plugx | 8c5659b211edfb6fa704b7db0ef8f86d5079c9abf3e0d26c0ea2c30c67cee5f6

General

Target

8c5659b211edfb6fa704b7db0ef8f86d5079c9abf3e0d26c0ea2c30c67cee5f6.exe
Size

243KB
MD5

50351229f9f28a44d2a1e947e0c752f9
SHA1

47440b25d4a5229ed3b176c58c073c432c0b8eb3
SHA256

8c5659b211edfb6fa704b7db0ef8f86d5079c9abf3e0d26c0ea2c30c67cee5f6
SHA512

dfb9d230f60615f4ff16cc86d9f758305a66a1eb63abc91a61c6a2cfd339f2227a181ef057193b347f34dbe373b5d0237d9ca21aaa7209bca3e2b32daf18ac71
SSDEEP

6144:pLRA0S1lHhJNuTB9U9l0OrDvxYDTdw4myOKNGVFp:p20S1XU9qDZYDT9mjoGV

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/332-144-0x0000000000510000-0x000000000053E000-memory.dmp	family_plugx
behavioral2/memory/3148-146-0x00000000005C0000-0x00000000005EE000-memory.dmp	family_plugx
behavioral2/memory/2232-147-0x0000000000FB0000-0x0000000000FDE000-memory.dmp	family_plugx
behavioral2/memory/4352-149-0x0000000000E20000-0x0000000000E4E000-memory.dmp	family_plugx
behavioral2/memory/2232-150-0x0000000000FB0000-0x0000000000FDE000-memory.dmp	family_plugx
behavioral2/memory/4352-151-0x0000000000E20000-0x0000000000E4E000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 2 IoCs

Processes:

NvDev.exeNvDev.exe

pid process

3148 NvDev.exe
332 NvDev.exe
Loads dropped DLL 2 IoCs

Processes:

NvDev.exeNvDev.exe

pid process

3148 NvDev.exe
332 NvDev.exe

pid	process
3148	NvDev.exe
332	NvDev.exe

pid	process
3148	NvDev.exe
332	NvDev.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 31003900340045003600320032004300450039003400350031004500310041000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

NvDev.exesvchost.exemsiexec.exe

pid	process
332	NvDev.exe
332	NvDev.exe
2232	svchost.exe
2232	svchost.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
2232	svchost.exe
2232	svchost.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
2232	svchost.exe
2232	svchost.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
2232	svchost.exe
2232	svchost.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
2232	svchost.exe
2232	svchost.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
4352	msiexec.exe
2232	svchost.exe
2232	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exemsiexec.exe

pid process

2232 svchost.exe
4352 msiexec.exe

pid	process
2232	svchost.exe
4352	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

NvDev.exeNvDev.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	3148	NvDev.exe
Token: SeTcbPrivilege	3148	NvDev.exe
Token: SeDebugPrivilege	332	NvDev.exe
Token: SeTcbPrivilege	332	NvDev.exe
Token: SeDebugPrivilege	2232	svchost.exe
Token: SeTcbPrivilege	2232	svchost.exe
Token: SeDebugPrivilege	4352	msiexec.exe
Token: SeTcbPrivilege	4352	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

8c5659b211edfb6fa704b7db0ef8f86d5079c9abf3e0d26c0ea2c30c67cee5f6.exeNvDev.exesvchost.exe

description	pid	process	target process
PID 5088 wrote to memory of 3148	5088	8c5659b211edfb6fa704b7db0ef8f86d5079c9abf3e0d26c0ea2c30c67cee5f6.exe	NvDev.exe
PID 5088 wrote to memory of 3148	5088	8c5659b211edfb6fa704b7db0ef8f86d5079c9abf3e0d26c0ea2c30c67cee5f6.exe	NvDev.exe
PID 5088 wrote to memory of 3148	5088	8c5659b211edfb6fa704b7db0ef8f86d5079c9abf3e0d26c0ea2c30c67cee5f6.exe	NvDev.exe
PID 332 wrote to memory of 2232	332	NvDev.exe	svchost.exe
PID 332 wrote to memory of 2232	332	NvDev.exe	svchost.exe
PID 332 wrote to memory of 2232	332	NvDev.exe	svchost.exe
PID 332 wrote to memory of 2232	332	NvDev.exe	svchost.exe
PID 332 wrote to memory of 2232	332	NvDev.exe	svchost.exe
PID 332 wrote to memory of 2232	332	NvDev.exe	svchost.exe
PID 332 wrote to memory of 2232	332	NvDev.exe	svchost.exe
PID 332 wrote to memory of 2232	332	NvDev.exe	svchost.exe
PID 2232 wrote to memory of 4352	2232	svchost.exe	msiexec.exe
PID 2232 wrote to memory of 4352	2232	svchost.exe	msiexec.exe
PID 2232 wrote to memory of 4352	2232	svchost.exe	msiexec.exe
PID 2232 wrote to memory of 4352	2232	svchost.exe	msiexec.exe
PID 2232 wrote to memory of 4352	2232	svchost.exe	msiexec.exe
PID 2232 wrote to memory of 4352	2232	svchost.exe	msiexec.exe
PID 2232 wrote to memory of 4352	2232	svchost.exe	msiexec.exe
PID 2232 wrote to memory of 4352	2232	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\8c5659b211edfb6fa704b7db0ef8f86d5079c9abf3e0d26c0ea2c30c67cee5f6.exe
"C:\Users\Admin\AppData\Local\Temp\8c5659b211edfb6fa704b7db0ef8f86d5079c9abf3e0d26c0ea2c30c67cee5f6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5088

C:\ProgramData\NvDev\NvDev.exe
"C:\ProgramData\NvDev\NvDev.exe" 100 5088
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\ProgramData\NvDev\NvDev.exe
"C:\ProgramData\NvDev\NvDev.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 2232
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NvDev\BOOT.LDR
Filesize
115KB

MD5
5235d3b4b8015be67712438717717c2a

SHA1
e9cb55d44001a6b90a2fd3c7a5329355b45c1117

SHA256
6585399ff3ffbe1995b0a91999a37f176a44fce282331897d24d79dfefedef83

SHA512
fc52788f89e298740063b96304813d19564c702330da65a7685be03584880ed123d3d4db70858ec76f9f8e6dc12415cf2d856822bd5f96a5792721d3fbb2aefb

Download Submit
C:\ProgramData\NvDev\NvDev.exe
Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\NvDev\NvDev.exe
Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\NvDev\NvDev.exe
Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\NvDev\NvSmartMax.dll
Filesize
4KB

MD5
e13dcbc20c249469f7dd02d8e625c4a6

SHA1
7f24d493766c26a19fa7da35a5de103ff89e40b9

SHA256
c1bda0bf4e99c31bde29c815c7419f4ed53b2f7049c3dbfeeebc7ac681454397

SHA512
5de3eee58396f8ac7c494891165a8174622c141c24c8b42cd4f05883b57e22b4a9facd46450f3fb5abba435f0cf8af4fb9faf5b319222f325c487393190b373b

Download Submit
C:\ProgramData\NvDev\NvSmartMax.dll
Filesize
4KB

MD5
e13dcbc20c249469f7dd02d8e625c4a6

SHA1
7f24d493766c26a19fa7da35a5de103ff89e40b9

SHA256
c1bda0bf4e99c31bde29c815c7419f4ed53b2f7049c3dbfeeebc7ac681454397

SHA512
5de3eee58396f8ac7c494891165a8174622c141c24c8b42cd4f05883b57e22b4a9facd46450f3fb5abba435f0cf8af4fb9faf5b319222f325c487393190b373b

Download Submit
C:\ProgramData\NvDev\NvSmartMax.dll
Filesize
4KB

MD5
e13dcbc20c249469f7dd02d8e625c4a6

SHA1
7f24d493766c26a19fa7da35a5de103ff89e40b9

SHA256
c1bda0bf4e99c31bde29c815c7419f4ed53b2f7049c3dbfeeebc7ac681454397

SHA512
5de3eee58396f8ac7c494891165a8174622c141c24c8b42cd4f05883b57e22b4a9facd46450f3fb5abba435f0cf8af4fb9faf5b319222f325c487393190b373b

Download Submit
C:\ProgramData\bug.log
Filesize
376B

MD5
b689d7d0baab1bf598e847731df9dd72

SHA1
22a0c9a2cab0019e320084b09c5025f97f60f9b3

SHA256
532d0d27bd755188d6b222fefc7bb2c6ced0222e2fb77c2f15eaba31f5bae037

SHA512
a28eac448deeee1e0511f85f216763415dba55d30a491e756bf900d115bd207928227ebb84fe1b170e98ee918876d8ddff20082effb2e27e69825b2cdaee87d4

Download Submit
memory/332-144-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/2232-143-0x0000000000000000-mapping.dmp

Download
memory/2232-147-0x0000000000FB0000-0x0000000000FDE000-memory.dmp

Filesize
184KB

Download
memory/2232-150-0x0000000000FB0000-0x0000000000FDE000-memory.dmp

Filesize
184KB

Download
memory/3148-139-0x00000000020B0000-0x00000000021B0000-memory.dmp

Filesize
1024KB

Download
memory/3148-133-0x0000000000000000-mapping.dmp

Download
memory/3148-146-0x00000000005C0000-0x00000000005EE000-memory.dmp

Filesize
184KB

Download
memory/4352-148-0x0000000000000000-mapping.dmp

Download
memory/4352-149-0x0000000000E20000-0x0000000000E4E000-memory.dmp

Filesize
184KB

Download
memory/4352-151-0x0000000000E20000-0x0000000000E4E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads