plugx | f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104

Analysis

max time kernel
188s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe
Size

312KB
MD5

d9f87e744dbc898212a9eaa4594301b0
SHA1

6db6a193617ad688847fab965a12a9183eeda241
SHA256

f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104
SHA512

817e4326e71795982b3b637c6236a31162af0c31e38842c4d3701aed8927d944be285d448f6308818f5a5845052bc4f7baadaeb58fceab989e38f5505018b215
SSDEEP

3072:i7xf5kQoAp3Rr3zei1tmDZ5e7H5VVTt0BTnNZfsDZYanqn+S8WTul+5OMojoc:oF5kQo01Q95kzuN2DZYa2+S8YuuOM

Score

10^/10

plugx persistence trojan

Malware Config

Signatures

Detects PlugX payload 6 IoCs

resource	yara_rule
behavioral2/memory/1120-135-0x00000000030E0000-0x000000000310E000-memory.dmp	family_plugx
behavioral2/memory/3296-136-0x0000000000EE0000-0x0000000000F0E000-memory.dmp	family_plugx
behavioral2/memory/2844-137-0x0000000001450000-0x000000000147E000-memory.dmp	family_plugx
behavioral2/memory/5076-140-0x0000000002A70000-0x0000000002A9E000-memory.dmp	family_plugx
behavioral2/memory/2844-141-0x0000000001450000-0x000000000147E000-memory.dmp	family_plugx
behavioral2/memory/5076-142-0x0000000002A70000-0x0000000002A9E000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GmailBar LiveList = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe\""	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GmailBar LiveList = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe\""	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\MJ	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 43003600450038003800320035003500330038003200390030004200410043000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
2844	svchost.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
2844	svchost.exe
2844	svchost.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
2844	svchost.exe
2844	svchost.exe
5076	msiexec.exe
5076	msiexec.exe
2844	svchost.exe
2844	svchost.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
2844	svchost.exe
2844	svchost.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
2844	svchost.exe
2844	svchost.exe
5076	msiexec.exe
5076	msiexec.exe
2844	svchost.exe
2844	svchost.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe
5076	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2844	svchost.exe
5076	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1120	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe
Token: SeTcbPrivilege	1120	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe
Token: SeDebugPrivilege	1120	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe
Token: SeTcbPrivilege	1120	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe
Token: SeDebugPrivilege	2844	svchost.exe
Token: SeDebugPrivilege	3296	svchost.exe
Token: SeTcbPrivilege	2844	svchost.exe
Token: SeTcbPrivilege	3296	svchost.exe
Token: SeDebugPrivilege	5076	msiexec.exe
Token: SeTcbPrivilege	5076	msiexec.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 2844	1120	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe	80
PID 1120 wrote to memory of 3296	1120	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe	79
PID 1120 wrote to memory of 2844	1120	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe	80
PID 1120 wrote to memory of 2844	1120	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe	80
PID 1120 wrote to memory of 3296	1120	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe	79
PID 1120 wrote to memory of 3296	1120	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe	79
PID 1120 wrote to memory of 2844	1120	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe	80
PID 1120 wrote to memory of 3296	1120	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe	79
PID 1120 wrote to memory of 2844	1120	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe	80
PID 1120 wrote to memory of 3296	1120	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe	79
PID 1120 wrote to memory of 2844	1120	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe	80
PID 1120 wrote to memory of 3296	1120	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe	79
PID 1120 wrote to memory of 3296	1120	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe	79
PID 1120 wrote to memory of 2844	1120	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe	80
PID 1120 wrote to memory of 3296	1120	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe	79
PID 1120 wrote to memory of 2844	1120	f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe	80
PID 2844 wrote to memory of 5076	2844	svchost.exe	81
PID 2844 wrote to memory of 5076	2844	svchost.exe	81
PID 2844 wrote to memory of 5076	2844	svchost.exe	81
PID 2844 wrote to memory of 5076	2844	svchost.exe	81
PID 2844 wrote to memory of 5076	2844	svchost.exe	81
PID 2844 wrote to memory of 5076	2844	svchost.exe	81
PID 2844 wrote to memory of 5076	2844	svchost.exe	81
PID 2844 wrote to memory of 5076	2844	svchost.exe	81

C:\Users\Admin\AppData\Local\Temp\f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe
"C:\Users\Admin\AppData\Local\Temp\f5e444469407a3e894d368b79878a149696015ed2f666dddb49bd484f144d104.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3296
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:5076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\bug.log

Filesize
450B

MD5
aca7fb205321260de05ded632eed6c8f

SHA1
6c6e2a082020d85ab5d031ea30778b3a4fab7a57

SHA256
e9ed89ecfa678fab3b141a06ba59f345fa8761e4ef3f9190d5ee57d6ee25eeda

SHA512
45138a05b813fced27d02acddfeb9a73bee2629e54a2c522f63212f4b625d7adee0437bc5e40c0088214463b22cab81b8a246eee73bf9947a4a4d8f7ea1ff2d9

Download Submit
memory/1120-132-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1120-135-0x00000000030E0000-0x000000000310E000-memory.dmp

Filesize
184KB

Download
memory/2844-137-0x0000000001450000-0x000000000147E000-memory.dmp

Filesize
184KB

Download
memory/2844-141-0x0000000001450000-0x000000000147E000-memory.dmp

Filesize
184KB

Download
memory/3296-136-0x0000000000EE0000-0x0000000000F0E000-memory.dmp

Filesize
184KB

Download
memory/5076-140-0x0000000002A70000-0x0000000002A9E000-memory.dmp

Filesize
184KB

Download
memory/5076-142-0x0000000002A70000-0x0000000002A9E000-memory.dmp

Filesize
184KB

Download