plugx | fadede77c634e440187aaf67f38e0dc457d06a4674ecede40cdb1c27fd6eec26

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fadede77c634e440187aaf67f38e0dc457d06a4674ecede40cdb1c27fd6eec26.exe
Size

244KB
MD5

6b7f62c10ee3cf825fb13f025d098c68
SHA1

a02aa5f30090f23e5e8fbd3bc1232058cd8d9490
SHA256

fadede77c634e440187aaf67f38e0dc457d06a4674ecede40cdb1c27fd6eec26
SHA512

d1d11956d1bab0f17be184872e0ab20cb100cdf1594b6f0ae2d286e6c217410e20fc92f15a06714b4b6c41e3b6165eb60ecc7301fb7596a0456e3e3a8e8664e6
SSDEEP

6144:Yu2urzh9xu/XkaudPdVJI1G/YA0xPl4aX5D8owFA9jES:Yutrzh9xOXkJdIQ/EX44JU61

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 7 IoCs

resource	yara_rule
behavioral2/memory/1712-139-0x0000000000570000-0x00000000005A0000-memory.dmp	family_plugx
behavioral2/memory/4116-150-0x0000000000E30000-0x0000000000E60000-memory.dmp	family_plugx
behavioral2/memory/2888-152-0x00000000007C0000-0x00000000007F0000-memory.dmp	family_plugx
behavioral2/memory/4764-153-0x0000000001070000-0x00000000010A0000-memory.dmp	family_plugx
behavioral2/memory/4764-155-0x0000000001070000-0x00000000010A0000-memory.dmp	family_plugx
behavioral2/memory/4568-156-0x0000000000E30000-0x0000000000E60000-memory.dmp	family_plugx
behavioral2/memory/4568-157-0x0000000000E30000-0x0000000000E60000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
1712	NvSmart.exe
2888	NvSmart.exe
4116	NvSmart.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	fadede77c634e440187aaf67f38e0dc457d06a4674ecede40cdb1c27fd6eec26.exe

Loads dropped DLL 3 IoCs

pid	Process
1712	NvSmart.exe
2888	NvSmart.exe
4116	NvSmart.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 39004400390044004200450032004100460030003100320036004300300037000000	svchost.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1712	NvSmart.exe
1712	NvSmart.exe
4764	svchost.exe
4764	svchost.exe
4764	svchost.exe
4764	svchost.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4764	svchost.exe
4764	svchost.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4764	svchost.exe
4764	svchost.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4764	svchost.exe
4764	svchost.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4764	svchost.exe
4764	svchost.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe
4568	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4764	svchost.exe
4568	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	NvSmart.exe
Token: SeTcbPrivilege	1712	NvSmart.exe
Token: SeDebugPrivilege	2888	NvSmart.exe
Token: SeTcbPrivilege	2888	NvSmart.exe
Token: SeDebugPrivilege	4116	NvSmart.exe
Token: SeTcbPrivilege	4116	NvSmart.exe
Token: SeDebugPrivilege	4764	svchost.exe
Token: SeTcbPrivilege	4764	svchost.exe
Token: SeDebugPrivilege	4568	msiexec.exe
Token: SeTcbPrivilege	4568	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 1712	2772	fadede77c634e440187aaf67f38e0dc457d06a4674ecede40cdb1c27fd6eec26.exe	80
PID 2772 wrote to memory of 1712	2772	fadede77c634e440187aaf67f38e0dc457d06a4674ecede40cdb1c27fd6eec26.exe	80
PID 2772 wrote to memory of 1712	2772	fadede77c634e440187aaf67f38e0dc457d06a4674ecede40cdb1c27fd6eec26.exe	80
PID 4116 wrote to memory of 4764	4116	NvSmart.exe	83
PID 4116 wrote to memory of 4764	4116	NvSmart.exe	83
PID 4116 wrote to memory of 4764	4116	NvSmart.exe	83
PID 4116 wrote to memory of 4764	4116	NvSmart.exe	83
PID 4116 wrote to memory of 4764	4116	NvSmart.exe	83
PID 4116 wrote to memory of 4764	4116	NvSmart.exe	83
PID 4116 wrote to memory of 4764	4116	NvSmart.exe	83
PID 4116 wrote to memory of 4764	4116	NvSmart.exe	83
PID 4764 wrote to memory of 4568	4764	svchost.exe	84
PID 4764 wrote to memory of 4568	4764	svchost.exe	84
PID 4764 wrote to memory of 4568	4764	svchost.exe	84
PID 4764 wrote to memory of 4568	4764	svchost.exe	84
PID 4764 wrote to memory of 4568	4764	svchost.exe	84
PID 4764 wrote to memory of 4568	4764	svchost.exe	84
PID 4764 wrote to memory of 4568	4764	svchost.exe	84
PID 4764 wrote to memory of 4568	4764	svchost.exe	84

C:\Users\Admin\AppData\Local\Temp\fadede77c634e440187aaf67f38e0dc457d06a4674ecede40cdb1c27fd6eec26.exe
"C:\Users\Admin\AppData\Local\Temp\fadede77c634e440187aaf67f38e0dc457d06a4674ecede40cdb1c27fd6eec26.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmart.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmart.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1712

C:\ProgramData\SxS\NvSmart.exe
"C:\ProgramData\SxS\NvSmart.exe" 100 1712
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\ProgramData\SxS\NvSmart.exe
"C:\ProgramData\SxS\NvSmart.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 4764
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\NvSmart.dat

Filesize
120KB

MD5
ead5dc8c297cc83e4a3e1613abd266b9

SHA1
f966bde53443337541479dac38dae7289ff86462

SHA256
4456543fd3ef86ff8bebd8a44685629642cb9f6ff63f5dfdcd545958253d186e

SHA512
db75db6879457a406517791d484c19d891c360df28ac16b98a2145684977fafab2ca6c7b9b055fff1f3497d7c0716938e56dde580577c4a838178f5cb5834526

Download Submit
C:\ProgramData\SxS\NvSmart.exe

Filesize
46KB

MD5
303defda5824ba9ce01d719674477c2a

SHA1
1d95abad70b990f79750516d768572ca05f9a4c1

SHA256
d4faf0e2e34ebcfbfa0e73efeec193c28cdc101dea83c6556f4d7c1f0f1a45eb

SHA512
4022cef15f2f3709f7ccf1edb1f5bb3c3c2ade8a160c54835ea2b2720afbbec25dae7ff7a9d3371e9ec5b3b38a5bcc1c9136b9fb073cacbc51a42140147108f4

Download Submit
C:\ProgramData\SxS\NvSmart.exe

Filesize
46KB

MD5
303defda5824ba9ce01d719674477c2a

SHA1
1d95abad70b990f79750516d768572ca05f9a4c1

SHA256
d4faf0e2e34ebcfbfa0e73efeec193c28cdc101dea83c6556f4d7c1f0f1a45eb

SHA512
4022cef15f2f3709f7ccf1edb1f5bb3c3c2ade8a160c54835ea2b2720afbbec25dae7ff7a9d3371e9ec5b3b38a5bcc1c9136b9fb073cacbc51a42140147108f4

Download Submit
C:\ProgramData\SxS\NvSmart.exe

Filesize
46KB

MD5
303defda5824ba9ce01d719674477c2a

SHA1
1d95abad70b990f79750516d768572ca05f9a4c1

SHA256
d4faf0e2e34ebcfbfa0e73efeec193c28cdc101dea83c6556f4d7c1f0f1a45eb

SHA512
4022cef15f2f3709f7ccf1edb1f5bb3c3c2ade8a160c54835ea2b2720afbbec25dae7ff7a9d3371e9ec5b3b38a5bcc1c9136b9fb073cacbc51a42140147108f4

Download Submit
C:\ProgramData\SxS\NvSmartMax.dll

Filesize
11KB

MD5
1fab1cd41b73e9a485c4237307c72d24

SHA1
f48a4e1cafbf00c33221c605dc2f843dba74f903

SHA256
c164b75b738f3d85c27016b4cc9515d8dd5d12f16175e31fac2b13c5c2737fef

SHA512
70dd3d214dd2871364253775a404c35ae91db388108e8577d49de368a93f15ce542aa1c5408e1b4640371999d09e186741a911ed39f044320fd7ee04b7eeab85

Download Submit
C:\ProgramData\SxS\NvSmartMax.dll

Filesize
11KB

MD5
1fab1cd41b73e9a485c4237307c72d24

SHA1
f48a4e1cafbf00c33221c605dc2f843dba74f903

SHA256
c164b75b738f3d85c27016b4cc9515d8dd5d12f16175e31fac2b13c5c2737fef

SHA512
70dd3d214dd2871364253775a404c35ae91db388108e8577d49de368a93f15ce542aa1c5408e1b4640371999d09e186741a911ed39f044320fd7ee04b7eeab85

Download Submit
C:\ProgramData\SxS\NvSmartMax.dll

Filesize
11KB

MD5
1fab1cd41b73e9a485c4237307c72d24

SHA1
f48a4e1cafbf00c33221c605dc2f843dba74f903

SHA256
c164b75b738f3d85c27016b4cc9515d8dd5d12f16175e31fac2b13c5c2737fef

SHA512
70dd3d214dd2871364253775a404c35ae91db388108e8577d49de368a93f15ce542aa1c5408e1b4640371999d09e186741a911ed39f044320fd7ee04b7eeab85

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
828B

MD5
7d897c190e0981091aab980b654cd68a

SHA1
36f9d855fa996d0c9b9c67338ec633cc8fc56e68

SHA256
1487d6922b656a86a0d38cfb78891d469389daf111d4253778847fa66a25e227

SHA512
8e81ab3b2f656cd3f61e0a1a35e451b59fa42c88ce769b204eaa7ac72f7ddfbaae00672fdd7ed9297224f541bb1d495c8a5bbafca7b5e004f9fc71be0515128e

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
970B

MD5
a2bae659cd45e52210eea2aae78be0a3

SHA1
72ceaac6638db0832b2fa023acc18e300fdfaffa

SHA256
38aada52a3d2a60e0753eb23babfdb9a16c8253cf0d5d38a127ba1ff9865c50b

SHA512
b650f8b0cd59b4e78d94715c3209964964f48565e57f1a39638bcf12036b00a12a5ef4279bd7bd4a61be2a202218b735c73d76c38b1325056548c8d22c3c12ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmart.dat

Filesize
120KB

MD5
ead5dc8c297cc83e4a3e1613abd266b9

SHA1
f966bde53443337541479dac38dae7289ff86462

SHA256
4456543fd3ef86ff8bebd8a44685629642cb9f6ff63f5dfdcd545958253d186e

SHA512
db75db6879457a406517791d484c19d891c360df28ac16b98a2145684977fafab2ca6c7b9b055fff1f3497d7c0716938e56dde580577c4a838178f5cb5834526

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmart.exe

Filesize
46KB

MD5
303defda5824ba9ce01d719674477c2a

SHA1
1d95abad70b990f79750516d768572ca05f9a4c1

SHA256
d4faf0e2e34ebcfbfa0e73efeec193c28cdc101dea83c6556f4d7c1f0f1a45eb

SHA512
4022cef15f2f3709f7ccf1edb1f5bb3c3c2ade8a160c54835ea2b2720afbbec25dae7ff7a9d3371e9ec5b3b38a5bcc1c9136b9fb073cacbc51a42140147108f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmart.exe

Filesize
46KB

MD5
303defda5824ba9ce01d719674477c2a

SHA1
1d95abad70b990f79750516d768572ca05f9a4c1

SHA256
d4faf0e2e34ebcfbfa0e73efeec193c28cdc101dea83c6556f4d7c1f0f1a45eb

SHA512
4022cef15f2f3709f7ccf1edb1f5bb3c3c2ade8a160c54835ea2b2720afbbec25dae7ff7a9d3371e9ec5b3b38a5bcc1c9136b9fb073cacbc51a42140147108f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll

Filesize
11KB

MD5
1fab1cd41b73e9a485c4237307c72d24

SHA1
f48a4e1cafbf00c33221c605dc2f843dba74f903

SHA256
c164b75b738f3d85c27016b4cc9515d8dd5d12f16175e31fac2b13c5c2737fef

SHA512
70dd3d214dd2871364253775a404c35ae91db388108e8577d49de368a93f15ce542aa1c5408e1b4640371999d09e186741a911ed39f044320fd7ee04b7eeab85

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll

Filesize
11KB

MD5
1fab1cd41b73e9a485c4237307c72d24

SHA1
f48a4e1cafbf00c33221c605dc2f843dba74f903

SHA256
c164b75b738f3d85c27016b4cc9515d8dd5d12f16175e31fac2b13c5c2737fef

SHA512
70dd3d214dd2871364253775a404c35ae91db388108e8577d49de368a93f15ce542aa1c5408e1b4640371999d09e186741a911ed39f044320fd7ee04b7eeab85

Download Submit
memory/1712-138-0x0000000002070000-0x0000000002170000-memory.dmp

Filesize
1024KB

Download
memory/1712-139-0x0000000000570000-0x00000000005A0000-memory.dmp

Filesize
192KB

Download
memory/2888-152-0x00000000007C0000-0x00000000007F0000-memory.dmp

Filesize
192KB

Download
memory/4116-150-0x0000000000E30000-0x0000000000E60000-memory.dmp

Filesize
192KB

Download
memory/4568-156-0x0000000000E30000-0x0000000000E60000-memory.dmp

Filesize
192KB

Download
memory/4568-157-0x0000000000E30000-0x0000000000E60000-memory.dmp

Filesize
192KB

Download
memory/4764-153-0x0000000001070000-0x00000000010A0000-memory.dmp

Filesize
192KB

Download
memory/4764-155-0x0000000001070000-0x00000000010A0000-memory.dmp

Filesize
192KB

Download