DA000-memory.dmp

Filesize
3.9MB

Download
memory/4372-142-0x0000000000400000-0x00000000007DA000-memory.dmp

Filesize
3.9MB

Download
memory/4840-143-0x0000000000A70000-0x0000000000A9D000-memory.dmp

Filesize
180KB

Download
memory/4840-141-0x0000000002690000-0x0000000002790000-memory.dmp

Filesize
1024KB

Download