plugx | 677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685

Analysis

max time kernel
152s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
Size

308KB
MD5

4a076785e9786324bb852dd5bc27f10b
SHA1

c6be8931dc7cdbea53c324f76e7f950996b3f26d
SHA256

677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685
SHA512

30e543bebfc0a92fc4b8a946e1fb99abd2792951c91bd62911771e4db2a23eed4e598edb14fdc96abf7b6222b75320d98397b4923c808b98eed01212be0ed38f
SSDEEP

6144:J3fJkqmWbIu2Zj5BIqJRlBzJwAXBOGOM:JdbIuETZRvxBQ

Score

10^/10

plugx persistence trojan

Malware Config

Signatures

Detects PlugX payload 7 IoCs

resource	yara_rule
behavioral2/memory/4212-133-0x0000000002F20000-0x0000000002F4E000-memory.dmp	family_plugx
behavioral2/memory/4212-134-0x00000000030C0000-0x00000000030EE000-memory.dmp	family_plugx
behavioral2/memory/1196-138-0x0000000000EB0000-0x0000000000EDE000-memory.dmp	family_plugx
behavioral2/memory/1356-139-0x0000000000740000-0x000000000076E000-memory.dmp	family_plugx
behavioral2/memory/1356-140-0x0000000000740000-0x000000000076E000-memory.dmp	family_plugx
behavioral2/memory/2940-143-0x0000000001570000-0x000000000159E000-memory.dmp	family_plugx
behavioral2/memory/2940-144-0x0000000001570000-0x000000000159E000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WokKStation services = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe\""	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WokKStation services = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe\""	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\MJ	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 41003900410034003400440045004400460036004600390034003900340042000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
1356	svchost.exe
1356	svchost.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
1356	svchost.exe
1356	svchost.exe
2940	msiexec.exe
2940	msiexec.exe
1356	svchost.exe
1356	svchost.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
1356	svchost.exe
1356	svchost.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
2940	msiexec.exe
1356	svchost.exe
1356	svchost.exe
2940	msiexec.exe
2940	msiexec.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1356	svchost.exe
2940	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
Token: SeTcbPrivilege	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
Token: SeDebugPrivilege	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
Token: SeTcbPrivilege	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
Token: SeDebugPrivilege	1356	svchost.exe
Token: SeDebugPrivilege	1196	svchost.exe
Token: SeTcbPrivilege	1356	svchost.exe
Token: SeTcbPrivilege	1196	svchost.exe
Token: SeDebugPrivilege	2940	msiexec.exe
Token: SeTcbPrivilege	2940	msiexec.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 1196	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	80
PID 4212 wrote to memory of 1196	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	80
PID 4212 wrote to memory of 1196	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	80
PID 4212 wrote to memory of 1356	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	81
PID 4212 wrote to memory of 1356	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	81
PID 4212 wrote to memory of 1356	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	81
PID 4212 wrote to memory of 1196	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	80
PID 4212 wrote to memory of 1196	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	80
PID 4212 wrote to memory of 1196	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	80
PID 4212 wrote to memory of 1356	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	81
PID 4212 wrote to memory of 1356	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	81
PID 4212 wrote to memory of 1196	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	80
PID 4212 wrote to memory of 1356	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	81
PID 4212 wrote to memory of 1356	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	81
PID 4212 wrote to memory of 1356	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	81
PID 4212 wrote to memory of 1196	4212	677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe	80
PID 1356 wrote to memory of 2940	1356	svchost.exe	83
PID 1356 wrote to memory of 2940	1356	svchost.exe	83
PID 1356 wrote to memory of 2940	1356	svchost.exe	83
PID 1356 wrote to memory of 2940	1356	svchost.exe	83
PID 1356 wrote to memory of 2940	1356	svchost.exe	83
PID 1356 wrote to memory of 2940	1356	svchost.exe	83
PID 1356 wrote to memory of 2940	1356	svchost.exe	83
PID 1356 wrote to memory of 2940	1356	svchost.exe	83

C:\Users\Admin\AppData\Local\Temp\677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe
"C:\Users\Admin\AppData\Local\Temp\677cbeea7c87e4e03da87d71137897b200e2b0170950ddc958a72c09674b1685.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\bug.log

Filesize
780B

MD5
7d2dcb623f722ab9b9ee06e497762f50

SHA1
00300ca64de1d7eac353395fe46777d76f07f96e

SHA256
b6f9a28062595bf4cf78a8b32e8e8336dc54a23b1c48c39e3dc5cb3e09652a6f

SHA512
eba1e8e3f811c4f2c4949b01779ca54d66b4f0d068a5bf0f2b34a0088872442aacb444cc1e60f74712b1b3a69f8a52a4ea41b0219160ce2c053df8eb399247ca

Download Submit
memory/1196-138-0x0000000000EB0000-0x0000000000EDE000-memory.dmp

Filesize
184KB

Download
memory/1356-139-0x0000000000740000-0x000000000076E000-memory.dmp

Filesize
184KB

Download
memory/1356-140-0x0000000000740000-0x000000000076E000-memory.dmp

Filesize
184KB

Download
memory/2940-143-0x0000000001570000-0x000000000159E000-memory.dmp

Filesize
184KB

Download
memory/2940-144-0x0000000001570000-0x000000000159E000-memory.dmp

Filesize
184KB

Download
memory/4212-134-0x00000000030C0000-0x00000000030EE000-memory.dmp

Filesize
184KB

Download
memory/4212-137-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4212-132-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4212-133-0x0000000002F20000-0x0000000002F4E000-memory.dmp

Filesize
184KB

Download