plugx | a6dbaab6da4004321c979abf0b0270f44f56f793ac47751ccbc2989e258aea24

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/04/2024, 10:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

sample3.pdf
Size

603KB
MD5

2b203ff7805a789f64ec614dee2a7e7b
SHA1

dfa47a1bacea6afc7e334a31ad53045338d29ec5
SHA256

a6dbaab6da4004321c979abf0b0270f44f56f793ac47751ccbc2989e258aea24
SHA512

263b79355f8541dabfd26b5e85bdf7e3423bab5081eb3c99131f5dad42cdde6eeed0d00b520bf7400a5ae86883a0270759cfa846ce71832d717ea2ccd2491257
SSDEEP

12288:dGROjjzZ2fNv33w32iaMLavQVXsEAop5tNIBUwlDq7p:GOjjzyNw2qLO6XstECFpq7p

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 21 IoCs

resource	yara_rule
behavioral1/memory/2480-27-0x0000000000260000-0x000000000028C000-memory.dmp	family_plugx
behavioral1/memory/2480-28-0x0000000000260000-0x000000000028C000-memory.dmp	family_plugx
behavioral1/memory/2464-40-0x00000000002E0000-0x000000000030C000-memory.dmp	family_plugx
behavioral1/memory/2496-49-0x0000000000190000-0x00000000001BC000-memory.dmp	family_plugx
behavioral1/memory/2464-52-0x00000000002E0000-0x000000000030C000-memory.dmp	family_plugx
behavioral1/memory/2496-55-0x0000000000190000-0x00000000001BC000-memory.dmp	family_plugx
behavioral1/memory/2480-61-0x0000000000260000-0x000000000028C000-memory.dmp	family_plugx
behavioral1/memory/2496-76-0x0000000000190000-0x00000000001BC000-memory.dmp	family_plugx
behavioral1/memory/2496-77-0x0000000000190000-0x00000000001BC000-memory.dmp	family_plugx
behavioral1/memory/2496-78-0x0000000000190000-0x00000000001BC000-memory.dmp	family_plugx
behavioral1/memory/2496-79-0x0000000000190000-0x00000000001BC000-memory.dmp	family_plugx
behavioral1/memory/2496-80-0x0000000000190000-0x00000000001BC000-memory.dmp	family_plugx
behavioral1/memory/2496-82-0x0000000000190000-0x00000000001BC000-memory.dmp	family_plugx
behavioral1/memory/2496-94-0x0000000000190000-0x00000000001BC000-memory.dmp	family_plugx
behavioral1/memory/2028-103-0x00000000002B0000-0x00000000002DC000-memory.dmp	family_plugx
behavioral1/memory/2028-107-0x00000000002B0000-0x00000000002DC000-memory.dmp	family_plugx
behavioral1/memory/2028-106-0x00000000002B0000-0x00000000002DC000-memory.dmp	family_plugx
behavioral1/memory/2496-109-0x0000000000190000-0x00000000001BC000-memory.dmp	family_plugx
behavioral1/memory/2496-110-0x0000000000190000-0x00000000001BC000-memory.dmp	family_plugx
behavioral1/memory/2028-111-0x00000000002B0000-0x00000000002DC000-memory.dmp	family_plugx
behavioral1/memory/2496-117-0x0000000000190000-0x00000000001BC000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
2820	~temqp.tmp
2480	CamMute.exe
2464	CamMute.exe

Loads dropped DLL 4 IoCs

pid	Process
2988	cscript.exe
2820	~temqp.tmp
2480	CamMute.exe
2464	CamMute.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\WpadNetworkName = "Network 3"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31\WpadDecisionTime = 906426a5b085da01	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31\WpadDecisionTime = f0c528a5b085da01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\WpadDecisionTime = 906426a5b085da01	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\WpadDecisionTime = f0c528a5b085da01	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31\WpadDetectedUrl	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-a3-50-a3-bf-31\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84740C32-7556-44DF-993D-F05C7562AC87}\fe-a3-50-a3-bf-31	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 33003100300044004300450035004100350034003700300034003600340041000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2496	svchost.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2496	svchost.exe
2496	svchost.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2496	svchost.exe
2496	svchost.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2496	svchost.exe
2496	svchost.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2496	svchost.exe
2496	svchost.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2028	msiexec.exe
2496	svchost.exe
2496	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
820	AcroRd32.exe
2496	svchost.exe
2028	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	CamMute.exe
Token: SeTcbPrivilege	2480	CamMute.exe
Token: SeDebugPrivilege	2464	CamMute.exe
Token: SeTcbPrivilege	2464	CamMute.exe
Token: SeDebugPrivilege	2496	svchost.exe
Token: SeTcbPrivilege	2496	svchost.exe
Token: SeDebugPrivilege	2028	msiexec.exe
Token: SeTcbPrivilege	2028	msiexec.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2872	AcroRd32.exe
2872	AcroRd32.exe
2872	AcroRd32.exe
820	AcroRd32.exe
820	AcroRd32.exe
820	AcroRd32.exe
820	AcroRd32.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2988	2872	AcroRd32.exe	28
PID 2872 wrote to memory of 2988	2872	AcroRd32.exe	28
PID 2872 wrote to memory of 2988	2872	AcroRd32.exe	28
PID 2872 wrote to memory of 2988	2872	AcroRd32.exe	28
PID 2988 wrote to memory of 2820	2988	cscript.exe	30
PID 2988 wrote to memory of 2820	2988	cscript.exe	30
PID 2988 wrote to memory of 2820	2988	cscript.exe	30
PID 2988 wrote to memory of 2820	2988	cscript.exe	30
PID 2988 wrote to memory of 2720	2988	cscript.exe	31
PID 2988 wrote to memory of 2720	2988	cscript.exe	31
PID 2988 wrote to memory of 2720	2988	cscript.exe	31
PID 2988 wrote to memory of 2720	2988	cscript.exe	31
PID 2820 wrote to memory of 2480	2820	~temqp.tmp	32
PID 2820 wrote to memory of 2480	2820	~temqp.tmp	32
PID 2820 wrote to memory of 2480	2820	~temqp.tmp	32
PID 2820 wrote to memory of 2480	2820	~temqp.tmp	32
PID 2464 wrote to memory of 2496	2464	CamMute.exe	34
PID 2464 wrote to memory of 2496	2464	CamMute.exe	34
PID 2464 wrote to memory of 2496	2464	CamMute.exe	34
PID 2464 wrote to memory of 2496	2464	CamMute.exe	34
PID 2464 wrote to memory of 2496	2464	CamMute.exe	34
PID 2464 wrote to memory of 2496	2464	CamMute.exe	34
PID 2464 wrote to memory of 2496	2464	CamMute.exe	34
PID 2464 wrote to memory of 2496	2464	CamMute.exe	34
PID 2464 wrote to memory of 2496	2464	CamMute.exe	34
PID 2720 wrote to memory of 820	2720	cmd.exe	35
PID 2720 wrote to memory of 820	2720	cmd.exe	35
PID 2720 wrote to memory of 820	2720	cmd.exe	35
PID 2720 wrote to memory of 820	2720	cmd.exe	35
PID 2496 wrote to memory of 2028	2496	svchost.exe	36
PID 2496 wrote to memory of 2028	2496	svchost.exe	36
PID 2496 wrote to memory of 2028	2496	svchost.exe	36
PID 2496 wrote to memory of 2028	2496	svchost.exe	36
PID 2496 wrote to memory of 2028	2496	svchost.exe	36
PID 2496 wrote to memory of 2028	2496	svchost.exe	36
PID 2496 wrote to memory of 2028	2496	svchost.exe	36
PID 2496 wrote to memory of 2028	2496	svchost.exe	36
PID 2496 wrote to memory of 2028	2496	svchost.exe	36
PID 2496 wrote to memory of 2028	2496	svchost.exe	36
PID 2496 wrote to memory of 2028	2496	svchost.exe	36
PID 2496 wrote to memory of 2028	2496	svchost.exe	36

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\sample3.pdf"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp\Winword.js
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\~temqp.tmp
    ~temqp.tmp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe
      "C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe" 100 2820
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c Adobe.pdf
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Adobe.pdf"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:820

C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe
"C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 2496
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A9R19C9.tmp

Filesize
358B

MD5
c7102ce1c0c300b57997799dd492e511

SHA1
bb562efcd0342dc16e587306d4cbec4f6f8e0d36

SHA256
dc3a193f69cf78304dd2d30d9e46f590beb48c2c5d78a65ca0caefc0d2fe8dee

SHA512
c286832ad8bf69e16340b90842245cbad7d73cd746df2d67e4ae03a020c9ee0d70f4b7d2cadcb10f279638c7d620bd94decd31cab918d10ccc6816046b794e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe.pdf

Filesize
78KB

MD5
6123154c0ead8f7050e0865614f79671

SHA1
0f7db7be2a7d35db235773711ac7b30a8ac072a3

SHA256
8cfa1d6a3f07cc71ef995d41084565b506247f23df99f5924f83aaa9517d1215

SHA512
4d1e9e495cf904d965dd0f888f59985783e9474b0d63406696447cc3f034515e044051079a38d6085c0259ef4fa10d7489d0f368e912536dae6320a642609d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe

Filesize
56KB

MD5
4c8cdd74359dad73a2d499e5775b9bb9

SHA1
89fde2c26d2bdbc5592aa54c65fac51e3f6df631

SHA256
457b71d3effea8ec517277d17cf35a0b775103e549c0a779c81ba4eb125503ba

SHA512
3395cbc20b924d1ea5694180b67a4f410fbfa25e9d977334911a3c9ea93724c7cec763ea2c77444761b93d353888ee262021c7be0cb98918fd5e5044571552c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAM\CommFunc.dll

Filesize
40KB

MD5
6be2cf583a8d3187a04772aee4c05ab6

SHA1
d8ddeaf4a9c23bc05829bbb7b1738513bb1ac310

SHA256
b81c356b56b292b51b0e03ee2c69d96de2a3e0e6f6e7f6111119400a6c7ac14f

SHA512
b571ebda31070b5c48fca922e209712379dff14d32989d6acf664320b6c8ea1031e18a16903ac56e6909c93403467de4679bcc3989691ebf7bd11ece0ff1acfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAM\CommFunc.jax

Filesize
111KB

MD5
dc996c4855add1f655c899e9806c8b3e

SHA1
757c919328aae9f8dfe36293f2095da73a866e89

SHA256
a018fba9f923edf661a915311b72b25cd414f658b64e7f4272ca9622be049259

SHA512
fbea508af9ef82d519d7f94c7b40266c8f002afc31421c7e303b74e6853804061e7b571c501244cd0ace377245db9259fbf330738749ab67718a60a05c31b6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Winword.js

Filesize
446KB

MD5
19047595de7edc3550963ced15347ce1

SHA1
012695dfb871d0b72d5875faf9ac8c1ebac68952

SHA256
a6c2bbb4726b396adea3fabaf6ea9f86fa48bdce6cadeb9999679bd54b918c91

SHA512
71e243d64689ae900257ba57421d3daf88732376d557804665f1dc4f1899fbdd68a8f7d39f24795ec98896181483c3c73ef8f93a4ed3a6e57e1c6f434a817a36

Download Submit
\Users\Admin\AppData\Local\Temp\~temqp.tmp

Filesize
222KB

MD5
37bc5cdaf9b026e334edd6752e3cdb00

SHA1
ee7eb5b20e25aeb4456a360e50185f245a6cc065

SHA256
c9a42238d5b1815458031395ef99896cf96656c1016abbe91ca9b0449f1eea6b

SHA512
efec59fefba7095d91bcab3ad3c4e44e24634385179189335085f006fd5a0ed79e05831e4350555c8be19f8bcd2bb36d5a36d82841df53e047d7b9039262ddbf

Download Submit
memory/2028-111-0x00000000002B0000-0x00000000002DC000-memory.dmp

Filesize
176KB

Download
memory/2028-107-0x00000000002B0000-0x00000000002DC000-memory.dmp

Filesize
176KB

Download
memory/2028-104-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2028-103-0x00000000002B0000-0x00000000002DC000-memory.dmp

Filesize
176KB

Download
memory/2028-106-0x00000000002B0000-0x00000000002DC000-memory.dmp

Filesize
176KB

Download
memory/2464-40-0x00000000002E0000-0x000000000030C000-memory.dmp

Filesize
176KB

Download
memory/2464-52-0x00000000002E0000-0x000000000030C000-memory.dmp

Filesize
176KB

Download
memory/2480-28-0x0000000000260000-0x000000000028C000-memory.dmp

Filesize
176KB

Download
memory/2480-27-0x0000000000260000-0x000000000028C000-memory.dmp

Filesize
176KB

Download
memory/2480-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2480-26-0x0000000000420000-0x0000000000520000-memory.dmp

Filesize
1024KB

Download
memory/2480-61-0x0000000000260000-0x000000000028C000-memory.dmp

Filesize
176KB

Download
memory/2496-82-0x0000000000190000-0x00000000001BC000-memory.dmp

Filesize
176KB

Download
memory/2496-94-0x0000000000190000-0x00000000001BC000-memory.dmp

Filesize
176KB

Download
memory/2496-77-0x0000000000190000-0x00000000001BC000-memory.dmp

Filesize
176KB

Download
memory/2496-78-0x0000000000190000-0x00000000001BC000-memory.dmp

Filesize
176KB

Download
memory/2496-79-0x0000000000190000-0x00000000001BC000-memory.dmp

Filesize
176KB

Download
memory/2496-80-0x0000000000190000-0x00000000001BC000-memory.dmp

Filesize
176KB

Download
memory/2496-50-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2496-47-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/2496-46-0x00000000000A0000-0x00000000000BA000-memory.dmp

Filesize
104KB

Download
memory/2496-76-0x0000000000190000-0x00000000001BC000-memory.dmp

Filesize
176KB

Download
memory/2496-44-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2496-117-0x0000000000190000-0x00000000001BC000-memory.dmp

Filesize
176KB

Download
memory/2496-75-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2496-55-0x0000000000190000-0x00000000001BC000-memory.dmp

Filesize
176KB

Download
memory/2496-109-0x0000000000190000-0x00000000001BC000-memory.dmp

Filesize
176KB

Download
memory/2496-110-0x0000000000190000-0x00000000001BC000-memory.dmp

Filesize
176KB

Download
memory/2496-49-0x0000000000190000-0x00000000001BC000-memory.dmp

Filesize
176KB

Download
memory/2872-0-0x00000000031D0000-0x0000000003246000-memory.dmp

Filesize
472KB

Download