plugx | a6dbaab6da4004321c979abf0b0270f44f56f793ac47751ccbc2989e258aea24

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
03/04/2024, 10:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

sample3.pdf
Size

603KB
MD5

2b203ff7805a789f64ec614dee2a7e7b
SHA1

dfa47a1bacea6afc7e334a31ad53045338d29ec5
SHA256

a6dbaab6da4004321c979abf0b0270f44f56f793ac47751ccbc2989e258aea24
SHA512

263b79355f8541dabfd26b5e85bdf7e3423bab5081eb3c99131f5dad42cdde6eeed0d00b520bf7400a5ae86883a0270759cfa846ce71832d717ea2ccd2491257
SSDEEP

12288:dGROjjzZ2fNv33w32iaMLavQVXsEAop5tNIBUwlDq7p:GOjjzyNw2qLO6XstECFpq7p

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 21 IoCs

resource	yara_rule
behavioral1/memory/2652-26-0x0000000000260000-0x000000000028C000-memory.dmp	family_plugx
behavioral1/memory/2652-30-0x0000000000260000-0x000000000028C000-memory.dmp	family_plugx
behavioral1/memory/2416-48-0x0000000000450000-0x000000000047C000-memory.dmp	family_plugx
behavioral1/memory/2024-77-0x0000000000220000-0x000000000024C000-memory.dmp	family_plugx
behavioral1/memory/2024-82-0x0000000000220000-0x000000000024C000-memory.dmp	family_plugx
behavioral1/memory/2652-81-0x0000000000260000-0x000000000028C000-memory.dmp	family_plugx
behavioral1/memory/2024-79-0x0000000000220000-0x000000000024C000-memory.dmp	family_plugx
behavioral1/memory/2024-78-0x0000000000220000-0x000000000024C000-memory.dmp	family_plugx
behavioral1/memory/2024-73-0x0000000000220000-0x000000000024C000-memory.dmp	family_plugx
behavioral1/memory/2024-58-0x0000000000220000-0x000000000024C000-memory.dmp	family_plugx
behavioral1/memory/2024-61-0x0000000000220000-0x000000000024C000-memory.dmp	family_plugx
behavioral1/memory/2416-59-0x0000000000450000-0x000000000047C000-memory.dmp	family_plugx
behavioral1/memory/2024-83-0x0000000000220000-0x000000000024C000-memory.dmp	family_plugx
behavioral1/memory/2024-86-0x0000000000220000-0x000000000024C000-memory.dmp	family_plugx
behavioral1/memory/2024-91-0x0000000000220000-0x000000000024C000-memory.dmp	family_plugx
behavioral1/memory/844-102-0x00000000001E0000-0x000000000020C000-memory.dmp	family_plugx
behavioral1/memory/844-104-0x00000000001E0000-0x000000000020C000-memory.dmp	family_plugx
behavioral1/memory/844-106-0x00000000001E0000-0x000000000020C000-memory.dmp	family_plugx
behavioral1/memory/2024-107-0x0000000000220000-0x000000000024C000-memory.dmp	family_plugx
behavioral1/memory/2024-108-0x0000000000220000-0x000000000024C000-memory.dmp	family_plugx
behavioral1/memory/2024-114-0x0000000000220000-0x000000000024C000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
2632	~temqp.tmp
2652	CamMute.exe
2416	CamMute.exe

Loads dropped DLL 4 IoCs

pid	Process
3004	cscript.exe
2632	~temqp.tmp
2652	CamMute.exe
2416	CamMute.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-8d-16-2d-53-ba\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-8d-16-2d-53-ba\WpadDecisionTime = a0601b5bb385da01	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-8d-16-2d-53-ba\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-8d-16-2d-53-ba\WpadDecisionTime = 00c21d5bb385da01	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BE58B978-6C19-4DAC-97AA-1F12AF7C3E2F}\WpadDecisionTime = a0601b5bb385da01	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BE58B978-6C19-4DAC-97AA-1F12AF7C3E2F}\WpadDecision = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BE58B978-6C19-4DAC-97AA-1F12AF7C3E2F}\WpadDecisionReason = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-8d-16-2d-53-ba\WpadDetectedUrl	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BE58B978-6C19-4DAC-97AA-1F12AF7C3E2F}	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BE58B978-6C19-4DAC-97AA-1F12AF7C3E2F}\WpadDecisionTime = 00c21d5bb385da01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-8d-16-2d-53-ba	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BE58B978-6C19-4DAC-97AA-1F12AF7C3E2F}\e6-8d-16-2d-53-ba	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BE58B978-6C19-4DAC-97AA-1F12AF7C3E2F}\WpadNetworkName = "Network 3"	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 37003800310035003600410030004400440036004400340032003900450039000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2024	svchost.exe
2024	svchost.exe
2024	svchost.exe
2024	svchost.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
2024	svchost.exe
2024	svchost.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
2024	svchost.exe
2024	svchost.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
2024	svchost.exe
2024	svchost.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
2024	svchost.exe
2024	svchost.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
844	msiexec.exe
2024	svchost.exe
2024	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1420	AcroRd32.exe
2024	svchost.exe
844	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	CamMute.exe
Token: SeTcbPrivilege	2652	CamMute.exe
Token: SeDebugPrivilege	2416	CamMute.exe
Token: SeTcbPrivilege	2416	CamMute.exe
Token: SeDebugPrivilege	2024	svchost.exe
Token: SeTcbPrivilege	2024	svchost.exe
Token: SeDebugPrivilege	844	msiexec.exe
Token: SeTcbPrivilege	844	msiexec.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
840	AcroRd32.exe
840	AcroRd32.exe
840	AcroRd32.exe
1420	AcroRd32.exe
1420	AcroRd32.exe
1420	AcroRd32.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 3004	840	AcroRd32.exe	28
PID 840 wrote to memory of 3004	840	AcroRd32.exe	28
PID 840 wrote to memory of 3004	840	AcroRd32.exe	28
PID 840 wrote to memory of 3004	840	AcroRd32.exe	28
PID 3004 wrote to memory of 2632	3004	cscript.exe	30
PID 3004 wrote to memory of 2632	3004	cscript.exe	30
PID 3004 wrote to memory of 2632	3004	cscript.exe	30
PID 3004 wrote to memory of 2632	3004	cscript.exe	30
PID 3004 wrote to memory of 2532	3004	cscript.exe	31
PID 3004 wrote to memory of 2532	3004	cscript.exe	31
PID 3004 wrote to memory of 2532	3004	cscript.exe	31
PID 3004 wrote to memory of 2532	3004	cscript.exe	31
PID 2632 wrote to memory of 2652	2632	~temqp.tmp	32
PID 2632 wrote to memory of 2652	2632	~temqp.tmp	32
PID 2632 wrote to memory of 2652	2632	~temqp.tmp	32
PID 2632 wrote to memory of 2652	2632	~temqp.tmp	32
PID 2416 wrote to memory of 2024	2416	CamMute.exe	34
PID 2416 wrote to memory of 2024	2416	CamMute.exe	34
PID 2416 wrote to memory of 2024	2416	CamMute.exe	34
PID 2416 wrote to memory of 2024	2416	CamMute.exe	34
PID 2416 wrote to memory of 2024	2416	CamMute.exe	34
PID 2416 wrote to memory of 2024	2416	CamMute.exe	34
PID 2416 wrote to memory of 2024	2416	CamMute.exe	34
PID 2416 wrote to memory of 2024	2416	CamMute.exe	34
PID 2416 wrote to memory of 2024	2416	CamMute.exe	34
PID 2532 wrote to memory of 1420	2532	cmd.exe	35
PID 2532 wrote to memory of 1420	2532	cmd.exe	35
PID 2532 wrote to memory of 1420	2532	cmd.exe	35
PID 2532 wrote to memory of 1420	2532	cmd.exe	35
PID 2024 wrote to memory of 844	2024	svchost.exe	36
PID 2024 wrote to memory of 844	2024	svchost.exe	36
PID 2024 wrote to memory of 844	2024	svchost.exe	36
PID 2024 wrote to memory of 844	2024	svchost.exe	36
PID 2024 wrote to memory of 844	2024	svchost.exe	36
PID 2024 wrote to memory of 844	2024	svchost.exe	36
PID 2024 wrote to memory of 844	2024	svchost.exe	36
PID 2024 wrote to memory of 844	2024	svchost.exe	36
PID 2024 wrote to memory of 844	2024	svchost.exe	36
PID 2024 wrote to memory of 844	2024	svchost.exe	36
PID 2024 wrote to memory of 844	2024	svchost.exe	36
PID 2024 wrote to memory of 844	2024	svchost.exe	36

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\sample3.pdf"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\SysWOW64\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp\Winword.js
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\~temqp.tmp
    ~temqp.tmp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe
      "C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe" 100 2632
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c Adobe.pdf
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Adobe.pdf"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:1420

C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe
"C:\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 2024
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A9R13FF.tmp

Filesize
358B

MD5
8598af51454087cdb45aea5dee7af258

SHA1
0969dc917f0c74523fb73de1eba02181baeb2021

SHA256
6417c5a24a484b9b10886bf03dc2c7d037dd5798b43b24dd6607662fd6cd515c

SHA512
9f2c5fba936b04527331c430269d34b78e56204fa176cb6c0eb537fcffdd036f45baa1cc503ad1f621f32b579536e0cdceae9866e98af1f241b5f021422e987a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe.pdf

Filesize
78KB

MD5
6123154c0ead8f7050e0865614f79671

SHA1
0f7db7be2a7d35db235773711ac7b30a8ac072a3

SHA256
8cfa1d6a3f07cc71ef995d41084565b506247f23df99f5924f83aaa9517d1215

SHA512
4d1e9e495cf904d965dd0f888f59985783e9474b0d63406696447cc3f034515e044051079a38d6085c0259ef4fa10d7489d0f368e912536dae6320a642609d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAM\CommFunc.dll

Filesize
40KB

MD5
6be2cf583a8d3187a04772aee4c05ab6

SHA1
d8ddeaf4a9c23bc05829bbb7b1738513bb1ac310

SHA256
b81c356b56b292b51b0e03ee2c69d96de2a3e0e6f6e7f6111119400a6c7ac14f

SHA512
b571ebda31070b5c48fca922e209712379dff14d32989d6acf664320b6c8ea1031e18a16903ac56e6909c93403467de4679bcc3989691ebf7bd11ece0ff1acfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAM\CommFunc.jax

Filesize
111KB

MD5
dc996c4855add1f655c899e9806c8b3e

SHA1
757c919328aae9f8dfe36293f2095da73a866e89

SHA256
a018fba9f923edf661a915311b72b25cd414f658b64e7f4272ca9622be049259

SHA512
fbea508af9ef82d519d7f94c7b40266c8f002afc31421c7e303b74e6853804061e7b571c501244cd0ace377245db9259fbf330738749ab67718a60a05c31b6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Winword.js

Filesize
446KB

MD5
19047595de7edc3550963ced15347ce1

SHA1
012695dfb871d0b72d5875faf9ac8c1ebac68952

SHA256
a6c2bbb4726b396adea3fabaf6ea9f86fa48bdce6cadeb9999679bd54b918c91

SHA512
71e243d64689ae900257ba57421d3daf88732376d557804665f1dc4f1899fbdd68a8f7d39f24795ec98896181483c3c73ef8f93a4ed3a6e57e1c6f434a817a36

Download Submit
\Users\Admin\AppData\Local\Temp\CAM\CamMute.exe

Filesize
56KB

MD5
4c8cdd74359dad73a2d499e5775b9bb9

SHA1
89fde2c26d2bdbc5592aa54c65fac51e3f6df631

SHA256
457b71d3effea8ec517277d17cf35a0b775103e549c0a779c81ba4eb125503ba

SHA512
3395cbc20b924d1ea5694180b67a4f410fbfa25e9d977334911a3c9ea93724c7cec763ea2c77444761b93d353888ee262021c7be0cb98918fd5e5044571552c8

Download Submit
\Users\Admin\AppData\Local\Temp\~temqp.tmp

Filesize
222KB

MD5
37bc5cdaf9b026e334edd6752e3cdb00

SHA1
ee7eb5b20e25aeb4456a360e50185f245a6cc065

SHA256
c9a42238d5b1815458031395ef99896cf96656c1016abbe91ca9b0449f1eea6b

SHA512
efec59fefba7095d91bcab3ad3c4e44e24634385179189335085f006fd5a0ed79e05831e4350555c8be19f8bcd2bb36d5a36d82841df53e047d7b9039262ddbf

Download Submit
memory/840-0-0x0000000003920000-0x0000000003996000-memory.dmp

Filesize
472KB

Download
memory/844-106-0x00000000001E0000-0x000000000020C000-memory.dmp

Filesize
176KB

Download
memory/844-104-0x00000000001E0000-0x000000000020C000-memory.dmp

Filesize
176KB

Download
memory/844-103-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/844-102-0x00000000001E0000-0x000000000020C000-memory.dmp

Filesize
176KB

Download
memory/2024-86-0x0000000000220000-0x000000000024C000-memory.dmp

Filesize
176KB

Download
memory/2024-83-0x0000000000220000-0x000000000024C000-memory.dmp

Filesize
176KB

Download
memory/2024-77-0x0000000000220000-0x000000000024C000-memory.dmp

Filesize
176KB

Download
memory/2024-82-0x0000000000220000-0x000000000024C000-memory.dmp

Filesize
176KB

Download
memory/2024-114-0x0000000000220000-0x000000000024C000-memory.dmp

Filesize
176KB

Download
memory/2024-79-0x0000000000220000-0x000000000024C000-memory.dmp

Filesize
176KB

Download
memory/2024-78-0x0000000000220000-0x000000000024C000-memory.dmp

Filesize
176KB

Download
memory/2024-73-0x0000000000220000-0x000000000024C000-memory.dmp

Filesize
176KB

Download
memory/2024-72-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2024-58-0x0000000000220000-0x000000000024C000-memory.dmp

Filesize
176KB

Download
memory/2024-61-0x0000000000220000-0x000000000024C000-memory.dmp

Filesize
176KB

Download
memory/2024-60-0x0000000000450000-0x000000000047C000-memory.dmp

Filesize
176KB

Download
memory/2024-108-0x0000000000220000-0x000000000024C000-memory.dmp

Filesize
176KB

Download
memory/2024-57-0x0000000000100000-0x0000000000102000-memory.dmp

Filesize
8KB

Download
memory/2024-56-0x00000000000E0000-0x00000000000FA000-memory.dmp

Filesize
104KB

Download
memory/2024-53-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2024-107-0x0000000000220000-0x000000000024C000-memory.dmp

Filesize
176KB

Download
memory/2024-91-0x0000000000220000-0x000000000024C000-memory.dmp

Filesize
176KB

Download
memory/2416-48-0x0000000000450000-0x000000000047C000-memory.dmp

Filesize
176KB

Download
memory/2416-59-0x0000000000450000-0x000000000047C000-memory.dmp

Filesize
176KB

Download
memory/2652-30-0x0000000000260000-0x000000000028C000-memory.dmp

Filesize
176KB

Download
memory/2652-28-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/2652-26-0x0000000000260000-0x000000000028C000-memory.dmp

Filesize
176KB

Download
memory/2652-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2652-81-0x0000000000260000-0x000000000028C000-memory.dmp

Filesize
176KB

Download