plugx | 721ff308a706259c674adbd7c1606f5d5636674dc372ab739f1224e0be06184a

Analysis

max time kernel
299s
max time network
294s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
15-02-2023 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

t/Smadav.exe
Size

77KB
MD5

b830cd1b49bd31bcdb6192c20cf0b141
SHA1

b9629fdd735956772e9a3ceedcdb829bba6f8a43
SHA256

21d34a02ec28e9bd6f7b2f96ac7921f5ef08d291416b38a3fc8cf651f11fc820
SHA512

0ffef5b2681e57d3586b878bbf174a667423cd30e75a7f4ef60910922b2f9e3e02af309a7c3f15b70a42b747445513df43ce651dcb85bec7b94bfed6a7704ccd
SSDEEP

1536:NF81hiRzGLSNegJYJoUP8MXTi9Xtr835XoR66E:NFsGGLalYJoDDx835XoRe

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4976-141-0x0000000002240000-0x0000000003240000-memory.dmp	family_plugx
behavioral3/memory/1544-181-0x0000000000EE0000-0x0000000001EE0000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 1 IoCs

Processes:

Smadav.exe

pid process

1544 Smadav.exe
Loads dropped DLL 1 IoCs

Processes:

Smadav.exe

pid process

1544 Smadav.exe

pid	process
1544	Smadav.exe

pid	process
1544	Smadav.exe

Drops file in System32 directory 5 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	svchost.exe

Drops file in Program Files directory 7 IoCs

Processes:

Smadav.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Smadavs\Smadav.dat	Smadav.exe
File created	C:\Program Files (x86)\Smadavs\Smadav.dat	Smadav.exe
File opened for modification	C:\Program Files (x86)\Smadavs\Smadav.exe	Smadav.exe
File created	C:\Program Files (x86)\Smadavs\Smadav.exe	Smadav.exe
File opened for modification	C:\Program Files (x86)\Smadavs	Smadav.exe
File opened for modification	C:\Program Files (x86)\Smadavs\SmadHook32.dll	Smadav.exe
File created	C:\Program Files (x86)\Smadavs\SmadHook32.dll	Smadav.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\KET.FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\KET.FAST\CLSID = 44003100310035003600390030004100320035003500370042004600380041000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exeuserinit.exe

pid	process
4992	svchost.exe
4992	svchost.exe
4992	svchost.exe
4992	svchost.exe
4992	svchost.exe
4992	svchost.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4992	svchost.exe
4992	svchost.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4992	svchost.exe
4992	svchost.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4992	svchost.exe
4992	svchost.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4992	svchost.exe
4992	svchost.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe
4488	userinit.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exeuserinit.exe

pid process

4992 svchost.exe
4488 userinit.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Smadav.exeSmadav.exesvchost.exeuserinit.exe

description	pid	process
Token: SeDebugPrivilege	4976	Smadav.exe
Token: SeTcbPrivilege	4976	Smadav.exe
Token: SeDebugPrivilege	1544	Smadav.exe
Token: SeTcbPrivilege	1544	Smadav.exe
Token: SeDebugPrivilege	4992	svchost.exe
Token: SeTcbPrivilege	4992	svchost.exe
Token: SeDebugPrivilege	4488	userinit.exe
Token: SeTcbPrivilege	4488	userinit.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Smadav.exesvchost.exe

description	pid	process	target process
PID 1544 wrote to memory of 4992	1544	Smadav.exe	svchost.exe
PID 1544 wrote to memory of 4992	1544	Smadav.exe	svchost.exe
PID 1544 wrote to memory of 4992	1544	Smadav.exe	svchost.exe
PID 1544 wrote to memory of 4992	1544	Smadav.exe	svchost.exe
PID 1544 wrote to memory of 4992	1544	Smadav.exe	svchost.exe
PID 1544 wrote to memory of 4992	1544	Smadav.exe	svchost.exe
PID 1544 wrote to memory of 4992	1544	Smadav.exe	svchost.exe
PID 4992 wrote to memory of 4488	4992	svchost.exe	userinit.exe
PID 4992 wrote to memory of 4488	4992	svchost.exe	userinit.exe
PID 4992 wrote to memory of 4488	4992	svchost.exe	userinit.exe
PID 4992 wrote to memory of 4488	4992	svchost.exe	userinit.exe
PID 4992 wrote to memory of 4488	4992	svchost.exe	userinit.exe
PID 4992 wrote to memory of 4488	4992	svchost.exe	userinit.exe
PID 4992 wrote to memory of 4488	4992	svchost.exe	userinit.exe

C:\Users\Admin\AppData\Local\Temp\t\Smadav.exe
"C:\Users\Admin\AppData\Local\Temp\t\Smadav.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Program Files (x86)\Smadavs\Smadav.exe
"C:\Program Files (x86)\Smadavs\Smadav.exe" 600 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 601 0
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\SysWOW64\userinit.exe
    C:\Windows\system32\userinit.exe 609 4992
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Smadavs\SmadHook32.dll

Filesize
70KB

MD5
e1ed9b48016d43398cdf62a61c9b113d

SHA1
b8e7183fba57ca867393ea4edf62fe60d1549c94

SHA256
2e0b20fd34c70ec0566cb6e0852520fbab9452e3cb7aad8299ae841ac71733cf

SHA512
4b5fd58c0d6a59d710d80f0bec216ba19d9e52c1516d799a991995bd7a9f6e45667f924ef7b7320773881d521a1059bb8a2686e1324ed8083c10ca68e1f48714

Download Submit
C:\Program Files (x86)\Smadavs\Smadav.dat

Filesize
153KB

MD5
98f963bae9fd59ab4d50d9e275471ec6

SHA1
95c7b1eda105bf690cce854b53b9a308f82fc525

SHA256
a59724904c4bf6bfbf182e0235ede0109b65649b5d9f95acdb627610820eba37

SHA512
da3311197834a90cebc3d25dd1056717ca7c7d68e30328280b091fdfa2a41598fd3f09854a15c5d0cec939f21b044bab96c8ea28ba53e6c280c945fb31c892ab

Download Submit
C:\Program Files (x86)\Smadavs\Smadav.exe

Filesize
77KB

MD5
b830cd1b49bd31bcdb6192c20cf0b141

SHA1
b9629fdd735956772e9a3ceedcdb829bba6f8a43

SHA256
21d34a02ec28e9bd6f7b2f96ac7921f5ef08d291416b38a3fc8cf651f11fc820

SHA512
0ffef5b2681e57d3586b878bbf174a667423cd30e75a7f4ef60910922b2f9e3e02af309a7c3f15b70a42b747445513df43ce651dcb85bec7b94bfed6a7704ccd

Download Submit
C:\Program Files (x86)\Smadavs\Smadav.exe

Filesize
77KB

MD5
b830cd1b49bd31bcdb6192c20cf0b141

SHA1
b9629fdd735956772e9a3ceedcdb829bba6f8a43

SHA256
21d34a02ec28e9bd6f7b2f96ac7921f5ef08d291416b38a3fc8cf651f11fc820

SHA512
0ffef5b2681e57d3586b878bbf174a667423cd30e75a7f4ef60910922b2f9e3e02af309a7c3f15b70a42b747445513df43ce651dcb85bec7b94bfed6a7704ccd

Download Submit
\Program Files (x86)\Smadavs\SmadHook32.dll

Filesize
70KB

MD5
e1ed9b48016d43398cdf62a61c9b113d

SHA1
b8e7183fba57ca867393ea4edf62fe60d1549c94

SHA256
2e0b20fd34c70ec0566cb6e0852520fbab9452e3cb7aad8299ae841ac71733cf

SHA512
4b5fd58c0d6a59d710d80f0bec216ba19d9e52c1516d799a991995bd7a9f6e45667f924ef7b7320773881d521a1059bb8a2686e1324ed8083c10ca68e1f48714

Download Submit
memory/1544-153-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-174-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-157-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-184-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-185-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-183-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-182-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-181-0x0000000000EE0000-0x0000000001EE0000-memory.dmp

Filesize
16.0MB

Download
memory/1544-180-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-179-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-178-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-177-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-176-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-155-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-175-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-156-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-173-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-154-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-172-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-170-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-167-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-159-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-163-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-166-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-165-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-164-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-162-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-161-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1544-158-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4488-234-0x0000000000000000-mapping.dmp

Download
memory/4976-134-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-118-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-128-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-122-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-138-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-151-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-150-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-149-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-148-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-147-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-120-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-146-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-145-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-144-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-143-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-141-0x0000000002240000-0x0000000003240000-memory.dmp

Filesize
16.0MB

Download
memory/4976-142-0x0000000000530000-0x0000000000557000-memory.dmp

Filesize
156KB

Download
memory/4976-119-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-140-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-121-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-117-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-139-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-137-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-136-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-135-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-133-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-132-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-131-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-129-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-130-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-116-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-127-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-126-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-125-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-124-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4976-123-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4992-191-0x0000000000000000-mapping.dmp

Download