plugx | 677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685

General

Target

677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
Size

308KB
MD5

4a076785e9786324bb852dd5bc27f10b
SHA1

c6be8931dc7cdbea53c324f76e7f950996b3f26d
SHA256

677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685
SHA512

30e543bebfc0a92fc4b8a946e1fb99abd2792951c91bd62911771e4db2a23eed4e598edb14fdc96abf7b6222b75320d98397b4923c808b98eed01212be0ed38f
SSDEEP

6144:J3fJkqmWbIu2Zj5BIqJRlBzJwAXBOGOM:JdbIuETZRvxBQ

Score

10^/10

plugx persistence trojan

Malware Config

Signatures

Detects PlugX payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4212-133-0x0000000002F20000-0x0000000002F4E000-memory.dmp	family_plugx
behavioral2/memory/4212-134-0x00000000030C0000-0x00000000030EE000-memory.dmp	family_plugx
behavioral2/memory/1196-138-0x0000000000EB0000-0x0000000000EDE000-memory.dmp	family_plugx
behavioral2/memory/1356-139-0x0000000000740000-0x000000000076E000-memory.dmp	family_plugx
behavioral2/memory/1356-140-0x0000000000740000-0x000000000076E000-memory.dmp	family_plugx
behavioral2/memory/2940-143-0x0000000001570000-0x000000000159E000-memory.dmp	family_plugx
behavioral2/memory/2940-144-0x0000000001570000-0x000000000159E000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WokKStation services = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe\""	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WokKStation services = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe\""	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\MJ	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 41003900410034003400440045004400460036004600390034003900340042000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exemsiexec.exe

pid	process
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
1356	svchost.exe
1356	svchost.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
1356	svchost.exe
1356	svchost.exe
2940	msiexec.exe
2940	msiexec.exe
1356	svchost.exe
1356	svchost.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
1356	svchost.exe
1356	svchost.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
1356	svchost.exe
1356	svchost.exe
2940	msiexec.exe
2940	msiexec.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exemsiexec.exe

pid process

1356 svchost.exe
2940 msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exesvchost.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
Token: SeTcbPrivilege	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
Token: SeDebugPrivilege	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
Token: SeTcbPrivilege	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
Token: SeDebugPrivilege	1356	svchost.exe
Token: SeDebugPrivilege	1196	svchost.exe
Token: SeTcbPrivilege	1356	svchost.exe
Token: SeTcbPrivilege	1196	svchost.exe
Token: SeDebugPrivilege	2940	msiexec.exe
Token: SeTcbPrivilege	2940	msiexec.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exesvchost.exe

description	pid	process	target process
PID 4212 wrote to memory of 1196	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	svchost.exe
PID 4212 wrote to memory of 1196	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	svchost.exe
PID 4212 wrote to memory of 1196	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	svchost.exe
PID 4212 wrote to memory of 1356	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	svchost.exe
PID 4212 wrote to memory of 1356	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	svchost.exe
PID 4212 wrote to memory of 1356	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	svchost.exe
PID 4212 wrote to memory of 1196	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	svchost.exe
PID 4212 wrote to memory of 1196	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	svchost.exe
PID 4212 wrote to memory of 1196	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	svchost.exe
PID 4212 wrote to memory of 1356	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	svchost.exe
PID 4212 wrote to memory of 1356	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	svchost.exe
PID 4212 wrote to memory of 1196	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	svchost.exe
PID 4212 wrote to memory of 1356	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	svchost.exe
PID 4212 wrote to memory of 1356	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	svchost.exe
PID 4212 wrote to memory of 1356	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	svchost.exe
PID 4212 wrote to memory of 1196	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	svchost.exe
PID 1356 wrote to memory of 2940	1356	svchost.exe	msiexec.exe
PID 1356 wrote to memory of 2940	1356	svchost.exe	msiexec.exe
PID 1356 wrote to memory of 2940	1356	svchost.exe	msiexec.exe
PID 1356 wrote to memory of 2940	1356	svchost.exe	msiexec.exe
PID 1356 wrote to memory of 2940	1356	svchost.exe	msiexec.exe
PID 1356 wrote to memory of 2940	1356	svchost.exe	msiexec.exe
PID 1356 wrote to memory of 2940	1356	svchost.exe	msiexec.exe
PID 1356 wrote to memory of 2940	1356	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
"C:\Users\Admin\AppData\Local\Temp\677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\bug.log
Filesize
780B

MD5
7d2dcb623f722ab9b9ee06e497762f50

SHA1
00300ca64de1d7eac353395fe46777d76f07f96e

SHA256
b6f9a28062595bf4cf78a8b32e8e8336dc54a23b1c48c39e3dc5cb3e09652a6f

SHA512
eba1e8e3f811c4f2c4949b01779ca54d66b4f0d068a5bf0f2b34a0088872442aacb444cc1e60f74712b1b3a69f8a52a4ea41b0219160ce2c053df8eb399247ca

Download Submit
memory/1196-138-0x0000000000EB0000-0x0000000000EDE000-memory.dmp

Filesize
184KB

Download
memory/1196-136-0x0000000000000000-mapping.dmp

Download
memory/1356-135-0x0000000000000000-mapping.dmp

Download
memory/1356-139-0x0000000000740000-0x000000000076E000-memory.dmp

Filesize
184KB

Download
memory/1356-140-0x0000000000740000-0x000000000076E000-memory.dmp

Filesize
184KB

Download
memory/2940-142-0x0000000000000000-mapping.dmp

Download
memory/2940-143-0x0000000001570000-0x000000000159E000-memory.dmp

Filesize
184KB

Download
memory/2940-144-0x0000000001570000-0x000000000159E000-memory.dmp

Filesize
184KB

Download
memory/4212-134-0x00000000030C0000-0x00000000030EE000-memory.dmp

Filesize
184KB

Download
memory/4212-137-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4212-132-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4212-133-0x0000000002F20000-0x0000000002F4E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads