plugx | 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3

General

Target

6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe
Size

2.0MB
MD5

0f6b00b0c5a26a5aa8942ae356329945
SHA1

1f412a62f50ff71f0b2b2f54aaa980962ebfd8a4
SHA256

6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3
SHA512

e8c6ff3952b6b1066d113ce8b1e76ed20ec8eb5511045f374706fa2a44cf7b6d096e56a01e2318b872de4a5530872132053f13836d8ff4ffa75396a1ee4b34d9
SSDEEP

49152:Na175O/mZxrkaH1EN5/yxnxEil7F8vSZBWwj186KQGwi38KQrF+FO7p1FzohbJq:uO/mZxbHW7yxnxECF8vSZBW+Pbi38KQs

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2112-149-0x0000000003530000-0x000000000355E000-memory.dmp	family_plugx
behavioral2/memory/2676-150-0x0000000001320000-0x000000000134E000-memory.dmp	family_plugx
behavioral2/memory/820-152-0x0000000000DD0000-0x0000000000DFE000-memory.dmp	family_plugx
behavioral2/memory/2676-153-0x0000000001320000-0x000000000134E000-memory.dmp	family_plugx
behavioral2/memory/820-154-0x0000000000DD0000-0x0000000000DFE000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 1 IoCs

Processes:

rudiment.exe

pid process

2112 rudiment.exe
Drops startup file 1 IoCs

Processes:

rudiment.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\meekness.lnk rudiment.exe
Loads dropped DLL 1 IoCs

Processes:

rudiment.exe

pid process

2112 rudiment.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2112	rudiment.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\meekness.lnk	rudiment.exe

pid	process
2112	rudiment.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\MJ	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 31004100310044003600410038003300330038003900440033004200380041000000	svchost.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

776 WINWORD.EXE
776 WINWORD.EXE

pid	process
776	WINWORD.EXE
776	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exesvchost.exemsiexec.exe

pid	process
4248	6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe
4248	6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe
2676	svchost.exe
2676	svchost.exe
2676	svchost.exe
2676	svchost.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
2676	svchost.exe
2676	svchost.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
2676	svchost.exe
2676	svchost.exe
820	msiexec.exe
820	msiexec.exe
2676	svchost.exe
2676	svchost.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
2676	svchost.exe
2676	svchost.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
2676	svchost.exe
2676	svchost.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe
820	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exemsiexec.exe

pid process

2676 svchost.exe
820 msiexec.exe

pid	process
2676	svchost.exe
820	msiexec.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

rudiment.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	2112	rudiment.exe
Token: SeTcbPrivilege	2112	rudiment.exe
Token: SeDebugPrivilege	2676	svchost.exe
Token: SeTcbPrivilege	2676	svchost.exe
Token: SeDebugPrivilege	820	msiexec.exe
Token: SeTcbPrivilege	820	msiexec.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exeWINWORD.EXE

pid	process
4248	6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe
4248	6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe
776	WINWORD.EXE
776	WINWORD.EXE
776	WINWORD.EXE
776	WINWORD.EXE
776	WINWORD.EXE
776	WINWORD.EXE
776	WINWORD.EXE
776	WINWORD.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exerudiment.exesvchost.exe

description	pid	process	target process
PID 4248 wrote to memory of 2112	4248	6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe	rudiment.exe
PID 4248 wrote to memory of 2112	4248	6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe	rudiment.exe
PID 4248 wrote to memory of 2112	4248	6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe	rudiment.exe
PID 2112 wrote to memory of 2676	2112	rudiment.exe	svchost.exe
PID 2112 wrote to memory of 2676	2112	rudiment.exe	svchost.exe
PID 2112 wrote to memory of 2676	2112	rudiment.exe	svchost.exe
PID 2112 wrote to memory of 2676	2112	rudiment.exe	svchost.exe
PID 2112 wrote to memory of 2676	2112	rudiment.exe	svchost.exe
PID 2112 wrote to memory of 2676	2112	rudiment.exe	svchost.exe
PID 2112 wrote to memory of 2676	2112	rudiment.exe	svchost.exe
PID 2112 wrote to memory of 2676	2112	rudiment.exe	svchost.exe
PID 2676 wrote to memory of 820	2676	svchost.exe	msiexec.exe
PID 2676 wrote to memory of 820	2676	svchost.exe	msiexec.exe
PID 2676 wrote to memory of 820	2676	svchost.exe	msiexec.exe
PID 2676 wrote to memory of 820	2676	svchost.exe	msiexec.exe
PID 2676 wrote to memory of 820	2676	svchost.exe	msiexec.exe
PID 2676 wrote to memory of 820	2676	svchost.exe	msiexec.exe
PID 2676 wrote to memory of 820	2676	svchost.exe	msiexec.exe
PID 2676 wrote to memory of 820	2676	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe
"C:\Users\Admin\AppData\Local\Temp\6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4248

C:\Users\Admin\AppData\Local\Temp\rudiment.exe
C:\Users\Admin\AppData\Local\Temp\rudiment.exe
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\psychiatry.dat
Filesize
116KB

MD5
6fad1eb852a177ecf4d324938667bad3

SHA1
2c340ccb03f23f651248057cce45ed1f8e82538a

SHA256
0a47b39e71fd6ba4e452491b52338a1578a8604a9bd298e6fa65488ab3f4f4e2

SHA512
86ff8519b96f6203e2ae3db3b5756a76fc9d4d72d3e383971e2bebbc8bf8e891fb503b94071f9b0351edd2cde32998a6d1cd1fcb76a0b407e60d9f180e1af506

Download Submit
C:\Users\Admin\AppData\Local\Temp\rudiment.exe
Filesize
47KB

MD5
b5bdaba69689e8be57ce78bb6845e4f0

SHA1
573c35ab1f243d6806dedbdd7e3265bc5cbd5b9a

SHA256
1e712adae2a543bf2fbf41691416b350c3a90561ab5f6590e520f833a9a587ad

SHA512
e79aaa4ac9b79ce7008155fddafc1bee58aae67d4ab6a0308702a9d47c29e83583c6786f2fa0c3812e50ef6eea1de981f5108ca752837b5edb8041236ff3c6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rudiment.exe
Filesize
47KB

MD5
b5bdaba69689e8be57ce78bb6845e4f0

SHA1
573c35ab1f243d6806dedbdd7e3265bc5cbd5b9a

SHA256
1e712adae2a543bf2fbf41691416b350c3a90561ab5f6590e520f833a9a587ad

SHA512
e79aaa4ac9b79ce7008155fddafc1bee58aae67d4ab6a0308702a9d47c29e83583c6786f2fa0c3812e50ef6eea1de981f5108ca752837b5edb8041236ff3c6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsodscpl.DLL
Filesize
112KB

MD5
cd03ef37cc82c578e7ef424e8199489a

SHA1
c059125dde026fb888357e7422fb1581611ada8f

SHA256
ec844e5fd297a3ff064e0be3c79885de21ba141d137f36b23677246623cdfc00

SHA512
a5a7832f44a9934d71044f9e1015590196f36a8bd660d85a1207415c43b1288e828bf14269468962868c425fb16ce797afc566a571e9b6b94726600d38d14b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsodscpl.dll
Filesize
112KB

MD5
cd03ef37cc82c578e7ef424e8199489a

SHA1
c059125dde026fb888357e7422fb1581611ada8f

SHA256
ec844e5fd297a3ff064e0be3c79885de21ba141d137f36b23677246623cdfc00

SHA512
a5a7832f44a9934d71044f9e1015590196f36a8bd660d85a1207415c43b1288e828bf14269468962868c425fb16ce797afc566a571e9b6b94726600d38d14b9e

Download Submit
memory/776-137-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmp

Filesize
64KB

Download
memory/776-139-0x00007FFE5D230000-0x00007FFE5D240000-memory.dmp

Filesize
64KB

Download
memory/776-140-0x00007FFE5D230000-0x00007FFE5D240000-memory.dmp

Filesize
64KB

Download
memory/776-138-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmp

Filesize
64KB

Download
memory/776-136-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmp

Filesize
64KB

Download
memory/776-135-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmp

Filesize
64KB

Download
memory/776-134-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmp

Filesize
64KB

Download
memory/820-151-0x0000000000000000-mapping.dmp

Download
memory/820-152-0x0000000000DD0000-0x0000000000DFE000-memory.dmp

Filesize
184KB

Download
memory/820-154-0x0000000000DD0000-0x0000000000DFE000-memory.dmp

Filesize
184KB

Download
memory/2112-141-0x0000000000000000-mapping.dmp

Download
memory/2112-149-0x0000000003530000-0x000000000355E000-memory.dmp

Filesize
184KB

Download
memory/2676-148-0x0000000000000000-mapping.dmp

Download
memory/2676-150-0x0000000001320000-0x000000000134E000-memory.dmp

Filesize
184KB

Download
memory/2676-153-0x0000000001320000-0x000000000134E000-memory.dmp

Filesize
184KB

Download
memory/4248-132-0x0000000000840000-0x0000000000A43000-memory.dmp

Filesize
2.0MB

Download
memory/4248-133-0x0000000000840000-0x0000000000A43000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads