plugx | da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe
Size

675KB
MD5

e696b38ac71b23f50ee68da06a004af3
SHA1

480e3fe49e3acb71e1a466e8ba2d02997eaf278e
SHA256

da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e
SHA512

7373f4ae19a732058e923172482d2b15fb8bed784431b734bfd3822c29b4369bc67a94804d00d0004f9ff7781f0db5eab4c4bf0f7cdf6f97d38f44a238bd709f
SSDEEP

12288:jat0EAH49n8Bm1zXC9YWP1W/zkObvcparNFzgnfFuQvJWzcI7On1hIRlhnXqyZx:2t24V1zgYbL1fFzgfF7Wr7O1e5Tx

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 5 IoCs

resource	yara_rule
behavioral2/memory/688-141-0x0000000002130000-0x000000000215E000-memory.dmp	family_plugx
behavioral2/memory/228-142-0x0000000000BB0000-0x0000000000BDE000-memory.dmp	family_plugx
behavioral2/memory/4364-144-0x0000000002C40000-0x0000000002C6E000-memory.dmp	family_plugx
behavioral2/memory/228-145-0x0000000000BB0000-0x0000000000BDE000-memory.dmp	family_plugx
behavioral2/memory/4364-146-0x0000000002C40000-0x0000000002C6E000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 1 IoCs

pid	Process
688	msseces.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe

Loads dropped DLL 1 IoCs

pid	Process
688	msseces.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	153.248.0.82
Destination IP	153.248.0.82
Destination IP	153.248.0.82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\MJ	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 36004200370044004600300032003000430035004200350031003400340030000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
228	svchost.exe
228	svchost.exe
228	svchost.exe
228	svchost.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
228	svchost.exe
228	svchost.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
228	svchost.exe
228	svchost.exe
4364	msiexec.exe
4364	msiexec.exe
228	svchost.exe
228	svchost.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
228	svchost.exe
228	svchost.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
228	svchost.exe
228	svchost.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe
4364	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
228	svchost.exe
4364	msiexec.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	688	msseces.exe
Token: SeTcbPrivilege	688	msseces.exe
Token: SeDebugPrivilege	228	svchost.exe
Token: SeTcbPrivilege	228	svchost.exe
Token: SeDebugPrivilege	4364	msiexec.exe
Token: SeTcbPrivilege	4364	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 688	3464	da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe	82
PID 3464 wrote to memory of 688	3464	da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe	82
PID 3464 wrote to memory of 688	3464	da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe	82
PID 688 wrote to memory of 228	688	msseces.exe	84
PID 688 wrote to memory of 228	688	msseces.exe	84
PID 688 wrote to memory of 228	688	msseces.exe	84
PID 688 wrote to memory of 228	688	msseces.exe	84
PID 688 wrote to memory of 228	688	msseces.exe	84
PID 688 wrote to memory of 228	688	msseces.exe	84
PID 688 wrote to memory of 228	688	msseces.exe	84
PID 688 wrote to memory of 228	688	msseces.exe	84
PID 228 wrote to memory of 4364	228	svchost.exe	85
PID 228 wrote to memory of 4364	228	svchost.exe	85
PID 228 wrote to memory of 4364	228	svchost.exe	85
PID 228 wrote to memory of 4364	228	svchost.exe	85
PID 228 wrote to memory of 4364	228	svchost.exe	85
PID 228 wrote to memory of 4364	228	svchost.exe	85
PID 228 wrote to memory of 4364	228	svchost.exe	85
PID 228 wrote to memory of 4364	228	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe
"C:\Users\Admin\AppData\Local\Temp\da01734bacb716ac303f3018d3c4cf7fdc0784d157bb99976bd3d5a51381d34e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Users\Admin\AppData\Local\Temp\winsyslog\msseces.exe
  "C:\Users\Admin\AppData\Local\Temp\winsyslog\msseces.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\SysWOW64\msiexec.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:4364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winsyslog\mPclient.dll

Filesize
36KB

MD5
184dd07bc91cc915aebf157a8b28066d

SHA1
fe906d8fa97b41df64344b688471f8489fff5ac0

SHA256
7cf636ef15ffdfec2f4d5209880183d0c44103d6557eced172124fd993a6d967

SHA512
c35adc26ac6a8189dc641324f5a301c641c8bed42e420f1b344d4bd96142324cf2203c77f24cb16ba5ed534049cab956880d1c6f9f8e77920109b4a7950cb831

Download Submit
C:\Users\Admin\AppData\Local\Temp\winsyslog\mpclient.dll

Filesize
36KB

MD5
184dd07bc91cc915aebf157a8b28066d

SHA1
fe906d8fa97b41df64344b688471f8489fff5ac0

SHA256
7cf636ef15ffdfec2f4d5209880183d0c44103d6557eced172124fd993a6d967

SHA512
c35adc26ac6a8189dc641324f5a301c641c8bed42e420f1b344d4bd96142324cf2203c77f24cb16ba5ed534049cab956880d1c6f9f8e77920109b4a7950cb831

Download Submit
C:\Users\Admin\AppData\Local\Temp\winsyslog\msseces.asm

Filesize
116KB

MD5
200c06f1be562a09cafab07d22838767

SHA1
f724d592c8300ce88bf77ca13a55f74d175286ff

SHA256
bf145d057e0b3cfd96da733c66344a0a07c86440d11bfc907b6bc740bb04dda7

SHA512
4002e986d43e0e6956b6c184bba3a59c8d50c320a2ac928d3cade920f64c8deed1ef530ab7fdbed040c2af928a2596903ac20965f065f64a68266f54d10cc152

Download Submit
C:\Users\Admin\AppData\Local\Temp\winsyslog\msseces.exe

Filesize
951KB

MD5
e279e55c0d5f5da2e1fd268ebd12f268

SHA1
f98338fde49327cf1e357c6eb704ef55eaf48f8f

SHA256
06c40af999881699dd9b73440d2ed48f404864c3fb8ff7b36560759892caaa12

SHA512
701b6e637b70182caaf44f628cbfd116778ba70cf2668df210faae2f29cce85062127bc83e769fe7cf8050f180357b9405a62cf1cdab6f2094cfb493daae82da

Download Submit
C:\Users\Admin\AppData\Local\Temp\winsyslog\msseces.exe

Filesize
951KB

MD5
e279e55c0d5f5da2e1fd268ebd12f268

SHA1
f98338fde49327cf1e357c6eb704ef55eaf48f8f

SHA256
06c40af999881699dd9b73440d2ed48f404864c3fb8ff7b36560759892caaa12

SHA512
701b6e637b70182caaf44f628cbfd116778ba70cf2668df210faae2f29cce85062127bc83e769fe7cf8050f180357b9405a62cf1cdab6f2094cfb493daae82da

Download Submit
memory/228-142-0x0000000000BB0000-0x0000000000BDE000-memory.dmp

Filesize
184KB

Download
memory/228-145-0x0000000000BB0000-0x0000000000BDE000-memory.dmp

Filesize
184KB

Download
memory/688-138-0x00000000006C4000-0x00000000006E2000-memory.dmp

Filesize
120KB

Download
memory/688-140-0x00000000006C4000-0x00000000006E2000-memory.dmp

Filesize
120KB

Download
memory/688-141-0x0000000002130000-0x000000000215E000-memory.dmp

Filesize
184KB

Download
memory/4364-144-0x0000000002C40000-0x0000000002C6E000-memory.dmp

Filesize
184KB

Download
memory/4364-146-0x0000000002C40000-0x0000000002C6E000-memory.dmp

Filesize
184KB

Download