plugx | a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b

Analysis

max time kernel
152s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exe
Size

347KB
MD5

e733988f97ffcd7bddae53cd194ddb56
SHA1

203d4f753ac159cbaa0637726cc2849483fdee23
SHA256

a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b
SHA512

1c436714ecbd77bd36f628d5d9d6ae0f0869dc77422bd871667f577c8b4200d62991099cbfbf4100717ae9a2bc9b812b6f4fe76329b846df3724a865fc2396e8
SSDEEP

6144:v4lRkAehaKuqT+FdR4U5LUskSB4fpweOLPtfuRK6UcdIAfUvPIHTRmon36Z:vkWAehJuqT4SPskbBHClfuRycdIpvPwC

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3068-142-0x00000000029A0000-0x00000000029D0000-memory.dmp	family_plugx
behavioral2/memory/1968-153-0x00000000026F0000-0x0000000002720000-memory.dmp	family_plugx
behavioral2/memory/2316-154-0x0000000000FB0000-0x0000000000FE0000-memory.dmp	family_plugx
behavioral2/memory/4192-157-0x00000000015E0000-0x0000000001610000-memory.dmp	family_plugx
behavioral2/memory/1968-158-0x00000000026F0000-0x0000000002720000-memory.dmp	family_plugx
behavioral2/memory/4192-159-0x00000000015E0000-0x0000000001610000-memory.dmp	family_plugx
behavioral2/memory/1468-161-0x0000000000B30000-0x0000000000B60000-memory.dmp	family_plugx
behavioral2/memory/1468-162-0x0000000000B30000-0x0000000000B60000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 4 IoCs

Processes:

svchost.exeMSIDB.exeMSIDB.exeMSIDB.exe

pid process

1972 svchost.exe
3068 MSIDB.exe
1968 MSIDB.exe
2316 MSIDB.exe

pid	process
1972	svchost.exe
3068	MSIDB.exe
1968	MSIDB.exe
2316	MSIDB.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	svchost.exe

Loads dropped DLL 3 IoCs

Processes:

MSIDB.exeMSIDB.exeMSIDB.exe

pid process

3068 MSIDB.exe
1968 MSIDB.exe
2316 MSIDB.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 42003600330033003700330038003800420046003500300037004300320039000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MSIDB.exesvchost.exemsiexec.exe

pid	process
3068	MSIDB.exe
3068	MSIDB.exe
4192	svchost.exe
4192	svchost.exe
4192	svchost.exe
4192	svchost.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
4192	svchost.exe
4192	svchost.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
4192	svchost.exe
4192	svchost.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
4192	svchost.exe
4192	svchost.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
4192	svchost.exe
4192	svchost.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe
1468	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

4192 svchost.exe

pid	process
4192	svchost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

MSIDB.exeMSIDB.exeMSIDB.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	3068	MSIDB.exe
Token: SeTcbPrivilege	3068	MSIDB.exe
Token: SeDebugPrivilege	1968	MSIDB.exe
Token: SeTcbPrivilege	1968	MSIDB.exe
Token: SeDebugPrivilege	2316	MSIDB.exe
Token: SeTcbPrivilege	2316	MSIDB.exe
Token: SeDebugPrivilege	4192	svchost.exe
Token: SeTcbPrivilege	4192	svchost.exe
Token: SeDebugPrivilege	1468	msiexec.exe
Token: SeTcbPrivilege	1468	msiexec.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exesvchost.exeMSIDB.exeMSIDB.exesvchost.exe

description	pid	process	target process
PID 628 wrote to memory of 1972	628	a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exe	svchost.exe
PID 628 wrote to memory of 1972	628	a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exe	svchost.exe
PID 628 wrote to memory of 1972	628	a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exe	svchost.exe
PID 1972 wrote to memory of 3068	1972	svchost.exe	MSIDB.exe
PID 1972 wrote to memory of 3068	1972	svchost.exe	MSIDB.exe
PID 1972 wrote to memory of 3068	1972	svchost.exe	MSIDB.exe
PID 3068 wrote to memory of 1968	3068	MSIDB.exe	MSIDB.exe
PID 3068 wrote to memory of 1968	3068	MSIDB.exe	MSIDB.exe
PID 3068 wrote to memory of 1968	3068	MSIDB.exe	MSIDB.exe
PID 2316 wrote to memory of 4192	2316	MSIDB.exe	svchost.exe
PID 2316 wrote to memory of 4192	2316	MSIDB.exe	svchost.exe
PID 2316 wrote to memory of 4192	2316	MSIDB.exe	svchost.exe
PID 2316 wrote to memory of 4192	2316	MSIDB.exe	svchost.exe
PID 2316 wrote to memory of 4192	2316	MSIDB.exe	svchost.exe
PID 2316 wrote to memory of 4192	2316	MSIDB.exe	svchost.exe
PID 2316 wrote to memory of 4192	2316	MSIDB.exe	svchost.exe
PID 2316 wrote to memory of 4192	2316	MSIDB.exe	svchost.exe
PID 4192 wrote to memory of 1468	4192	svchost.exe	msiexec.exe
PID 4192 wrote to memory of 1468	4192	svchost.exe	msiexec.exe
PID 4192 wrote to memory of 1468	4192	svchost.exe	msiexec.exe
PID 4192 wrote to memory of 1468	4192	svchost.exe	msiexec.exe
PID 4192 wrote to memory of 1468	4192	svchost.exe	msiexec.exe
PID 4192 wrote to memory of 1468	4192	svchost.exe	msiexec.exe
PID 4192 wrote to memory of 1468	4192	svchost.exe	msiexec.exe
PID 4192 wrote to memory of 1468	4192	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exe
"C:\Users\Admin\AppData\Local\Temp\a97959fee0a1ea94a23fa46faed2d786ebfc7db2e1401e843ee36d7e26f7bd7b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:628

C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068

C:\ProgramData\Wins\MSIDB.exe
"C:\ProgramData\Wins\MSIDB.exe" 100 3068
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\ProgramData\Wins\MSIDB.exe
"C:\ProgramData\Wins\MSIDB.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 4192
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\bug.log
Filesize
622B

MD5
841e1191c77c5a7ff4241075f9325b24

SHA1
69adc14a15336cd0b5a3cbc1b9f4f0e2c7786b40

SHA256
eba96fd26a6541b557c6c597f9a1bb3f7ed5f7995c2eded189892532d898ea97

SHA512
ee29eee6830264b94dffa36790a1823c043aca83d061fdfa4cdb6ef2f467479666bdc48083c0d66ba1f4e88cbc605b2cf1363c5de36eb756e037b129302b7d2d

Download Submit
C:\ProgramData\Wins\MSI.dll
Filesize
45KB

MD5
03d6a61a54eca4d39f4e786315366d18

SHA1
fc1b6fa613af321bd66bddd02707c9a7926bca36

SHA256
0efc9e2fb1508176de73e32cf8dc85efb4cfb4d7cf15f4468163239b03a0d8a2

SHA512
efcf4a20fbfaf75e4d8b02cdb9c58316ea377736d57d0a28d672d052a982ce2984db3ae64d14aab599a6f0542904a1b710ed0091c6b8d29ce31f6fc7b41d1767

Download Submit
C:\ProgramData\Wins\MSI.dll
Filesize
45KB

MD5
03d6a61a54eca4d39f4e786315366d18

SHA1
fc1b6fa613af321bd66bddd02707c9a7926bca36

SHA256
0efc9e2fb1508176de73e32cf8dc85efb4cfb4d7cf15f4468163239b03a0d8a2

SHA512
efcf4a20fbfaf75e4d8b02cdb9c58316ea377736d57d0a28d672d052a982ce2984db3ae64d14aab599a6f0542904a1b710ed0091c6b8d29ce31f6fc7b41d1767

Download Submit
C:\ProgramData\Wins\MSIDB.exe
Filesize
152KB

MD5
211494b619971b7fa34c456116a70adb

SHA1
0da44929534dc7104f8b661280586f4021bbb896

SHA256
cdfbbfdc781d0568dc2466bfbfa8d3ae8f84f80047d1a57f14a967c5dc8be4f4

SHA512
13f785a01ed64d7abad41aafc124ae725a7d08318a6b77a0da1dda40a3eaa7c03010b739b480789fae29b7faa8ab251d76cd0e733690d4471bdf7bcf2aa1fd0d

Download Submit
C:\ProgramData\Wins\MSIDB.exe
Filesize
152KB

MD5
211494b619971b7fa34c456116a70adb

SHA1
0da44929534dc7104f8b661280586f4021bbb896

SHA256
cdfbbfdc781d0568dc2466bfbfa8d3ae8f84f80047d1a57f14a967c5dc8be4f4

SHA512
13f785a01ed64d7abad41aafc124ae725a7d08318a6b77a0da1dda40a3eaa7c03010b739b480789fae29b7faa8ab251d76cd0e733690d4471bdf7bcf2aa1fd0d

Download Submit
C:\ProgramData\Wins\MSIDB.exe
Filesize
152KB

MD5
211494b619971b7fa34c456116a70adb

SHA1
0da44929534dc7104f8b661280586f4021bbb896

SHA256
cdfbbfdc781d0568dc2466bfbfa8d3ae8f84f80047d1a57f14a967c5dc8be4f4

SHA512
13f785a01ed64d7abad41aafc124ae725a7d08318a6b77a0da1dda40a3eaa7c03010b739b480789fae29b7faa8ab251d76cd0e733690d4471bdf7bcf2aa1fd0d

Download Submit
C:\ProgramData\Wins\msi.dll
Filesize
45KB

MD5
03d6a61a54eca4d39f4e786315366d18

SHA1
fc1b6fa613af321bd66bddd02707c9a7926bca36

SHA256
0efc9e2fb1508176de73e32cf8dc85efb4cfb4d7cf15f4468163239b03a0d8a2

SHA512
efcf4a20fbfaf75e4d8b02cdb9c58316ea377736d57d0a28d672d052a982ce2984db3ae64d14aab599a6f0542904a1b710ed0091c6b8d29ce31f6fc7b41d1767

Download Submit
C:\ProgramData\Wins\msi.dll.iso
Filesize
120KB

MD5
55d8e04cd7ab9acd1117cb3ce3504c08

SHA1
d487375b9f45b592d283a45d380c7a5d0beaca2b

SHA256
726d05611e84adc80f3ffb3a8a703e359c1bf9d198448e108e6ce3e5a13f0489

SHA512
c104b93709649d88d5a03d0ce678657895ad1294263c869bc1a2a38f1f24fa167fc41eed4e4ff0517b811c069ec35f7fe1efdd6179f6be9e1f6ef33d48f02521

Download Submit
C:\ProgramData\svchost.exe
Filesize
289KB

MD5
3b6a24fece46501f1ae9e7a366c57906

SHA1
7bb323f9f013d9d300596d29c5bc291f2328bfd7

SHA256
6f7ea82f4aca28beb614e4a452136a85a8f17ef72fc58730a201efd9d75f0d21

SHA512
dae718b2ad5d1781d57fae0396e97805c29603eb19ea7124a4925b8150a5a4e4f6d6c68b5d46cce67eb50fcf43f97c44acf4fdcc9ab11aabf79ad866d443afd8

Download Submit
C:\ProgramData\svchost.exe
Filesize
289KB

MD5
3b6a24fece46501f1ae9e7a366c57906

SHA1
7bb323f9f013d9d300596d29c5bc291f2328bfd7

SHA256
6f7ea82f4aca28beb614e4a452136a85a8f17ef72fc58730a201efd9d75f0d21

SHA512
dae718b2ad5d1781d57fae0396e97805c29603eb19ea7124a4925b8150a5a4e4f6d6c68b5d46cce67eb50fcf43f97c44acf4fdcc9ab11aabf79ad866d443afd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSI.dll
Filesize
45KB

MD5
03d6a61a54eca4d39f4e786315366d18

SHA1
fc1b6fa613af321bd66bddd02707c9a7926bca36

SHA256
0efc9e2fb1508176de73e32cf8dc85efb4cfb4d7cf15f4468163239b03a0d8a2

SHA512
efcf4a20fbfaf75e4d8b02cdb9c58316ea377736d57d0a28d672d052a982ce2984db3ae64d14aab599a6f0542904a1b710ed0091c6b8d29ce31f6fc7b41d1767

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe
Filesize
152KB

MD5
211494b619971b7fa34c456116a70adb

SHA1
0da44929534dc7104f8b661280586f4021bbb896

SHA256
cdfbbfdc781d0568dc2466bfbfa8d3ae8f84f80047d1a57f14a967c5dc8be4f4

SHA512
13f785a01ed64d7abad41aafc124ae725a7d08318a6b77a0da1dda40a3eaa7c03010b739b480789fae29b7faa8ab251d76cd0e733690d4471bdf7bcf2aa1fd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe
Filesize
152KB

MD5
211494b619971b7fa34c456116a70adb

SHA1
0da44929534dc7104f8b661280586f4021bbb896

SHA256
cdfbbfdc781d0568dc2466bfbfa8d3ae8f84f80047d1a57f14a967c5dc8be4f4

SHA512
13f785a01ed64d7abad41aafc124ae725a7d08318a6b77a0da1dda40a3eaa7c03010b739b480789fae29b7faa8ab251d76cd0e733690d4471bdf7bcf2aa1fd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msi.dll
Filesize
45KB

MD5
03d6a61a54eca4d39f4e786315366d18

SHA1
fc1b6fa613af321bd66bddd02707c9a7926bca36

SHA256
0efc9e2fb1508176de73e32cf8dc85efb4cfb4d7cf15f4468163239b03a0d8a2

SHA512
efcf4a20fbfaf75e4d8b02cdb9c58316ea377736d57d0a28d672d052a982ce2984db3ae64d14aab599a6f0542904a1b710ed0091c6b8d29ce31f6fc7b41d1767

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msi.dll.iso
Filesize
120KB

MD5
55d8e04cd7ab9acd1117cb3ce3504c08

SHA1
d487375b9f45b592d283a45d380c7a5d0beaca2b

SHA256
726d05611e84adc80f3ffb3a8a703e359c1bf9d198448e108e6ce3e5a13f0489

SHA512
c104b93709649d88d5a03d0ce678657895ad1294263c869bc1a2a38f1f24fa167fc41eed4e4ff0517b811c069ec35f7fe1efdd6179f6be9e1f6ef33d48f02521

Download Submit
memory/1468-162-0x0000000000B30000-0x0000000000B60000-memory.dmp

Filesize
192KB

Download
memory/1468-161-0x0000000000B30000-0x0000000000B60000-memory.dmp

Filesize
192KB

Download
memory/1468-160-0x0000000000000000-mapping.dmp

Download
memory/1968-158-0x00000000026F0000-0x0000000002720000-memory.dmp

Filesize
192KB

Download
memory/1968-143-0x0000000000000000-mapping.dmp

Download
memory/1968-153-0x00000000026F0000-0x0000000002720000-memory.dmp

Filesize
192KB

Download
memory/1972-132-0x0000000000000000-mapping.dmp

Download
memory/2316-154-0x0000000000FB0000-0x0000000000FE0000-memory.dmp

Filesize
192KB

Download
memory/3068-135-0x0000000000000000-mapping.dmp

Download
memory/3068-141-0x0000000002870000-0x0000000002970000-memory.dmp

Filesize
1024KB

Download
memory/3068-142-0x00000000029A0000-0x00000000029D0000-memory.dmp

Filesize
192KB

Download
memory/4192-157-0x00000000015E0000-0x0000000001610000-memory.dmp

Filesize
192KB

Download
memory/4192-155-0x0000000000000000-mapping.dmp

Download
memory/4192-159-0x00000000015E0000-0x0000000001610000-memory.dmp

Filesize
192KB

Download