plugx | afe40fb3150b18dbc4b46d09e57b7e30eb303969d7e5aca5315bf12788446be2

General

Target

QQPhotoDrawUpdateSvr.exe
Size

475KB
MD5

3a28d2e788b3a2aa2b159cbe87a41a5e
SHA1

f2525cb3dd708c9c8f13a28951ac583ca6ebcb05
SHA256

fe5f8f5d25c3889449de2e709bedd408d24bec46d3fa1a488745c4d79c988fab
SHA512

e35b2126a230edd752e4eef93a8bc441068d817826f15f006e2c87c765e60c9694c30ec84c66d2c2f526fa3d8b0f90b2f5e4a10e80ecbfc6b4fb40ae4e37bcfb
SSDEEP

6144:c3sPbRwlW0Yc6fXjTEBNuIbFOXkYmge0+hV+h:c3sPbRC6kaIAXkGkVk

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 6 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1616-70-0x0000000001C30000-0x0000000001C65000-memory.dmp	family_plugx
behavioral3/memory/1784-71-0x0000000000380000-0x00000000003B5000-memory.dmp	family_plugx
behavioral3/memory/1920-72-0x0000000000680000-0x00000000006B5000-memory.dmp	family_plugx
behavioral3/memory/1980-73-0x00000000001D0000-0x0000000000205000-memory.dmp	family_plugx
behavioral3/memory/1672-78-0x0000000000750000-0x0000000000785000-memory.dmp	family_plugx
behavioral3/memory/1980-79-0x00000000001D0000-0x0000000000205000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 2 IoCs

Processes:

QQPhotoDrawUpdateSvr.exeQQPhotoDrawUpdateSvr.exe

pid process

1920 QQPhotoDrawUpdateSvr.exe
1616 QQPhotoDrawUpdateSvr.exe
Deletes itself 1 IoCs

Processes:

QQPhotoDrawUpdateSvr.exe

pid process

1920 QQPhotoDrawUpdateSvr.exe
Loads dropped DLL 2 IoCs

Processes:

QQPhotoDrawUpdateSvr.exeQQPhotoDrawUpdateSvr.exe

pid process

1920 QQPhotoDrawUpdateSvr.exe
1616 QQPhotoDrawUpdateSvr.exe

pid	process
1920	QQPhotoDrawUpdateSvr.exe
1616	QQPhotoDrawUpdateSvr.exe

pid	process
1920	QQPhotoDrawUpdateSvr.exe

pid	process
1920	QQPhotoDrawUpdateSvr.exe
1616	QQPhotoDrawUpdateSvr.exe

Drops file in Program Files directory 7 IoCs

Processes:

QQPhotoDrawUpdateSvr.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\curllib.dll	QQPhotoDrawUpdateSvr.exe
File opened for modification	C:\Program Files (x86)\Common Files	QQPhotoDrawUpdateSvr.exe
File opened for modification	C:\Program Files (x86)\Common Files\CamMute.swf	QQPhotoDrawUpdateSvr.exe
File created	C:\Program Files (x86)\Common Files\CamMute.swf	QQPhotoDrawUpdateSvr.exe
File opened for modification	C:\Program Files (x86)\Common Files\QQPhotoDrawUpdateSvr.exe	QQPhotoDrawUpdateSvr.exe
File created	C:\Program Files (x86)\Common Files\QQPhotoDrawUpdateSvr.exe	QQPhotoDrawUpdateSvr.exe
File opened for modification	C:\Program Files (x86)\Common Files\curllib.dll	QQPhotoDrawUpdateSvr.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 37004400410031003300380037004600440046003500330035003000300034000000	svchost.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exemsiexec.exe

pid	process
1980	svchost.exe
1980	svchost.exe
1980	svchost.exe
1980	svchost.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1980	svchost.exe
1980	svchost.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1980	svchost.exe
1980	svchost.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1980	svchost.exe
1980	svchost.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1980	svchost.exe
1980	svchost.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1980	svchost.exe
1980	svchost.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1980	svchost.exe
1980	svchost.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1672	msiexec.exe
1980	svchost.exe
1980	svchost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

QQPhotoDrawUpdateSvr.exeQQPhotoDrawUpdateSvr.exeQQPhotoDrawUpdateSvr.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1784	QQPhotoDrawUpdateSvr.exe
Token: SeTcbPrivilege	1784	QQPhotoDrawUpdateSvr.exe
Token: SeDebugPrivilege	1920	QQPhotoDrawUpdateSvr.exe
Token: SeTcbPrivilege	1920	QQPhotoDrawUpdateSvr.exe
Token: SeDebugPrivilege	1616	QQPhotoDrawUpdateSvr.exe
Token: SeTcbPrivilege	1616	QQPhotoDrawUpdateSvr.exe
Token: SeDebugPrivilege	1980	svchost.exe
Token: SeTcbPrivilege	1980	svchost.exe
Token: SeDebugPrivilege	1672	msiexec.exe
Token: SeTcbPrivilege	1672	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

QQPhotoDrawUpdateSvr.exesvchost.exe

description	pid	process	target process
PID 1616 wrote to memory of 1980	1616	QQPhotoDrawUpdateSvr.exe	svchost.exe
PID 1616 wrote to memory of 1980	1616	QQPhotoDrawUpdateSvr.exe	svchost.exe
PID 1616 wrote to memory of 1980	1616	QQPhotoDrawUpdateSvr.exe	svchost.exe
PID 1616 wrote to memory of 1980	1616	QQPhotoDrawUpdateSvr.exe	svchost.exe
PID 1616 wrote to memory of 1980	1616	QQPhotoDrawUpdateSvr.exe	svchost.exe
PID 1616 wrote to memory of 1980	1616	QQPhotoDrawUpdateSvr.exe	svchost.exe
PID 1616 wrote to memory of 1980	1616	QQPhotoDrawUpdateSvr.exe	svchost.exe
PID 1616 wrote to memory of 1980	1616	QQPhotoDrawUpdateSvr.exe	svchost.exe
PID 1616 wrote to memory of 1980	1616	QQPhotoDrawUpdateSvr.exe	svchost.exe
PID 1980 wrote to memory of 1672	1980	svchost.exe	msiexec.exe
PID 1980 wrote to memory of 1672	1980	svchost.exe	msiexec.exe
PID 1980 wrote to memory of 1672	1980	svchost.exe	msiexec.exe
PID 1980 wrote to memory of 1672	1980	svchost.exe	msiexec.exe
PID 1980 wrote to memory of 1672	1980	svchost.exe	msiexec.exe
PID 1980 wrote to memory of 1672	1980	svchost.exe	msiexec.exe
PID 1980 wrote to memory of 1672	1980	svchost.exe	msiexec.exe
PID 1980 wrote to memory of 1672	1980	svchost.exe	msiexec.exe
PID 1980 wrote to memory of 1672	1980	svchost.exe	msiexec.exe
PID 1980 wrote to memory of 1672	1980	svchost.exe	msiexec.exe
PID 1980 wrote to memory of 1672	1980	svchost.exe	msiexec.exe
PID 1980 wrote to memory of 1672	1980	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\QQPhotoDrawUpdateSvr.exe
"C:\Users\Admin\AppData\Local\Temp\QQPhotoDrawUpdateSvr.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Program Files (x86)\Common Files\QQPhotoDrawUpdateSvr.exe
"C:\Program Files (x86)\Common Files\QQPhotoDrawUpdateSvr.exe" 100 1784
1⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Program Files (x86)\Common Files\QQPhotoDrawUpdateSvr.exe
"C:\Program Files (x86)\Common Files\QQPhotoDrawUpdateSvr.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1980
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\CamMute.swf

Filesize
146KB

MD5
4ae94a2da16ad5ad5efc4cc13f307492

SHA1
2e049ddbbe6fe5f72ea98350739091ba88817c68

SHA256
826716e9d34cd8f0c6ed461b704f3081e8444b30236616ee1f1aec5ec1e2e1b3

SHA512
413ef4ca0b81bee6da8348f8d99de2d11be0d8afb51addb2f02a1fce90fdaddcd67e83e82c61309707f9df74bd18e45a85552c0fe876112d08769fa9c86b845a

Download Submit
C:\Program Files (x86)\Common Files\QQPhotoDrawUpdateSvr.exe

Filesize
475KB

MD5
3a28d2e788b3a2aa2b159cbe87a41a5e

SHA1
f2525cb3dd708c9c8f13a28951ac583ca6ebcb05

SHA256
fe5f8f5d25c3889449de2e709bedd408d24bec46d3fa1a488745c4d79c988fab

SHA512
e35b2126a230edd752e4eef93a8bc441068d817826f15f006e2c87c765e60c9694c30ec84c66d2c2f526fa3d8b0f90b2f5e4a10e80ecbfc6b4fb40ae4e37bcfb

Download Submit
C:\Program Files (x86)\Common Files\QQPhotoDrawUpdateSvr.exe

Filesize
475KB

MD5
3a28d2e788b3a2aa2b159cbe87a41a5e

SHA1
f2525cb3dd708c9c8f13a28951ac583ca6ebcb05

SHA256
fe5f8f5d25c3889449de2e709bedd408d24bec46d3fa1a488745c4d79c988fab

SHA512
e35b2126a230edd752e4eef93a8bc441068d817826f15f006e2c87c765e60c9694c30ec84c66d2c2f526fa3d8b0f90b2f5e4a10e80ecbfc6b4fb40ae4e37bcfb

Download Submit
C:\Program Files (x86)\Common Files\curllib.dll

Filesize
33KB

MD5
8b93812bde3ebbb526bc4005f530625a

SHA1
6024513b704a4ecd310f344837e344f1ed8d3cdb

SHA256
504f7602a6d39219ea11a7bd4a718acd63cba08171e4f0f8c692e6c30ce5c82f

SHA512
ebd2fd7adb96d49492ef2e1665a0dda1c6ad129cdd60e6a33824e81e2f7cba029d903255c982499162989be492e9319f6b2eb84c07ae821605e9589d7c8d014a

Download Submit
\Program Files (x86)\Common Files\curllib.dll

Filesize
33KB

MD5
8b93812bde3ebbb526bc4005f530625a

SHA1
6024513b704a4ecd310f344837e344f1ed8d3cdb

SHA256
504f7602a6d39219ea11a7bd4a718acd63cba08171e4f0f8c692e6c30ce5c82f

SHA512
ebd2fd7adb96d49492ef2e1665a0dda1c6ad129cdd60e6a33824e81e2f7cba029d903255c982499162989be492e9319f6b2eb84c07ae821605e9589d7c8d014a

Download Submit
\Program Files (x86)\Common Files\curllib.dll

Filesize
33KB

MD5
8b93812bde3ebbb526bc4005f530625a

SHA1
6024513b704a4ecd310f344837e344f1ed8d3cdb

SHA256
504f7602a6d39219ea11a7bd4a718acd63cba08171e4f0f8c692e6c30ce5c82f

SHA512
ebd2fd7adb96d49492ef2e1665a0dda1c6ad129cdd60e6a33824e81e2f7cba029d903255c982499162989be492e9319f6b2eb84c07ae821605e9589d7c8d014a

Download Submit
memory/1616-70-0x0000000001C30000-0x0000000001C65000-memory.dmp

Filesize
212KB

Download
memory/1672-78-0x0000000000750000-0x0000000000785000-memory.dmp

Filesize
212KB

Download
memory/1672-76-0x0000000000000000-mapping.dmp

Download
memory/1784-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1784-55-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/1784-71-0x0000000000380000-0x00000000003B5000-memory.dmp

Filesize
212KB

Download
memory/1920-72-0x0000000000680000-0x00000000006B5000-memory.dmp

Filesize
212KB

Download
memory/1980-73-0x00000000001D0000-0x0000000000205000-memory.dmp

Filesize
212KB

Download
memory/1980-68-0x0000000000000000-mapping.dmp

Download
memory/1980-66-0x00000000000A0000-0x00000000000C3000-memory.dmp

Filesize
140KB

Download
memory/1980-79-0x00000000001D0000-0x0000000000205000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads