plugx | a6dbaab6da4004321c979abf0b0270f44f56f793ac47751ccbc2989e258aea24

Analysis

max time kernel
71s
max time network
72s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09-02-2024 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample3.pdf
Size

603KB
MD5

2b203ff7805a789f64ec614dee2a7e7b
SHA1

dfa47a1bacea6afc7e334a31ad53045338d29ec5
SHA256

a6dbaab6da4004321c979abf0b0270f44f56f793ac47751ccbc2989e258aea24
SHA512

263b79355f8541dabfd26b5e85bdf7e3423bab5081eb3c99131f5dad42cdde6eeed0d00b520bf7400a5ae86883a0270759cfa846ce71832d717ea2ccd2491257
SSDEEP

12288:dGROjjzZ2fNv33w32iaMLavQVXsEAop5tNIBUwlDq7p:GOjjzyNw2qLO6XstECFpq7p

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 22 IoCs

resource	yara_rule
behavioral1/memory/2788-32-0x0000000000280000-0x00000000002AC000-memory.dmp	family_plugx
behavioral1/memory/2788-28-0x0000000000280000-0x00000000002AC000-memory.dmp	family_plugx
behavioral1/memory/2516-36-0x0000000000260000-0x000000000028C000-memory.dmp	family_plugx
behavioral1/memory/2788-47-0x0000000000280000-0x00000000002AC000-memory.dmp	family_plugx
behavioral1/memory/2480-45-0x0000000000100000-0x000000000012C000-memory.dmp	family_plugx
behavioral1/memory/2516-44-0x0000000000260000-0x000000000028C000-memory.dmp	family_plugx
behavioral1/memory/2480-43-0x0000000000100000-0x000000000012C000-memory.dmp	family_plugx
behavioral1/memory/2480-41-0x0000000000100000-0x000000000012C000-memory.dmp	family_plugx
behavioral1/memory/2480-59-0x0000000000100000-0x000000000012C000-memory.dmp	family_plugx
behavioral1/memory/2480-60-0x0000000000100000-0x000000000012C000-memory.dmp	family_plugx
behavioral1/memory/2480-61-0x0000000000100000-0x000000000012C000-memory.dmp	family_plugx
behavioral1/memory/2480-62-0x0000000000100000-0x000000000012C000-memory.dmp	family_plugx
behavioral1/memory/2480-63-0x0000000000100000-0x000000000012C000-memory.dmp	family_plugx
behavioral1/memory/2480-65-0x0000000000100000-0x000000000012C000-memory.dmp	family_plugx
behavioral1/memory/2480-66-0x0000000000100000-0x000000000012C000-memory.dmp	family_plugx
behavioral1/memory/2480-67-0x0000000000100000-0x000000000012C000-memory.dmp	family_plugx
behavioral1/memory/2880-76-0x0000000000280000-0x00000000002AC000-memory.dmp	family_plugx
behavioral1/memory/2880-80-0x0000000000280000-0x00000000002AC000-memory.dmp	family_plugx
behavioral1/memory/2880-81-0x0000000000280000-0x00000000002AC000-memory.dmp	family_plugx
behavioral1/memory/2480-82-0x0000000000100000-0x000000000012C000-memory.dmp	family_plugx
behavioral1/memory/2480-83-0x0000000000100000-0x000000000012C000-memory.dmp	family_plugx
behavioral1/memory/2880-84-0x0000000000280000-0x00000000002AC000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
2696	~temqp.tmp
2788	CamMute.exe
2516	CamMute.exe

Loads dropped DLL 4 IoCs

pid	Process
2920	cscript.exe
2696	~temqp.tmp
2788	CamMute.exe
2516	CamMute.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 32003800310046004500370037003300300030003700430046004300310038000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2480	svchost.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2480	svchost.exe
2480	svchost.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2480	svchost.exe
2480	svchost.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2480	svchost.exe
2480	svchost.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2480	svchost.exe
2480	svchost.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2880	msiexec.exe
2480	svchost.exe
2480	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	CamMute.exe
Token: SeTcbPrivilege	2788	CamMute.exe
Token: SeDebugPrivilege	2516	CamMute.exe
Token: SeTcbPrivilege	2516	CamMute.exe
Token: SeDebugPrivilege	2480	svchost.exe
Token: SeTcbPrivilege	2480	svchost.exe
Token: SeDebugPrivilege	2880	msiexec.exe
Token: SeTcbPrivilege	2880	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2548	AcroRd32.exe
2548	AcroRd32.exe
2548	AcroRd32.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2920	2548	AcroRd32.exe	28
PID 2548 wrote to memory of 2920	2548	AcroRd32.exe	28
PID 2548 wrote to memory of 2920	2548	AcroRd32.exe	28
PID 2548 wrote to memory of 2920	2548	AcroRd32.exe	28
PID 2920 wrote to memory of 2696	2920	cscript.exe	30
PID 2920 wrote to memory of 2696	2920	cscript.exe	30
PID 2920 wrote to memory of 2696	2920	cscript.exe	30
PID 2920 wrote to memory of 2696	2920	cscript.exe	30
PID 2920 wrote to memory of 2620	2920	cscript.exe	31
PID 2920 wrote to memory of 2620	2920	cscript.exe	31
PID 2920 wrote to memory of 2620	2920	cscript.exe	31
PID 2920 wrote to memory of 2620	2920	cscript.exe	31
PID 2696 wrote to memory of 2788	2696	~temqp.tmp	32
PID 2696 wrote to memory of 2788	2696	~temqp.tmp	32
PID 2696 wrote to memory of 2788	2696	~temqp.tmp	32
PID 2696 wrote to memory of 2788	2696	~temqp.tmp	32
PID 2516 wrote to memory of 2480	2516	CamMute.exe	34
PID 2516 wrote to memory of 2480	2516	CamMute.exe	34
PID 2516 wrote to memory of 2480	2516	CamMute.exe	34
PID 2516 wrote to memory of 2480	2516	CamMute.exe	34
PID 2516 wrote to memory of 2480	2516	CamMute.exe	34
PID 2516 wrote to memory of 2480	2516	CamMute.exe	34
PID 2516 wrote to memory of 2480	2516	CamMute.exe	34
PID 2516 wrote to memory of 2480	2516	CamMute.exe	34
PID 2516 wrote to memory of 2480	2516	CamMute.exe	34
PID 2480 wrote to memory of 2880	2480	svchost.exe	35
PID 2480 wrote to memory of 2880	2480	svchost.exe	35
PID 2480 wrote to memory of 2880	2480	svchost.exe	35
PID 2480 wrote to memory of 2880	2480	svchost.exe	35
PID 2480 wrote to memory of 2880	2480	svchost.exe	35
PID 2480 wrote to memory of 2880	2480	svchost.exe	35
PID 2480 wrote to memory of 2880	2480	svchost.exe	35
PID 2480 wrote to memory of 2880	2480	svchost.exe	35
PID 2480 wrote to memory of 2880	2480	svchost.exe	35
PID 2480 wrote to memory of 2880	2480	svchost.exe	35
PID 2480 wrote to memory of 2880	2480	svchost.exe	35
PID 2480 wrote to memory of 2880	2480	svchost.exe	35

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\sample3.pdf"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp\Winword.js
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\~temqp.tmp
    ~temqp.tmp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe
      "C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe" 100 2696
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c Adobe.pdf
    3⤵
    PID:2620

C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe
"C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 2480
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CAM\CommFunc.dll

Filesize
40KB

MD5
6be2cf583a8d3187a04772aee4c05ab6

SHA1
d8ddeaf4a9c23bc05829bbb7b1738513bb1ac310

SHA256
b81c356b56b292b51b0e03ee2c69d96de2a3e0e6f6e7f6111119400a6c7ac14f

SHA512
b571ebda31070b5c48fca922e209712379dff14d32989d6acf664320b6c8ea1031e18a16903ac56e6909c93403467de4679bcc3989691ebf7bd11ece0ff1acfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAM\CommFunc.jax

Filesize
111KB

MD5
dc996c4855add1f655c899e9806c8b3e

SHA1
757c919328aae9f8dfe36293f2095da73a866e89

SHA256
a018fba9f923edf661a915311b72b25cd414f658b64e7f4272ca9622be049259

SHA512
fbea508af9ef82d519d7f94c7b40266c8f002afc31421c7e303b74e6853804061e7b571c501244cd0ace377245db9259fbf330738749ab67718a60a05c31b6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Winword.js

Filesize
446KB

MD5
19047595de7edc3550963ced15347ce1

SHA1
012695dfb871d0b72d5875faf9ac8c1ebac68952

SHA256
a6c2bbb4726b396adea3fabaf6ea9f86fa48bdce6cadeb9999679bd54b918c91

SHA512
71e243d64689ae900257ba57421d3daf88732376d557804665f1dc4f1899fbdd68a8f7d39f24795ec98896181483c3c73ef8f93a4ed3a6e57e1c6f434a817a36

Download Submit
\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe

Filesize
56KB

MD5
4c8cdd74359dad73a2d499e5775b9bb9

SHA1
89fde2c26d2bdbc5592aa54c65fac51e3f6df631

SHA256
457b71d3effea8ec517277d17cf35a0b775103e549c0a779c81ba4eb125503ba

SHA512
3395cbc20b924d1ea5694180b67a4f410fbfa25e9d977334911a3c9ea93724c7cec763ea2c77444761b93d353888ee262021c7be0cb98918fd5e5044571552c8

Download Submit
\Users\Admin\AppData\Local\Temp\~temqp.tmp

Filesize
222KB

MD5
37bc5cdaf9b026e334edd6752e3cdb00

SHA1
ee7eb5b20e25aeb4456a360e50185f245a6cc065

SHA256
c9a42238d5b1815458031395ef99896cf96656c1016abbe91ca9b0449f1eea6b

SHA512
efec59fefba7095d91bcab3ad3c4e44e24634385179189335085f006fd5a0ed79e05831e4350555c8be19f8bcd2bb36d5a36d82841df53e047d7b9039262ddbf

Download Submit
memory/2480-66-0x0000000000100000-0x000000000012C000-memory.dmp

Filesize
176KB

Download
memory/2480-58-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2480-83-0x0000000000100000-0x000000000012C000-memory.dmp

Filesize
176KB

Download
memory/2480-82-0x0000000000100000-0x000000000012C000-memory.dmp

Filesize
176KB

Download
memory/2480-67-0x0000000000100000-0x000000000012C000-memory.dmp

Filesize
176KB

Download
memory/2480-65-0x0000000000100000-0x000000000012C000-memory.dmp

Filesize
176KB

Download
memory/2480-37-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2480-39-0x00000000000A0000-0x00000000000BA000-memory.dmp

Filesize
104KB

Download
memory/2480-40-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/2480-63-0x0000000000100000-0x000000000012C000-memory.dmp

Filesize
176KB

Download
memory/2480-45-0x0000000000100000-0x000000000012C000-memory.dmp

Filesize
176KB

Download
memory/2480-62-0x0000000000100000-0x000000000012C000-memory.dmp

Filesize
176KB

Download
memory/2480-43-0x0000000000100000-0x000000000012C000-memory.dmp

Filesize
176KB

Download
memory/2480-42-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2480-41-0x0000000000100000-0x000000000012C000-memory.dmp

Filesize
176KB

Download
memory/2480-61-0x0000000000100000-0x000000000012C000-memory.dmp

Filesize
176KB

Download
memory/2480-59-0x0000000000100000-0x000000000012C000-memory.dmp

Filesize
176KB

Download
memory/2480-60-0x0000000000100000-0x000000000012C000-memory.dmp

Filesize
176KB

Download
memory/2516-44-0x0000000000260000-0x000000000028C000-memory.dmp

Filesize
176KB

Download
memory/2516-36-0x0000000000260000-0x000000000028C000-memory.dmp

Filesize
176KB

Download
memory/2548-0-0x0000000005020000-0x0000000005096000-memory.dmp

Filesize
472KB

Download
memory/2788-32-0x0000000000280000-0x00000000002AC000-memory.dmp

Filesize
176KB

Download
memory/2788-47-0x0000000000280000-0x00000000002AC000-memory.dmp

Filesize
176KB

Download
memory/2788-28-0x0000000000280000-0x00000000002AC000-memory.dmp

Filesize
176KB

Download
memory/2788-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2788-29-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/2880-76-0x0000000000280000-0x00000000002AC000-memory.dmp

Filesize
176KB

Download
memory/2880-81-0x0000000000280000-0x00000000002AC000-memory.dmp

Filesize
176KB

Download
memory/2880-77-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2880-80-0x0000000000280000-0x00000000002AC000-memory.dmp

Filesize
176KB

Download
memory/2880-78-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2880-84-0x0000000000280000-0x00000000002AC000-memory.dmp

Filesize
176KB

Download