plugx | afe40fb3150b18dbc4b46d09e57b7e30eb303969d7e5aca5315bf12788446be2

General

Target

QQPhotoDrawUpdateSvr.exe
Size

475KB
MD5

3a28d2e788b3a2aa2b159cbe87a41a5e
SHA1

f2525cb3dd708c9c8f13a28951ac583ca6ebcb05
SHA256

fe5f8f5d25c3889449de2e709bedd408d24bec46d3fa1a488745c4d79c988fab
SHA512

e35b2126a230edd752e4eef93a8bc441068d817826f15f006e2c87c765e60c9694c30ec84c66d2c2f526fa3d8b0f90b2f5e4a10e80ecbfc6b4fb40ae4e37bcfb
SSDEEP

6144:c3sPbRwlW0Yc6fXjTEBNuIbFOXkYmge0+hV+h:c3sPbRC6kaIAXkGkVk

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 7 IoCs

Processes:

resource	yara_rule
behavioral4/memory/2064-143-0x0000000000F30000-0x0000000000F65000-memory.dmp	family_plugx
behavioral4/memory/3704-144-0x0000000000AA0000-0x0000000000AD5000-memory.dmp	family_plugx
behavioral4/memory/1476-145-0x0000000000A90000-0x0000000000AC5000-memory.dmp	family_plugx
behavioral4/memory/3304-146-0x00000000015B0000-0x00000000015E5000-memory.dmp	family_plugx
behavioral4/memory/4400-148-0x0000000002320000-0x0000000002355000-memory.dmp	family_plugx
behavioral4/memory/3304-149-0x00000000015B0000-0x00000000015E5000-memory.dmp	family_plugx
behavioral4/memory/4400-150-0x0000000002320000-0x0000000002355000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 2 IoCs

Processes:

QQPhotoDrawUpdateSvr.exeQQPhotoDrawUpdateSvr.exe

pid process

1476 QQPhotoDrawUpdateSvr.exe
2064 QQPhotoDrawUpdateSvr.exe
Loads dropped DLL 2 IoCs

Processes:

QQPhotoDrawUpdateSvr.exeQQPhotoDrawUpdateSvr.exe

pid process

1476 QQPhotoDrawUpdateSvr.exe
2064 QQPhotoDrawUpdateSvr.exe

pid	process
1476	QQPhotoDrawUpdateSvr.exe
2064	QQPhotoDrawUpdateSvr.exe

pid	process
1476	QQPhotoDrawUpdateSvr.exe
2064	QQPhotoDrawUpdateSvr.exe

Drops file in Program Files directory 7 IoCs

Processes:

QQPhotoDrawUpdateSvr.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\curllib.dll	QQPhotoDrawUpdateSvr.exe
File opened for modification	C:\Program Files (x86)\Common Files	QQPhotoDrawUpdateSvr.exe
File opened for modification	C:\Program Files (x86)\Common Files\CamMute.swf	QQPhotoDrawUpdateSvr.exe
File created	C:\Program Files (x86)\Common Files\CamMute.swf	QQPhotoDrawUpdateSvr.exe
File opened for modification	C:\Program Files (x86)\Common Files\QQPhotoDrawUpdateSvr.exe	QQPhotoDrawUpdateSvr.exe
File created	C:\Program Files (x86)\Common Files\QQPhotoDrawUpdateSvr.exe	QQPhotoDrawUpdateSvr.exe
File opened for modification	C:\Program Files (x86)\Common Files\curllib.dll	QQPhotoDrawUpdateSvr.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 41004200370031004400430039003000430039003600340046004300410036000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exemsiexec.exe

pid	process
3304	svchost.exe
3304	svchost.exe
3304	svchost.exe
3304	svchost.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
3304	svchost.exe
3304	svchost.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
3304	svchost.exe
3304	svchost.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
3304	svchost.exe
3304	svchost.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
3304	svchost.exe
3304	svchost.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
4400	msiexec.exe
3304	svchost.exe
3304	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exemsiexec.exe

pid process

3304 svchost.exe
4400 msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

QQPhotoDrawUpdateSvr.exeQQPhotoDrawUpdateSvr.exeQQPhotoDrawUpdateSvr.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	3704	QQPhotoDrawUpdateSvr.exe
Token: SeTcbPrivilege	3704	QQPhotoDrawUpdateSvr.exe
Token: SeDebugPrivilege	1476	QQPhotoDrawUpdateSvr.exe
Token: SeTcbPrivilege	1476	QQPhotoDrawUpdateSvr.exe
Token: SeDebugPrivilege	2064	QQPhotoDrawUpdateSvr.exe
Token: SeTcbPrivilege	2064	QQPhotoDrawUpdateSvr.exe
Token: SeDebugPrivilege	3304	svchost.exe
Token: SeTcbPrivilege	3304	svchost.exe
Token: SeDebugPrivilege	4400	msiexec.exe
Token: SeTcbPrivilege	4400	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

QQPhotoDrawUpdateSvr.exesvchost.exe

description	pid	process	target process
PID 2064 wrote to memory of 3304	2064	QQPhotoDrawUpdateSvr.exe	svchost.exe
PID 2064 wrote to memory of 3304	2064	QQPhotoDrawUpdateSvr.exe	svchost.exe
PID 2064 wrote to memory of 3304	2064	QQPhotoDrawUpdateSvr.exe	svchost.exe
PID 2064 wrote to memory of 3304	2064	QQPhotoDrawUpdateSvr.exe	svchost.exe
PID 2064 wrote to memory of 3304	2064	QQPhotoDrawUpdateSvr.exe	svchost.exe
PID 2064 wrote to memory of 3304	2064	QQPhotoDrawUpdateSvr.exe	svchost.exe
PID 2064 wrote to memory of 3304	2064	QQPhotoDrawUpdateSvr.exe	svchost.exe
PID 2064 wrote to memory of 3304	2064	QQPhotoDrawUpdateSvr.exe	svchost.exe
PID 3304 wrote to memory of 4400	3304	svchost.exe	msiexec.exe
PID 3304 wrote to memory of 4400	3304	svchost.exe	msiexec.exe
PID 3304 wrote to memory of 4400	3304	svchost.exe	msiexec.exe
PID 3304 wrote to memory of 4400	3304	svchost.exe	msiexec.exe
PID 3304 wrote to memory of 4400	3304	svchost.exe	msiexec.exe
PID 3304 wrote to memory of 4400	3304	svchost.exe	msiexec.exe
PID 3304 wrote to memory of 4400	3304	svchost.exe	msiexec.exe
PID 3304 wrote to memory of 4400	3304	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\QQPhotoDrawUpdateSvr.exe
"C:\Users\Admin\AppData\Local\Temp\QQPhotoDrawUpdateSvr.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Program Files (x86)\Common Files\QQPhotoDrawUpdateSvr.exe
"C:\Program Files (x86)\Common Files\QQPhotoDrawUpdateSvr.exe" 100 3704
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Program Files (x86)\Common Files\QQPhotoDrawUpdateSvr.exe
"C:\Program Files (x86)\Common Files\QQPhotoDrawUpdateSvr.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 3304
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4400

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\CamMute.swf

Filesize
146KB

MD5
4ae94a2da16ad5ad5efc4cc13f307492

SHA1
2e049ddbbe6fe5f72ea98350739091ba88817c68

SHA256
826716e9d34cd8f0c6ed461b704f3081e8444b30236616ee1f1aec5ec1e2e1b3

SHA512
413ef4ca0b81bee6da8348f8d99de2d11be0d8afb51addb2f02a1fce90fdaddcd67e83e82c61309707f9df74bd18e45a85552c0fe876112d08769fa9c86b845a

Download Submit
C:\Program Files (x86)\Common Files\QQPhotoDrawUpdateSvr.exe

Filesize
475KB

MD5
3a28d2e788b3a2aa2b159cbe87a41a5e

SHA1
f2525cb3dd708c9c8f13a28951ac583ca6ebcb05

SHA256
fe5f8f5d25c3889449de2e709bedd408d24bec46d3fa1a488745c4d79c988fab

SHA512
e35b2126a230edd752e4eef93a8bc441068d817826f15f006e2c87c765e60c9694c30ec84c66d2c2f526fa3d8b0f90b2f5e4a10e80ecbfc6b4fb40ae4e37bcfb

Download Submit
C:\Program Files (x86)\Common Files\QQPhotoDrawUpdateSvr.exe

Filesize
475KB

MD5
3a28d2e788b3a2aa2b159cbe87a41a5e

SHA1
f2525cb3dd708c9c8f13a28951ac583ca6ebcb05

SHA256
fe5f8f5d25c3889449de2e709bedd408d24bec46d3fa1a488745c4d79c988fab

SHA512
e35b2126a230edd752e4eef93a8bc441068d817826f15f006e2c87c765e60c9694c30ec84c66d2c2f526fa3d8b0f90b2f5e4a10e80ecbfc6b4fb40ae4e37bcfb

Download Submit
C:\Program Files (x86)\Common Files\QQPhotoDrawUpdateSvr.exe

Filesize
475KB

MD5
3a28d2e788b3a2aa2b159cbe87a41a5e

SHA1
f2525cb3dd708c9c8f13a28951ac583ca6ebcb05

SHA256
fe5f8f5d25c3889449de2e709bedd408d24bec46d3fa1a488745c4d79c988fab

SHA512
e35b2126a230edd752e4eef93a8bc441068d817826f15f006e2c87c765e60c9694c30ec84c66d2c2f526fa3d8b0f90b2f5e4a10e80ecbfc6b4fb40ae4e37bcfb

Download Submit
C:\Program Files (x86)\Common Files\curllib.dll

Filesize
33KB

MD5
8b93812bde3ebbb526bc4005f530625a

SHA1
6024513b704a4ecd310f344837e344f1ed8d3cdb

SHA256
504f7602a6d39219ea11a7bd4a718acd63cba08171e4f0f8c692e6c30ce5c82f

SHA512
ebd2fd7adb96d49492ef2e1665a0dda1c6ad129cdd60e6a33824e81e2f7cba029d903255c982499162989be492e9319f6b2eb84c07ae821605e9589d7c8d014a

Download Submit
C:\Program Files (x86)\Common Files\curllib.dll

Filesize
33KB

MD5
8b93812bde3ebbb526bc4005f530625a

SHA1
6024513b704a4ecd310f344837e344f1ed8d3cdb

SHA256
504f7602a6d39219ea11a7bd4a718acd63cba08171e4f0f8c692e6c30ce5c82f

SHA512
ebd2fd7adb96d49492ef2e1665a0dda1c6ad129cdd60e6a33824e81e2f7cba029d903255c982499162989be492e9319f6b2eb84c07ae821605e9589d7c8d014a

Download Submit
C:\Program Files (x86)\Common Files\curllib.dll

Filesize
33KB

MD5
8b93812bde3ebbb526bc4005f530625a

SHA1
6024513b704a4ecd310f344837e344f1ed8d3cdb

SHA256
504f7602a6d39219ea11a7bd4a718acd63cba08171e4f0f8c692e6c30ce5c82f

SHA512
ebd2fd7adb96d49492ef2e1665a0dda1c6ad129cdd60e6a33824e81e2f7cba029d903255c982499162989be492e9319f6b2eb84c07ae821605e9589d7c8d014a

Download Submit
memory/1476-145-0x0000000000A90000-0x0000000000AC5000-memory.dmp

Filesize
212KB

Download
memory/2064-143-0x0000000000F30000-0x0000000000F65000-memory.dmp

Filesize
212KB

Download
memory/3304-142-0x0000000000000000-mapping.dmp

Download
memory/3304-146-0x00000000015B0000-0x00000000015E5000-memory.dmp

Filesize
212KB

Download
memory/3304-149-0x00000000015B0000-0x00000000015E5000-memory.dmp

Filesize
212KB

Download
memory/3704-144-0x0000000000AA0000-0x0000000000AD5000-memory.dmp

Filesize
212KB

Download
memory/3704-132-0x00000000023C0000-0x00000000024C0000-memory.dmp

Filesize
1024KB

Download
memory/4400-147-0x0000000000000000-mapping.dmp

Download
memory/4400-148-0x0000000002320000-0x0000000002355000-memory.dmp

Filesize
212KB

Download
memory/4400-150-0x0000000002320000-0x0000000002355000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads