plugx | b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb

Analysis

max time kernel
156s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb.exe
Size

227KB
MD5

2c7bad4f4a4df3025aa1345db27c7408
SHA1

93d7fe1ec1f49e1e18c052050e7ff5df4bff4b2c
SHA256

b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb
SHA512

c23e5d44ca6649d6bb1e227648a6256e9ab81ac4405e748c58bc01105244aa55c3baa592dffe300d4aaafec6663a8cd839e322fd2b3fc98aff117797b0b29d62
SSDEEP

6144:zLkD+fqCNAl8aVuMULdQrdas2gQntcgMly5CjrjZZ6AnR6e:zYD+iCNAl/HULdQrRfQnegMlcCjeAnRv

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3588-145-0x0000000000E30000-0x0000000000E5E000-memory.dmp	family_plugx
behavioral2/memory/2536-148-0x00000000022C0000-0x00000000022EE000-memory.dmp	family_plugx
behavioral2/memory/3516-149-0x0000000000C30000-0x0000000000C5E000-memory.dmp	family_plugx
behavioral2/memory/1676-151-0x0000000000D40000-0x0000000000D6E000-memory.dmp	family_plugx
behavioral2/memory/3516-152-0x0000000000C30000-0x0000000000C5E000-memory.dmp	family_plugx
behavioral2/memory/1676-153-0x0000000000D40000-0x0000000000D6E000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 2 IoCs

Processes:

SOUNDMAN.exeSOUNDMAN.exe

pid process

2536 SOUNDMAN.exe
3588 SOUNDMAN.exe
Loads dropped DLL 2 IoCs

Processes:

SOUNDMAN.exeSOUNDMAN.exe

pid process

2536 SOUNDMAN.exe
3588 SOUNDMAN.exe

pid	process
2536	SOUNDMAN.exe
3588	SOUNDMAN.exe

pid	process
2536	SOUNDMAN.exe
3588	SOUNDMAN.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\MJ	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 46003700340031003300440043004300430039003000310046003900330037000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exemsiexec.exe

pid	process
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
3516	svchost.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
3516	svchost.exe
3516	svchost.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
3516	svchost.exe
3516	svchost.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
3516	svchost.exe
3516	svchost.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
3516	svchost.exe
3516	svchost.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe
1676	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exemsiexec.exe

pid process

3516 svchost.exe
1676 msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

SOUNDMAN.exeSOUNDMAN.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	2536	SOUNDMAN.exe
Token: SeTcbPrivilege	2536	SOUNDMAN.exe
Token: SeDebugPrivilege	3588	SOUNDMAN.exe
Token: SeTcbPrivilege	3588	SOUNDMAN.exe
Token: SeDebugPrivilege	3516	svchost.exe
Token: SeTcbPrivilege	3516	svchost.exe
Token: SeDebugPrivilege	1676	msiexec.exe
Token: SeTcbPrivilege	1676	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb.exeSOUNDMAN.exesvchost.exe

description	pid	process	target process
PID 5068 wrote to memory of 2536	5068	b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb.exe	SOUNDMAN.exe
PID 5068 wrote to memory of 2536	5068	b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb.exe	SOUNDMAN.exe
PID 5068 wrote to memory of 2536	5068	b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb.exe	SOUNDMAN.exe
PID 3588 wrote to memory of 3516	3588	SOUNDMAN.exe	svchost.exe
PID 3588 wrote to memory of 3516	3588	SOUNDMAN.exe	svchost.exe
PID 3588 wrote to memory of 3516	3588	SOUNDMAN.exe	svchost.exe
PID 3588 wrote to memory of 3516	3588	SOUNDMAN.exe	svchost.exe
PID 3588 wrote to memory of 3516	3588	SOUNDMAN.exe	svchost.exe
PID 3588 wrote to memory of 3516	3588	SOUNDMAN.exe	svchost.exe
PID 3588 wrote to memory of 3516	3588	SOUNDMAN.exe	svchost.exe
PID 3588 wrote to memory of 3516	3588	SOUNDMAN.exe	svchost.exe
PID 3516 wrote to memory of 1676	3516	svchost.exe	msiexec.exe
PID 3516 wrote to memory of 1676	3516	svchost.exe	msiexec.exe
PID 3516 wrote to memory of 1676	3516	svchost.exe	msiexec.exe
PID 3516 wrote to memory of 1676	3516	svchost.exe	msiexec.exe
PID 3516 wrote to memory of 1676	3516	svchost.exe	msiexec.exe
PID 3516 wrote to memory of 1676	3516	svchost.exe	msiexec.exe
PID 3516 wrote to memory of 1676	3516	svchost.exe	msiexec.exe
PID 3516 wrote to memory of 1676	3516	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb.exe
"C:\Users\Admin\AppData\Local\Temp\b9510e4484fa7e3034228337768176fce822162ad819539c6ca3631deac043eb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe
"C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe" 100 5068
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\ProgramData\SOUNDMAN\SOUNDMAN.exe
C:\ProgramData\SOUNDMAN\SOUNDMAN.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SOUNDMAN\HID.DLL
Filesize
41KB

MD5
89fb8ee88cfd469e14bc7493d78b70c4

SHA1
0f431b38ef83728e71aa044b06da6e8f989cfbbd

SHA256
a8099c7b3748c3b1bff3cd477f3c29bba86ebb6797a08f89f3a661df820adf51

SHA512
2e0f4838d8edc15e11410f23557dd96cf56ec1e9ad649d50314a3715a66d2adbd7de2ecf19c722df2f9833eee5db15db5b3cfa894e9a3a7df8c0abad2725f1ca

Download Submit
C:\ProgramData\SOUNDMAN\HID.DLLx
Filesize
116KB

MD5
bfebe419cf071d70389dd40f511c26b6

SHA1
6802ff3f728a0c84c55aea1993101261b84ca839

SHA256
58302863ae0df9afd3bd8e2746550bf87531d8729c45bb433ee216c66b953094

SHA512
1df5d20eff499150add83444474191527158cc6ab00c67b04ccdb113116689446a2a9bb45e26f99a7e6741093e2026e15dd6c390e962591287c450d2f09883ea

Download Submit
C:\ProgramData\SOUNDMAN\HID.dll
Filesize
41KB

MD5
89fb8ee88cfd469e14bc7493d78b70c4

SHA1
0f431b38ef83728e71aa044b06da6e8f989cfbbd

SHA256
a8099c7b3748c3b1bff3cd477f3c29bba86ebb6797a08f89f3a661df820adf51

SHA512
2e0f4838d8edc15e11410f23557dd96cf56ec1e9ad649d50314a3715a66d2adbd7de2ecf19c722df2f9833eee5db15db5b3cfa894e9a3a7df8c0abad2725f1ca

Download Submit
C:\ProgramData\SOUNDMAN\SOUNDMAN.exe
Filesize
82KB

MD5
798c0c1ff4e0fce646ca82ae0379ccb0

SHA1
3f65f997f350a59ac67e432092cf7f5cfe94a701

SHA256
54d08331f511823755cbbac3aad698bbcdfcde71f47b827dcfc6ada89e753d80

SHA512
be7924f6179d774d0e4f91a6f044abbb12e9cbf1e19a49e115da5a2eeedbe4c0b29879cf41008d27d13fdb80963d846527d53721d94668719d1331bf1867de3e

Download Submit
C:\ProgramData\SOUNDMAN\SOUNDMAN.exe
Filesize
82KB

MD5
798c0c1ff4e0fce646ca82ae0379ccb0

SHA1
3f65f997f350a59ac67e432092cf7f5cfe94a701

SHA256
54d08331f511823755cbbac3aad698bbcdfcde71f47b827dcfc6ada89e753d80

SHA512
be7924f6179d774d0e4f91a6f044abbb12e9cbf1e19a49e115da5a2eeedbe4c0b29879cf41008d27d13fdb80963d846527d53721d94668719d1331bf1867de3e

Download Submit
C:\ProgramData\SxS\bug.log
Filesize
456B

MD5
c4275eb859eefcc3ab486249e3b45dd5

SHA1
22f704e2f6d26ecc2621de8513fb0ade410e2586

SHA256
14c65ed1a3516764f48780c363d035a9ec509b829137dcfd90b798c8f92ca7f9

SHA512
c186fdce19e1b41002b5e5e5590555a5224e8c0dcd1b9a9ae583949b7bb86b16f0913a4e3df91cdee3ec3c47ec82ed1f96be4ca8f330b2dfc06a17a84b54f3ae

Download Submit
C:\ProgramData\SxS\bug.log
Filesize
618B

MD5
7f2eb429d43538943b8549e1a16446e4

SHA1
86d26c45bd6559dd838b5690e908330ba2c848a1

SHA256
d3bbef58640ab7344ab30553c7656f3e9eb725ad3854036188ef5362fcf1e6f9

SHA512
2df09cbb1c47cfddd67e3370978c996a126754ba13a527c19568059b6383066284dfadeeee40afd4502d4a516433c4bcf02898a797a0f559695271d0536a9797

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\HID.DLL
Filesize
41KB

MD5
89fb8ee88cfd469e14bc7493d78b70c4

SHA1
0f431b38ef83728e71aa044b06da6e8f989cfbbd

SHA256
a8099c7b3748c3b1bff3cd477f3c29bba86ebb6797a08f89f3a661df820adf51

SHA512
2e0f4838d8edc15e11410f23557dd96cf56ec1e9ad649d50314a3715a66d2adbd7de2ecf19c722df2f9833eee5db15db5b3cfa894e9a3a7df8c0abad2725f1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\HID.DLLx
Filesize
116KB

MD5
bfebe419cf071d70389dd40f511c26b6

SHA1
6802ff3f728a0c84c55aea1993101261b84ca839

SHA256
58302863ae0df9afd3bd8e2746550bf87531d8729c45bb433ee216c66b953094

SHA512
1df5d20eff499150add83444474191527158cc6ab00c67b04ccdb113116689446a2a9bb45e26f99a7e6741093e2026e15dd6c390e962591287c450d2f09883ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe
Filesize
82KB

MD5
798c0c1ff4e0fce646ca82ae0379ccb0

SHA1
3f65f997f350a59ac67e432092cf7f5cfe94a701

SHA256
54d08331f511823755cbbac3aad698bbcdfcde71f47b827dcfc6ada89e753d80

SHA512
be7924f6179d774d0e4f91a6f044abbb12e9cbf1e19a49e115da5a2eeedbe4c0b29879cf41008d27d13fdb80963d846527d53721d94668719d1331bf1867de3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe
Filesize
82KB

MD5
798c0c1ff4e0fce646ca82ae0379ccb0

SHA1
3f65f997f350a59ac67e432092cf7f5cfe94a701

SHA256
54d08331f511823755cbbac3aad698bbcdfcde71f47b827dcfc6ada89e753d80

SHA512
be7924f6179d774d0e4f91a6f044abbb12e9cbf1e19a49e115da5a2eeedbe4c0b29879cf41008d27d13fdb80963d846527d53721d94668719d1331bf1867de3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\hid.dll
Filesize
41KB

MD5
89fb8ee88cfd469e14bc7493d78b70c4

SHA1
0f431b38ef83728e71aa044b06da6e8f989cfbbd

SHA256
a8099c7b3748c3b1bff3cd477f3c29bba86ebb6797a08f89f3a661df820adf51

SHA512
2e0f4838d8edc15e11410f23557dd96cf56ec1e9ad649d50314a3715a66d2adbd7de2ecf19c722df2f9833eee5db15db5b3cfa894e9a3a7df8c0abad2725f1ca

Download Submit
memory/1676-150-0x0000000000000000-mapping.dmp

Download
memory/1676-153-0x0000000000D40000-0x0000000000D6E000-memory.dmp

Filesize
184KB

Download
memory/1676-151-0x0000000000D40000-0x0000000000D6E000-memory.dmp

Filesize
184KB

Download
memory/2536-148-0x00000000022C0000-0x00000000022EE000-memory.dmp

Filesize
184KB

Download
memory/2536-138-0x00000000021C0000-0x00000000022C0000-memory.dmp

Filesize
1024KB

Download
memory/2536-132-0x0000000000000000-mapping.dmp

Download
memory/3516-149-0x0000000000C30000-0x0000000000C5E000-memory.dmp

Filesize
184KB

Download
memory/3516-152-0x0000000000C30000-0x0000000000C5E000-memory.dmp

Filesize
184KB

Download
memory/3516-144-0x0000000000000000-mapping.dmp

Download
memory/3588-145-0x0000000000E30000-0x0000000000E5E000-memory.dmp

Filesize
184KB

Download