plugx | 55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74.exe
Size

243KB
MD5

c5684320e55824d99f009382dd0804df
SHA1

cd336b57d677db8fa60af8b6550e077efa7bb0fa
SHA256

55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74
SHA512

30925165742752137f0716d73bee5c0047456d4be269da74ff4b1e89b0edcd4b7a89d818bc8e4ec11b19c61ec2abc62cd6bab4bb7358caf2772f55a702a6020e
SSDEEP

6144:pLRA0S1lHhJNuTwU9l0OrDvxYDTdw4myOKNGVFp:p20S1XtqDZYDT9mjoGV

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 7 IoCs

resource	yara_rule
behavioral2/memory/852-139-0x0000000002170000-0x000000000219E000-memory.dmp	family_plugx
behavioral2/memory/1196-144-0x0000000000E30000-0x0000000000E5E000-memory.dmp	family_plugx
behavioral2/memory/4340-146-0x0000000001600000-0x000000000162E000-memory.dmp	family_plugx
behavioral2/memory/852-147-0x0000000002170000-0x000000000219E000-memory.dmp	family_plugx
behavioral2/memory/1376-149-0x0000000001010000-0x000000000103E000-memory.dmp	family_plugx
behavioral2/memory/4340-150-0x0000000001600000-0x000000000162E000-memory.dmp	family_plugx
behavioral2/memory/1376-151-0x0000000001010000-0x000000000103E000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
852	NvDev.exe
1196	NvDev.exe

Loads dropped DLL 2 IoCs

pid	Process
852	NvDev.exe
1196	NvDev.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38004100420041004600370034003900370035004100380030004500310041000000	svchost.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1196	NvDev.exe
1196	NvDev.exe
4340	svchost.exe
4340	svchost.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
4340	svchost.exe
4340	svchost.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
4340	svchost.exe
4340	svchost.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
4340	svchost.exe
4340	svchost.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
4340	svchost.exe
4340	svchost.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
1376	msiexec.exe
4340	svchost.exe
4340	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4340	svchost.exe
1376	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	NvDev.exe
Token: SeTcbPrivilege	852	NvDev.exe
Token: SeDebugPrivilege	1196	NvDev.exe
Token: SeTcbPrivilege	1196	NvDev.exe
Token: SeDebugPrivilege	4340	svchost.exe
Token: SeTcbPrivilege	4340	svchost.exe
Token: SeDebugPrivilege	1376	msiexec.exe
Token: SeTcbPrivilege	1376	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 852	1508	55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74.exe	81
PID 1508 wrote to memory of 852	1508	55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74.exe	81
PID 1508 wrote to memory of 852	1508	55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74.exe	81
PID 1196 wrote to memory of 4340	1196	NvDev.exe	83
PID 1196 wrote to memory of 4340	1196	NvDev.exe	83
PID 1196 wrote to memory of 4340	1196	NvDev.exe	83
PID 1196 wrote to memory of 4340	1196	NvDev.exe	83
PID 1196 wrote to memory of 4340	1196	NvDev.exe	83
PID 1196 wrote to memory of 4340	1196	NvDev.exe	83
PID 1196 wrote to memory of 4340	1196	NvDev.exe	83
PID 1196 wrote to memory of 4340	1196	NvDev.exe	83
PID 4340 wrote to memory of 1376	4340	svchost.exe	84
PID 4340 wrote to memory of 1376	4340	svchost.exe	84
PID 4340 wrote to memory of 1376	4340	svchost.exe	84
PID 4340 wrote to memory of 1376	4340	svchost.exe	84
PID 4340 wrote to memory of 1376	4340	svchost.exe	84
PID 4340 wrote to memory of 1376	4340	svchost.exe	84
PID 4340 wrote to memory of 1376	4340	svchost.exe	84
PID 4340 wrote to memory of 1376	4340	svchost.exe	84

C:\Users\Admin\AppData\Local\Temp\55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74.exe
"C:\Users\Admin\AppData\Local\Temp\55bfe41ee6e3783d3df72f9b42a69583a8c2c59dac8d1af7d70da1657fe09d74.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1508
- C:\ProgramData\NvDev\NvDev.exe
  "C:\ProgramData\NvDev\NvDev.exe" 100 1508
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:852

C:\ProgramData\NvDev\NvDev.exe
"C:\ProgramData\NvDev\NvDev.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 4340
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NvDev\BOOT.LDR

Filesize
115KB

MD5
25b9fc5e15ab8c54fd270aa8892b3c21

SHA1
bda1c7150ad07182e4d28afd8ae04805f028dbad

SHA256
7ce86b8fa32a1cc8b65809f44082103c0a7ddd6c907e1f656765bb7017cfebbd

SHA512
0030853559bd4c042845b5fe4257554e9a618541ebaca490f7d84cd3eab1733e254cbe0cb680b63656de41d954e7166f274cfdda39da40a9edca49ed52ca14b6

Download Submit
C:\ProgramData\NvDev\NvDev.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\NvDev\NvDev.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\NvDev\NvDev.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\ProgramData\NvDev\NvSmartMax.dll

Filesize
4KB

MD5
e13dcbc20c249469f7dd02d8e625c4a6

SHA1
7f24d493766c26a19fa7da35a5de103ff89e40b9

SHA256
c1bda0bf4e99c31bde29c815c7419f4ed53b2f7049c3dbfeeebc7ac681454397

SHA512
5de3eee58396f8ac7c494891165a8174622c141c24c8b42cd4f05883b57e22b4a9facd46450f3fb5abba435f0cf8af4fb9faf5b319222f325c487393190b373b

Download Submit
C:\ProgramData\NvDev\NvSmartMax.dll

Filesize
4KB

MD5
e13dcbc20c249469f7dd02d8e625c4a6

SHA1
7f24d493766c26a19fa7da35a5de103ff89e40b9

SHA256
c1bda0bf4e99c31bde29c815c7419f4ed53b2f7049c3dbfeeebc7ac681454397

SHA512
5de3eee58396f8ac7c494891165a8174622c141c24c8b42cd4f05883b57e22b4a9facd46450f3fb5abba435f0cf8af4fb9faf5b319222f325c487393190b373b

Download Submit
C:\ProgramData\NvDev\NvSmartMax.dll

Filesize
4KB

MD5
e13dcbc20c249469f7dd02d8e625c4a6

SHA1
7f24d493766c26a19fa7da35a5de103ff89e40b9

SHA256
c1bda0bf4e99c31bde29c815c7419f4ed53b2f7049c3dbfeeebc7ac681454397

SHA512
5de3eee58396f8ac7c494891165a8174622c141c24c8b42cd4f05883b57e22b4a9facd46450f3fb5abba435f0cf8af4fb9faf5b319222f325c487393190b373b

Download Submit
C:\ProgramData\bug.log

Filesize
376B

MD5
12c6abc493fe91f88982bb82f1582849

SHA1
0c46ad71bb1582bc4b298667dc54b5ac4fb14a77

SHA256
beba31073d163b9da6d240f9470a4c6cb56e97a3c590f4ac3ec2b46adaa6147f

SHA512
4ff4c8b47f589b47d56273d65fada45b4881047cfed26849c2bdcbd25cee8253dbcf9a3a2cd31ba5310de48e7f73ea5c0e985c2930ec8108f3647996d9000566

Download Submit
memory/852-139-0x0000000002170000-0x000000000219E000-memory.dmp

Filesize
184KB

Download
memory/852-138-0x0000000002020000-0x0000000002120000-memory.dmp

Filesize
1024KB

Download
memory/852-147-0x0000000002170000-0x000000000219E000-memory.dmp

Filesize
184KB

Download
memory/1196-144-0x0000000000E30000-0x0000000000E5E000-memory.dmp

Filesize
184KB

Download
memory/1376-149-0x0000000001010000-0x000000000103E000-memory.dmp

Filesize
184KB

Download
memory/1376-151-0x0000000001010000-0x000000000103E000-memory.dmp

Filesize
184KB

Download
memory/4340-146-0x0000000001600000-0x000000000162E000-memory.dmp

Filesize
184KB

Download
memory/4340-150-0x0000000001600000-0x000000000162E000-memory.dmp

Filesize
184KB

Download