plugx | 354fed4072f0c12b9a7e40f48feb32c043481d0a87fbff599ce36fd2e323d379

Analysis

max time kernel
155s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

354fed4072f0c12b9a7e40f48feb32c043481d0a87fbff599ce36fd2e323d379.exe
Size

697KB
MD5

3523aba425931e1afbe4864ae714beb1
SHA1

38e49f28a2f36eb1346eec18083c6a6b3e7ab4d7
SHA256

354fed4072f0c12b9a7e40f48feb32c043481d0a87fbff599ce36fd2e323d379
SHA512

973a8a551c38d7efc5f3d21ae0d34b053f8330cec858814d06384b9a7bc12ef1e97fb3d4ce0bd638ab79e0c1f297af61a430c5f1ab81666127abd8d331c069dc
SSDEEP

12288:YUomEFRu3xEPE6WB0G+tUfeyr0AgMw3GPWyf50YiYjnpYzQxANbx6t5:YmOMSPE6xGMVy47Iv5036YzQgd+5

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 23 IoCs

resource	yara_rule
behavioral2/memory/1732-26-0x00000000007D0000-0x0000000000805000-memory.dmp	family_plugx
behavioral2/memory/1732-20-0x00000000007D0000-0x0000000000805000-memory.dmp	family_plugx
behavioral2/memory/2976-41-0x00000000007B0000-0x00000000007E5000-memory.dmp	family_plugx
behavioral2/memory/460-45-0x0000000000DB0000-0x0000000000DE5000-memory.dmp	family_plugx
behavioral2/memory/460-46-0x0000000000DB0000-0x0000000000DE5000-memory.dmp	family_plugx
behavioral2/memory/1332-49-0x0000000000BB0000-0x0000000000BE5000-memory.dmp	family_plugx
behavioral2/memory/1332-50-0x0000000000BB0000-0x0000000000BE5000-memory.dmp	family_plugx
behavioral2/memory/1332-48-0x0000000000BB0000-0x0000000000BE5000-memory.dmp	family_plugx
behavioral2/memory/1332-65-0x0000000000BB0000-0x0000000000BE5000-memory.dmp	family_plugx
behavioral2/memory/1332-66-0x0000000000BB0000-0x0000000000BE5000-memory.dmp	family_plugx
behavioral2/memory/1332-67-0x0000000000BB0000-0x0000000000BE5000-memory.dmp	family_plugx
behavioral2/memory/1332-69-0x0000000000BB0000-0x0000000000BE5000-memory.dmp	family_plugx
behavioral2/memory/1332-70-0x0000000000BB0000-0x0000000000BE5000-memory.dmp	family_plugx
behavioral2/memory/1332-71-0x0000000000BB0000-0x0000000000BE5000-memory.dmp	family_plugx
behavioral2/memory/1332-72-0x0000000000BB0000-0x0000000000BE5000-memory.dmp	family_plugx
behavioral2/memory/2976-75-0x00000000007B0000-0x00000000007E5000-memory.dmp	family_plugx
behavioral2/memory/3352-77-0x0000000002930000-0x0000000002965000-memory.dmp	family_plugx
behavioral2/memory/3352-79-0x0000000002930000-0x0000000002965000-memory.dmp	family_plugx
behavioral2/memory/3352-81-0x0000000002930000-0x0000000002965000-memory.dmp	family_plugx
behavioral2/memory/3352-82-0x0000000002930000-0x0000000002965000-memory.dmp	family_plugx
behavioral2/memory/3352-83-0x0000000002930000-0x0000000002965000-memory.dmp	family_plugx
behavioral2/memory/1332-85-0x0000000000BB0000-0x0000000000BE5000-memory.dmp	family_plugx
behavioral2/memory/3352-86-0x0000000002930000-0x0000000002965000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	354fed4072f0c12b9a7e40f48feb32c043481d0a87fbff599ce36fd2e323d379.exe

Executes dropped EXE 3 IoCs

pid	Process
1732	adb.exe
2976	adb.exe
460	adb.exe

Loads dropped DLL 3 IoCs

pid	Process
1732	adb.exe
2976	adb.exe
460	adb.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	103.43.18.220

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 30004200420038004100410031004300320030004500320030004100420046000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1332	svchost.exe
1332	svchost.exe
1332	svchost.exe
1332	svchost.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
1332	svchost.exe
1332	svchost.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
1332	svchost.exe
1332	svchost.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
1332	svchost.exe
1332	svchost.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
1332	svchost.exe
1332	svchost.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
3352	msiexec.exe
1332	svchost.exe
1332	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1332	svchost.exe
3352	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	adb.exe
Token: SeTcbPrivilege	1732	adb.exe
Token: SeDebugPrivilege	2976	adb.exe
Token: SeTcbPrivilege	2976	adb.exe
Token: SeDebugPrivilege	460	adb.exe
Token: SeTcbPrivilege	460	adb.exe
Token: SeDebugPrivilege	1332	svchost.exe
Token: SeTcbPrivilege	1332	svchost.exe
Token: SeDebugPrivilege	3352	msiexec.exe
Token: SeTcbPrivilege	3352	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 1732	3464	354fed4072f0c12b9a7e40f48feb32c043481d0a87fbff599ce36fd2e323d379.exe	96
PID 3464 wrote to memory of 1732	3464	354fed4072f0c12b9a7e40f48feb32c043481d0a87fbff599ce36fd2e323d379.exe	96
PID 3464 wrote to memory of 1732	3464	354fed4072f0c12b9a7e40f48feb32c043481d0a87fbff599ce36fd2e323d379.exe	96
PID 460 wrote to memory of 1332	460	adb.exe	103
PID 460 wrote to memory of 1332	460	adb.exe	103
PID 460 wrote to memory of 1332	460	adb.exe	103
PID 460 wrote to memory of 1332	460	adb.exe	103
PID 460 wrote to memory of 1332	460	adb.exe	103
PID 460 wrote to memory of 1332	460	adb.exe	103
PID 460 wrote to memory of 1332	460	adb.exe	103
PID 460 wrote to memory of 1332	460	adb.exe	103
PID 1332 wrote to memory of 3352	1332	svchost.exe	108
PID 1332 wrote to memory of 3352	1332	svchost.exe	108
PID 1332 wrote to memory of 3352	1332	svchost.exe	108
PID 1332 wrote to memory of 3352	1332	svchost.exe	108
PID 1332 wrote to memory of 3352	1332	svchost.exe	108
PID 1332 wrote to memory of 3352	1332	svchost.exe	108
PID 1332 wrote to memory of 3352	1332	svchost.exe	108
PID 1332 wrote to memory of 3352	1332	svchost.exe	108

C:\Users\Admin\AppData\Local\Temp\354fed4072f0c12b9a7e40f48feb32c043481d0a87fbff599ce36fd2e323d379.exe
"C:\Users\Admin\AppData\Local\Temp\354fed4072f0c12b9a7e40f48feb32c043481d0a87fbff599ce36fd2e323d379.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Users\Admin\AppData\Local\Temp\adb.exe
  "C:\Users\Admin\AppData\Local\Temp\adb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1732

C:\ProgramData\adb\adb.exe
"C:\ProgramData\adb\adb.exe" 100 1732
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\ProgramData\adb\adb.exe
"C:\ProgramData\adb\adb.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:460
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 1332
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AdbWinApi.dat

Filesize
148KB

MD5
cbcc0845497ddd773399e0f095539a4c

SHA1
6c878e4ee18d14b94a3214bdd283b221a1981877

SHA256
88045766007380b99fa7874c633d66bcb17d3314b6145ad5f8d8216e8e24b375

SHA512
e9a237e1ed9a53ce52c52ed40c43073430bc54b36996c53a90ab7524c0e3a3c9d8fa403b4f0ee52997f19d4d720f7d9db8efa7e988ca53efc221573a05a8e38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdbWinApi.dll

Filesize
33KB

MD5
114d0cdadcbdec8c6baa9af0a869700a

SHA1
a794329bac18d02b891b0e24ec73d88da4fe3404

SHA256
9217518710b77766d9dc3397c3ce9bd88734c71c8b80a2dd1e9ed1312efacd9c

SHA512
edab7b4ee16d7e8797d297c6e3add9b2b685b732d51a9c1b3994f8cf21c285fb3a2198d02536168d2153711eb4ed925ad602459c70def4c5c7cbff5ec12d6a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\adb.exe

Filesize
804KB

MD5
790fb1184a3ed8e475263daa54f98469

SHA1
37a60f670a4f3c68a4872ec2e95c0be2bd130dae

SHA256
ef4c7f4c417c18cd3394dd81ccd94381af252e0af81b0ad89b7e6d81412f4706

SHA512
66a2325c59a7fdacd049f43b528224682245c2705f10c50a907b6454d5755522b9d9d07046426d42db8c324ba95adbde1de087e31a0fb21b635c1dc4ca25a4f8

Download Submit
memory/460-45-0x0000000000DB0000-0x0000000000DE5000-memory.dmp

Filesize
212KB

Download
memory/460-57-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/460-46-0x0000000000DB0000-0x0000000000DE5000-memory.dmp

Filesize
212KB

Download
memory/1332-67-0x0000000000BB0000-0x0000000000BE5000-memory.dmp

Filesize
212KB

Download
memory/1332-69-0x0000000000BB0000-0x0000000000BE5000-memory.dmp

Filesize
212KB

Download
memory/1332-85-0x0000000000BB0000-0x0000000000BE5000-memory.dmp

Filesize
212KB

Download
memory/1332-47-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1332-49-0x0000000000BB0000-0x0000000000BE5000-memory.dmp

Filesize
212KB

Download
memory/1332-50-0x0000000000BB0000-0x0000000000BE5000-memory.dmp

Filesize
212KB

Download
memory/1332-48-0x0000000000BB0000-0x0000000000BE5000-memory.dmp

Filesize
212KB

Download
memory/1332-72-0x0000000000BB0000-0x0000000000BE5000-memory.dmp

Filesize
212KB

Download
memory/1332-65-0x0000000000BB0000-0x0000000000BE5000-memory.dmp

Filesize
212KB

Download
memory/1332-66-0x0000000000BB0000-0x0000000000BE5000-memory.dmp

Filesize
212KB

Download
memory/1332-71-0x0000000000BB0000-0x0000000000BE5000-memory.dmp

Filesize
212KB

Download
memory/1332-70-0x0000000000BB0000-0x0000000000BE5000-memory.dmp

Filesize
212KB

Download
memory/1332-63-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1732-26-0x00000000007D0000-0x0000000000805000-memory.dmp

Filesize
212KB

Download
memory/1732-64-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1732-19-0x0000000000940000-0x0000000000A40000-memory.dmp

Filesize
1024KB

Download
memory/1732-20-0x00000000007D0000-0x0000000000805000-memory.dmp

Filesize
212KB

Download
memory/2976-41-0x00000000007B0000-0x00000000007E5000-memory.dmp

Filesize
212KB

Download
memory/2976-76-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2976-75-0x00000000007B0000-0x00000000007E5000-memory.dmp

Filesize
212KB

Download
memory/3352-77-0x0000000002930000-0x0000000002965000-memory.dmp

Filesize
212KB

Download
memory/3352-79-0x0000000002930000-0x0000000002965000-memory.dmp

Filesize
212KB

Download
memory/3352-80-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/3352-81-0x0000000002930000-0x0000000002965000-memory.dmp

Filesize
212KB

Download
memory/3352-82-0x0000000002930000-0x0000000002965000-memory.dmp

Filesize
212KB

Download
memory/3352-83-0x0000000002930000-0x0000000002965000-memory.dmp

Filesize
212KB

Download
memory/3352-78-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/3352-86-0x0000000002930000-0x0000000002965000-memory.dmp

Filesize
212KB

Download