plugx | 8c5659b211edfb6fa704b7db0ef8f86d5079c9abf3e0d26c0ea2c30c67cee5f6

Analysis

max time kernel
152s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c5659b211edfb6fa704b7db0ef8f86d5079c9abf3e0d26c0ea2c30c67cee5f6.exe
Size

243KB
MD5

50351229f9f28a44d2a1e947e0c752f9
SHA1

47440b25d4a5229ed3b176c58c073c432c0b8eb3
SHA256

8c5659b211edfb6fa704b7db0ef8f86d5079c9abf3e0d26c0ea2c30c67cee5f6
SHA512

dfb9d230f60615f4ff16cc86d9f758305a66a1eb63abc91a61c6a2cfd339f2227a181ef057193b347f34dbe373b5d0237d9ca21aaa7209bca3e2b32daf18ac71
SSDEEP

6144:pLRA0S1lHhJNuTB9U9l0OrDvxYDTdw4myOKNGVFp:p20S1XU9qDZYDT9mjoGV

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 7 IoCs

resource	yara_rule
behavioral1/memory/1836-63-0x0000000000330000-0x000000000035E000-memory.dmp	family_plugx
behavioral1/memory/1580-68-0x0000000001CB0000-0x0000000001CDE000-memory.dmp	family_plugx
behavioral1/memory/1836-74-0x0000000000330000-0x000000000035E000-memory.dmp	family_plugx
behavioral1/memory/1432-75-0x0000000000280000-0x00000000002AE000-memory.dmp	family_plugx
behavioral1/memory/1564-80-0x00000000002B0000-0x00000000002DE000-memory.dmp	family_plugx
behavioral1/memory/1432-81-0x0000000000280000-0x00000000002AE000-memory.dmp	family_plugx
behavioral1/memory/1564-82-0x00000000002B0000-0x00000000002DE000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
1836	NvDev.exe
1580	NvDev.exe

Deletes itself 1 IoCs

pid	Process
1836	NvDev.exe

Loads dropped DLL 4 IoCs

pid	Process
1760	8c5659b211edfb6fa704b7db0ef8f86d5079c9abf3e0d26c0ea2c30c67cee5f6.exe
1760	8c5659b211edfb6fa704b7db0ef8f86d5079c9abf3e0d26c0ea2c30c67cee5f6.exe
1836	NvDev.exe
1580	NvDev.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 41003300420043004200300042004500450045004600380032004400430031000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1580	NvDev.exe
1432	svchost.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1432	svchost.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1432	svchost.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1432	svchost.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1432	svchost.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1432	svchost.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1432	svchost.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1432	svchost.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1432	svchost.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1432	svchost.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1432	svchost.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1432	svchost.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1432	svchost.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1432	svchost.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1432	svchost.exe
1564	msiexec.exe
1564	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	NvDev.exe
Token: SeTcbPrivilege	1836	NvDev.exe
Token: SeDebugPrivilege	1580	NvDev.exe
Token: SeTcbPrivilege	1580	NvDev.exe
Token: SeDebugPrivilege	1432	svchost.exe
Token: SeTcbPrivilege	1432	svchost.exe
Token: SeDebugPrivilege	1564	msiexec.exe
Token: SeTcbPrivilege	1564	msiexec.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1836	1760	8c5659b211edfb6fa704b7db0ef8f86d5079c9abf3e0d26c0ea2c30c67cee5f6.exe	28
PID 1760 wrote to memory of 1836	1760	8c5659b211edfb6fa704b7db0ef8f86d5079c9abf3e0d26c0ea2c30c67cee5f6.exe	28
PID 1760 wrote to memory of 1836	1760	8c5659b211edfb6fa704b7db0ef8f86d5079c9abf3e0d26c0ea2c30c67cee5f6.exe	28
PID 1760 wrote to memory of 1836	1760	8c5659b211edfb6fa704b7db0ef8f86d5079c9abf3e0d26c0ea2c30c67cee5f6.exe	28
PID 1580 wrote to memory of 1432	1580	NvDev.exe	30
PID 1580 wrote to memory of 1432	1580	NvDev.exe	30
PID 1580 wrote to memory of 1432	1580	NvDev.exe	30
PID 1580 wrote to memory of 1432	1580	NvDev.exe	30
PID 1580 wrote to memory of 1432	1580	NvDev.exe	30
PID 1580 wrote to memory of 1432	1580	NvDev.exe	30
PID 1580 wrote to memory of 1432	1580	NvDev.exe	30
PID 1580 wrote to memory of 1432	1580	NvDev.exe	30
PID 1580 wrote to memory of 1432	1580	NvDev.exe	30
PID 1432 wrote to memory of 1564	1432	svchost.exe	31
PID 1432 wrote to memory of 1564	1432	svchost.exe	31
PID 1432 wrote to memory of 1564	1432	svchost.exe	31
PID 1432 wrote to memory of 1564	1432	svchost.exe	31
PID 1432 wrote to memory of 1564	1432	svchost.exe	31
PID 1432 wrote to memory of 1564	1432	svchost.exe	31
PID 1432 wrote to memory of 1564	1432	svchost.exe	31
PID 1432 wrote to memory of 1564	1432	svchost.exe	31
PID 1432 wrote to memory of 1564	1432	svchost.exe	31
PID 1432 wrote to memory of 1564	1432	svchost.exe	31
PID 1432 wrote to memory of 1564	1432	svchost.exe	31
PID 1432 wrote to memory of 1564	1432	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\8c5659b211edfb6fa704b7db0ef8f86d5079c9abf3e0d26c0ea2c30c67cee5f6.exe
"C:\Users\Admin\AppData\Local\Temp\8c5659b211edfb6fa704b7db0ef8f86d5079c9abf3e0d26c0ea2c30c67cee5f6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760
- C:\ProgramData\NvDev\NvDev.exe
  "C:\ProgramData\NvDev\NvDev.exe" 100 1760
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1836

C:\ProgramData\NvDev\NvDev.exe
"C:\ProgramData\NvDev\NvDev.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1432
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NvDev\BOOT.LDR

Filesize
115KB

MD5
5235d3b4b8015be67712438717717c2a

SHA1
e9cb55d44001a6b90a2fd3c7a5329355b45c1117

SHA256
6585399ff3ffbe1995b0a91999a37f176a44fce282331897d24d79dfefedef83

SHA512
fc52788f89e298740063b96304813d19564c702330da65a7685be03584880ed123d3d4db70858ec76f9f8e6dc12415cf2d856822bd5f96a5792721d3fbb2aefb

Download Submit
C:\ProgramData\NvDev\NvDev.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\NvDev\NvDev.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\NvDev\NvSmartMax.dll

Filesize
4KB

MD5
e13dcbc20c249469f7dd02d8e625c4a6

SHA1
7f24d493766c26a19fa7da35a5de103ff89e40b9

SHA256
c1bda0bf4e99c31bde29c815c7419f4ed53b2f7049c3dbfeeebc7ac681454397

SHA512
5de3eee58396f8ac7c494891165a8174622c141c24c8b42cd4f05883b57e22b4a9facd46450f3fb5abba435f0cf8af4fb9faf5b319222f325c487393190b373b

Download Submit
C:\ProgramData\bug.log

Filesize
376B

MD5
1878c3308d193318a80b94dba9dde2e3

SHA1
c73697d39a45319fd8268d0030b55e725e67e45a

SHA256
59148b01a1c06a77fb8db88c9d3739efd106d4f175a8a19887baa4a48806e764

SHA512
cefc6d2f95b29f704fd798ddb21018c4a9b1cf2c2f712edcd4745525f01a4f04688071274e9020886aec7c1c8fb89d176414ffb962e232b92ec27bf51be1af27

Download Submit
\ProgramData\NvDev\NvDev.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
\ProgramData\NvDev\NvDev.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
\ProgramData\NvDev\NvSmartMax.dll

Filesize
4KB

MD5
e13dcbc20c249469f7dd02d8e625c4a6

SHA1
7f24d493766c26a19fa7da35a5de103ff89e40b9

SHA256
c1bda0bf4e99c31bde29c815c7419f4ed53b2f7049c3dbfeeebc7ac681454397

SHA512
5de3eee58396f8ac7c494891165a8174622c141c24c8b42cd4f05883b57e22b4a9facd46450f3fb5abba435f0cf8af4fb9faf5b319222f325c487393190b373b

Download Submit
\ProgramData\NvDev\NvSmartMax.dll

Filesize
4KB

MD5
e13dcbc20c249469f7dd02d8e625c4a6

SHA1
7f24d493766c26a19fa7da35a5de103ff89e40b9

SHA256
c1bda0bf4e99c31bde29c815c7419f4ed53b2f7049c3dbfeeebc7ac681454397

SHA512
5de3eee58396f8ac7c494891165a8174622c141c24c8b42cd4f05883b57e22b4a9facd46450f3fb5abba435f0cf8af4fb9faf5b319222f325c487393190b373b

Download Submit
memory/1432-75-0x0000000000280000-0x00000000002AE000-memory.dmp

Filesize
184KB

Download
memory/1432-69-0x00000000000A0000-0x00000000000BC000-memory.dmp

Filesize
112KB

Download
memory/1432-81-0x0000000000280000-0x00000000002AE000-memory.dmp

Filesize
184KB

Download
memory/1564-80-0x00000000002B0000-0x00000000002DE000-memory.dmp

Filesize
184KB

Download
memory/1564-82-0x00000000002B0000-0x00000000002DE000-memory.dmp

Filesize
184KB

Download
memory/1580-68-0x0000000001CB0000-0x0000000001CDE000-memory.dmp

Filesize
184KB

Download
memory/1836-63-0x0000000000330000-0x000000000035E000-memory.dmp

Filesize
184KB

Download
memory/1836-62-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1836-74-0x0000000000330000-0x000000000035E000-memory.dmp

Filesize
184KB

Download
memory/1836-61-0x0000000001CE0000-0x0000000001DE0000-memory.dmp

Filesize
1024KB

Download