plugx | 76d008d9955509d3db6e190acfa58fdf12fc64253884ac6981187a3e5ffdeb20

General

Target

update/USOPrivate.exe
Size

760KB
MD5

10866465a9b0c56af2cd093b80cdbc9f
SHA1

fc77be3e68a79b597ffed1b307d1b447787e7995
SHA256

9831526e475a4ed0d149bec15f69193a48249c3cda1ddb2f2140292afd862cfa
SHA512

975c0c3abe71d29a1391bc9a258df9560466f40764ff6dd8b06db5234d45a6c12f27c77bd26409fda051de598cdc0087afd847e46818553c5ed3eff53cfe2091
SSDEEP

6144:c3PgKtEhPIPe16jzM66rBghPlNoVh5j9mmNpMHGIygduNrnoh/WOHI0jVjSjztx/:eIA4PIPoQMFgDNg/jMmLohW70Rj+ztp

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 24 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2688-2-0x0000000001DA0000-0x0000000001DDC000-memory.dmp	family_plugx
behavioral1/memory/2560-23-0x0000000001E70000-0x0000000001EAC000-memory.dmp	family_plugx
behavioral1/memory/2560-24-0x0000000001E70000-0x0000000001EAC000-memory.dmp	family_plugx
behavioral1/memory/2504-29-0x0000000001BD0000-0x0000000001C0C000-memory.dmp	family_plugx
behavioral1/memory/2444-35-0x0000000000480000-0x00000000004BC000-memory.dmp	family_plugx
behavioral1/memory/2444-37-0x0000000000480000-0x00000000004BC000-memory.dmp	family_plugx
behavioral1/memory/2444-36-0x0000000000480000-0x00000000004BC000-memory.dmp	family_plugx
behavioral1/memory/2504-38-0x0000000001BD0000-0x0000000001C0C000-memory.dmp	family_plugx
behavioral1/memory/2688-44-0x0000000001DA0000-0x0000000001DDC000-memory.dmp	family_plugx
behavioral1/memory/2444-50-0x0000000000480000-0x00000000004BC000-memory.dmp	family_plugx
behavioral1/memory/2444-51-0x0000000000480000-0x00000000004BC000-memory.dmp	family_plugx
behavioral1/memory/2444-52-0x0000000000480000-0x00000000004BC000-memory.dmp	family_plugx
behavioral1/memory/2444-53-0x0000000000480000-0x00000000004BC000-memory.dmp	family_plugx
behavioral1/memory/2444-55-0x0000000000480000-0x00000000004BC000-memory.dmp	family_plugx
behavioral1/memory/2444-54-0x0000000000480000-0x00000000004BC000-memory.dmp	family_plugx
behavioral1/memory/2444-56-0x0000000000480000-0x00000000004BC000-memory.dmp	family_plugx
behavioral1/memory/2444-58-0x0000000000480000-0x00000000004BC000-memory.dmp	family_plugx
behavioral1/memory/2560-59-0x0000000001E70000-0x0000000001EAC000-memory.dmp	family_plugx
behavioral1/memory/2828-70-0x0000000000290000-0x00000000002CC000-memory.dmp	family_plugx
behavioral1/memory/2828-73-0x0000000000290000-0x00000000002CC000-memory.dmp	family_plugx
behavioral1/memory/2828-74-0x0000000000290000-0x00000000002CC000-memory.dmp	family_plugx
behavioral1/memory/2828-75-0x0000000000290000-0x00000000002CC000-memory.dmp	family_plugx
behavioral1/memory/2444-76-0x0000000000480000-0x00000000004BC000-memory.dmp	family_plugx
behavioral1/memory/2828-77-0x0000000000290000-0x00000000002CC000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	103.56.18.101
Destination IP	103.56.18.101
Destination IP	103.56.18.101
Destination IP	103.56.18.101
Destination IP	123.111.231.1

Deletes itself 1 IoCs

Processes:

USOPrivate.exe

pid process

2560 USOPrivate.exe
Executes dropped EXE 2 IoCs

Processes:

USOPrivate.exeUSOPrivate.exe

pid process

2560 USOPrivate.exe
2504 USOPrivate.exe
Loads dropped DLL 3 IoCs

Processes:

USOPrivate.exeUSOPrivate.exe

pid process

2604
2560 USOPrivate.exe
2504 USOPrivate.exe

pid	process
2560	USOPrivate.exe

pid	process
2560	USOPrivate.exe
2504	USOPrivate.exe

pid	process
2604
2560	USOPrivate.exe
2504	USOPrivate.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 35003100450036004300460031003900430035003000340041004400420046000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

USOPrivate.exeUSOPrivate.exeUSOPrivate.exesvchost.exemsiexec.exe

pid	process
2688	USOPrivate.exe
2688	USOPrivate.exe
2560	USOPrivate.exe
2560	USOPrivate.exe
2504	USOPrivate.exe
2504	USOPrivate.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2444	svchost.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2444	svchost.exe
2444	svchost.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2444	svchost.exe
2444	svchost.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2444	svchost.exe
2444	svchost.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2444	svchost.exe
2444	svchost.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe
2828	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exemsiexec.exe

pid process

2444 svchost.exe
2828 msiexec.exe

pid	process
2444	svchost.exe
2828	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

USOPrivate.exeUSOPrivate.exeUSOPrivate.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	2688	USOPrivate.exe
Token: SeTcbPrivilege	2688	USOPrivate.exe
Token: SeDebugPrivilege	2560	USOPrivate.exe
Token: SeTcbPrivilege	2560	USOPrivate.exe
Token: SeDebugPrivilege	2504	USOPrivate.exe
Token: SeTcbPrivilege	2504	USOPrivate.exe
Token: SeDebugPrivilege	2444	svchost.exe
Token: SeTcbPrivilege	2444	svchost.exe
Token: SeDebugPrivilege	2828	msiexec.exe
Token: SeTcbPrivilege	2828	msiexec.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

USOPrivate.exesvchost.exe

description	pid	process	target process
PID 2504 wrote to memory of 2444	2504	USOPrivate.exe	svchost.exe
PID 2504 wrote to memory of 2444	2504	USOPrivate.exe	svchost.exe
PID 2504 wrote to memory of 2444	2504	USOPrivate.exe	svchost.exe
PID 2504 wrote to memory of 2444	2504	USOPrivate.exe	svchost.exe
PID 2504 wrote to memory of 2444	2504	USOPrivate.exe	svchost.exe
PID 2504 wrote to memory of 2444	2504	USOPrivate.exe	svchost.exe
PID 2504 wrote to memory of 2444	2504	USOPrivate.exe	svchost.exe
PID 2504 wrote to memory of 2444	2504	USOPrivate.exe	svchost.exe
PID 2444 wrote to memory of 2828	2444	svchost.exe	msiexec.exe
PID 2444 wrote to memory of 2828	2444	svchost.exe	msiexec.exe
PID 2444 wrote to memory of 2828	2444	svchost.exe	msiexec.exe
PID 2444 wrote to memory of 2828	2444	svchost.exe	msiexec.exe
PID 2444 wrote to memory of 2828	2444	svchost.exe	msiexec.exe
PID 2444 wrote to memory of 2828	2444	svchost.exe	msiexec.exe
PID 2444 wrote to memory of 2828	2444	svchost.exe	msiexec.exe
PID 2444 wrote to memory of 2828	2444	svchost.exe	msiexec.exe
PID 2444 wrote to memory of 2828	2444	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe
"C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\ProgramData\Bitdefender\update\USOPrivate.exe
"C:\ProgramData\Bitdefender\update\USOPrivate.exe" 100 2688
1⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\ProgramData\Bitdefender\update\USOPrivate.exe
"C:\ProgramData\Bitdefender\update\USOPrivate.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 2444
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Bitdefender\update\USOPrivate.dat

Filesize
154KB

MD5
1eb44d7ec4d7d2a13a81d7542ef6bc2b

SHA1
f35d30962790b99cc29d38ccf6e9e66c82e5aa80

SHA256
bdba1d2043bd89693895c079d57d2494a02d435eae2981bc20bd3b92e9c8dece

SHA512
9a570ced024157613d01ed30293b21b81155401790a160dd42446ad15119c6b2da4362435f39ffba404b266a7831bfb955edbf42412987769c2405655471e97c

Download Submit
C:\ProgramData\Bitdefender\update\log.dll

Filesize
54KB

MD5
2a747a6201189e133c18ae24e44476f3

SHA1
002be31d69cf30bc8a8e2ed51c038a5bdfd88141

SHA256
0cc36dd25e099cc6f1798dabe1d6a3e2d8c3883aa0e0d7296e94d035cdb74f3c

SHA512
36080f7595b6a1c05ecce348a75adbac4cdf8ccc441a724e3aa50130c62cd74d3948dabf8343b95cd90043f569b7f301f94102626942e9c0080133c486a830b3

Download Submit
\ProgramData\Bitdefender\update\USOPrivate.exe

Filesize
760KB

MD5
10866465a9b0c56af2cd093b80cdbc9f

SHA1
fc77be3e68a79b597ffed1b307d1b447787e7995

SHA256
9831526e475a4ed0d149bec15f69193a48249c3cda1ddb2f2140292afd862cfa

SHA512
975c0c3abe71d29a1391bc9a258df9560466f40764ff6dd8b06db5234d45a6c12f27c77bd26409fda051de598cdc0087afd847e46818553c5ed3eff53cfe2091

Download Submit
memory/2444-30-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2444-33-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2444-76-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/2444-56-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/2444-54-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/2444-55-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/2444-53-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/2444-50-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/2444-32-0x0000000000080000-0x00000000000A5000-memory.dmp

Filesize
148KB

Download
memory/2444-58-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/2444-34-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2444-35-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/2444-37-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/2444-36-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/2444-52-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/2444-51-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/2444-49-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2504-29-0x0000000001BD0000-0x0000000001C0C000-memory.dmp

Filesize
240KB

Download
memory/2504-38-0x0000000001BD0000-0x0000000001C0C000-memory.dmp

Filesize
240KB

Download
memory/2560-24-0x0000000001E70000-0x0000000001EAC000-memory.dmp

Filesize
240KB

Download
memory/2560-23-0x0000000001E70000-0x0000000001EAC000-memory.dmp

Filesize
240KB

Download
memory/2560-21-0x0000000077090000-0x0000000077091000-memory.dmp

Filesize
4KB

Download
memory/2560-59-0x0000000001E70000-0x0000000001EAC000-memory.dmp

Filesize
240KB

Download
memory/2688-1-0x0000000077090000-0x0000000077091000-memory.dmp

Filesize
4KB

Download
memory/2688-0-0x0000000001C20000-0x0000000001D20000-memory.dmp

Filesize
1024KB

Download
memory/2688-2-0x0000000001DA0000-0x0000000001DDC000-memory.dmp

Filesize
240KB

Download
memory/2688-44-0x0000000001DA0000-0x0000000001DDC000-memory.dmp

Filesize
240KB

Download
memory/2828-68-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2828-72-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2828-73-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/2828-74-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/2828-75-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/2828-70-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/2828-77-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads