plugx | 55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74

Analysis

max time kernel
171s
max time network
169s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74.exe
Size

243KB
MD5

c5684320e55824d99f009382dd0804df
SHA1

cd336b57d677db8fa60af8b6550e077efa7bb0fa
SHA256

55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74
SHA512

30925165742752137f0716d73bee5c0047456d4be269da74ff4b1e89b0edcd4b7a89d818bc8e4ec11b19c61ec2abc62cd6bab4bb7358caf2772f55a702a6020e
SSDEEP

6144:pLRA0S1lHhJNuTwU9l0OrDvxYDTdw4myOKNGVFp:p20S1XtqDZYDT9mjoGV

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/772-63-0x0000000001C90000-0x0000000001CBE000-memory.dmp	family_plugx
behavioral1/memory/1312-72-0x0000000000290000-0x00000000002BE000-memory.dmp	family_plugx
behavioral1/memory/872-74-0x0000000000210000-0x000000000023E000-memory.dmp	family_plugx
behavioral1/memory/772-75-0x0000000001C90000-0x0000000001CBE000-memory.dmp	family_plugx
behavioral1/memory/872-76-0x0000000000210000-0x000000000023E000-memory.dmp	family_plugx
behavioral1/memory/2036-81-0x00000000002E0000-0x000000000030E000-memory.dmp	family_plugx
behavioral1/memory/2036-82-0x00000000002E0000-0x000000000030E000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 2 IoCs

Processes:

NvDev.exeNvDev.exe

pid process

772 NvDev.exe
1312 NvDev.exe
Deletes itself 1 IoCs

Processes:

NvDev.exe

pid process

772 NvDev.exe

pid	process
772	NvDev.exe
1312	NvDev.exe

pid	process
772	NvDev.exe

Loads dropped DLL 4 IoCs

Processes:

55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74.exeNvDev.exeNvDev.exe

pid	process
1944	55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74.exe
1944	55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74.exe
772	NvDev.exe
1312	NvDev.exe

Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe

Modifies data under HKEY_USERS 33 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-ce-9e-63-75-3b	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-ce-9e-63-75-3b\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{77A4ED42-702E-4B58-9BE0-6C0B169007DF}\WpadDecisionTime = e038143c550cd901	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{77A4ED42-702E-4B58-9BE0-6C0B169007DF}\WpadNetworkName = "Network 2"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{77A4ED42-702E-4B58-9BE0-6C0B169007DF}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{77A4ED42-702E-4B58-9BE0-6C0B169007DF}\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{77A4ED42-702E-4B58-9BE0-6C0B169007DF}\5a-ce-9e-63-75-3b	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-ce-9e-63-75-3b\WpadDecisionTime = e038143c550cd901	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{77A4ED42-702E-4B58-9BE0-6C0B169007DF}\WpadDecision = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-ce-9e-63-75-3b\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0044000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 46003100440032003200350044003800330046004400420032004200330031000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

NvDev.exesvchost.exemsiexec.exe

pid	process
1312	NvDev.exe
872	svchost.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
872	svchost.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
872	svchost.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
872	svchost.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
872	svchost.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
872	svchost.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
872	svchost.exe
872	svchost.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
872	svchost.exe
872	svchost.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
872	svchost.exe
872	svchost.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
872	svchost.exe
872	svchost.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe
2036	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

NvDev.exeNvDev.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	772	NvDev.exe
Token: SeTcbPrivilege	772	NvDev.exe
Token: SeDebugPrivilege	1312	NvDev.exe
Token: SeTcbPrivilege	1312	NvDev.exe
Token: SeDebugPrivilege	872	svchost.exe
Token: SeTcbPrivilege	872	svchost.exe
Token: SeDebugPrivilege	2036	msiexec.exe
Token: SeTcbPrivilege	2036	msiexec.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74.exeNvDev.exesvchost.exe

description	pid	process	target process
PID 1944 wrote to memory of 772	1944	55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74.exe	NvDev.exe
PID 1944 wrote to memory of 772	1944	55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74.exe	NvDev.exe
PID 1944 wrote to memory of 772	1944	55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74.exe	NvDev.exe
PID 1944 wrote to memory of 772	1944	55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74.exe	NvDev.exe
PID 1312 wrote to memory of 872	1312	NvDev.exe	svchost.exe
PID 1312 wrote to memory of 872	1312	NvDev.exe	svchost.exe
PID 1312 wrote to memory of 872	1312	NvDev.exe	svchost.exe
PID 1312 wrote to memory of 872	1312	NvDev.exe	svchost.exe
PID 1312 wrote to memory of 872	1312	NvDev.exe	svchost.exe
PID 1312 wrote to memory of 872	1312	NvDev.exe	svchost.exe
PID 1312 wrote to memory of 872	1312	NvDev.exe	svchost.exe
PID 1312 wrote to memory of 872	1312	NvDev.exe	svchost.exe
PID 1312 wrote to memory of 872	1312	NvDev.exe	svchost.exe
PID 872 wrote to memory of 2036	872	svchost.exe	msiexec.exe
PID 872 wrote to memory of 2036	872	svchost.exe	msiexec.exe
PID 872 wrote to memory of 2036	872	svchost.exe	msiexec.exe
PID 872 wrote to memory of 2036	872	svchost.exe	msiexec.exe
PID 872 wrote to memory of 2036	872	svchost.exe	msiexec.exe
PID 872 wrote to memory of 2036	872	svchost.exe	msiexec.exe
PID 872 wrote to memory of 2036	872	svchost.exe	msiexec.exe
PID 872 wrote to memory of 2036	872	svchost.exe	msiexec.exe
PID 872 wrote to memory of 2036	872	svchost.exe	msiexec.exe
PID 872 wrote to memory of 2036	872	svchost.exe	msiexec.exe
PID 872 wrote to memory of 2036	872	svchost.exe	msiexec.exe
PID 872 wrote to memory of 2036	872	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74.exe
"C:\Users\Admin\AppData\Local\Temp\55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944
- C:\ProgramData\NvDev\NvDev.exe
  "C:\ProgramData\NvDev\NvDev.exe" 100 1944
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:772

C:\ProgramData\NvDev\NvDev.exe
"C:\ProgramData\NvDev\NvDev.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 872
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NvDev\BOOT.LDR

Filesize
115KB

MD5
25b9fc5e15ab8c54fd270aa8892b3c21

SHA1
bda1c7150ad07182e4d28afd8ae04805f028dbad

SHA256
7ce86b8fa32a1cc8b65809f44082103c0a7ddd6c907e1f656765bb7017cfebbd

SHA512
0030853559bd4c042845b5fe4257554e9a618541ebaca490f7d84cd3eab1733e254cbe0cb680b63656de41d954e7166f274cfdda39da40a9edca49ed52ca14b6

Download Submit
C:\ProgramData\NvDev\NvDev.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\NvDev\NvDev.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\NvDev\NvSmartMax.dll

Filesize
4KB

MD5
e13dcbc20c249469f7dd02d8e625c4a6

SHA1
7f24d493766c26a19fa7da35a5de103ff89e40b9

SHA256
c1bda0bf4e99c31bde29c815c7419f4ed53b2f7049c3dbfeeebc7ac681454397

SHA512
5de3eee58396f8ac7c494891165a8174622c141c24c8b42cd4f05883b57e22b4a9facd46450f3fb5abba435f0cf8af4fb9faf5b319222f325c487393190b373b

Download Submit
C:\ProgramData\bug.log

Filesize
376B

MD5
3da98ee29f7f70546e9d0a47093c9285

SHA1
517f3bdd8b912485fcd3e334daed85f795b2b4e4

SHA256
adbed81c6bc100b86dfa925a425fbf39096353141b562f54a056385d0a5347c5

SHA512
3dbe62d9c4e371f4b99276127cc70f86bf699c4c505c79192ddd141c9435a921900afcd51765f5dd5e7437c8f92640bf3dbc4c5bd66208dcc1e4e784c4366e52

Download Submit
\ProgramData\NvDev\NvDev.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
\ProgramData\NvDev\NvDev.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
\ProgramData\NvDev\NvSmartMax.dll

Filesize
4KB

MD5
e13dcbc20c249469f7dd02d8e625c4a6

SHA1
7f24d493766c26a19fa7da35a5de103ff89e40b9

SHA256
c1bda0bf4e99c31bde29c815c7419f4ed53b2f7049c3dbfeeebc7ac681454397

SHA512
5de3eee58396f8ac7c494891165a8174622c141c24c8b42cd4f05883b57e22b4a9facd46450f3fb5abba435f0cf8af4fb9faf5b319222f325c487393190b373b

Download Submit
\ProgramData\NvDev\NvSmartMax.dll

Filesize
4KB

MD5
e13dcbc20c249469f7dd02d8e625c4a6

SHA1
7f24d493766c26a19fa7da35a5de103ff89e40b9

SHA256
c1bda0bf4e99c31bde29c815c7419f4ed53b2f7049c3dbfeeebc7ac681454397

SHA512
5de3eee58396f8ac7c494891165a8174622c141c24c8b42cd4f05883b57e22b4a9facd46450f3fb5abba435f0cf8af4fb9faf5b319222f325c487393190b373b

Download Submit
memory/772-61-0x0000000001B60000-0x0000000001C60000-memory.dmp

Filesize
1024KB

Download
memory/772-62-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/772-63-0x0000000001C90000-0x0000000001CBE000-memory.dmp

Filesize
184KB

Download
memory/772-56-0x0000000000000000-mapping.dmp

Download
memory/772-75-0x0000000001C90000-0x0000000001CBE000-memory.dmp

Filesize
184KB

Download
memory/872-68-0x00000000000E0000-0x00000000000FC000-memory.dmp

Filesize
112KB

Download
memory/872-74-0x0000000000210000-0x000000000023E000-memory.dmp

Filesize
184KB

Download
memory/872-70-0x0000000000000000-mapping.dmp

Download
memory/872-76-0x0000000000210000-0x000000000023E000-memory.dmp

Filesize
184KB

Download
memory/1312-72-0x0000000000290000-0x00000000002BE000-memory.dmp

Filesize
184KB

Download
memory/2036-79-0x0000000000000000-mapping.dmp

Download
memory/2036-81-0x00000000002E0000-0x000000000030E000-memory.dmp

Filesize
184KB

Download
memory/2036-82-0x00000000002E0000-0x000000000030E000-memory.dmp

Filesize
184KB

Download