plugx | 721ff308a706259c674adbd7c1606f5d5636674dc372ab739f1224e0be06184a

Analysis

max time kernel
1801s
max time network
1797s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
15-02-2023 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

t/Smadav.exe
Size

77KB
MD5

b830cd1b49bd31bcdb6192c20cf0b141
SHA1

b9629fdd735956772e9a3ceedcdb829bba6f8a43
SHA256

21d34a02ec28e9bd6f7b2f96ac7921f5ef08d291416b38a3fc8cf651f11fc820
SHA512

0ffef5b2681e57d3586b878bbf174a667423cd30e75a7f4ef60910922b2f9e3e02af309a7c3f15b70a42b747445513df43ce651dcb85bec7b94bfed6a7704ccd
SSDEEP

1536:NF81hiRzGLSNegJYJoUP8MXTi9Xtr835XoR66E:NFsGGLalYJoDDx835XoRe

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 4 IoCs

resource	yara_rule
behavioral7/memory/2012-54-0x0000000001D90000-0x0000000002D90000-memory.dmp	family_plugx
behavioral7/memory/1956-61-0x0000000001D90000-0x0000000002D90000-memory.dmp	family_plugx
behavioral7/memory/1520-66-0x0000000000850000-0x0000000006893000-memory.dmp	family_plugx
behavioral7/memory/1760-72-0x0000000002000000-0x0000000008043000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 1 IoCs

pid	Process
1956	Smadav.exe

Loads dropped DLL 1 IoCs

pid	Process
1956	Smadav.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Smadavs\Smadav.exe	Smadav.exe
File created	C:\Program Files (x86)\Smadavs\Smadav.exe	Smadav.exe
File opened for modification	C:\Program Files (x86)\Smadavs	Smadav.exe
File opened for modification	C:\Program Files (x86)\Smadavs\SmadHook32.dll	Smadav.exe
File created	C:\Program Files (x86)\Smadavs\SmadHook32.dll	Smadav.exe
File opened for modification	C:\Program Files (x86)\Smadavs\Smadav.dat	Smadav.exe
File created	C:\Program Files (x86)\Smadavs\Smadav.dat	Smadav.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{705ECD17-ED2C-4A37-B767-AF7C143CAE4F}\WpadDecisionTime = 20cea5ec4e41d901	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-cb-2a-ff-64-c6\WpadDetectedUrl	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-cb-2a-ff-64-c6\WpadDecisionTime = a0445e2e4f41d901	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-cb-2a-ff-64-c6\WpadDecisionTime = 20cde88b4f41d901	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-cb-2a-ff-64-c6\WpadDecisionTime = 20cea5ec4e41d901	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{705ECD17-ED2C-4A37-B767-AF7C143CAE4F}\WpadDecisionTime = c0cf5e7f5241d901	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{705ECD17-ED2C-4A37-B767-AF7C143CAE4F}\WpadDecisionTime = 802c71ca5041d901	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-cb-2a-ff-64-c6\WpadDecisionTime = c07de1a95141d901	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{705ECD17-ED2C-4A37-B767-AF7C143CAE4F}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-cb-2a-ff-64-c6	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-cb-2a-ff-64-c6\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{705ECD17-ED2C-4A37-B767-AF7C143CAE4F}\WpadDecisionTime = a0445e2e4f41d901	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-cb-2a-ff-64-c6\WpadDecisionTime = 802c71ca5041d901	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-cb-2a-ff-64-c6\WpadDecisionTime = 40123c685141d901	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-cb-2a-ff-64-c6\WpadDecisionTime = c0cf5e7f5241d901	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{705ECD17-ED2C-4A37-B767-AF7C143CAE4F}\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{705ECD17-ED2C-4A37-B767-AF7C143CAE4F}\WpadDecisionTime = 40123c685141d901	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{705ECD17-ED2C-4A37-B767-AF7C143CAE4F}\WpadDecisionTime = c07de1a95141d901	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-cb-2a-ff-64-c6\WpadDecisionTime = a0e03f085241d901	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{705ECD17-ED2C-4A37-B767-AF7C143CAE4F}\WpadNetworkName = "Network 2"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-cb-2a-ff-64-c6\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{705ECD17-ED2C-4A37-B767-AF7C143CAE4F}\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{705ECD17-ED2C-4A37-B767-AF7C143CAE4F}\WpadDecisionTime = 20abf22a5041d901	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{705ECD17-ED2C-4A37-B767-AF7C143CAE4F}\WpadDecisionTime = c0acfed65041d901	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{705ECD17-ED2C-4A37-B767-AF7C143CAE4F}\2e-cb-2a-ff-64-c6	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{705ECD17-ED2C-4A37-B767-AF7C143CAE4F}\WpadDecisionTime = 20cde88b4f41d901	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-cb-2a-ff-64-c6\WpadDecisionTime = 20abf22a5041d901	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-cb-2a-ff-64-c6\WpadDecisionTime = c0acfed65041d901	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{705ECD17-ED2C-4A37-B767-AF7C143CAE4F}\WpadDecisionTime = a0e03f085241d901	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\KET.FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\KET.FAST\CLSID = 42004500320039003400300033003700350031003900330034003900420043000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1520	svchost.exe
1520	svchost.exe
1520	svchost.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1520	svchost.exe
1520	svchost.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1520	svchost.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1520	svchost.exe
1520	svchost.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1520	svchost.exe
1520	svchost.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1520	svchost.exe
1520	svchost.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1520	svchost.exe
1520	svchost.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe
1520	svchost.exe
1520	svchost.exe
1760	userinit.exe
1760	userinit.exe
1760	userinit.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1760	userinit.exe
1520	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	Smadav.exe
Token: SeTcbPrivilege	2012	Smadav.exe
Token: SeDebugPrivilege	1956	Smadav.exe
Token: SeTcbPrivilege	1956	Smadav.exe
Token: SeDebugPrivilege	1520	svchost.exe
Token: SeTcbPrivilege	1520	svchost.exe
Token: SeDebugPrivilege	1760	userinit.exe
Token: SeTcbPrivilege	1760	userinit.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1520	1956	Smadav.exe	29
PID 1956 wrote to memory of 1520	1956	Smadav.exe	29
PID 1956 wrote to memory of 1520	1956	Smadav.exe	29
PID 1956 wrote to memory of 1520	1956	Smadav.exe	29
PID 1956 wrote to memory of 1520	1956	Smadav.exe	29
PID 1956 wrote to memory of 1520	1956	Smadav.exe	29
PID 1956 wrote to memory of 1520	1956	Smadav.exe	29
PID 1956 wrote to memory of 1520	1956	Smadav.exe	29
PID 1520 wrote to memory of 1760	1520	svchost.exe	30
PID 1520 wrote to memory of 1760	1520	svchost.exe	30
PID 1520 wrote to memory of 1760	1520	svchost.exe	30
PID 1520 wrote to memory of 1760	1520	svchost.exe	30
PID 1520 wrote to memory of 1760	1520	svchost.exe	30
PID 1520 wrote to memory of 1760	1520	svchost.exe	30
PID 1520 wrote to memory of 1760	1520	svchost.exe	30
PID 1520 wrote to memory of 1760	1520	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\t\Smadav.exe
"C:\Users\Admin\AppData\Local\Temp\t\Smadav.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Program Files (x86)\Smadavs\Smadav.exe
"C:\Program Files (x86)\Smadavs\Smadav.exe" 600 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 601 0
  2⤵
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\SysWOW64\userinit.exe
    C:\Windows\system32\userinit.exe 609 1520
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Smadavs\SmadHook32.dll

Filesize
70KB

MD5
e1ed9b48016d43398cdf62a61c9b113d

SHA1
b8e7183fba57ca867393ea4edf62fe60d1549c94

SHA256
2e0b20fd34c70ec0566cb6e0852520fbab9452e3cb7aad8299ae841ac71733cf

SHA512
4b5fd58c0d6a59d710d80f0bec216ba19d9e52c1516d799a991995bd7a9f6e45667f924ef7b7320773881d521a1059bb8a2686e1324ed8083c10ca68e1f48714

Download Submit
C:\Program Files (x86)\Smadavs\Smadav.dat

Filesize
153KB

MD5
98f963bae9fd59ab4d50d9e275471ec6

SHA1
95c7b1eda105bf690cce854b53b9a308f82fc525

SHA256
a59724904c4bf6bfbf182e0235ede0109b65649b5d9f95acdb627610820eba37

SHA512
da3311197834a90cebc3d25dd1056717ca7c7d68e30328280b091fdfa2a41598fd3f09854a15c5d0cec939f21b044bab96c8ea28ba53e6c280c945fb31c892ab

Download Submit
C:\Program Files (x86)\Smadavs\Smadav.exe

Filesize
77KB

MD5
b830cd1b49bd31bcdb6192c20cf0b141

SHA1
b9629fdd735956772e9a3ceedcdb829bba6f8a43

SHA256
21d34a02ec28e9bd6f7b2f96ac7921f5ef08d291416b38a3fc8cf651f11fc820

SHA512
0ffef5b2681e57d3586b878bbf174a667423cd30e75a7f4ef60910922b2f9e3e02af309a7c3f15b70a42b747445513df43ce651dcb85bec7b94bfed6a7704ccd

Download Submit
\Program Files (x86)\Smadavs\SmadHook32.dll

Filesize
70KB

MD5
e1ed9b48016d43398cdf62a61c9b113d

SHA1
b8e7183fba57ca867393ea4edf62fe60d1549c94

SHA256
2e0b20fd34c70ec0566cb6e0852520fbab9452e3cb7aad8299ae841ac71733cf

SHA512
4b5fd58c0d6a59d710d80f0bec216ba19d9e52c1516d799a991995bd7a9f6e45667f924ef7b7320773881d521a1059bb8a2686e1324ed8083c10ca68e1f48714

Download Submit
memory/1520-63-0x00000000000A0000-0x00000000000C4000-memory.dmp

Filesize
144KB

Download
memory/1520-66-0x0000000000850000-0x0000000006893000-memory.dmp

Filesize
96.3MB

Download
memory/1520-67-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/1760-72-0x0000000002000000-0x0000000008043000-memory.dmp

Filesize
96.3MB

Download
memory/1956-61-0x0000000001D90000-0x0000000002D90000-memory.dmp

Filesize
16.0MB

Download
memory/2012-56-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/2012-55-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download
memory/2012-54-0x0000000001D90000-0x0000000002D90000-memory.dmp

Filesize
16.0MB

Download