plugx | 7eae5cef9f7990ee8f749c2ee2d3d93027bcd4c9ad9896e641786e18009e2ad8

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07-02-2024 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7eae5cef9f7990ee8f749c2ee2d3d93027bcd4c9ad9896e641786e18009e2ad8.exe
Size

680KB
MD5

2f1356cb77747b11a41902001be47d03
SHA1

b580948628efa035b39beb2a132d025ba3306a34
SHA256

7eae5cef9f7990ee8f749c2ee2d3d93027bcd4c9ad9896e641786e18009e2ad8
SHA512

9cbbdc58fc69c6bdbdf455fd86615a127e694d8571715d4aaad2e8a9cf1dbc1e6d22c29be3ebd8f192d9b2d1a4c094e121ffa554e198b9e6acc9a46c3c497d8c
SSDEEP

12288:uubsNSOetfARQAPyGU2X+tZ/mH2xd8eEOLBc64cry3rqiWaA3HG:uubsnafAPyjt/hxd8jCBr1ubiakm

Score

10^/10

plugx trojan vmprotect

Malware Config

Signatures

Detects PlugX payload 21 IoCs

resource	yara_rule
behavioral1/memory/2216-21-0x0000000001D30000-0x0000000001D6A000-memory.dmp	family_plugx
behavioral1/memory/2216-22-0x0000000001D30000-0x0000000001D6A000-memory.dmp	family_plugx
behavioral1/memory/1712-47-0x0000000001CB0000-0x0000000001CEA000-memory.dmp	family_plugx
behavioral1/memory/3020-64-0x00000000003D0000-0x000000000040A000-memory.dmp	family_plugx
behavioral1/memory/3020-66-0x00000000003D0000-0x000000000040A000-memory.dmp	family_plugx
behavioral1/memory/2580-67-0x0000000001CC0000-0x0000000001CFA000-memory.dmp	family_plugx
behavioral1/memory/2580-56-0x0000000001CC0000-0x0000000001CFA000-memory.dmp	family_plugx
behavioral1/memory/3020-83-0x00000000003D0000-0x000000000040A000-memory.dmp	family_plugx
behavioral1/memory/3020-82-0x00000000003D0000-0x000000000040A000-memory.dmp	family_plugx
behavioral1/memory/3020-86-0x00000000003D0000-0x000000000040A000-memory.dmp	family_plugx
behavioral1/memory/3020-89-0x00000000003D0000-0x000000000040A000-memory.dmp	family_plugx
behavioral1/memory/3020-85-0x00000000003D0000-0x000000000040A000-memory.dmp	family_plugx
behavioral1/memory/3020-84-0x00000000003D0000-0x000000000040A000-memory.dmp	family_plugx
behavioral1/memory/3020-81-0x00000000003D0000-0x000000000040A000-memory.dmp	family_plugx
behavioral1/memory/1912-100-0x0000000000430000-0x000000000046A000-memory.dmp	family_plugx
behavioral1/memory/1912-105-0x0000000000430000-0x000000000046A000-memory.dmp	family_plugx
behavioral1/memory/1912-107-0x0000000000430000-0x000000000046A000-memory.dmp	family_plugx
behavioral1/memory/1912-106-0x0000000000430000-0x000000000046A000-memory.dmp	family_plugx
behavioral1/memory/1712-108-0x0000000001CB0000-0x0000000001CEA000-memory.dmp	family_plugx
behavioral1/memory/3020-109-0x00000000003D0000-0x000000000040A000-memory.dmp	family_plugx
behavioral1/memory/1912-110-0x0000000000430000-0x000000000046A000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 4 IoCs

pid	Process
2216	wps.exe
1712	wps.exe
468	Process not Found
2580	wps.exe

Loads dropped DLL 8 IoCs

pid	Process
2448	7eae5cef9f7990ee8f749c2ee2d3d93027bcd4c9ad9896e641786e18009e2ad8.exe
2448	7eae5cef9f7990ee8f749c2ee2d3d93027bcd4c9ad9896e641786e18009e2ad8.exe
2216	wps.exe
1524	Process not Found
1524	Process not Found
1712	wps.exe
468	Process not Found
2580	wps.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	110.173.53.162

VMProtect packed file 11 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0007000000016441-14.dat	vmprotect
behavioral1/memory/2216-16-0x000007FEF7380000-0x000007FEF73C4000-memory.dmp	vmprotect
behavioral1/memory/2216-17-0x000007FEF7380000-0x000007FEF73C4000-memory.dmp	vmprotect
behavioral1/files/0x0009000000016d12-40.dat	vmprotect
behavioral1/memory/1712-41-0x000007FEF66B0000-0x000007FEF66F4000-memory.dmp	vmprotect
behavioral1/memory/1712-42-0x000007FEF66B0000-0x000007FEF66F4000-memory.dmp	vmprotect
behavioral1/memory/2580-53-0x000007FEF66B0000-0x000007FEF66F4000-memory.dmp	vmprotect
behavioral1/memory/2580-52-0x000007FEF66B0000-0x000007FEF66F4000-memory.dmp	vmprotect
behavioral1/memory/2580-70-0x000007FEF66B0000-0x000007FEF66F4000-memory.dmp	vmprotect
behavioral1/memory/2216-75-0x000007FEF7380000-0x000007FEF73C4000-memory.dmp	vmprotect
behavioral1/memory/1712-90-0x000007FEF66B0000-0x000007FEF66F4000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\~MHZ	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 39004200370044003500460034003100430032003400310041003200300035000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2216	wps.exe
2216	wps.exe
1712	wps.exe
1712	wps.exe
2580	wps.exe
2580	wps.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
3020	svchost.exe
3020	svchost.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
3020	svchost.exe
3020	svchost.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
3020	svchost.exe
3020	svchost.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
3020	svchost.exe
3020	svchost.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe
1912	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3020	svchost.exe
1912	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	wps.exe
Token: SeTcbPrivilege	2216	wps.exe
Token: SeDebugPrivilege	1712	wps.exe
Token: SeTcbPrivilege	1712	wps.exe
Token: SeDebugPrivilege	2580	wps.exe
Token: SeTcbPrivilege	2580	wps.exe
Token: SeDebugPrivilege	3020	svchost.exe
Token: SeTcbPrivilege	3020	svchost.exe
Token: SeDebugPrivilege	1912	msiexec.exe
Token: SeTcbPrivilege	1912	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2216	2448	7eae5cef9f7990ee8f749c2ee2d3d93027bcd4c9ad9896e641786e18009e2ad8.exe	28
PID 2448 wrote to memory of 2216	2448	7eae5cef9f7990ee8f749c2ee2d3d93027bcd4c9ad9896e641786e18009e2ad8.exe	28
PID 2448 wrote to memory of 2216	2448	7eae5cef9f7990ee8f749c2ee2d3d93027bcd4c9ad9896e641786e18009e2ad8.exe	28
PID 2448 wrote to memory of 2216	2448	7eae5cef9f7990ee8f749c2ee2d3d93027bcd4c9ad9896e641786e18009e2ad8.exe	28
PID 2580 wrote to memory of 3020	2580	wps.exe	31
PID 2580 wrote to memory of 3020	2580	wps.exe	31
PID 2580 wrote to memory of 3020	2580	wps.exe	31
PID 2580 wrote to memory of 3020	2580	wps.exe	31
PID 2580 wrote to memory of 3020	2580	wps.exe	31
PID 2580 wrote to memory of 3020	2580	wps.exe	31
PID 2580 wrote to memory of 3020	2580	wps.exe	31
PID 3020 wrote to memory of 1912	3020	svchost.exe	33
PID 3020 wrote to memory of 1912	3020	svchost.exe	33
PID 3020 wrote to memory of 1912	3020	svchost.exe	33
PID 3020 wrote to memory of 1912	3020	svchost.exe	33
PID 3020 wrote to memory of 1912	3020	svchost.exe	33
PID 3020 wrote to memory of 1912	3020	svchost.exe	33
PID 3020 wrote to memory of 1912	3020	svchost.exe	33
PID 3020 wrote to memory of 1912	3020	svchost.exe	33
PID 3020 wrote to memory of 1912	3020	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\7eae5cef9f7990ee8f749c2ee2d3d93027bcd4c9ad9896e641786e18009e2ad8.exe
"C:\Users\Admin\AppData\Local\Temp\7eae5cef9f7990ee8f749c2ee2d3d93027bcd4c9ad9896e641786e18009e2ad8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\wps.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wps.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2216

C:\ProgramData\Kingsoft\office6\wps.exe
"C:\ProgramData\Kingsoft\office6\wps.exe" 100 2216
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe 201 0
1⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe 209 3020
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1912

C:\ProgramData\Kingsoft\office6\wps.exe
"C:\ProgramData\Kingsoft\office6\wps.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Kingsoft\office6\wps.exe

Filesize
124KB

MD5
47405ed0a34dc74a75a3db147b86f8c5

SHA1
718b782e67ba20c4fa358b85c2e3db95d9277597

SHA256
fa58cf8d9add1a611700cd8e37776eae86201fbeff91d6d3620957355aee6a6e

SHA512
fcc7cb0a9a7d39931498c80ac07e53e42650b10da00f42d4a9101176a80f1b86a773409659d4d9419339fc32218f8fad1d4ac83cca9bfc72c2729f9ee05f5ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kdump64.dll

Filesize
147KB

MD5
ae0178a893006cdc447f54e41d549991

SHA1
e5109d5f1e762ab3c52bfecdca67ccb783248bf4

SHA256
e4ba3a0debbb790a917abe7c5374350de9f7909d5a8b2fafdc1962b968013acd

SHA512
d3782758405423afec5000af001ea990fd26be0e2561cf5ec344db1f45cae072a41c0cdd107745b9bb473e535bf8220acef0a00a9992b997a0bcc7baed4a9ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wps.dat

Filesize
152KB

MD5
a1ed676cf36394b6b4fb449309b91b5b

SHA1
4cf7a01b132e4855581e39f5d0da204301fdae98

SHA256
8da2085b60e44aa5fa46c8613757e1582df098e27373b2c8916d2725f28b46de

SHA512
ce224d2376a7d78777691f9eceb8a48755787b390b73e309d48337b8d097a9370e66780237e2884294c76205f93f27e82744804781abe8eaee255c9e2f0f3f11

Download Submit
\ProgramData\Kingsoft\office6\kdump64.dll

Filesize
77KB

MD5
d0a8225739dba451de5fdebbcea7daf1

SHA1
7a58fedfcbc5d8d52e476a07a1febfdff8bd661e

SHA256
be99553ca6aec4ebe965bf9abebde22a9ecb61f33255819fa88cb93703ccb896

SHA512
05658591569fff0030c0f4aee495b643a92beb2da623b0c754ed212eebe08846b8e0cac91485cd8267e55b5d70ac1b5a117c7cf0d8dec6469fc8c5d55baeee3b

Download Submit
\ProgramData\Kingsoft\office6\wps.exe

Filesize
100KB

MD5
4d77dd4a326adb474f4546b2d5981b54

SHA1
957a8f2cacd03efaf3ee66c6512eaca8f8809c7d

SHA256
55f20f55fce63d032fb1f8ae4e7f6ae8a88769bf234318ff021c4e48f3b96b0d

SHA512
30b72ef1b1296dc2b407cdf47a7788998ef3912abfc45fa13aa4f13da4e741b6cee081d92a69b1af990fc9883e6709a50c2014f4a5f9f7cd3e65a2da13a2bdde

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\wps.exe

Filesize
177KB

MD5
f44992d14033a2b5b1064104658a29e1

SHA1
62673aa6e8bde17f218524cbe3bf50cb5b949f3b

SHA256
331f64d6d6bf7883ed8a3c29ab8ce3bf947aaecf49748a7a2b5113ced68607a4

SHA512
9a57d5765e9dcff8caccf8b51449bfd8d35f9c346c9a09a5c64a7229136490bc1cb5a3f07c8d9c75aaf48e16e01700c3d6674fc1b8d170ce927913c4130bc31b

Download Submit
memory/1712-41-0x000007FEF66B0000-0x000007FEF66F4000-memory.dmp

Filesize
272KB

Download
memory/1712-90-0x000007FEF66B0000-0x000007FEF66F4000-memory.dmp

Filesize
272KB

Download
memory/1712-108-0x0000000001CB0000-0x0000000001CEA000-memory.dmp

Filesize
232KB

Download
memory/1712-45-0x0000000076CF0000-0x0000000076CF1000-memory.dmp

Filesize
4KB

Download
memory/1712-47-0x0000000001CB0000-0x0000000001CEA000-memory.dmp

Filesize
232KB

Download
memory/1712-42-0x000007FEF66B0000-0x000007FEF66F4000-memory.dmp

Filesize
272KB

Download
memory/1912-106-0x0000000000430000-0x000000000046A000-memory.dmp

Filesize
232KB

Download
memory/1912-110-0x0000000000430000-0x000000000046A000-memory.dmp

Filesize
232KB

Download
memory/1912-107-0x0000000000430000-0x000000000046A000-memory.dmp

Filesize
232KB

Download
memory/1912-105-0x0000000000430000-0x000000000046A000-memory.dmp

Filesize
232KB

Download
memory/1912-103-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1912-100-0x0000000000430000-0x000000000046A000-memory.dmp

Filesize
232KB

Download
memory/2216-22-0x0000000001D30000-0x0000000001D6A000-memory.dmp

Filesize
232KB

Download
memory/2216-21-0x0000000001D30000-0x0000000001D6A000-memory.dmp

Filesize
232KB

Download
memory/2216-20-0x0000000076CF0000-0x0000000076CF1000-memory.dmp

Filesize
4KB

Download
memory/2216-19-0x0000000001F50000-0x0000000002050000-memory.dmp

Filesize
1024KB

Download
memory/2216-17-0x000007FEF7380000-0x000007FEF73C4000-memory.dmp

Filesize
272KB

Download
memory/2216-16-0x000007FEF7380000-0x000007FEF73C4000-memory.dmp

Filesize
272KB

Download
memory/2216-75-0x000007FEF7380000-0x000007FEF73C4000-memory.dmp

Filesize
272KB

Download
memory/2580-70-0x000007FEF66B0000-0x000007FEF66F4000-memory.dmp

Filesize
272KB

Download
memory/2580-67-0x0000000001CC0000-0x0000000001CFA000-memory.dmp

Filesize
232KB

Download
memory/2580-56-0x0000000001CC0000-0x0000000001CFA000-memory.dmp

Filesize
232KB

Download
memory/2580-53-0x000007FEF66B0000-0x000007FEF66F4000-memory.dmp

Filesize
272KB

Download
memory/2580-52-0x000007FEF66B0000-0x000007FEF66F4000-memory.dmp

Filesize
272KB

Download
memory/3020-86-0x00000000003D0000-0x000000000040A000-memory.dmp

Filesize
232KB

Download
memory/3020-60-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/3020-85-0x00000000003D0000-0x000000000040A000-memory.dmp

Filesize
232KB

Download
memory/3020-84-0x00000000003D0000-0x000000000040A000-memory.dmp

Filesize
232KB

Download
memory/3020-81-0x00000000003D0000-0x000000000040A000-memory.dmp

Filesize
232KB

Download
memory/3020-80-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/3020-59-0x0000000000100000-0x0000000000125000-memory.dmp

Filesize
148KB

Download
memory/3020-89-0x00000000003D0000-0x000000000040A000-memory.dmp

Filesize
232KB

Download
memory/3020-57-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/3020-66-0x00000000003D0000-0x000000000040A000-memory.dmp

Filesize
232KB

Download
memory/3020-64-0x00000000003D0000-0x000000000040A000-memory.dmp

Filesize
232KB

Download
memory/3020-62-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/3020-82-0x00000000003D0000-0x000000000040A000-memory.dmp

Filesize
232KB

Download
memory/3020-109-0x00000000003D0000-0x000000000040A000-memory.dmp

Filesize
232KB

Download
memory/3020-83-0x00000000003D0000-0x000000000040A000-memory.dmp

Filesize
232KB

Download