Overview

overview

10

Static

static

3

PlugX.zip

windows10-1703-x64

1

3BC9E9B78A...t.hlp_

windows10-1703-x64

3

5F9F8AC1F7...D_.doc

windows10-1703-x64

1

6B97B3CD2F...et.exe

windows10-1703-x64

1

901FA02FFD...ar.dll

windows10-1703-x64

1

97C11E7D6B...l.doc_

windows10-1703-x64

3

C116CD0832..._2.exe

windows10-1703-x64

10

FC88BEEB74...NWORD_

windows10-1703-x64

1

PlugX_3C74...20.dll

windows10-1703-x64

10

originalfi...ae.rtf

windows10-1703-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-1703_x64
  • resource
    win10-20231023-en
  • resource tags

    arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19-11-2023 03:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PlugX_3C74A85C2CF883BD9D4B9F8B9746030F_DW20.dll

  • Size

    228KB

  • MD5

    3c74a85c2cf883bd9d4b9f8b9746030f

  • SHA1

    40541a03e910b21df681bec69cfe59678ebba86c

  • SHA256

    66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967

  • SHA512

    15ab0c68e1dc8f5dc87231942f008228fe658ce221efe0ba90dfbfedea7e9cf401cac37098674a1d7cd489c97d061b847f09b86c24453575e2d46d4d9326e29c

  • SSDEEP

    3072:Y3Bb2V38tdLIKbEN2HSKjZNPH4cGHk51Kk+u5arueqFl8sLbxDZxWRko5V:YRbvkKgN8/RH4hHk5gUUYFl8UmT

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 22 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 5 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\PlugX_3C74A85C2CF883BD9D4B9F8B9746030F_DW20.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:440
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\PlugX_3C74A85C2CF883BD9D4B9F8B9746030F_DW20.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:512
      • C:\Users\Admin\AppData\Local\Temp\E510.tmp
        C:\Users\Admin\AppData\Local\Temp\E510.tmp
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1756
        • C:\Users\Admin\AppData\Local\Temp\Gadget.exe
          C:\Users\Admin\AppData\Local\Temp\\Gadget.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:3484
  • C:\ProgramData\WS\Gadget.exe
    C:\ProgramData\WS\Gadget.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4232
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:684
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 684
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\WS\Gadget.exe
    Filesize

    25KB

    MD5

    6b97b3cd2fcfb4b74985143230441463

    SHA1

    8985c2394ed9a58c36f907962b0724fe66c204a6

    SHA256

    5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

    SHA512

    736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

    Download Submit

  • C:\ProgramData\WS\Gadget.exe
    Filesize

    25KB

    MD5

    6b97b3cd2fcfb4b74985143230441463

    SHA1

    8985c2394ed9a58c36f907962b0724fe66c204a6

    SHA256

    5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

    SHA512

    736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

    Download Submit

  • C:\ProgramData\WS\Gadget.exe
    Filesize

    25KB

    MD5

    6b97b3cd2fcfb4b74985143230441463

    SHA1

    8985c2394ed9a58c36f907962b0724fe66c204a6

    SHA256

    5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

    SHA512

    736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

    Download Submit

  • C:\ProgramData\WS\SideBar.dll
    Filesize

    41KB

    MD5

    901fa02ffd43de5b2d7c8c6b8c2f6a43

    SHA1

    8bb71adf1c418061510c40240852c3cd61fb214c

    SHA256

    3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679

    SHA512

    6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

    Download Submit

  • C:\ProgramData\WS\SideBar.dll
    Filesize

    41KB

    MD5

    901fa02ffd43de5b2d7c8c6b8c2f6a43

    SHA1

    8bb71adf1c418061510c40240852c3cd61fb214c

    SHA256

    3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679

    SHA512

    6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

    Download Submit

  • C:\ProgramData\WS\SideBar.dll.doc
    Filesize

    121KB

    MD5

    97c11e7d6b1926cd4be13804b36239ac

    SHA1

    b388b86a782ae14fee2a31bc7626a816c3eabc5a

    SHA256

    a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a

    SHA512

    8ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121

    Download Submit

  • C:\ProgramData\WS\SideBar.dll.doc
    Filesize

    121KB

    MD5

    97c11e7d6b1926cd4be13804b36239ac

    SHA1

    b388b86a782ae14fee2a31bc7626a816c3eabc5a

    SHA256

    a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a

    SHA512

    8ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\E510.tmp
    Filesize

    225KB

    MD5

    c116cd083284cc599c024c3479ca9b70

    SHA1

    bf831962162a0446454e3e32d764cc0e5daafde0

    SHA256

    90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84

    SHA512

    d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\E510.tmp
    Filesize

    225KB

    MD5

    c116cd083284cc599c024c3479ca9b70

    SHA1

    bf831962162a0446454e3e32d764cc0e5daafde0

    SHA256

    90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84

    SHA512

    d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Gadget.exe
    Filesize

    25KB

    MD5

    6b97b3cd2fcfb4b74985143230441463

    SHA1

    8985c2394ed9a58c36f907962b0724fe66c204a6

    SHA256

    5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

    SHA512

    736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Gadget.exe
    Filesize

    25KB

    MD5

    6b97b3cd2fcfb4b74985143230441463

    SHA1

    8985c2394ed9a58c36f907962b0724fe66c204a6

    SHA256

    5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9

    SHA512

    736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\SideBar.dll
    Filesize

    41KB

    MD5

    901fa02ffd43de5b2d7c8c6b8c2f6a43

    SHA1

    8bb71adf1c418061510c40240852c3cd61fb214c

    SHA256

    3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679

    SHA512

    6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\SideBar.dll.doc
    Filesize

    121KB

    MD5

    97c11e7d6b1926cd4be13804b36239ac

    SHA1

    b388b86a782ae14fee2a31bc7626a816c3eabc5a

    SHA256

    a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a

    SHA512

    8ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121

    Download Submit

  • \ProgramData\WS\SideBar.dll
    Filesize

    41KB

    MD5

    901fa02ffd43de5b2d7c8c6b8c2f6a43

    SHA1

    8bb71adf1c418061510c40240852c3cd61fb214c

    SHA256

    3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679

    SHA512

    6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Sidebar.dll
    Filesize

    41KB

    MD5

    901fa02ffd43de5b2d7c8c6b8c2f6a43

    SHA1

    8bb71adf1c418061510c40240852c3cd61fb214c

    SHA256

    3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679

    SHA512

    6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

    Download Submit

  • memory/684-38-0x0000000000940000-0x0000000000970000-memory.dmp

    Filesize

    192KB

    Download

  • memory/684-40-0x0000000000940000-0x0000000000970000-memory.dmp

    Filesize

    192KB

    Download

  • memory/684-79-0x0000000000940000-0x0000000000970000-memory.dmp

    Filesize

    192KB

    Download

  • memory/684-58-0x0000000000940000-0x0000000000970000-memory.dmp

    Filesize

    192KB

    Download

  • memory/684-70-0x0000000000940000-0x0000000000970000-memory.dmp

    Filesize

    192KB

    Download

  • memory/684-69-0x0000000000940000-0x0000000000970000-memory.dmp

    Filesize

    192KB

    Download

  • memory/684-37-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/684-57-0x0000000000940000-0x0000000000970000-memory.dmp

    Filesize

    192KB

    Download

  • memory/684-54-0x0000000000940000-0x0000000000970000-memory.dmp

    Filesize

    192KB

    Download

  • memory/684-60-0x0000000000940000-0x0000000000970000-memory.dmp

    Filesize

    192KB

    Download

  • memory/684-55-0x0000000000940000-0x0000000000970000-memory.dmp

    Filesize

    192KB

    Download

  • memory/684-42-0x0000000000940000-0x0000000000970000-memory.dmp

    Filesize

    192KB

    Download

  • memory/684-52-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/684-53-0x0000000000940000-0x0000000000970000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3484-41-0x0000000000560000-0x0000000000590000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3484-16-0x0000000000560000-0x0000000000590000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3484-12-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

    Download

  • memory/3484-14-0x00000000007E0000-0x00000000008E0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4232-39-0x0000000000790000-0x00000000007C0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4232-36-0x0000000000790000-0x00000000007C0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4232-35-0x0000000000790000-0x00000000007C0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4232-33-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

    Download

  • memory/4504-63-0x0000000004D80000-0x0000000004DB0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4504-64-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4504-66-0x0000000000940000-0x0000000000970000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4504-68-0x0000000004D80000-0x0000000004DB0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4504-67-0x0000000004D80000-0x0000000004DB0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4504-65-0x0000000004D80000-0x0000000004DB0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4504-71-0x0000000000940000-0x0000000000970000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4504-72-0x0000000004D80000-0x0000000004DB0000-memory.dmp

    Filesize

    192KB

    Download