plugx | 9ba3a12dff7a578baa1834cdacfcd55b6dbea0a3c2393ae937d2a88a3064a96a

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ba3a12dff7a578baa1834cdacfcd55b6dbea0a3c2393ae937d2a88a3064a96a.exe
Size

333KB
MD5

4cf40352cbcf8120b64bb0d6b61f4a29
SHA1

fe4838673ad99d2b0ee4171a3ec9210a934c32b2
SHA256

9ba3a12dff7a578baa1834cdacfcd55b6dbea0a3c2393ae937d2a88a3064a96a
SHA512

a3cdcf8d51f383f27b0d79ec3ecd050d7f0f2187ad04b33320999c31292f77bb5b20901271c89699b8864bc1302a8260852eb3cd53f1ab9d73e500e0ac89a2f1
SSDEEP

6144:Cz+92mhAMJ/cPl3iNGhPnYxgYhWtxiPwZyM/bz5P:CK2mhAMJ/cPl/WgHQMjzF

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 6 IoCs

resource	yara_rule
behavioral1/memory/1804-66-0x0000000000290000-0x00000000002BC000-memory.dmp	family_plugx
behavioral1/memory/1736-82-0x0000000000280000-0x00000000002AC000-memory.dmp	family_plugx
behavioral1/memory/744-83-0x0000000000340000-0x000000000036C000-memory.dmp	family_plugx
behavioral1/memory/1084-84-0x0000000000200000-0x000000000022C000-memory.dmp	family_plugx
behavioral1/memory/1068-89-0x0000000000880000-0x00000000008AC000-memory.dmp	family_plugx
behavioral1/memory/1084-90-0x0000000000200000-0x000000000022C000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
1804	hkcmd.exe
744	hkcmd.exe
1736	hkcmd.exe

Deletes itself 1 IoCs

pid	Process
1804	hkcmd.exe

Loads dropped DLL 7 IoCs

pid	Process
1948	9ba3a12dff7a578baa1834cdacfcd55b6dbea0a3c2393ae937d2a88a3064a96a.exe
1948	9ba3a12dff7a578baa1834cdacfcd55b6dbea0a3c2393ae937d2a88a3064a96a.exe
1948	9ba3a12dff7a578baa1834cdacfcd55b6dbea0a3c2393ae937d2a88a3064a96a.exe
1948	9ba3a12dff7a578baa1834cdacfcd55b6dbea0a3c2393ae937d2a88a3064a96a.exe
1804	hkcmd.exe
744	hkcmd.exe
1736	hkcmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 30003500370030004500380030003100330034003400420041003100300030000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1804	hkcmd.exe
1084	svchost.exe
1084	svchost.exe
1084	svchost.exe
1084	svchost.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1084	svchost.exe
1084	svchost.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1084	svchost.exe
1084	svchost.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1084	svchost.exe
1084	svchost.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1084	svchost.exe
1084	svchost.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1084	svchost.exe
1084	svchost.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1084	svchost.exe
1084	svchost.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1068	msiexec.exe
1084	svchost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	hkcmd.exe
Token: SeTcbPrivilege	1804	hkcmd.exe
Token: SeDebugPrivilege	744	hkcmd.exe
Token: SeTcbPrivilege	744	hkcmd.exe
Token: SeDebugPrivilege	1736	hkcmd.exe
Token: SeTcbPrivilege	1736	hkcmd.exe
Token: SeDebugPrivilege	1084	svchost.exe
Token: SeTcbPrivilege	1084	svchost.exe
Token: SeDebugPrivilege	1068	msiexec.exe
Token: SeTcbPrivilege	1068	msiexec.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1804	1948	9ba3a12dff7a578baa1834cdacfcd55b6dbea0a3c2393ae937d2a88a3064a96a.exe	27
PID 1948 wrote to memory of 1804	1948	9ba3a12dff7a578baa1834cdacfcd55b6dbea0a3c2393ae937d2a88a3064a96a.exe	27
PID 1948 wrote to memory of 1804	1948	9ba3a12dff7a578baa1834cdacfcd55b6dbea0a3c2393ae937d2a88a3064a96a.exe	27
PID 1948 wrote to memory of 1804	1948	9ba3a12dff7a578baa1834cdacfcd55b6dbea0a3c2393ae937d2a88a3064a96a.exe	27
PID 1948 wrote to memory of 1804	1948	9ba3a12dff7a578baa1834cdacfcd55b6dbea0a3c2393ae937d2a88a3064a96a.exe	27
PID 1948 wrote to memory of 1804	1948	9ba3a12dff7a578baa1834cdacfcd55b6dbea0a3c2393ae937d2a88a3064a96a.exe	27
PID 1948 wrote to memory of 1804	1948	9ba3a12dff7a578baa1834cdacfcd55b6dbea0a3c2393ae937d2a88a3064a96a.exe	27
PID 1736 wrote to memory of 1084	1736	hkcmd.exe	31
PID 1736 wrote to memory of 1084	1736	hkcmd.exe	31
PID 1736 wrote to memory of 1084	1736	hkcmd.exe	31
PID 1736 wrote to memory of 1084	1736	hkcmd.exe	31
PID 1736 wrote to memory of 1084	1736	hkcmd.exe	31
PID 1736 wrote to memory of 1084	1736	hkcmd.exe	31
PID 1736 wrote to memory of 1084	1736	hkcmd.exe	31
PID 1736 wrote to memory of 1084	1736	hkcmd.exe	31
PID 1736 wrote to memory of 1084	1736	hkcmd.exe	31
PID 1084 wrote to memory of 1068	1084	svchost.exe	32
PID 1084 wrote to memory of 1068	1084	svchost.exe	32
PID 1084 wrote to memory of 1068	1084	svchost.exe	32
PID 1084 wrote to memory of 1068	1084	svchost.exe	32
PID 1084 wrote to memory of 1068	1084	svchost.exe	32
PID 1084 wrote to memory of 1068	1084	svchost.exe	32
PID 1084 wrote to memory of 1068	1084	svchost.exe	32
PID 1084 wrote to memory of 1068	1084	svchost.exe	32
PID 1084 wrote to memory of 1068	1084	svchost.exe	32
PID 1084 wrote to memory of 1068	1084	svchost.exe	32
PID 1084 wrote to memory of 1068	1084	svchost.exe	32
PID 1084 wrote to memory of 1068	1084	svchost.exe	32

C:\Users\Admin\AppData\Local\Temp\9ba3a12dff7a578baa1834cdacfcd55b6dbea0a3c2393ae937d2a88a3064a96a.exe
"C:\Users\Admin\AppData\Local\Temp\9ba3a12dff7a578baa1834cdacfcd55b6dbea0a3c2393ae937d2a88a3064a96a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804

C:\ProgramData\Kerberos\hkcmd.exe
"C:\ProgramData\Kerberos\hkcmd.exe" 100 1804
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\ProgramData\Kerberos\hkcmd.exe
"C:\ProgramData\Kerberos\hkcmd.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1084
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Kerberos\hccutils.DLL

Filesize
41KB

MD5
55c15efa6369957c69e7c6643bc86ef2

SHA1
ce2bacdc2eeb298016d46e61f4a009b2a706a737

SHA256
7a593f93d52d7cecf2ad81ee2df0d1354a39bb975cec25619dcbe5cee57123cf

SHA512
a6d06035f91410dc215d8ac8a22d955bd02084d3e409e81176046c9f1bbf0eff2328ab66ff90f0441004ddd7922fdd2d2c1b44f32b583ab78cb1015813d46705

Download Submit
C:\ProgramData\Kerberos\hccutils.DLL.res

Filesize
110KB

MD5
3aa819b9089cd906d6434e446bea75ba

SHA1
8e008e0eb41830841eeb4702c382a43757ad930e

SHA256
b414a5ffb5b41d46d963c22964ae3097538c0a3e7ce0e3ba235ca33de3ab717d

SHA512
c09d075044ef7b74c928238aaa1b78c952970280a68213db108d7bdc02fea24a0f6424a745dbf4fb33de93f3b8d8341b7f99e5c47dadd0fda9083e6cc596b965

Download Submit
C:\ProgramData\Kerberos\hkcmd.exe

Filesize
169KB

MD5
0d58e5f4e82539de38ba7f9b4a8dda12

SHA1
dd0f39f4d77e1bb347321aa22b5a9d5c1cc65342

SHA256
e2c6ec8ea8da05b23327c1d0e350e219c4823d41c2ed98bae9bd2d9b48b8613d

SHA512
149c5dcb225829744d632d9c118427c5074d0413246b6e08470cac2aeffdf25504007b98219d6b2b454a20069065168c4c21ad4d9d926d98ab97c45585f37ee3

Download Submit
C:\ProgramData\Kerberos\hkcmd.exe

Filesize
169KB

MD5
0d58e5f4e82539de38ba7f9b4a8dda12

SHA1
dd0f39f4d77e1bb347321aa22b5a9d5c1cc65342

SHA256
e2c6ec8ea8da05b23327c1d0e350e219c4823d41c2ed98bae9bd2d9b48b8613d

SHA512
149c5dcb225829744d632d9c118427c5074d0413246b6e08470cac2aeffdf25504007b98219d6b2b454a20069065168c4c21ad4d9d926d98ab97c45585f37ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.DLL

Filesize
41KB

MD5
55c15efa6369957c69e7c6643bc86ef2

SHA1
ce2bacdc2eeb298016d46e61f4a009b2a706a737

SHA256
7a593f93d52d7cecf2ad81ee2df0d1354a39bb975cec25619dcbe5cee57123cf

SHA512
a6d06035f91410dc215d8ac8a22d955bd02084d3e409e81176046c9f1bbf0eff2328ab66ff90f0441004ddd7922fdd2d2c1b44f32b583ab78cb1015813d46705

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.DLL.res

Filesize
110KB

MD5
3aa819b9089cd906d6434e446bea75ba

SHA1
8e008e0eb41830841eeb4702c382a43757ad930e

SHA256
b414a5ffb5b41d46d963c22964ae3097538c0a3e7ce0e3ba235ca33de3ab717d

SHA512
c09d075044ef7b74c928238aaa1b78c952970280a68213db108d7bdc02fea24a0f6424a745dbf4fb33de93f3b8d8341b7f99e5c47dadd0fda9083e6cc596b965

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe

Filesize
169KB

MD5
0d58e5f4e82539de38ba7f9b4a8dda12

SHA1
dd0f39f4d77e1bb347321aa22b5a9d5c1cc65342

SHA256
e2c6ec8ea8da05b23327c1d0e350e219c4823d41c2ed98bae9bd2d9b48b8613d

SHA512
149c5dcb225829744d632d9c118427c5074d0413246b6e08470cac2aeffdf25504007b98219d6b2b454a20069065168c4c21ad4d9d926d98ab97c45585f37ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe

Filesize
169KB

MD5
0d58e5f4e82539de38ba7f9b4a8dda12

SHA1
dd0f39f4d77e1bb347321aa22b5a9d5c1cc65342

SHA256
e2c6ec8ea8da05b23327c1d0e350e219c4823d41c2ed98bae9bd2d9b48b8613d

SHA512
149c5dcb225829744d632d9c118427c5074d0413246b6e08470cac2aeffdf25504007b98219d6b2b454a20069065168c4c21ad4d9d926d98ab97c45585f37ee3

Download Submit
\ProgramData\Kerberos\hccutils.dll

Filesize
41KB

MD5
55c15efa6369957c69e7c6643bc86ef2

SHA1
ce2bacdc2eeb298016d46e61f4a009b2a706a737

SHA256
7a593f93d52d7cecf2ad81ee2df0d1354a39bb975cec25619dcbe5cee57123cf

SHA512
a6d06035f91410dc215d8ac8a22d955bd02084d3e409e81176046c9f1bbf0eff2328ab66ff90f0441004ddd7922fdd2d2c1b44f32b583ab78cb1015813d46705

Download Submit
\ProgramData\Kerberos\hccutils.dll

Filesize
41KB

MD5
55c15efa6369957c69e7c6643bc86ef2

SHA1
ce2bacdc2eeb298016d46e61f4a009b2a706a737

SHA256
7a593f93d52d7cecf2ad81ee2df0d1354a39bb975cec25619dcbe5cee57123cf

SHA512
a6d06035f91410dc215d8ac8a22d955bd02084d3e409e81176046c9f1bbf0eff2328ab66ff90f0441004ddd7922fdd2d2c1b44f32b583ab78cb1015813d46705

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.dll

Filesize
41KB

MD5
55c15efa6369957c69e7c6643bc86ef2

SHA1
ce2bacdc2eeb298016d46e61f4a009b2a706a737

SHA256
7a593f93d52d7cecf2ad81ee2df0d1354a39bb975cec25619dcbe5cee57123cf

SHA512
a6d06035f91410dc215d8ac8a22d955bd02084d3e409e81176046c9f1bbf0eff2328ab66ff90f0441004ddd7922fdd2d2c1b44f32b583ab78cb1015813d46705

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe

Filesize
169KB

MD5
0d58e5f4e82539de38ba7f9b4a8dda12

SHA1
dd0f39f4d77e1bb347321aa22b5a9d5c1cc65342

SHA256
e2c6ec8ea8da05b23327c1d0e350e219c4823d41c2ed98bae9bd2d9b48b8613d

SHA512
149c5dcb225829744d632d9c118427c5074d0413246b6e08470cac2aeffdf25504007b98219d6b2b454a20069065168c4c21ad4d9d926d98ab97c45585f37ee3

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe

Filesize
169KB

MD5
0d58e5f4e82539de38ba7f9b4a8dda12

SHA1
dd0f39f4d77e1bb347321aa22b5a9d5c1cc65342

SHA256
e2c6ec8ea8da05b23327c1d0e350e219c4823d41c2ed98bae9bd2d9b48b8613d

SHA512
149c5dcb225829744d632d9c118427c5074d0413246b6e08470cac2aeffdf25504007b98219d6b2b454a20069065168c4c21ad4d9d926d98ab97c45585f37ee3

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe

Filesize
169KB

MD5
0d58e5f4e82539de38ba7f9b4a8dda12

SHA1
dd0f39f4d77e1bb347321aa22b5a9d5c1cc65342

SHA256
e2c6ec8ea8da05b23327c1d0e350e219c4823d41c2ed98bae9bd2d9b48b8613d

SHA512
149c5dcb225829744d632d9c118427c5074d0413246b6e08470cac2aeffdf25504007b98219d6b2b454a20069065168c4c21ad4d9d926d98ab97c45585f37ee3

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe

Filesize
169KB

MD5
0d58e5f4e82539de38ba7f9b4a8dda12

SHA1
dd0f39f4d77e1bb347321aa22b5a9d5c1cc65342

SHA256
e2c6ec8ea8da05b23327c1d0e350e219c4823d41c2ed98bae9bd2d9b48b8613d

SHA512
149c5dcb225829744d632d9c118427c5074d0413246b6e08470cac2aeffdf25504007b98219d6b2b454a20069065168c4c21ad4d9d926d98ab97c45585f37ee3

Download Submit
memory/744-83-0x0000000000340000-0x000000000036C000-memory.dmp

Filesize
176KB

Download
memory/1068-89-0x0000000000880000-0x00000000008AC000-memory.dmp

Filesize
176KB

Download
memory/1084-78-0x00000000000E0000-0x00000000000FA000-memory.dmp

Filesize
104KB

Download
memory/1084-84-0x0000000000200000-0x000000000022C000-memory.dmp

Filesize
176KB

Download
memory/1084-90-0x0000000000200000-0x000000000022C000-memory.dmp

Filesize
176KB

Download
memory/1736-82-0x0000000000280000-0x00000000002AC000-memory.dmp

Filesize
176KB

Download
memory/1804-66-0x0000000000290000-0x00000000002BC000-memory.dmp

Filesize
176KB

Download
memory/1804-65-0x0000000000430000-0x0000000000530000-memory.dmp

Filesize
1024KB

Download
memory/1948-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download