plugx | da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe
Size

675KB
MD5

e696b38ac71b23f50ee68da06a004af3
SHA1

480e3fe49e3acb71e1a466e8ba2d02997eaf278e
SHA256

da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e
SHA512

7373f4ae19a732058e923172482d2b15fb8bed784431b734bfd3822c29b4369bc67a94804d00d0004f9ff7781f0db5eab4c4bf0f7cdf6f97d38f44a238bd709f
SSDEEP

12288:jat0EAH49n8Bm1zXC9YWP1W/zkObvcparNFzgnfFuQvJWzcI7On1hIRlhnXqyZx:2t24V1zgYbL1fFzgfF7Wr7O1e5Tx

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 5 IoCs

resource	yara_rule
behavioral1/memory/576-66-0x00000000002A0000-0x00000000002CE000-memory.dmp	family_plugx
behavioral1/memory/1980-72-0x00000000003F0000-0x000000000041E000-memory.dmp	family_plugx
behavioral1/memory/1508-77-0x0000000000240000-0x000000000026E000-memory.dmp	family_plugx
behavioral1/memory/1980-78-0x00000000003F0000-0x000000000041E000-memory.dmp	family_plugx
behavioral1/memory/1508-79-0x0000000000240000-0x000000000026E000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 1 IoCs

pid	Process
576	msseces.exe

Loads dropped DLL 5 IoCs

pid	Process
2028	da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe
2028	da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe
2028	da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe
2028	da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe
576	msseces.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	153.248.0.82
Destination IP	153.248.0.82
Destination IP	153.248.0.82
Destination IP	153.248.0.82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 39004600420043004500420030003600310038003000340046004100300036000000	svchost.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\MJ	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1980	svchost.exe
1980	svchost.exe
1980	svchost.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1980	svchost.exe
1980	svchost.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1980	svchost.exe
1980	svchost.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1980	svchost.exe
1980	svchost.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1980	svchost.exe
1980	svchost.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1980	svchost.exe
1980	svchost.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1980	svchost.exe
1980	svchost.exe
1508	msiexec.exe
1508	msiexec.exe
1980	svchost.exe
1980	svchost.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1508	msiexec.exe
1980	svchost.exe
1980	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	576	msseces.exe
Token: SeTcbPrivilege	576	msseces.exe
Token: SeDebugPrivilege	1980	svchost.exe
Token: SeTcbPrivilege	1980	svchost.exe
Token: SeDebugPrivilege	1508	msiexec.exe
Token: SeTcbPrivilege	1508	msiexec.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 576	2028	da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe	27
PID 2028 wrote to memory of 576	2028	da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe	27
PID 2028 wrote to memory of 576	2028	da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe	27
PID 2028 wrote to memory of 576	2028	da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe	27
PID 2028 wrote to memory of 576	2028	da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe	27
PID 2028 wrote to memory of 576	2028	da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe	27
PID 2028 wrote to memory of 576	2028	da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe	27
PID 576 wrote to memory of 1980	576	msseces.exe	28
PID 576 wrote to memory of 1980	576	msseces.exe	28
PID 576 wrote to memory of 1980	576	msseces.exe	28
PID 576 wrote to memory of 1980	576	msseces.exe	28
PID 576 wrote to memory of 1980	576	msseces.exe	28
PID 576 wrote to memory of 1980	576	msseces.exe	28
PID 576 wrote to memory of 1980	576	msseces.exe	28
PID 576 wrote to memory of 1980	576	msseces.exe	28
PID 576 wrote to memory of 1980	576	msseces.exe	28
PID 576 wrote to memory of 1980	576	msseces.exe	28
PID 576 wrote to memory of 1980	576	msseces.exe	28
PID 576 wrote to memory of 1980	576	msseces.exe	28
PID 1980 wrote to memory of 1508	1980	svchost.exe	29
PID 1980 wrote to memory of 1508	1980	svchost.exe	29
PID 1980 wrote to memory of 1508	1980	svchost.exe	29
PID 1980 wrote to memory of 1508	1980	svchost.exe	29
PID 1980 wrote to memory of 1508	1980	svchost.exe	29
PID 1980 wrote to memory of 1508	1980	svchost.exe	29
PID 1980 wrote to memory of 1508	1980	svchost.exe	29
PID 1980 wrote to memory of 1508	1980	svchost.exe	29
PID 1980 wrote to memory of 1508	1980	svchost.exe	29
PID 1980 wrote to memory of 1508	1980	svchost.exe	29
PID 1980 wrote to memory of 1508	1980	svchost.exe	29
PID 1980 wrote to memory of 1508	1980	svchost.exe	29

C:\Users\Admin\AppData\Local\Temp\da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe
"C:\Users\Admin\AppData\Local\Temp\da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\winsyslog\msseces.exe
  "C:\Users\Admin\AppData\Local\Temp\winsyslog\msseces.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\SysWOW64\msiexec.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winsyslog\mpclient.dll

Filesize
36KB

MD5
184dd07bc91cc915aebf157a8b28066d

SHA1
fe906d8fa97b41df64344b688471f8489fff5ac0

SHA256
7cf636ef15ffdfec2f4d5209880183d0c44103d6557eced172124fd993a6d967

SHA512
c35adc26ac6a8189dc641324f5a301c641c8bed42e420f1b344d4bd96142324cf2203c77f24cb16ba5ed534049cab956880d1c6f9f8e77920109b4a7950cb831

Download Submit
C:\Users\Admin\AppData\Local\Temp\winsyslog\msseces.asm

Filesize
116KB

MD5
200c06f1be562a09cafab07d22838767

SHA1
f724d592c8300ce88bf77ca13a55f74d175286ff

SHA256
bf145d057e0b3cfd96da733c66344a0a07c86440d11bfc907b6bc740bb04dda7

SHA512
4002e986d43e0e6956b6c184bba3a59c8d50c320a2ac928d3cade920f64c8deed1ef530ab7fdbed040c2af928a2596903ac20965f065f64a68266f54d10cc152

Download Submit
C:\Users\Admin\AppData\Local\Temp\winsyslog\msseces.exe

Filesize
951KB

MD5
e279e55c0d5f5da2e1fd268ebd12f268

SHA1
f98338fde49327cf1e357c6eb704ef55eaf48f8f

SHA256
06c40af999881699dd9b73440d2ed48f404864c3fb8ff7b36560759892caaa12

SHA512
701b6e637b70182caaf44f628cbfd116778ba70cf2668df210faae2f29cce85062127bc83e769fe7cf8050f180357b9405a62cf1cdab6f2094cfb493daae82da

Download Submit
\Users\Admin\AppData\Local\Temp\winsyslog\mPclient.dll

Filesize
36KB

MD5
184dd07bc91cc915aebf157a8b28066d

SHA1
fe906d8fa97b41df64344b688471f8489fff5ac0

SHA256
7cf636ef15ffdfec2f4d5209880183d0c44103d6557eced172124fd993a6d967

SHA512
c35adc26ac6a8189dc641324f5a301c641c8bed42e420f1b344d4bd96142324cf2203c77f24cb16ba5ed534049cab956880d1c6f9f8e77920109b4a7950cb831

Download Submit
\Users\Admin\AppData\Local\Temp\winsyslog\msseces.exe

Filesize
951KB

MD5
e279e55c0d5f5da2e1fd268ebd12f268

SHA1
f98338fde49327cf1e357c6eb704ef55eaf48f8f

SHA256
06c40af999881699dd9b73440d2ed48f404864c3fb8ff7b36560759892caaa12

SHA512
701b6e637b70182caaf44f628cbfd116778ba70cf2668df210faae2f29cce85062127bc83e769fe7cf8050f180357b9405a62cf1cdab6f2094cfb493daae82da

Download Submit
\Users\Admin\AppData\Local\Temp\winsyslog\msseces.exe

Filesize
951KB

MD5
e279e55c0d5f5da2e1fd268ebd12f268

SHA1
f98338fde49327cf1e357c6eb704ef55eaf48f8f

SHA256
06c40af999881699dd9b73440d2ed48f404864c3fb8ff7b36560759892caaa12

SHA512
701b6e637b70182caaf44f628cbfd116778ba70cf2668df210faae2f29cce85062127bc83e769fe7cf8050f180357b9405a62cf1cdab6f2094cfb493daae82da

Download Submit
\Users\Admin\AppData\Local\Temp\winsyslog\msseces.exe

Filesize
951KB

MD5
e279e55c0d5f5da2e1fd268ebd12f268

SHA1
f98338fde49327cf1e357c6eb704ef55eaf48f8f

SHA256
06c40af999881699dd9b73440d2ed48f404864c3fb8ff7b36560759892caaa12

SHA512
701b6e637b70182caaf44f628cbfd116778ba70cf2668df210faae2f29cce85062127bc83e769fe7cf8050f180357b9405a62cf1cdab6f2094cfb493daae82da

Download Submit
\Users\Admin\AppData\Local\Temp\winsyslog\msseces.exe

Filesize
951KB

MD5
e279e55c0d5f5da2e1fd268ebd12f268

SHA1
f98338fde49327cf1e357c6eb704ef55eaf48f8f

SHA256
06c40af999881699dd9b73440d2ed48f404864c3fb8ff7b36560759892caaa12

SHA512
701b6e637b70182caaf44f628cbfd116778ba70cf2668df210faae2f29cce85062127bc83e769fe7cf8050f180357b9405a62cf1cdab6f2094cfb493daae82da

Download Submit
memory/576-65-0x00000000004D3000-0x00000000004F1000-memory.dmp

Filesize
120KB

Download
memory/576-66-0x00000000002A0000-0x00000000002CE000-memory.dmp

Filesize
184KB

Download
memory/576-71-0x00000000004D3000-0x00000000004F1000-memory.dmp

Filesize
120KB

Download
memory/1508-77-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/1508-79-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/1980-67-0x0000000000130000-0x000000000014B000-memory.dmp

Filesize
108KB

Download
memory/1980-72-0x00000000003F0000-0x000000000041E000-memory.dmp

Filesize
184KB

Download
memory/1980-78-0x00000000003F0000-0x000000000041E000-memory.dmp

Filesize
184KB

Download
memory/2028-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download