plugx | a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b

Analysis

max time kernel
61s
max time network
89s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exe
Size

347KB
MD5

e733988f97ffcd7bddae53cd194ddb56
SHA1

203d4f753ac159cbaa0637726cc2849483fdee23
SHA256

a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b
SHA512

1c436714ecbd77bd36f628d5d9d6ae0f0869dc77422bd871667f577c8b4200d62991099cbfbf4100717ae9a2bc9b812b6f4fe76329b846df3724a865fc2396e8
SSDEEP

6144:v4lRkAehaKuqT+FdR4U5LUskSB4fpweOLPtfuRK6UcdIAfUvPIHTRmon36Z:vkWAehJuqT4SPskbBHClfuRycdIpvPwC

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1000-71-0x00000000003A0000-0x00000000003D0000-memory.dmp	family_plugx
behavioral1/memory/1176-81-0x00000000001E0000-0x0000000000210000-memory.dmp	family_plugx
behavioral1/memory/1344-90-0x0000000000190000-0x00000000001C0000-memory.dmp	family_plugx
behavioral1/memory/1624-92-0x00000000001F0000-0x0000000000220000-memory.dmp	family_plugx
behavioral1/memory/1176-93-0x00000000001E0000-0x0000000000210000-memory.dmp	family_plugx
behavioral1/memory/1624-94-0x00000000001F0000-0x0000000000220000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 4 IoCs

Processes:

svchost.exeMSIDB.exeMSIDB.exeMSIDB.exe

pid process

936 svchost.exe
1000 MSIDB.exe
1176 MSIDB.exe
1344 MSIDB.exe

pid	process
936	svchost.exe
1000	MSIDB.exe
1176	MSIDB.exe
1344	MSIDB.exe

Loads dropped DLL 9 IoCs

Processes:

a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exesvchost.exeMSIDB.exeMSIDB.exeMSIDB.exe

pid	process
1668	a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exe
936	svchost.exe
936	svchost.exe
936	svchost.exe
936	svchost.exe
1000	MSIDB.exe
1000	MSIDB.exe
1176	MSIDB.exe
1344	MSIDB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 39003200320044004300460046003900410039003400330033003600420035000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

MSIDB.exesvchost.exe

pid process

1000 MSIDB.exe
1624 svchost.exe
1624 svchost.exe
1624 svchost.exe
1624 svchost.exe

pid	process
1000	MSIDB.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

MSIDB.exeMSIDB.exeMSIDB.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1000	MSIDB.exe
Token: SeTcbPrivilege	1000	MSIDB.exe
Token: SeDebugPrivilege	1176	MSIDB.exe
Token: SeTcbPrivilege	1176	MSIDB.exe
Token: SeDebugPrivilege	1344	MSIDB.exe
Token: SeTcbPrivilege	1344	MSIDB.exe
Token: SeDebugPrivilege	1624	svchost.exe
Token: SeTcbPrivilege	1624	svchost.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exesvchost.exeMSIDB.exeMSIDB.exesvchost.exe

description	pid	process	target process
PID 1668 wrote to memory of 936	1668	a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exe	svchost.exe
PID 1668 wrote to memory of 936	1668	a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exe	svchost.exe
PID 1668 wrote to memory of 936	1668	a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exe	svchost.exe
PID 1668 wrote to memory of 936	1668	a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exe	svchost.exe
PID 1668 wrote to memory of 936	1668	a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exe	svchost.exe
PID 1668 wrote to memory of 936	1668	a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exe	svchost.exe
PID 1668 wrote to memory of 936	1668	a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exe	svchost.exe
PID 936 wrote to memory of 1000	936	svchost.exe	MSIDB.exe
PID 936 wrote to memory of 1000	936	svchost.exe	MSIDB.exe
PID 936 wrote to memory of 1000	936	svchost.exe	MSIDB.exe
PID 936 wrote to memory of 1000	936	svchost.exe	MSIDB.exe
PID 936 wrote to memory of 1000	936	svchost.exe	MSIDB.exe
PID 936 wrote to memory of 1000	936	svchost.exe	MSIDB.exe
PID 936 wrote to memory of 1000	936	svchost.exe	MSIDB.exe
PID 1000 wrote to memory of 1176	1000	MSIDB.exe	MSIDB.exe
PID 1000 wrote to memory of 1176	1000	MSIDB.exe	MSIDB.exe
PID 1000 wrote to memory of 1176	1000	MSIDB.exe	MSIDB.exe
PID 1000 wrote to memory of 1176	1000	MSIDB.exe	MSIDB.exe
PID 1000 wrote to memory of 1176	1000	MSIDB.exe	MSIDB.exe
PID 1000 wrote to memory of 1176	1000	MSIDB.exe	MSIDB.exe
PID 1000 wrote to memory of 1176	1000	MSIDB.exe	MSIDB.exe
PID 1344 wrote to memory of 1624	1344	MSIDB.exe	svchost.exe
PID 1344 wrote to memory of 1624	1344	MSIDB.exe	svchost.exe
PID 1344 wrote to memory of 1624	1344	MSIDB.exe	svchost.exe
PID 1344 wrote to memory of 1624	1344	MSIDB.exe	svchost.exe
PID 1344 wrote to memory of 1624	1344	MSIDB.exe	svchost.exe
PID 1344 wrote to memory of 1624	1344	MSIDB.exe	svchost.exe
PID 1344 wrote to memory of 1624	1344	MSIDB.exe	svchost.exe
PID 1344 wrote to memory of 1624	1344	MSIDB.exe	svchost.exe
PID 1344 wrote to memory of 1624	1344	MSIDB.exe	svchost.exe
PID 1624 wrote to memory of 1236	1624	svchost.exe	msiexec.exe
PID 1624 wrote to memory of 1236	1624	svchost.exe	msiexec.exe
PID 1624 wrote to memory of 1236	1624	svchost.exe	msiexec.exe
PID 1624 wrote to memory of 1236	1624	svchost.exe	msiexec.exe
PID 1624 wrote to memory of 1236	1624	svchost.exe	msiexec.exe
PID 1624 wrote to memory of 1236	1624	svchost.exe	msiexec.exe
PID 1624 wrote to memory of 1236	1624	svchost.exe	msiexec.exe
PID 1624 wrote to memory of 1236	1624	svchost.exe	msiexec.exe
PID 1624 wrote to memory of 1236	1624	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exe
"C:\Users\Admin\AppData\Local\Temp\a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000

C:\ProgramData\Wins\MSIDB.exe
"C:\ProgramData\Wins\MSIDB.exe" 100 1000
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\ProgramData\Wins\MSIDB.exe
"C:\ProgramData\Wins\MSIDB.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 1624
3⤵
PID:1236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\bug.log
Filesize
622B

MD5
9947b6505b15dae2c9371a0ff0f0a821

SHA1
24313cde9157179d4ac8eeee3bd8a8ec770299fb

SHA256
467471a38159c118ac167742d86d5a683474e395cdc4fd18b3071663588f8b8a

SHA512
531afaec55af85daee0099e2664215255c1d77807099321bb49a12921a512938728a86eaf393f875733810c6d8a07ca6ec8c74b50c660160e34eebbb7df49dd7

Download Submit
C:\ProgramData\Wins\MSIDB.exe
Filesize
152KB

MD5
211494b619971b7fa34c456116a70adb

SHA1
0da44929534dc7104f8b661280586f4021bbb896

SHA256
cdfbbfdc781d0568dc2466bfbfa8d3ae8f84f80047d1a57f14a967c5dc8be4f4

SHA512
13f785a01ed64d7abad41aafc124ae725a7d08318a6b77a0da1dda40a3eaa7c03010b739b480789fae29b7faa8ab251d76cd0e733690d4471bdf7bcf2aa1fd0d

Download Submit
C:\ProgramData\Wins\MSIDB.exe
Filesize
152KB

MD5
211494b619971b7fa34c456116a70adb

SHA1
0da44929534dc7104f8b661280586f4021bbb896

SHA256
cdfbbfdc781d0568dc2466bfbfa8d3ae8f84f80047d1a57f14a967c5dc8be4f4

SHA512
13f785a01ed64d7abad41aafc124ae725a7d08318a6b77a0da1dda40a3eaa7c03010b739b480789fae29b7faa8ab251d76cd0e733690d4471bdf7bcf2aa1fd0d

Download Submit
C:\ProgramData\Wins\msi.dll
Filesize
45KB

MD5
03d6a61a54eca4d39f4e786315366d18

SHA1
fc1b6fa613af321bd66bddd02707c9a7926bca36

SHA256
0efc9e2fb1508176de73e32cf8dc85efb4cfb4d7cf15f4468163239b03a0d8a2

SHA512
efcf4a20fbfaf75e4d8b02cdb9c58316ea377736d57d0a28d672d052a982ce2984db3ae64d14aab599a6f0542904a1b710ed0091c6b8d29ce31f6fc7b41d1767

Download Submit
C:\ProgramData\Wins\msi.dll.iso
Filesize
120KB

MD5
55d8e04cd7ab9acd1117cb3ce3504c08

SHA1
d487375b9f45b592d283a45d380c7a5d0beaca2b

SHA256
726d05611e84adc80f3ffb3a8a703e359c1bf9d198448e108e6ce3e5a13f0489

SHA512
c104b93709649d88d5a03d0ce678657895ad1294263c869bc1a2a38f1f24fa167fc41eed4e4ff0517b811c069ec35f7fe1efdd6179f6be9e1f6ef33d48f02521

Download Submit
C:\ProgramData\svchost.exe
Filesize
289KB

MD5
3b6a24fece46501f1ae9e7a366c57906

SHA1
7bb323f9f013d9d300596d29c5bc291f2328bfd7

SHA256
6f7ea82f4aca28beb614e4a452136a85a8f17ef72fc58730a201efd9d75f0d21

SHA512
dae718b2ad5d1781d57fae0396e97805c29603eb19ea7124a4925b8150a5a4e4f6d6c68b5d46cce67eb50fcf43f97c44acf4fdcc9ab11aabf79ad866d443afd8

Download Submit
C:\ProgramData\svchost.exe
Filesize
289KB

MD5
3b6a24fece46501f1ae9e7a366c57906

SHA1
7bb323f9f013d9d300596d29c5bc291f2328bfd7

SHA256
6f7ea82f4aca28beb614e4a452136a85a8f17ef72fc58730a201efd9d75f0d21

SHA512
dae718b2ad5d1781d57fae0396e97805c29603eb19ea7124a4925b8150a5a4e4f6d6c68b5d46cce67eb50fcf43f97c44acf4fdcc9ab11aabf79ad866d443afd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe
Filesize
152KB

MD5
211494b619971b7fa34c456116a70adb

SHA1
0da44929534dc7104f8b661280586f4021bbb896

SHA256
cdfbbfdc781d0568dc2466bfbfa8d3ae8f84f80047d1a57f14a967c5dc8be4f4

SHA512
13f785a01ed64d7abad41aafc124ae725a7d08318a6b77a0da1dda40a3eaa7c03010b739b480789fae29b7faa8ab251d76cd0e733690d4471bdf7bcf2aa1fd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe
Filesize
152KB

MD5
211494b619971b7fa34c456116a70adb

SHA1
0da44929534dc7104f8b661280586f4021bbb896

SHA256
cdfbbfdc781d0568dc2466bfbfa8d3ae8f84f80047d1a57f14a967c5dc8be4f4

SHA512
13f785a01ed64d7abad41aafc124ae725a7d08318a6b77a0da1dda40a3eaa7c03010b739b480789fae29b7faa8ab251d76cd0e733690d4471bdf7bcf2aa1fd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msi.dll
Filesize
45KB

MD5
03d6a61a54eca4d39f4e786315366d18

SHA1
fc1b6fa613af321bd66bddd02707c9a7926bca36

SHA256
0efc9e2fb1508176de73e32cf8dc85efb4cfb4d7cf15f4468163239b03a0d8a2

SHA512
efcf4a20fbfaf75e4d8b02cdb9c58316ea377736d57d0a28d672d052a982ce2984db3ae64d14aab599a6f0542904a1b710ed0091c6b8d29ce31f6fc7b41d1767

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msi.dll.iso
Filesize
120KB

MD5
55d8e04cd7ab9acd1117cb3ce3504c08

SHA1
d487375b9f45b592d283a45d380c7a5d0beaca2b

SHA256
726d05611e84adc80f3ffb3a8a703e359c1bf9d198448e108e6ce3e5a13f0489

SHA512
c104b93709649d88d5a03d0ce678657895ad1294263c869bc1a2a38f1f24fa167fc41eed4e4ff0517b811c069ec35f7fe1efdd6179f6be9e1f6ef33d48f02521

Download Submit
\ProgramData\Wins\MSI.dll
Filesize
45KB

MD5
03d6a61a54eca4d39f4e786315366d18

SHA1
fc1b6fa613af321bd66bddd02707c9a7926bca36

SHA256
0efc9e2fb1508176de73e32cf8dc85efb4cfb4d7cf15f4468163239b03a0d8a2

SHA512
efcf4a20fbfaf75e4d8b02cdb9c58316ea377736d57d0a28d672d052a982ce2984db3ae64d14aab599a6f0542904a1b710ed0091c6b8d29ce31f6fc7b41d1767

Download Submit
\ProgramData\Wins\MSI.dll
Filesize
45KB

MD5
03d6a61a54eca4d39f4e786315366d18

SHA1
fc1b6fa613af321bd66bddd02707c9a7926bca36

SHA256
0efc9e2fb1508176de73e32cf8dc85efb4cfb4d7cf15f4468163239b03a0d8a2

SHA512
efcf4a20fbfaf75e4d8b02cdb9c58316ea377736d57d0a28d672d052a982ce2984db3ae64d14aab599a6f0542904a1b710ed0091c6b8d29ce31f6fc7b41d1767

Download Submit
\ProgramData\Wins\MSIDB.exe
Filesize
152KB

MD5
211494b619971b7fa34c456116a70adb

SHA1
0da44929534dc7104f8b661280586f4021bbb896

SHA256
cdfbbfdc781d0568dc2466bfbfa8d3ae8f84f80047d1a57f14a967c5dc8be4f4

SHA512
13f785a01ed64d7abad41aafc124ae725a7d08318a6b77a0da1dda40a3eaa7c03010b739b480789fae29b7faa8ab251d76cd0e733690d4471bdf7bcf2aa1fd0d

Download Submit
\ProgramData\svchost.exe
Filesize
289KB

MD5
3b6a24fece46501f1ae9e7a366c57906

SHA1
7bb323f9f013d9d300596d29c5bc291f2328bfd7

SHA256
6f7ea82f4aca28beb614e4a452136a85a8f17ef72fc58730a201efd9d75f0d21

SHA512
dae718b2ad5d1781d57fae0396e97805c29603eb19ea7124a4925b8150a5a4e4f6d6c68b5d46cce67eb50fcf43f97c44acf4fdcc9ab11aabf79ad866d443afd8

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\MSI.dll
Filesize
45KB

MD5
03d6a61a54eca4d39f4e786315366d18

SHA1
fc1b6fa613af321bd66bddd02707c9a7926bca36

SHA256
0efc9e2fb1508176de73e32cf8dc85efb4cfb4d7cf15f4468163239b03a0d8a2

SHA512
efcf4a20fbfaf75e4d8b02cdb9c58316ea377736d57d0a28d672d052a982ce2984db3ae64d14aab599a6f0542904a1b710ed0091c6b8d29ce31f6fc7b41d1767

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe
Filesize
152KB

MD5
211494b619971b7fa34c456116a70adb

SHA1
0da44929534dc7104f8b661280586f4021bbb896

SHA256
cdfbbfdc781d0568dc2466bfbfa8d3ae8f84f80047d1a57f14a967c5dc8be4f4

SHA512
13f785a01ed64d7abad41aafc124ae725a7d08318a6b77a0da1dda40a3eaa7c03010b739b480789fae29b7faa8ab251d76cd0e733690d4471bdf7bcf2aa1fd0d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe
Filesize
152KB

MD5
211494b619971b7fa34c456116a70adb

SHA1
0da44929534dc7104f8b661280586f4021bbb896

SHA256
cdfbbfdc781d0568dc2466bfbfa8d3ae8f84f80047d1a57f14a967c5dc8be4f4

SHA512
13f785a01ed64d7abad41aafc124ae725a7d08318a6b77a0da1dda40a3eaa7c03010b739b480789fae29b7faa8ab251d76cd0e733690d4471bdf7bcf2aa1fd0d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe
Filesize
152KB

MD5
211494b619971b7fa34c456116a70adb

SHA1
0da44929534dc7104f8b661280586f4021bbb896

SHA256
cdfbbfdc781d0568dc2466bfbfa8d3ae8f84f80047d1a57f14a967c5dc8be4f4

SHA512
13f785a01ed64d7abad41aafc124ae725a7d08318a6b77a0da1dda40a3eaa7c03010b739b480789fae29b7faa8ab251d76cd0e733690d4471bdf7bcf2aa1fd0d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe
Filesize
152KB

MD5
211494b619971b7fa34c456116a70adb

SHA1
0da44929534dc7104f8b661280586f4021bbb896

SHA256
cdfbbfdc781d0568dc2466bfbfa8d3ae8f84f80047d1a57f14a967c5dc8be4f4

SHA512
13f785a01ed64d7abad41aafc124ae725a7d08318a6b77a0da1dda40a3eaa7c03010b739b480789fae29b7faa8ab251d76cd0e733690d4471bdf7bcf2aa1fd0d

Download Submit
memory/936-56-0x0000000000000000-mapping.dmp

Download
memory/1000-64-0x0000000000000000-mapping.dmp

Download
memory/1000-70-0x0000000001CD0000-0x0000000001DD0000-memory.dmp

Filesize
1024KB

Download
memory/1000-71-0x00000000003A0000-0x00000000003D0000-memory.dmp

Filesize
192KB

Download
memory/1176-74-0x0000000000000000-mapping.dmp

Download
memory/1176-81-0x00000000001E0000-0x0000000000210000-memory.dmp

Filesize
192KB

Download
memory/1176-93-0x00000000001E0000-0x0000000000210000-memory.dmp

Filesize
192KB

Download
memory/1344-90-0x0000000000190000-0x00000000001C0000-memory.dmp

Filesize
192KB

Download
memory/1624-86-0x0000000000130000-0x000000000014D000-memory.dmp

Filesize
116KB

Download
memory/1624-88-0x0000000000000000-mapping.dmp

Download
memory/1624-92-0x00000000001F0000-0x0000000000220000-memory.dmp

Filesize
192KB

Download
memory/1624-94-0x00000000001F0000-0x0000000000220000-memory.dmp

Filesize
192KB

Download
memory/1668-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download