plugx | cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
23-09-2023 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exe
Size

2.3MB
MD5

607db7333b07c16b6ca619f20c11f9d1
SHA1

2af8308c1a06e5ee26578a759eb8a0b384751a15
SHA256

cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85
SHA512

75f914408fb03e8521935305a4befdaf00b84fe45b55a3f306964c950fc10843b38f3f53349d245097933daff72e56a5334f4fe22fc6669bc819462d51c9461d
SSDEEP

24576:LNzH/3FRzJR4o7nGhAkfvhoucd27nQNHL9mk39q8AwJRxrJEjk/MBhnhHSA8a6SM:pzvdR4QWAkf0rmjkShnhHSA8T

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 22 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1624-15-0x0000000000150000-0x000000000017D000-memory.dmp	family_plugx
behavioral1/memory/2748-35-0x00000000002B0000-0x00000000002DD000-memory.dmp	family_plugx
behavioral1/memory/2748-36-0x00000000002B0000-0x00000000002DD000-memory.dmp	family_plugx
behavioral1/memory/2252-40-0x0000000000450000-0x000000000047D000-memory.dmp	family_plugx
behavioral1/memory/2628-48-0x0000000000210000-0x000000000023D000-memory.dmp	family_plugx
behavioral1/memory/2252-51-0x0000000000450000-0x000000000047D000-memory.dmp	family_plugx
behavioral1/memory/2628-50-0x0000000000210000-0x000000000023D000-memory.dmp	family_plugx
behavioral1/memory/1624-55-0x0000000000150000-0x000000000017D000-memory.dmp	family_plugx
behavioral1/memory/2628-63-0x0000000000210000-0x000000000023D000-memory.dmp	family_plugx
behavioral1/memory/2628-64-0x0000000000210000-0x000000000023D000-memory.dmp	family_plugx
behavioral1/memory/2628-65-0x0000000000210000-0x000000000023D000-memory.dmp	family_plugx
behavioral1/memory/2628-66-0x0000000000210000-0x000000000023D000-memory.dmp	family_plugx
behavioral1/memory/2628-68-0x0000000000210000-0x000000000023D000-memory.dmp	family_plugx
behavioral1/memory/2628-71-0x0000000000210000-0x000000000023D000-memory.dmp	family_plugx
behavioral1/memory/2748-72-0x00000000002B0000-0x00000000002DD000-memory.dmp	family_plugx
behavioral1/memory/1152-83-0x0000000000150000-0x000000000017D000-memory.dmp	family_plugx
behavioral1/memory/1152-84-0x0000000000150000-0x000000000017D000-memory.dmp	family_plugx
behavioral1/memory/1152-86-0x0000000000150000-0x000000000017D000-memory.dmp	family_plugx
behavioral1/memory/1152-87-0x0000000000150000-0x000000000017D000-memory.dmp	family_plugx
behavioral1/memory/1152-88-0x0000000000150000-0x000000000017D000-memory.dmp	family_plugx
behavioral1/memory/2628-89-0x0000000000210000-0x000000000023D000-memory.dmp	family_plugx
behavioral1/memory/1152-90-0x0000000000150000-0x000000000017D000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Deletes itself 1 IoCs

Processes:

ASUA.exe

pid process

1624 ASUA.exe
Executes dropped EXE 3 IoCs

Processes:

ASUA.exeASUA.exeASUA.exe

pid process

1624 ASUA.exe
2748 ASUA.exe
2252 ASUA.exe
Loads dropped DLL 4 IoCs

Processes:

cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exeASUA.exeASUA.exeASUA.exe

pid process

2324 cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exe
1624 ASUA.exe
2748 ASUA.exe
2252 ASUA.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 34003800370038003600320046004100450046003800430030004200360043000000	svchost.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2628 svchost.exe
1152 svchost.exe

pid	process
2628	svchost.exe
1152	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ASUA.exeASUA.exesvchost.exesvchost.exe

pid	process
1624	ASUA.exe
1624	ASUA.exe
2748	ASUA.exe
2628	svchost.exe
2628	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
2628	svchost.exe
2628	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
2628	svchost.exe
2628	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
2628	svchost.exe
2628	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
2628	svchost.exe
2628	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
1152	svchost.exe
2628	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2628 svchost.exe
1152 svchost.exe

pid	process
2628	svchost.exe
1152	svchost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

ASUA.exeASUA.exeASUA.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1624	ASUA.exe
Token: SeTcbPrivilege	1624	ASUA.exe
Token: SeDebugPrivilege	2748	ASUA.exe
Token: SeTcbPrivilege	2748	ASUA.exe
Token: SeDebugPrivilege	2252	ASUA.exe
Token: SeTcbPrivilege	2252	ASUA.exe
Token: SeDebugPrivilege	2628	svchost.exe
Token: SeTcbPrivilege	2628	svchost.exe
Token: SeDebugPrivilege	1152	svchost.exe
Token: SeTcbPrivilege	1152	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exe

pid	process
2324	cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exe
2324	cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exeASUA.exesvchost.exe

description	pid	process	target process
PID 2324 wrote to memory of 1624	2324	cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exe	ASUA.exe
PID 2324 wrote to memory of 1624	2324	cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exe	ASUA.exe
PID 2324 wrote to memory of 1624	2324	cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exe	ASUA.exe
PID 2324 wrote to memory of 1624	2324	cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exe	ASUA.exe
PID 2252 wrote to memory of 2628	2252	ASUA.exe	svchost.exe
PID 2252 wrote to memory of 2628	2252	ASUA.exe	svchost.exe
PID 2252 wrote to memory of 2628	2252	ASUA.exe	svchost.exe
PID 2252 wrote to memory of 2628	2252	ASUA.exe	svchost.exe
PID 2252 wrote to memory of 2628	2252	ASUA.exe	svchost.exe
PID 2252 wrote to memory of 2628	2252	ASUA.exe	svchost.exe
PID 2252 wrote to memory of 2628	2252	ASUA.exe	svchost.exe
PID 2252 wrote to memory of 2628	2252	ASUA.exe	svchost.exe
PID 2252 wrote to memory of 2628	2252	ASUA.exe	svchost.exe
PID 2628 wrote to memory of 1152	2628	svchost.exe	svchost.exe
PID 2628 wrote to memory of 1152	2628	svchost.exe	svchost.exe
PID 2628 wrote to memory of 1152	2628	svchost.exe	svchost.exe
PID 2628 wrote to memory of 1152	2628	svchost.exe	svchost.exe
PID 2628 wrote to memory of 1152	2628	svchost.exe	svchost.exe
PID 2628 wrote to memory of 1152	2628	svchost.exe	svchost.exe
PID 2628 wrote to memory of 1152	2628	svchost.exe	svchost.exe
PID 2628 wrote to memory of 1152	2628	svchost.exe	svchost.exe
PID 2628 wrote to memory of 1152	2628	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exe
"C:\Users\Admin\AppData\Local\Temp\cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Public\wps\ASUA.exe
  C:\Users\Public\wps\ASUA.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624

C:\ProgramData\wpsupdate\ASUA.exe
"C:\ProgramData\wpsupdate\ASUA.exe" 100 1624
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\ProgramData\wpsupdate\ASUA.exe
"C:\ProgramData\wpsupdate\ASUA.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe 209 2628
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wpsupdate\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
C:\ProgramData\wpsupdate\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
C:\ProgramData\wpsupdate\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
C:\ProgramData\wpsupdate\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
C:\ProgramData\wpsupdate\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
C:\ProgramData\wpsupdate\debug.dump

Filesize
112KB

MD5
f519fd65520905db56fc0f25d8b638ed

SHA1
6b6d31c7f9162c4d41be3ab7857ffb83e7276b5c

SHA256
67e9423d9b2aabcca01720dd5f043ad41e20b795014b262f9d4370d142d46324

SHA512
28b0ed6927dfcd383ee02e26e6fec3cf345de2c9914a7dc7a37af16566a11e0becd9baf805de63165dc23039066126ed3c809d1e2c8d8287a2badfc2e2b6cbe5

Download Submit
C:\ProgramData\wpsupdate\debug.dump

Filesize
112KB

MD5
f519fd65520905db56fc0f25d8b638ed

SHA1
6b6d31c7f9162c4d41be3ab7857ffb83e7276b5c

SHA256
67e9423d9b2aabcca01720dd5f043ad41e20b795014b262f9d4370d142d46324

SHA512
28b0ed6927dfcd383ee02e26e6fec3cf345de2c9914a7dc7a37af16566a11e0becd9baf805de63165dc23039066126ed3c809d1e2c8d8287a2badfc2e2b6cbe5

Download Submit
C:\Users\Public\wps\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
C:\Users\Public\wps\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
C:\Users\Public\wps\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
C:\Users\Public\wps\debug.dump

Filesize
112KB

MD5
f519fd65520905db56fc0f25d8b638ed

SHA1
6b6d31c7f9162c4d41be3ab7857ffb83e7276b5c

SHA256
67e9423d9b2aabcca01720dd5f043ad41e20b795014b262f9d4370d142d46324

SHA512
28b0ed6927dfcd383ee02e26e6fec3cf345de2c9914a7dc7a37af16566a11e0becd9baf805de63165dc23039066126ed3c809d1e2c8d8287a2badfc2e2b6cbe5

Download Submit
\ProgramData\wpsupdate\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
\ProgramData\wpsupdate\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
\Users\Public\wps\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
\Users\Public\wps\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
memory/1152-87-0x0000000000150000-0x000000000017D000-memory.dmp

Filesize
180KB

Download
memory/1152-88-0x0000000000150000-0x000000000017D000-memory.dmp

Filesize
180KB

Download
memory/1152-90-0x0000000000150000-0x000000000017D000-memory.dmp

Filesize
180KB

Download
memory/1152-86-0x0000000000150000-0x000000000017D000-memory.dmp

Filesize
180KB

Download
memory/1152-81-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1152-85-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1152-84-0x0000000000150000-0x000000000017D000-memory.dmp

Filesize
180KB

Download
memory/1152-83-0x0000000000150000-0x000000000017D000-memory.dmp

Filesize
180KB

Download
memory/1624-15-0x0000000000150000-0x000000000017D000-memory.dmp

Filesize
180KB

Download
memory/1624-14-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/1624-55-0x0000000000150000-0x000000000017D000-memory.dmp

Filesize
180KB

Download
memory/2252-40-0x0000000000450000-0x000000000047D000-memory.dmp

Filesize
180KB

Download
memory/2252-51-0x0000000000450000-0x000000000047D000-memory.dmp

Filesize
180KB

Download
memory/2628-46-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/2628-50-0x0000000000210000-0x000000000023D000-memory.dmp

Filesize
180KB

Download
memory/2628-64-0x0000000000210000-0x000000000023D000-memory.dmp

Filesize
180KB

Download
memory/2628-65-0x0000000000210000-0x000000000023D000-memory.dmp

Filesize
180KB

Download
memory/2628-66-0x0000000000210000-0x000000000023D000-memory.dmp

Filesize
180KB

Download
memory/2628-68-0x0000000000210000-0x000000000023D000-memory.dmp

Filesize
180KB

Download
memory/2628-71-0x0000000000210000-0x000000000023D000-memory.dmp

Filesize
180KB

Download
memory/2628-89-0x0000000000210000-0x000000000023D000-memory.dmp

Filesize
180KB

Download
memory/2628-62-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2628-63-0x0000000000210000-0x000000000023D000-memory.dmp

Filesize
180KB

Download
memory/2628-48-0x0000000000210000-0x000000000023D000-memory.dmp

Filesize
180KB

Download
memory/2628-47-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2628-45-0x00000000000A0000-0x00000000000BB000-memory.dmp

Filesize
108KB

Download
memory/2628-42-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2748-36-0x00000000002B0000-0x00000000002DD000-memory.dmp

Filesize
180KB

Download
memory/2748-72-0x00000000002B0000-0x00000000002DD000-memory.dmp

Filesize
180KB

Download
memory/2748-35-0x00000000002B0000-0x00000000002DD000-memory.dmp

Filesize
180KB

Download