plugx | 9ff40de5a55aa6b5cf34c61acd52a26f77c6eb5cf1d464e0e651a046227a7b78

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2024 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LZMA.exe
Size

388KB
MD5

89266366e2c712e8b47b2b9ed30d60b7
SHA1

a94bb0440fe6c0d7a6c102037561ffbe6203a251
SHA256

f7369777a4fee1b2e8282f30dc355c3216e4fdc7018912f2a7444026f9edafd0
SHA512

385916c9bbc9a4d7474bfcc68c4fb281e2f3d6df5c11a114b8646400f8a822a5c945f80de2d8d97547e58971b03bcada2f28fc2f259db07ea1880b3fa68b3d95
SSDEEP

12288:1PzUcyOjaTbV7DWZzZg1iuc30Oy7CxMFr:Vz1y6AbV+qwEr

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 24 IoCs

resource	yara_rule
behavioral3/memory/548-1-0x00000000030F0000-0x000000000311D000-memory.dmp	family_plugx
behavioral3/memory/3224-22-0x0000000000D00000-0x0000000000D2D000-memory.dmp	family_plugx
behavioral3/memory/4560-26-0x0000000001590000-0x00000000015BD000-memory.dmp	family_plugx
behavioral3/memory/4560-27-0x0000000001590000-0x00000000015BD000-memory.dmp	family_plugx
behavioral3/memory/768-29-0x0000000001650000-0x000000000167D000-memory.dmp	family_plugx
behavioral3/memory/768-31-0x0000000001650000-0x000000000167D000-memory.dmp	family_plugx
behavioral3/memory/768-30-0x0000000001650000-0x000000000167D000-memory.dmp	family_plugx
behavioral3/memory/548-36-0x00000000030F0000-0x000000000311D000-memory.dmp	family_plugx
behavioral3/memory/768-44-0x0000000001650000-0x000000000167D000-memory.dmp	family_plugx
behavioral3/memory/768-45-0x0000000001650000-0x000000000167D000-memory.dmp	family_plugx
behavioral3/memory/768-46-0x0000000001650000-0x000000000167D000-memory.dmp	family_plugx
behavioral3/memory/768-47-0x0000000001650000-0x000000000167D000-memory.dmp	family_plugx
behavioral3/memory/768-50-0x0000000001650000-0x000000000167D000-memory.dmp	family_plugx
behavioral3/memory/768-51-0x0000000001650000-0x000000000167D000-memory.dmp	family_plugx
behavioral3/memory/768-52-0x0000000001650000-0x000000000167D000-memory.dmp	family_plugx
behavioral3/memory/768-54-0x0000000001650000-0x000000000167D000-memory.dmp	family_plugx
behavioral3/memory/3224-55-0x0000000000D00000-0x0000000000D2D000-memory.dmp	family_plugx
behavioral3/memory/4244-58-0x0000000000ED0000-0x0000000000EFD000-memory.dmp	family_plugx
behavioral3/memory/4244-59-0x0000000000ED0000-0x0000000000EFD000-memory.dmp	family_plugx
behavioral3/memory/4244-61-0x0000000000ED0000-0x0000000000EFD000-memory.dmp	family_plugx
behavioral3/memory/4244-62-0x0000000000ED0000-0x0000000000EFD000-memory.dmp	family_plugx
behavioral3/memory/4244-63-0x0000000000ED0000-0x0000000000EFD000-memory.dmp	family_plugx
behavioral3/memory/768-64-0x0000000001650000-0x000000000167D000-memory.dmp	family_plugx
behavioral3/memory/4244-65-0x0000000000ED0000-0x0000000000EFD000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Deletes itself 1 IoCs

pid	Process
3224	LZMA.exe

Executes dropped EXE 2 IoCs

pid	Process
3224	LZMA.exe
4560	LZMA.exe

Loads dropped DLL 2 IoCs

pid	Process
3224	LZMA.exe
4560	LZMA.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	182.16.12.250
Destination IP	182.16.12.250
Destination IP	182.16.12.250

Modifies registry class 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 33004600350037003800370038004600410043003500450033004200310038000000	svchost.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
768	svchost.exe
4244	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
548	LZMA.exe
548	LZMA.exe
548	LZMA.exe
548	LZMA.exe
3224	LZMA.exe
3224	LZMA.exe
768	svchost.exe
768	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
768	svchost.exe
768	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
768	svchost.exe
768	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
768	svchost.exe
768	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
768	svchost.exe
768	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe
4244	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
768	svchost.exe
4244	svchost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	548	LZMA.exe
Token: SeTcbPrivilege	548	LZMA.exe
Token: SeDebugPrivilege	3224	LZMA.exe
Token: SeTcbPrivilege	3224	LZMA.exe
Token: SeDebugPrivilege	4560	LZMA.exe
Token: SeTcbPrivilege	4560	LZMA.exe
Token: SeDebugPrivilege	768	svchost.exe
Token: SeTcbPrivilege	768	svchost.exe
Token: SeDebugPrivilege	4244	svchost.exe
Token: SeTcbPrivilege	4244	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 768	4560	LZMA.exe	89
PID 4560 wrote to memory of 768	4560	LZMA.exe	89
PID 4560 wrote to memory of 768	4560	LZMA.exe	89
PID 4560 wrote to memory of 768	4560	LZMA.exe	89
PID 4560 wrote to memory of 768	4560	LZMA.exe	89
PID 4560 wrote to memory of 768	4560	LZMA.exe	89
PID 4560 wrote to memory of 768	4560	LZMA.exe	89
PID 4560 wrote to memory of 768	4560	LZMA.exe	89
PID 768 wrote to memory of 4244	768	svchost.exe	93
PID 768 wrote to memory of 4244	768	svchost.exe	93
PID 768 wrote to memory of 4244	768	svchost.exe	93
PID 768 wrote to memory of 4244	768	svchost.exe	93
PID 768 wrote to memory of 4244	768	svchost.exe	93
PID 768 wrote to memory of 4244	768	svchost.exe	93
PID 768 wrote to memory of 4244	768	svchost.exe	93
PID 768 wrote to memory of 4244	768	svchost.exe	93

C:\Users\Admin\AppData\Local\Temp\LZMA.exe
"C:\Users\Admin\AppData\Local\Temp\LZMA.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe
"C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe" 100 548
1⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe
"C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe 209 768
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\CryptSvcser\LZMA.exe

Filesize
388KB

MD5
89266366e2c712e8b47b2b9ed30d60b7

SHA1
a94bb0440fe6c0d7a6c102037561ffbe6203a251

SHA256
f7369777a4fee1b2e8282f30dc355c3216e4fdc7018912f2a7444026f9edafd0

SHA512
385916c9bbc9a4d7474bfcc68c4fb281e2f3d6df5c11a114b8646400f8a822a5c945f80de2d8d97547e58971b03bcada2f28fc2f259db07ea1880b3fa68b3d95

Download Submit
C:\ProgramData\Microsoft\CryptSvcser\expatai.dll

Filesize
400KB

MD5
dd55071ced298687339566cbe9b23c40

SHA1
1b5f760daab97658f7c0f7c28db35f10bde761bb

SHA256
ed10a005bbab4385775e5964586bad0c1d267edbf87ce98feb3cc7135877cca1

SHA512
ae9753860775be0039463c408e080a2541465562702c2407b46d3ab15dacdae6721325eb60ae72e0b389da2524e6122593a6f9bf42f1c2df5c2cb8463c4026c8

Download Submit
C:\ProgramData\Microsoft\CryptSvcser\update.log

Filesize
228KB

MD5
fc5100b1fc7e642bf76fdc3df1846df5

SHA1
664d22bc60a7cd08b8ba5aee9f045fa21de719cb

SHA256
8a7e960d9aefce2bc6c515e63a46ea5d6e7db964301eb8a26c3dd561707eac77

SHA512
46cc8e84c7e5668e4fa5da0eabab725da2c5c93bfcce6d7774e668b3e011c6f24d9e0513aac097366504e1139525879b9a43b128c37c719c0a25401ceb9fbe47

Download Submit
memory/548-36-0x00000000030F0000-0x000000000311D000-memory.dmp

Filesize
180KB

Download
memory/548-1-0x00000000030F0000-0x000000000311D000-memory.dmp

Filesize
180KB

Download
memory/548-0-0x0000000002FC0000-0x00000000030C0000-memory.dmp

Filesize
1024KB

Download
memory/768-46-0x0000000001650000-0x000000000167D000-memory.dmp

Filesize
180KB

Download
memory/768-51-0x0000000001650000-0x000000000167D000-memory.dmp

Filesize
180KB

Download
memory/768-29-0x0000000001650000-0x000000000167D000-memory.dmp

Filesize
180KB

Download
memory/768-28-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/768-31-0x0000000001650000-0x000000000167D000-memory.dmp

Filesize
180KB

Download
memory/768-30-0x0000000001650000-0x000000000167D000-memory.dmp

Filesize
180KB

Download
memory/768-64-0x0000000001650000-0x000000000167D000-memory.dmp

Filesize
180KB

Download
memory/768-43-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/768-44-0x0000000001650000-0x000000000167D000-memory.dmp

Filesize
180KB

Download
memory/768-45-0x0000000001650000-0x000000000167D000-memory.dmp

Filesize
180KB

Download
memory/768-54-0x0000000001650000-0x000000000167D000-memory.dmp

Filesize
180KB

Download
memory/768-47-0x0000000001650000-0x000000000167D000-memory.dmp

Filesize
180KB

Download
memory/768-50-0x0000000001650000-0x000000000167D000-memory.dmp

Filesize
180KB

Download
memory/768-52-0x0000000001650000-0x000000000167D000-memory.dmp

Filesize
180KB

Download
memory/3224-22-0x0000000000D00000-0x0000000000D2D000-memory.dmp

Filesize
180KB

Download
memory/3224-55-0x0000000000D00000-0x0000000000D2D000-memory.dmp

Filesize
180KB

Download
memory/4244-56-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/4244-58-0x0000000000ED0000-0x0000000000EFD000-memory.dmp

Filesize
180KB

Download
memory/4244-60-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4244-59-0x0000000000ED0000-0x0000000000EFD000-memory.dmp

Filesize
180KB

Download
memory/4244-61-0x0000000000ED0000-0x0000000000EFD000-memory.dmp

Filesize
180KB

Download
memory/4244-62-0x0000000000ED0000-0x0000000000EFD000-memory.dmp

Filesize
180KB

Download
memory/4244-63-0x0000000000ED0000-0x0000000000EFD000-memory.dmp

Filesize
180KB

Download
memory/4244-65-0x0000000000ED0000-0x0000000000EFD000-memory.dmp

Filesize
180KB

Download
memory/4560-27-0x0000000001590000-0x00000000015BD000-memory.dmp

Filesize
180KB

Download
memory/4560-26-0x0000000001590000-0x00000000015BD000-memory.dmp

Filesize
180KB

Download