plugx | b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb.exe
Size

227KB
MD5

2c7bad4f4a4df3025aa1345db27c7408
SHA1

93d7fe1ec1f49e1e18c052050e7ff5df4bff4b2c
SHA256

b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb
SHA512

c23e5d44ca6649d6bb1e227648a6256e9ab81ac4405e748c58bc01105244aa55c3baa592dffe300d4aaafec6663a8cd839e322fd2b3fc98aff117797b0b29d62
SSDEEP

6144:zLkD+fqCNAl8aVuMULdQrdas2gQntcgMly5CjrjZZ6AnR6e:zYD+iCNAl/HULdQrRfQnegMlcCjeAnRv

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 6 IoCs

resource	yara_rule
behavioral1/memory/1124-64-0x0000000000310000-0x000000000033E000-memory.dmp	family_plugx
behavioral1/memory/284-74-0x0000000000450000-0x000000000047E000-memory.dmp	family_plugx
behavioral1/memory/1936-75-0x0000000000220000-0x000000000024E000-memory.dmp	family_plugx
behavioral1/memory/1228-81-0x0000000000240000-0x000000000026E000-memory.dmp	family_plugx
behavioral1/memory/1936-82-0x0000000000220000-0x000000000024E000-memory.dmp	family_plugx
behavioral1/memory/1228-83-0x0000000000240000-0x000000000026E000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
1124	SOUNDMAN.exe
284	SOUNDMAN.exe

Deletes itself 1 IoCs

pid	Process
1936	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
1492	b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb.exe
1492	b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb.exe
1124	SOUNDMAN.exe
284	SOUNDMAN.exe

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8928E753-7159-46AD-9537-4B51D0E3D632}\WpadNetworkName = "Network 2"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-6f-1a-e7-0f-fc\WpadDecisionTime = d0b7a5a76706d901	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8928E753-7159-46AD-9537-4B51D0E3D632}\9e-6f-1a-e7-0f-fc	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-6f-1a-e7-0f-fc\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-6f-1a-e7-0f-fc\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-6f-1a-e7-0f-fc\WpadDecisionTime = 90c19bab6706d901	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-6f-1a-e7-0f-fc\WpadDetectedUrl	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8928E753-7159-46AD-9537-4B51D0E3D632}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8928E753-7159-46AD-9537-4B51D0E3D632}\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8928E753-7159-46AD-9537-4B51D0E3D632}\WpadDecisionTime = d0b7a5a76706d901	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8928E753-7159-46AD-9537-4B51D0E3D632}\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-6f-1a-e7-0f-fc	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8928E753-7159-46AD-9537-4B51D0E3D632}\WpadDecisionTime = 90c19bab6706d901	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\MJ	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 33004600450038004400420046003900420037003200320046003900330037000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1936	svchost.exe
1936	svchost.exe
1936	svchost.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1936	svchost.exe
1936	svchost.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1936	svchost.exe
1936	svchost.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1936	svchost.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1936	svchost.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1936	svchost.exe
1936	svchost.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1936	svchost.exe
1936	svchost.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1936	svchost.exe
1936	svchost.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1228	msiexec.exe
1936	svchost.exe
1936	svchost.exe
1228	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1124	SOUNDMAN.exe
Token: SeTcbPrivilege	1124	SOUNDMAN.exe
Token: SeDebugPrivilege	284	SOUNDMAN.exe
Token: SeTcbPrivilege	284	SOUNDMAN.exe
Token: SeDebugPrivilege	1936	svchost.exe
Token: SeTcbPrivilege	1936	svchost.exe
Token: SeDebugPrivilege	1228	msiexec.exe
Token: SeTcbPrivilege	1228	msiexec.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1124	1492	b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb.exe	27
PID 1492 wrote to memory of 1124	1492	b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb.exe	27
PID 1492 wrote to memory of 1124	1492	b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb.exe	27
PID 1492 wrote to memory of 1124	1492	b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb.exe	27
PID 284 wrote to memory of 1936	284	SOUNDMAN.exe	29
PID 284 wrote to memory of 1936	284	SOUNDMAN.exe	29
PID 284 wrote to memory of 1936	284	SOUNDMAN.exe	29
PID 284 wrote to memory of 1936	284	SOUNDMAN.exe	29
PID 284 wrote to memory of 1936	284	SOUNDMAN.exe	29
PID 284 wrote to memory of 1936	284	SOUNDMAN.exe	29
PID 284 wrote to memory of 1936	284	SOUNDMAN.exe	29
PID 284 wrote to memory of 1936	284	SOUNDMAN.exe	29
PID 284 wrote to memory of 1936	284	SOUNDMAN.exe	29
PID 1936 wrote to memory of 1228	1936	svchost.exe	30
PID 1936 wrote to memory of 1228	1936	svchost.exe	30
PID 1936 wrote to memory of 1228	1936	svchost.exe	30
PID 1936 wrote to memory of 1228	1936	svchost.exe	30
PID 1936 wrote to memory of 1228	1936	svchost.exe	30
PID 1936 wrote to memory of 1228	1936	svchost.exe	30
PID 1936 wrote to memory of 1228	1936	svchost.exe	30
PID 1936 wrote to memory of 1228	1936	svchost.exe	30
PID 1936 wrote to memory of 1228	1936	svchost.exe	30
PID 1936 wrote to memory of 1228	1936	svchost.exe	30
PID 1936 wrote to memory of 1228	1936	svchost.exe	30
PID 1936 wrote to memory of 1228	1936	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb.exe
"C:\Users\Admin\AppData\Local\Temp\b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe
  "C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe" 100 1492
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1124

C:\ProgramData\SOUNDMAN\SOUNDMAN.exe
C:\ProgramData\SOUNDMAN\SOUNDMAN.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:284
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Deletes itself
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SOUNDMAN\HID.DLL

Filesize
41KB

MD5
89fb8ee88cfd469e14bc7493d78b70c4

SHA1
0f431b38ef83728e71aa044b06da6e8f989cfbbd

SHA256
a8099c7b3748c3b1bff3cd477f3c29bba86ebb6797a08f89f3a661df820adf51

SHA512
2e0f4838d8edc15e11410f23557dd96cf56ec1e9ad649d50314a3715a66d2adbd7de2ecf19c722df2f9833eee5db15db5b3cfa894e9a3a7df8c0abad2725f1ca

Download Submit
C:\ProgramData\SOUNDMAN\HID.DLLx

Filesize
116KB

MD5
bfebe419cf071d70389dd40f511c26b6

SHA1
6802ff3f728a0c84c55aea1993101261b84ca839

SHA256
58302863ae0df9afd3bd8e2746550bf87531d8729c45bb433ee216c66b953094

SHA512
1df5d20eff499150add83444474191527158cc6ab00c67b04ccdb113116689446a2a9bb45e26f99a7e6741093e2026e15dd6c390e962591287c450d2f09883ea

Download Submit
C:\ProgramData\SOUNDMAN\SOUNDMAN.exe

Filesize
82KB

MD5
798c0c1ff4e0fce646ca82ae0379ccb0

SHA1
3f65f997f350a59ac67e432092cf7f5cfe94a701

SHA256
54d08331f511823755cbbac3aad698bbcdfcde71f47b827dcfc6ada89e753d80

SHA512
be7924f6179d774d0e4f91a6f044abbb12e9cbf1e19a49e115da5a2eeedbe4c0b29879cf41008d27d13fdb80963d846527d53721d94668719d1331bf1867de3e

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
456B

MD5
3a7f3379b19425e420a9c417511f6462

SHA1
209387965de71371f1170ea618480b41c5bca5e4

SHA256
2a2f5a56b655f6f8274a1d95e3fb04e2d3861f1ffcba18b31df78cdea73c99ab

SHA512
0f249d6064bf7c63e3784da31bd70a6df96c2c7debae92b27956b47fc6e3f9e0fd76cf0a3092145fd725363ff7fd56c25c528bc33168079a38292de894292adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\HID.DLL

Filesize
41KB

MD5
89fb8ee88cfd469e14bc7493d78b70c4

SHA1
0f431b38ef83728e71aa044b06da6e8f989cfbbd

SHA256
a8099c7b3748c3b1bff3cd477f3c29bba86ebb6797a08f89f3a661df820adf51

SHA512
2e0f4838d8edc15e11410f23557dd96cf56ec1e9ad649d50314a3715a66d2adbd7de2ecf19c722df2f9833eee5db15db5b3cfa894e9a3a7df8c0abad2725f1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\HID.DLLx

Filesize
116KB

MD5
bfebe419cf071d70389dd40f511c26b6

SHA1
6802ff3f728a0c84c55aea1993101261b84ca839

SHA256
58302863ae0df9afd3bd8e2746550bf87531d8729c45bb433ee216c66b953094

SHA512
1df5d20eff499150add83444474191527158cc6ab00c67b04ccdb113116689446a2a9bb45e26f99a7e6741093e2026e15dd6c390e962591287c450d2f09883ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe

Filesize
82KB

MD5
798c0c1ff4e0fce646ca82ae0379ccb0

SHA1
3f65f997f350a59ac67e432092cf7f5cfe94a701

SHA256
54d08331f511823755cbbac3aad698bbcdfcde71f47b827dcfc6ada89e753d80

SHA512
be7924f6179d774d0e4f91a6f044abbb12e9cbf1e19a49e115da5a2eeedbe4c0b29879cf41008d27d13fdb80963d846527d53721d94668719d1331bf1867de3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe

Filesize
82KB

MD5
798c0c1ff4e0fce646ca82ae0379ccb0

SHA1
3f65f997f350a59ac67e432092cf7f5cfe94a701

SHA256
54d08331f511823755cbbac3aad698bbcdfcde71f47b827dcfc6ada89e753d80

SHA512
be7924f6179d774d0e4f91a6f044abbb12e9cbf1e19a49e115da5a2eeedbe4c0b29879cf41008d27d13fdb80963d846527d53721d94668719d1331bf1867de3e

Download Submit
\ProgramData\SOUNDMAN\HID.dll

Filesize
41KB

MD5
89fb8ee88cfd469e14bc7493d78b70c4

SHA1
0f431b38ef83728e71aa044b06da6e8f989cfbbd

SHA256
a8099c7b3748c3b1bff3cd477f3c29bba86ebb6797a08f89f3a661df820adf51

SHA512
2e0f4838d8edc15e11410f23557dd96cf56ec1e9ad649d50314a3715a66d2adbd7de2ecf19c722df2f9833eee5db15db5b3cfa894e9a3a7df8c0abad2725f1ca

Download Submit
\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe

Filesize
82KB

MD5
798c0c1ff4e0fce646ca82ae0379ccb0

SHA1
3f65f997f350a59ac67e432092cf7f5cfe94a701

SHA256
54d08331f511823755cbbac3aad698bbcdfcde71f47b827dcfc6ada89e753d80

SHA512
be7924f6179d774d0e4f91a6f044abbb12e9cbf1e19a49e115da5a2eeedbe4c0b29879cf41008d27d13fdb80963d846527d53721d94668719d1331bf1867de3e

Download Submit
\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe

Filesize
82KB

MD5
798c0c1ff4e0fce646ca82ae0379ccb0

SHA1
3f65f997f350a59ac67e432092cf7f5cfe94a701

SHA256
54d08331f511823755cbbac3aad698bbcdfcde71f47b827dcfc6ada89e753d80

SHA512
be7924f6179d774d0e4f91a6f044abbb12e9cbf1e19a49e115da5a2eeedbe4c0b29879cf41008d27d13fdb80963d846527d53721d94668719d1331bf1867de3e

Download Submit
\Users\Admin\AppData\Local\Temp\HID\hid.dll

Filesize
41KB

MD5
89fb8ee88cfd469e14bc7493d78b70c4

SHA1
0f431b38ef83728e71aa044b06da6e8f989cfbbd

SHA256
a8099c7b3748c3b1bff3cd477f3c29bba86ebb6797a08f89f3a661df820adf51

SHA512
2e0f4838d8edc15e11410f23557dd96cf56ec1e9ad649d50314a3715a66d2adbd7de2ecf19c722df2f9833eee5db15db5b3cfa894e9a3a7df8c0abad2725f1ca

Download Submit
memory/284-74-0x0000000000450000-0x000000000047E000-memory.dmp

Filesize
184KB

Download
memory/1124-64-0x0000000000310000-0x000000000033E000-memory.dmp

Filesize
184KB

Download
memory/1124-63-0x0000000001D30000-0x0000000001E30000-memory.dmp

Filesize
1024KB

Download
memory/1124-58-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1228-83-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/1228-81-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/1936-70-0x0000000000130000-0x000000000014B000-memory.dmp

Filesize
108KB

Download
memory/1936-75-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/1936-82-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download