plugx | 677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685

Analysis

max time kernel
222s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
Size

308KB
MD5

4a076785e9786324bb852dd5bc27f10b
SHA1

c6be8931dc7cdbea53c324f76e7f950996b3f26d
SHA256

677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685
SHA512

30e543bebfc0a92fc4b8a946e1fb99abd2792951c91bd62911771e4db2a23eed4e598edb14fdc96abf7b6222b75320d98397b4923c808b98eed01212be0ed38f
SSDEEP

6144:J3fJkqmWbIu2Zj5BIqJRlBzJwAXBOGOM:JdbIuETZRvxBQ

Score

10^/10

plugx persistence trojan

Malware Config

Signatures

Detects PlugX payload 7 IoCs

resource	yara_rule
behavioral1/memory/1516-65-0x00000000003C0000-0x00000000003EE000-memory.dmp	family_plugx
behavioral1/memory/1516-66-0x0000000001F10000-0x0000000001F3E000-memory.dmp	family_plugx
behavioral1/memory/1512-67-0x0000000000370000-0x000000000039E000-memory.dmp	family_plugx
behavioral1/memory/1328-68-0x0000000000230000-0x000000000025E000-memory.dmp	family_plugx
behavioral1/memory/1404-74-0x0000000000440000-0x000000000046E000-memory.dmp	family_plugx
behavioral1/memory/1512-75-0x0000000000370000-0x000000000039E000-memory.dmp	family_plugx
behavioral1/memory/1404-76-0x0000000000440000-0x000000000046E000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WokKStation services = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe\""	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WokKStation services = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe\""	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\MJ	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 38003800390030004300370039004100370043003700450046004300320045000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1512	svchost.exe
1512	svchost.exe
1512	svchost.exe
1404	msiexec.exe
1404	msiexec.exe
1404	msiexec.exe
1404	msiexec.exe
1404	msiexec.exe
1404	msiexec.exe
1404	msiexec.exe
1404	msiexec.exe
1512	svchost.exe
1512	svchost.exe
1404	msiexec.exe
1404	msiexec.exe
1404	msiexec.exe
1404	msiexec.exe
1404	msiexec.exe
1404	msiexec.exe
1404	msiexec.exe
1404	msiexec.exe
1512	svchost.exe
1512	svchost.exe
1404	msiexec.exe
1404	msiexec.exe
1404	msiexec.exe
1404	msiexec.exe
1404	msiexec.exe
1404	msiexec.exe
1404	msiexec.exe
1404	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
Token: SeTcbPrivilege	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
Token: SeDebugPrivilege	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
Token: SeTcbPrivilege	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
Token: SeDebugPrivilege	1512	svchost.exe
Token: SeTcbPrivilege	1512	svchost.exe
Token: SeDebugPrivilege	1328	svchost.exe
Token: SeTcbPrivilege	1328	svchost.exe
Token: SeDebugPrivilege	1404	msiexec.exe
Token: SeTcbPrivilege	1404	msiexec.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1512	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	28
PID 1516 wrote to memory of 1512	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	28
PID 1516 wrote to memory of 1512	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	28
PID 1516 wrote to memory of 1512	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	28
PID 1516 wrote to memory of 1512	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	28
PID 1516 wrote to memory of 1512	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	28
PID 1516 wrote to memory of 1328	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	29
PID 1516 wrote to memory of 1328	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	29
PID 1516 wrote to memory of 1328	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	29
PID 1516 wrote to memory of 1328	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	29
PID 1516 wrote to memory of 1328	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	29
PID 1516 wrote to memory of 1328	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	29
PID 1516 wrote to memory of 1328	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	29
PID 1516 wrote to memory of 1328	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	29
PID 1516 wrote to memory of 1328	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	29
PID 1516 wrote to memory of 1512	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	28
PID 1516 wrote to memory of 1512	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	28
PID 1516 wrote to memory of 1512	1516	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	28
PID 1512 wrote to memory of 1404	1512	svchost.exe	30
PID 1512 wrote to memory of 1404	1512	svchost.exe	30
PID 1512 wrote to memory of 1404	1512	svchost.exe	30
PID 1512 wrote to memory of 1404	1512	svchost.exe	30
PID 1512 wrote to memory of 1404	1512	svchost.exe	30
PID 1512 wrote to memory of 1404	1512	svchost.exe	30
PID 1512 wrote to memory of 1404	1512	svchost.exe	30
PID 1512 wrote to memory of 1404	1512	svchost.exe	30
PID 1512 wrote to memory of 1404	1512	svchost.exe	30
PID 1512 wrote to memory of 1404	1512	svchost.exe	30
PID 1512 wrote to memory of 1404	1512	svchost.exe	30
PID 1512 wrote to memory of 1404	1512	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
"C:\Users\Admin\AppData\Local\Temp\677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\bug.log

Filesize
450B

MD5
8b5155ae995961073e9089a5c9ac0c35

SHA1
adbd95cb6ae62ba474f87b7a10d1507957336290

SHA256
17b292541701c64e2192942574d7c941e5f230398aaa6dc000a0baa160426ad4

SHA512
2f0440107dc31a6e54b41ebe36f84ea302d4a77eb24423b67b14afcc554b53ef883397b1717546f5d9280a68d32185031aae46346d27be6f642a9582ff1ae7e1

Download Submit
memory/1328-68-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/1404-76-0x0000000000440000-0x000000000046E000-memory.dmp

Filesize
184KB

Download
memory/1404-74-0x0000000000440000-0x000000000046E000-memory.dmp

Filesize
184KB

Download
memory/1512-67-0x0000000000370000-0x000000000039E000-memory.dmp

Filesize
184KB

Download
memory/1512-56-0x00000000000E0000-0x00000000000FB000-memory.dmp

Filesize
108KB

Download
memory/1512-75-0x0000000000370000-0x000000000039E000-memory.dmp

Filesize
184KB

Download
memory/1516-66-0x0000000001F10000-0x0000000001F3E000-memory.dmp

Filesize
184KB

Download
memory/1516-54-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1516-55-0x0000000075671000-0x0000000075673000-memory.dmp

Filesize
8KB

Download
memory/1516-64-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1516-65-0x00000000003C0000-0x00000000003EE000-memory.dmp

Filesize
184KB

Download