plugx | 3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776

Analysis

max time kernel
154s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe
Size

373KB
MD5

b4cd8916abf1efcb87ba2cc570a9cf4a
SHA1

6457cd064d7587ce486be350e57530619397fa14
SHA256

3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776
SHA512

861c8d458c4d9c9cc9257be247c65311e78f86bc6bc088b5a918350d1c89502d0135245d69990ec40f416da8b2601fdf75687e0fb218c67b401790e95471d6fc
SSDEEP

6144:F94YVuWi4ySWFLl0XO5tbmTpLDrTARIN8CpgfqzyaZ1XZgVhrMnAgYSsq79L/3I:X4YV1i400itbmTaJfQ7/AgYSj7ZA

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 3 IoCs

resource	yara_rule
behavioral2/memory/1340-144-0x00000000021C0000-0x00000000021ED000-memory.dmp	family_plugx
behavioral2/memory/4948-158-0x0000000000870000-0x000000000089D000-memory.dmp	family_plugx
behavioral2/memory/4948-159-0x0000000000870000-0x000000000089D000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
2392	1.exe
1340	QQBrowserUpdateService.exe
3532	QQBrowserUpdateService.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe

Loads dropped DLL 2 IoCs

pid	Process
1340	QQBrowserUpdateService.exe
3532	QQBrowserUpdateService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	QQBrowserUpdateService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 41003900430042003100460044003800370034003300420037004500460035000000	QQBrowserUpdateService.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4944	WINWORD.EXE
4944	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1340	QQBrowserUpdateService.exe
1340	QQBrowserUpdateService.exe
1340	QQBrowserUpdateService.exe
1340	QQBrowserUpdateService.exe
1340	QQBrowserUpdateService.exe
1340	QQBrowserUpdateService.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
1340	QQBrowserUpdateService.exe
1340	QQBrowserUpdateService.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
1340	QQBrowserUpdateService.exe
1340	QQBrowserUpdateService.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
1340	QQBrowserUpdateService.exe
1340	QQBrowserUpdateService.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
1340	QQBrowserUpdateService.exe
1340	QQBrowserUpdateService.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
1340	QQBrowserUpdateService.exe
1340	QQBrowserUpdateService.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe
4948	msiexec.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1340	QQBrowserUpdateService.exe
Token: SeTcbPrivilege	1340	QQBrowserUpdateService.exe
Token: SeDebugPrivilege	4948	msiexec.exe
Token: SeTcbPrivilege	4948	msiexec.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE
4944	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 504 wrote to memory of 2392	504	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe	79
PID 504 wrote to memory of 2392	504	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe	79
PID 504 wrote to memory of 2392	504	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe	79
PID 2392 wrote to memory of 1340	2392	1.exe	81
PID 2392 wrote to memory of 1340	2392	1.exe	81
PID 2392 wrote to memory of 1340	2392	1.exe	81
PID 504 wrote to memory of 4944	504	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe	82
PID 504 wrote to memory of 4944	504	3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe	82
PID 1340 wrote to memory of 4948	1340	QQBrowserUpdateService.exe	97
PID 1340 wrote to memory of 4948	1340	QQBrowserUpdateService.exe	97
PID 1340 wrote to memory of 4948	1340	QQBrowserUpdateService.exe	97
PID 1340 wrote to memory of 4948	1340	QQBrowserUpdateService.exe	97
PID 1340 wrote to memory of 4948	1340	QQBrowserUpdateService.exe	97
PID 1340 wrote to memory of 4948	1340	QQBrowserUpdateService.exe	97
PID 1340 wrote to memory of 4948	1340	QQBrowserUpdateService.exe	97
PID 1340 wrote to memory of 4948	1340	QQBrowserUpdateService.exe	97

C:\Users\Admin\AppData\Local\Temp\3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe
"C:\Users\Admin\AppData\Local\Temp\3ec3efc595309d26426d53b0a3d7ab1cee97a63569d54cc8eecdb6c72bdb9776.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:504
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\QQBrowserUpdateService.exe
    C:\Users\Admin\AppData\Local\Temp\QQBrowserUpdateService.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\system32\msiexec.exe 209 1340
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4948
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4944

C:\ProgramData\QQBrowser\QQBrowserUpdateService.exe
"C:\ProgramData\QQBrowser\QQBrowserUpdateService.exe" 100 1340
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\QQBrowser\PDH.dll

Filesize
4KB

MD5
ee392dd013dac7effac7c4f51b4ba29a

SHA1
78c0a384b68107f0908470a8c24a4f80e531ac93

SHA256
f8a17a0d39ca2269236ac977a910c93d70367cf301b56de6754ac529e90d1b72

SHA512
c730315243cdbe337ad89207dc46611b06f6e385a18f46057dfb475b974a7dfac920d41268c43c418fd304df1314467b35ea26469949555cada73ae4892deda0

Download Submit
C:\ProgramData\QQBrowser\QQBrowserUpdateService.exe

Filesize
204KB

MD5
bf8c7b6e88a049fda4ebd7407488aca6

SHA1
8b889494f25aafcef5e92b6cc7b2e0e0e217e60a

SHA256
28e0bafc9b20c4a5104d558a36600098429e8ac779a46e52a28edd432e6457e2

SHA512
35a72a887e4389bf7faa5ebe712d569301d03678816b2631712138628f03dd26430682a2ec656ae7167c19314f8c6dc162993789bdb0b3eca298f95c3f27da08

Download Submit
C:\ProgramData\QQBrowser\QQBrowserUpdateService.exe

Filesize
204KB

MD5
bf8c7b6e88a049fda4ebd7407488aca6

SHA1
8b889494f25aafcef5e92b6cc7b2e0e0e217e60a

SHA256
28e0bafc9b20c4a5104d558a36600098429e8ac779a46e52a28edd432e6457e2

SHA512
35a72a887e4389bf7faa5ebe712d569301d03678816b2631712138628f03dd26430682a2ec656ae7167c19314f8c6dc162993789bdb0b3eca298f95c3f27da08

Download Submit
C:\ProgramData\QQBrowser\pdh.dll

Filesize
4KB

MD5
ee392dd013dac7effac7c4f51b4ba29a

SHA1
78c0a384b68107f0908470a8c24a4f80e531ac93

SHA256
f8a17a0d39ca2269236ac977a910c93d70367cf301b56de6754ac529e90d1b72

SHA512
c730315243cdbe337ad89207dc46611b06f6e385a18f46057dfb475b974a7dfac920d41268c43c418fd304df1314467b35ea26469949555cada73ae4892deda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.doc

Filesize
93KB

MD5
076f70b8fcf18d1097b6b51191f162b5

SHA1
c7d23e0e312c3218aed1a395968dcaae1553f48a

SHA256
58c951e77bfedc6bf3d23b668a5c2a6cb9fc67345fa8beb03131ad8ceaa395b0

SHA512
216486d011b975e996148d534e6d52b5725b74b756a950be7df59d302da11af50c0dd9faf4fd0a4cddfe9841e22059488090a89e041adea4361ecb3d1cf84b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
345KB

MD5
f2c80f4b9dbeba020472c40780f99021

SHA1
164528466dab3d164163026e11f366fb3933c92c

SHA256
638a99989ab3f476de62e9eb667207a155c1ee219f9720e342f84b254d8baad7

SHA512
e27309964790bed02bc2c5f5edbf0e22bb11d5c4e0272d09e4ff5a2ef1145f9867a4df9b569bf9bfae66ba83e80598ee25a5e0637fb76b29de44226e819ac301

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
345KB

MD5
f2c80f4b9dbeba020472c40780f99021

SHA1
164528466dab3d164163026e11f366fb3933c92c

SHA256
638a99989ab3f476de62e9eb667207a155c1ee219f9720e342f84b254d8baad7

SHA512
e27309964790bed02bc2c5f5edbf0e22bb11d5c4e0272d09e4ff5a2ef1145f9867a4df9b569bf9bfae66ba83e80598ee25a5e0637fb76b29de44226e819ac301

Download Submit
C:\Users\Admin\AppData\Local\Temp\PDH.dll

Filesize
4KB

MD5
ee392dd013dac7effac7c4f51b4ba29a

SHA1
78c0a384b68107f0908470a8c24a4f80e531ac93

SHA256
f8a17a0d39ca2269236ac977a910c93d70367cf301b56de6754ac529e90d1b72

SHA512
c730315243cdbe337ad89207dc46611b06f6e385a18f46057dfb475b974a7dfac920d41268c43c418fd304df1314467b35ea26469949555cada73ae4892deda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQBrowserUpdateService.exe

Filesize
204KB

MD5
bf8c7b6e88a049fda4ebd7407488aca6

SHA1
8b889494f25aafcef5e92b6cc7b2e0e0e217e60a

SHA256
28e0bafc9b20c4a5104d558a36600098429e8ac779a46e52a28edd432e6457e2

SHA512
35a72a887e4389bf7faa5ebe712d569301d03678816b2631712138628f03dd26430682a2ec656ae7167c19314f8c6dc162993789bdb0b3eca298f95c3f27da08

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQBrowserUpdateService.exe

Filesize
204KB

MD5
bf8c7b6e88a049fda4ebd7407488aca6

SHA1
8b889494f25aafcef5e92b6cc7b2e0e0e217e60a

SHA256
28e0bafc9b20c4a5104d558a36600098429e8ac779a46e52a28edd432e6457e2

SHA512
35a72a887e4389bf7faa5ebe712d569301d03678816b2631712138628f03dd26430682a2ec656ae7167c19314f8c6dc162993789bdb0b3eca298f95c3f27da08

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdh.dll

Filesize
4KB

MD5
ee392dd013dac7effac7c4f51b4ba29a

SHA1
78c0a384b68107f0908470a8c24a4f80e531ac93

SHA256
f8a17a0d39ca2269236ac977a910c93d70367cf301b56de6754ac529e90d1b72

SHA512
c730315243cdbe337ad89207dc46611b06f6e385a18f46057dfb475b974a7dfac920d41268c43c418fd304df1314467b35ea26469949555cada73ae4892deda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdh.dll.pak

Filesize
111KB

MD5
685b3b018e2b56918ea195941bbf86f9

SHA1
ec1fffed6436a88be6a7a6b7061d364ff72c245c

SHA256
613f50eeef023471190bda9112c67db2559a36436f426bf96129e0f5dba69399

SHA512
7e8bda580ab606e4fb1f7f28f8b0651fd3f4ef62214f305e5b90aae27386652dd089cb281ce778bca6771d80f35117aa129531a0a44b842baf94e25f427b8d9a

Download Submit
memory/1340-143-0x00000000020C0000-0x00000000021C0000-memory.dmp

Filesize
1024KB

Download
memory/1340-144-0x00000000021C0000-0x00000000021ED000-memory.dmp

Filesize
180KB

Download
memory/2392-142-0x0000000000EC0000-0x0000000000F00000-memory.dmp

Filesize
256KB

Download
memory/4944-149-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/4944-151-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/4944-152-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/4944-153-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/4944-154-0x00007FF7CA1E0000-0x00007FF7CA1F0000-memory.dmp

Filesize
64KB

Download
memory/4944-155-0x00007FF7CA1E0000-0x00007FF7CA1F0000-memory.dmp

Filesize
64KB

Download
memory/4944-150-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/4944-164-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/4944-163-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/4944-162-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/4944-161-0x00007FF7CC670000-0x00007FF7CC680000-memory.dmp

Filesize
64KB

Download
memory/4948-159-0x0000000000870000-0x000000000089D000-memory.dmp

Filesize
180KB

Download
memory/4948-158-0x0000000000870000-0x000000000089D000-memory.dmp

Filesize
180KB

Download