plugx | 721ff308a706259c674adbd7c1606f5d5636674dc372ab739f1224e0be06184a

Analysis

max time kernel
1799s
max time network
1798s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-02-2023 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

t/Smadav.exe
Size

77KB
MD5

b830cd1b49bd31bcdb6192c20cf0b141
SHA1

b9629fdd735956772e9a3ceedcdb829bba6f8a43
SHA256

21d34a02ec28e9bd6f7b2f96ac7921f5ef08d291416b38a3fc8cf651f11fc820
SHA512

0ffef5b2681e57d3586b878bbf174a667423cd30e75a7f4ef60910922b2f9e3e02af309a7c3f15b70a42b747445513df43ce651dcb85bec7b94bfed6a7704ccd
SSDEEP

1536:NF81hiRzGLSNegJYJoUP8MXTi9Xtr835XoR66E:NFsGGLalYJoDDx835XoRe

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 4 IoCs

resource	yara_rule
behavioral8/memory/2400-132-0x0000000002250000-0x0000000003250000-memory.dmp	family_plugx
behavioral8/memory/4480-139-0x0000000000E30000-0x0000000001E30000-memory.dmp	family_plugx
behavioral8/memory/4960-141-0x00000000016F0000-0x0000000007733000-memory.dmp	family_plugx
behavioral8/memory/3444-143-0x0000000001680000-0x00000000076C3000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 1 IoCs

pid	Process
4480	Smadav.exe

Loads dropped DLL 1 IoCs

pid	Process
4480	Smadav.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Smadavs	Smadav.exe
File opened for modification	C:\Program Files (x86)\Smadavs\SmadHook32.dll	Smadav.exe
File created	C:\Program Files (x86)\Smadavs\SmadHook32.dll	Smadav.exe
File opened for modification	C:\Program Files (x86)\Smadavs\Smadav.dat	Smadav.exe
File created	C:\Program Files (x86)\Smadavs\Smadav.dat	Smadav.exe
File opened for modification	C:\Program Files (x86)\Smadavs\Smadav.exe	Smadav.exe
File created	C:\Program Files (x86)\Smadavs\Smadav.exe	Smadav.exe

Modifies registry class 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\KET.FAST\CLSID = 38003800390030003000370033003200440031004500450046004600370043000000	svchost.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\KET.FAST	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4960	svchost.exe
4960	svchost.exe
4960	svchost.exe
4960	svchost.exe
4960	svchost.exe
4960	svchost.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
4960	svchost.exe
4960	svchost.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
4960	svchost.exe
4960	svchost.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
4960	svchost.exe
4960	svchost.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
4960	svchost.exe
4960	svchost.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
3444	userinit.exe
4960	svchost.exe
4960	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4960	svchost.exe
3444	userinit.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	Smadav.exe
Token: SeTcbPrivilege	2400	Smadav.exe
Token: SeDebugPrivilege	4480	Smadav.exe
Token: SeTcbPrivilege	4480	Smadav.exe
Token: SeDebugPrivilege	4960	svchost.exe
Token: SeTcbPrivilege	4960	svchost.exe
Token: SeDebugPrivilege	3444	userinit.exe
Token: SeTcbPrivilege	3444	userinit.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 4960	4480	Smadav.exe	83
PID 4480 wrote to memory of 4960	4480	Smadav.exe	83
PID 4480 wrote to memory of 4960	4480	Smadav.exe	83
PID 4480 wrote to memory of 4960	4480	Smadav.exe	83
PID 4480 wrote to memory of 4960	4480	Smadav.exe	83
PID 4480 wrote to memory of 4960	4480	Smadav.exe	83
PID 4480 wrote to memory of 4960	4480	Smadav.exe	83
PID 4960 wrote to memory of 3444	4960	svchost.exe	84
PID 4960 wrote to memory of 3444	4960	svchost.exe	84
PID 4960 wrote to memory of 3444	4960	svchost.exe	84
PID 4960 wrote to memory of 3444	4960	svchost.exe	84
PID 4960 wrote to memory of 3444	4960	svchost.exe	84
PID 4960 wrote to memory of 3444	4960	svchost.exe	84
PID 4960 wrote to memory of 3444	4960	svchost.exe	84

C:\Users\Admin\AppData\Local\Temp\t\Smadav.exe
"C:\Users\Admin\AppData\Local\Temp\t\Smadav.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Program Files (x86)\Smadavs\Smadav.exe
"C:\Program Files (x86)\Smadavs\Smadav.exe" 600 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 601 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\SysWOW64\userinit.exe
    C:\Windows\system32\userinit.exe 609 4960
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Smadavs\SmadHook32.dll

Filesize
70KB

MD5
e1ed9b48016d43398cdf62a61c9b113d

SHA1
b8e7183fba57ca867393ea4edf62fe60d1549c94

SHA256
2e0b20fd34c70ec0566cb6e0852520fbab9452e3cb7aad8299ae841ac71733cf

SHA512
4b5fd58c0d6a59d710d80f0bec216ba19d9e52c1516d799a991995bd7a9f6e45667f924ef7b7320773881d521a1059bb8a2686e1324ed8083c10ca68e1f48714

Download Submit
C:\Program Files (x86)\Smadavs\SmadHook32.dll

Filesize
70KB

MD5
e1ed9b48016d43398cdf62a61c9b113d

SHA1
b8e7183fba57ca867393ea4edf62fe60d1549c94

SHA256
2e0b20fd34c70ec0566cb6e0852520fbab9452e3cb7aad8299ae841ac71733cf

SHA512
4b5fd58c0d6a59d710d80f0bec216ba19d9e52c1516d799a991995bd7a9f6e45667f924ef7b7320773881d521a1059bb8a2686e1324ed8083c10ca68e1f48714

Download Submit
C:\Program Files (x86)\Smadavs\Smadav.dat

Filesize
153KB

MD5
98f963bae9fd59ab4d50d9e275471ec6

SHA1
95c7b1eda105bf690cce854b53b9a308f82fc525

SHA256
a59724904c4bf6bfbf182e0235ede0109b65649b5d9f95acdb627610820eba37

SHA512
da3311197834a90cebc3d25dd1056717ca7c7d68e30328280b091fdfa2a41598fd3f09854a15c5d0cec939f21b044bab96c8ea28ba53e6c280c945fb31c892ab

Download Submit
C:\Program Files (x86)\Smadavs\Smadav.exe

Filesize
77KB

MD5
b830cd1b49bd31bcdb6192c20cf0b141

SHA1
b9629fdd735956772e9a3ceedcdb829bba6f8a43

SHA256
21d34a02ec28e9bd6f7b2f96ac7921f5ef08d291416b38a3fc8cf651f11fc820

SHA512
0ffef5b2681e57d3586b878bbf174a667423cd30e75a7f4ef60910922b2f9e3e02af309a7c3f15b70a42b747445513df43ce651dcb85bec7b94bfed6a7704ccd

Download Submit
C:\Program Files (x86)\Smadavs\Smadav.exe

Filesize
77KB

MD5
b830cd1b49bd31bcdb6192c20cf0b141

SHA1
b9629fdd735956772e9a3ceedcdb829bba6f8a43

SHA256
21d34a02ec28e9bd6f7b2f96ac7921f5ef08d291416b38a3fc8cf651f11fc820

SHA512
0ffef5b2681e57d3586b878bbf174a667423cd30e75a7f4ef60910922b2f9e3e02af309a7c3f15b70a42b747445513df43ce651dcb85bec7b94bfed6a7704ccd

Download Submit
memory/2400-133-0x00000000004A0000-0x00000000004C7000-memory.dmp

Filesize
156KB

Download
memory/2400-132-0x0000000002250000-0x0000000003250000-memory.dmp

Filesize
16.0MB

Download
memory/3444-143-0x0000000001680000-0x00000000076C3000-memory.dmp

Filesize
96.3MB

Download
memory/4480-139-0x0000000000E30000-0x0000000001E30000-memory.dmp

Filesize
16.0MB

Download
memory/4960-141-0x00000000016F0000-0x0000000007733000-memory.dmp

Filesize
96.3MB

Download