plugx | cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exe
Size

2.3MB
MD5

607db7333b07c16b6ca619f20c11f9d1
SHA1

2af8308c1a06e5ee26578a759eb8a0b384751a15
SHA256

cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85
SHA512

75f914408fb03e8521935305a4befdaf00b84fe45b55a3f306964c950fc10843b38f3f53349d245097933daff72e56a5334f4fe22fc6669bc819462d51c9461d
SSDEEP

24576:LNzH/3FRzJR4o7nGhAkfvhoucd27nQNHL9mk39q8AwJRxrJEjk/MBhnhHSA8a6SM:pzvdR4QWAkf0rmjkShnhHSA8T

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 23 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4648-14-0x0000000002E20000-0x0000000002E4D000-memory.dmp	family_plugx
behavioral2/memory/3216-35-0x0000000000FA0000-0x0000000000FCD000-memory.dmp	family_plugx
behavioral2/memory/2776-40-0x0000000001850000-0x000000000187D000-memory.dmp	family_plugx
behavioral2/memory/1920-43-0x00000000010F0000-0x000000000111D000-memory.dmp	family_plugx
behavioral2/memory/2776-44-0x0000000001850000-0x000000000187D000-memory.dmp	family_plugx
behavioral2/memory/1920-45-0x00000000010F0000-0x000000000111D000-memory.dmp	family_plugx
behavioral2/memory/4648-48-0x0000000002E20000-0x0000000002E4D000-memory.dmp	family_plugx
behavioral2/memory/1920-57-0x00000000010F0000-0x000000000111D000-memory.dmp	family_plugx
behavioral2/memory/1920-58-0x00000000010F0000-0x000000000111D000-memory.dmp	family_plugx
behavioral2/memory/1920-59-0x00000000010F0000-0x000000000111D000-memory.dmp	family_plugx
behavioral2/memory/1920-60-0x00000000010F0000-0x000000000111D000-memory.dmp	family_plugx
behavioral2/memory/1920-62-0x00000000010F0000-0x000000000111D000-memory.dmp	family_plugx
behavioral2/memory/1920-63-0x00000000010F0000-0x000000000111D000-memory.dmp	family_plugx
behavioral2/memory/1920-65-0x00000000010F0000-0x000000000111D000-memory.dmp	family_plugx
behavioral2/memory/3216-66-0x0000000000FA0000-0x0000000000FCD000-memory.dmp	family_plugx
behavioral2/memory/4828-67-0x0000000001740000-0x000000000176D000-memory.dmp	family_plugx
behavioral2/memory/4828-69-0x0000000001740000-0x000000000176D000-memory.dmp	family_plugx
behavioral2/memory/4828-70-0x0000000001740000-0x000000000176D000-memory.dmp	family_plugx
behavioral2/memory/1920-71-0x00000000010F0000-0x000000000111D000-memory.dmp	family_plugx
behavioral2/memory/4828-73-0x0000000001740000-0x000000000176D000-memory.dmp	family_plugx
behavioral2/memory/4828-74-0x0000000001740000-0x000000000176D000-memory.dmp	family_plugx
behavioral2/memory/4828-75-0x0000000001740000-0x000000000176D000-memory.dmp	family_plugx
behavioral2/memory/4828-77-0x0000000001740000-0x000000000176D000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 3 IoCs

Processes:

ASUA.exeASUA.exeASUA.exe

pid process

4648 ASUA.exe
3216 ASUA.exe
2776 ASUA.exe
Loads dropped DLL 3 IoCs

Processes:

ASUA.exeASUA.exeASUA.exe

pid process

4648 ASUA.exe
3216 ASUA.exe
2776 ASUA.exe
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 61.139.2.69
Destination IP 202.98.96.68
Destination IP 205.252.144.228

description	ioc
Destination IP	61.139.2.69
Destination IP	202.98.96.68
Destination IP	205.252.144.228

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 32003400460043004500410044004500410043004500350033003500460042000000	svchost.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

1920 svchost.exe
4828 svchost.exe

pid	process
1920	svchost.exe
4828	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ASUA.exeASUA.exesvchost.exesvchost.exe

pid	process
4648	ASUA.exe
4648	ASUA.exe
4648	ASUA.exe
4648	ASUA.exe
3216	ASUA.exe
3216	ASUA.exe
1920	svchost.exe
1920	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
1920	svchost.exe
1920	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
1920	svchost.exe
1920	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
1920	svchost.exe
1920	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
1920	svchost.exe
1920	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe
4828	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

1920 svchost.exe
4828 svchost.exe

pid	process
1920	svchost.exe
4828	svchost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

ASUA.exeASUA.exeASUA.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4648	ASUA.exe
Token: SeTcbPrivilege	4648	ASUA.exe
Token: SeDebugPrivilege	3216	ASUA.exe
Token: SeTcbPrivilege	3216	ASUA.exe
Token: SeDebugPrivilege	2776	ASUA.exe
Token: SeTcbPrivilege	2776	ASUA.exe
Token: SeDebugPrivilege	1920	svchost.exe
Token: SeTcbPrivilege	1920	svchost.exe
Token: SeDebugPrivilege	4828	svchost.exe
Token: SeTcbPrivilege	4828	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exe

pid	process
2104	cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exe
2104	cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exeASUA.exesvchost.exe

description	pid	process	target process
PID 2104 wrote to memory of 4648	2104	cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exe	ASUA.exe
PID 2104 wrote to memory of 4648	2104	cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exe	ASUA.exe
PID 2104 wrote to memory of 4648	2104	cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exe	ASUA.exe
PID 2776 wrote to memory of 1920	2776	ASUA.exe	svchost.exe
PID 2776 wrote to memory of 1920	2776	ASUA.exe	svchost.exe
PID 2776 wrote to memory of 1920	2776	ASUA.exe	svchost.exe
PID 2776 wrote to memory of 1920	2776	ASUA.exe	svchost.exe
PID 2776 wrote to memory of 1920	2776	ASUA.exe	svchost.exe
PID 2776 wrote to memory of 1920	2776	ASUA.exe	svchost.exe
PID 2776 wrote to memory of 1920	2776	ASUA.exe	svchost.exe
PID 2776 wrote to memory of 1920	2776	ASUA.exe	svchost.exe
PID 1920 wrote to memory of 4828	1920	svchost.exe	svchost.exe
PID 1920 wrote to memory of 4828	1920	svchost.exe	svchost.exe
PID 1920 wrote to memory of 4828	1920	svchost.exe	svchost.exe
PID 1920 wrote to memory of 4828	1920	svchost.exe	svchost.exe
PID 1920 wrote to memory of 4828	1920	svchost.exe	svchost.exe
PID 1920 wrote to memory of 4828	1920	svchost.exe	svchost.exe
PID 1920 wrote to memory of 4828	1920	svchost.exe	svchost.exe
PID 1920 wrote to memory of 4828	1920	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exe
"C:\Users\Admin\AppData\Local\Temp\cba6d325bb9377038039baf24e07a2640200caa462320ec7bf273c8c5bc6bb85.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Public\wps\ASUA.exe
  C:\Users\Public\wps\ASUA.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4648

C:\ProgramData\wpsupdate\ASUA.exe
"C:\ProgramData\wpsupdate\ASUA.exe" 100 4648
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\ProgramData\wpsupdate\ASUA.exe
"C:\ProgramData\wpsupdate\ASUA.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe 209 1920
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wpsupdate\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
C:\ProgramData\wpsupdate\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
C:\ProgramData\wpsupdate\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
C:\ProgramData\wpsupdate\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
C:\ProgramData\wpsupdate\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
C:\ProgramData\wpsupdate\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
C:\ProgramData\wpsupdate\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
C:\ProgramData\wpsupdate\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
C:\ProgramData\wpsupdate\debug.dump

Filesize
112KB

MD5
f519fd65520905db56fc0f25d8b638ed

SHA1
6b6d31c7f9162c4d41be3ab7857ffb83e7276b5c

SHA256
67e9423d9b2aabcca01720dd5f043ad41e20b795014b262f9d4370d142d46324

SHA512
28b0ed6927dfcd383ee02e26e6fec3cf345de2c9914a7dc7a37af16566a11e0becd9baf805de63165dc23039066126ed3c809d1e2c8d8287a2badfc2e2b6cbe5

Download Submit
C:\ProgramData\wpsupdate\debug.dump

Filesize
112KB

MD5
f519fd65520905db56fc0f25d8b638ed

SHA1
6b6d31c7f9162c4d41be3ab7857ffb83e7276b5c

SHA256
67e9423d9b2aabcca01720dd5f043ad41e20b795014b262f9d4370d142d46324

SHA512
28b0ed6927dfcd383ee02e26e6fec3cf345de2c9914a7dc7a37af16566a11e0becd9baf805de63165dc23039066126ed3c809d1e2c8d8287a2badfc2e2b6cbe5

Download Submit
C:\Users\Public\wps\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
C:\Users\Public\wps\ASUA.exe

Filesize
457KB

MD5
07321f91bad9653b4fa737e5c993de90

SHA1
9b0e7f445739825816e970205fe92adf7d3e1fc8

SHA256
c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3

SHA512
c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6

Download Submit
C:\Users\Public\wps\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
C:\Users\Public\wps\ATKEX.dll

Filesize
33KB

MD5
ae8091b6a252a2c34033eaac7e1001d6

SHA1
f2de8d84d51a1cbb9f0100f94361c13a341f7163

SHA256
ff6557980fac2ca2905eab34746eab8dde4aca4f8870e6c21a0d472969885542

SHA512
616c4880a638b2a3ac7c55f475e27f187e21a87d0cbfd4c244a09792c1ef79692db06d92236d6aab3f31c42922af897165dde1a2741de63ae686cced5277c8ed

Download Submit
C:\Users\Public\wps\debug.dump

Filesize
112KB

MD5
f519fd65520905db56fc0f25d8b638ed

SHA1
6b6d31c7f9162c4d41be3ab7857ffb83e7276b5c

SHA256
67e9423d9b2aabcca01720dd5f043ad41e20b795014b262f9d4370d142d46324

SHA512
28b0ed6927dfcd383ee02e26e6fec3cf345de2c9914a7dc7a37af16566a11e0becd9baf805de63165dc23039066126ed3c809d1e2c8d8287a2badfc2e2b6cbe5

Download Submit
memory/1920-45-0x00000000010F0000-0x000000000111D000-memory.dmp

Filesize
180KB

Download
memory/1920-71-0x00000000010F0000-0x000000000111D000-memory.dmp

Filesize
180KB

Download
memory/1920-65-0x00000000010F0000-0x000000000111D000-memory.dmp

Filesize
180KB

Download
memory/1920-63-0x00000000010F0000-0x000000000111D000-memory.dmp

Filesize
180KB

Download
memory/1920-41-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/1920-43-0x00000000010F0000-0x000000000111D000-memory.dmp

Filesize
180KB

Download
memory/1920-62-0x00000000010F0000-0x000000000111D000-memory.dmp

Filesize
180KB

Download
memory/1920-60-0x00000000010F0000-0x000000000111D000-memory.dmp

Filesize
180KB

Download
memory/1920-59-0x00000000010F0000-0x000000000111D000-memory.dmp

Filesize
180KB

Download
memory/1920-57-0x00000000010F0000-0x000000000111D000-memory.dmp

Filesize
180KB

Download
memory/1920-56-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/1920-58-0x00000000010F0000-0x000000000111D000-memory.dmp

Filesize
180KB

Download
memory/2776-44-0x0000000001850000-0x000000000187D000-memory.dmp

Filesize
180KB

Download
memory/2776-40-0x0000000001850000-0x000000000187D000-memory.dmp

Filesize
180KB

Download
memory/3216-66-0x0000000000FA0000-0x0000000000FCD000-memory.dmp

Filesize
180KB

Download
memory/3216-35-0x0000000000FA0000-0x0000000000FCD000-memory.dmp

Filesize
180KB

Download
memory/4648-48-0x0000000002E20000-0x0000000002E4D000-memory.dmp

Filesize
180KB

Download
memory/4648-13-0x0000000002CC0000-0x0000000002DC0000-memory.dmp

Filesize
1024KB

Download
memory/4648-14-0x0000000002E20000-0x0000000002E4D000-memory.dmp

Filesize
180KB

Download
memory/4828-69-0x0000000001740000-0x000000000176D000-memory.dmp

Filesize
180KB

Download
memory/4828-67-0x0000000001740000-0x000000000176D000-memory.dmp

Filesize
180KB

Download
memory/4828-70-0x0000000001740000-0x000000000176D000-memory.dmp

Filesize
180KB

Download
memory/4828-68-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/4828-72-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/4828-73-0x0000000001740000-0x000000000176D000-memory.dmp

Filesize
180KB

Download
memory/4828-74-0x0000000001740000-0x000000000176D000-memory.dmp

Filesize
180KB

Download
memory/4828-75-0x0000000001740000-0x000000000176D000-memory.dmp

Filesize
180KB

Download
memory/4828-76-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/4828-77-0x0000000001740000-0x000000000176D000-memory.dmp

Filesize
180KB

Download