plugx | 5ead238621bef7cc4c4f58ac5eb614dd16acbcfd30c75169ff5f16d7905243a5

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ead238621bef7cc4c4f58ac5eb614dd16acbcfd30c75169ff5f16d7905243a5.exe
Size

491KB
MD5

e7f3d45d4e51176150f58d4b885e01e4
SHA1

f8141b3f21e3f9f354eb960b841050cc2aabe03d
SHA256

5ead238621bef7cc4c4f58ac5eb614dd16acbcfd30c75169ff5f16d7905243a5
SHA512

63e87fc692ded07fc5f304813cc046ec8ac45958ca2254f1064e4cae0e03d4db4d4c6b5373f69b8b5075286d2206e10b30b05dad61cc15e64e18795d1d707174
SSDEEP

12288:ZGqN/XdctpVtkYoAcoDDpY1sbF7A0Lxjulj/:PNcBtkjAcoMs5kUylj/

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 22 IoCs

resource	yara_rule
behavioral2/memory/2348-19-0x0000000002F10000-0x0000000002F47000-memory.dmp	family_plugx
behavioral2/memory/2348-20-0x0000000002F10000-0x0000000002F47000-memory.dmp	family_plugx
behavioral2/memory/4896-39-0x00000000010F0000-0x0000000001127000-memory.dmp	family_plugx
behavioral2/memory/4896-40-0x00000000010F0000-0x0000000001127000-memory.dmp	family_plugx
behavioral2/memory/2956-44-0x0000000001260000-0x0000000001297000-memory.dmp	family_plugx
behavioral2/memory/2956-45-0x0000000001260000-0x0000000001297000-memory.dmp	family_plugx
behavioral2/memory/988-48-0x0000000001710000-0x0000000001747000-memory.dmp	family_plugx
behavioral2/memory/988-49-0x0000000001710000-0x0000000001747000-memory.dmp	family_plugx
behavioral2/memory/2956-51-0x0000000001260000-0x0000000001297000-memory.dmp	family_plugx
behavioral2/memory/2348-53-0x0000000002F10000-0x0000000002F47000-memory.dmp	family_plugx
behavioral2/memory/988-62-0x0000000001710000-0x0000000001747000-memory.dmp	family_plugx
behavioral2/memory/988-63-0x0000000001710000-0x0000000001747000-memory.dmp	family_plugx
behavioral2/memory/988-64-0x0000000001710000-0x0000000001747000-memory.dmp	family_plugx
behavioral2/memory/988-65-0x0000000001710000-0x0000000001747000-memory.dmp	family_plugx
behavioral2/memory/988-68-0x0000000001710000-0x0000000001747000-memory.dmp	family_plugx
behavioral2/memory/988-69-0x0000000001710000-0x0000000001747000-memory.dmp	family_plugx
behavioral2/memory/988-71-0x0000000001710000-0x0000000001747000-memory.dmp	family_plugx
behavioral2/memory/988-72-0x0000000001710000-0x0000000001747000-memory.dmp	family_plugx
behavioral2/memory/4896-80-0x00000000010F0000-0x0000000001127000-memory.dmp	family_plugx
behavioral2/memory/4388-219-0x0000000001560000-0x0000000001597000-memory.dmp	family_plugx
behavioral2/memory/988-556-0x0000000001710000-0x0000000001747000-memory.dmp	family_plugx
behavioral2/memory/4388-889-0x0000000001560000-0x0000000001597000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	5ead238621bef7cc4c4f58ac5eb614dd16acbcfd30c75169ff5f16d7905243a5.exe

Deletes itself 1 IoCs

pid	Process
2348	Layer.exe

Executes dropped EXE 3 IoCs

pid	Process
2348	Layer.exe
4896	Layer.exe
2956	Layer.exe

Loads dropped DLL 3 IoCs

pid	Process
2348	Layer.exe
4896	Layer.exe
2956	Layer.exe

Unexpected DNS network traffic destination 12 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	205.252.144.228
Destination IP	205.252.144.228
Destination IP	61.139.2.69
Destination IP	61.139.2.69
Destination IP	202.98.96.68
Destination IP	61.139.2.69
Destination IP	202.98.96.68
Destination IP	205.252.144.228
Destination IP	205.252.144.228
Destination IP	202.98.96.68
Destination IP	202.98.96.68
Destination IP	61.139.2.69

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 32004100370041003400310039003200410036003100300037004100410032000000	svchost.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
988	svchost.exe
4388	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2348	Layer.exe
2348	Layer.exe
2348	Layer.exe
2348	Layer.exe
4896	Layer.exe
4896	Layer.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe
4388	msiexec.exe
4388	msiexec.exe
988	svchost.exe
988	svchost.exe
4388	msiexec.exe
4388	msiexec.exe
988	svchost.exe
988	svchost.exe
4388	msiexec.exe
4388	msiexec.exe
988	svchost.exe
988	svchost.exe
4388	msiexec.exe
4388	msiexec.exe
988	svchost.exe
988	svchost.exe
4388	msiexec.exe
4388	msiexec.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe
4388	msiexec.exe
4388	msiexec.exe
988	svchost.exe
988	svchost.exe
4388	msiexec.exe
4388	msiexec.exe
988	svchost.exe
988	svchost.exe
4388	msiexec.exe
4388	msiexec.exe
988	svchost.exe
988	svchost.exe
4388	msiexec.exe
4388	msiexec.exe
988	svchost.exe
988	svchost.exe
4388	msiexec.exe
4388	msiexec.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe
988	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
988	svchost.exe
4388	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	Layer.exe
Token: SeTcbPrivilege	2348	Layer.exe
Token: SeDebugPrivilege	4896	Layer.exe
Token: SeTcbPrivilege	4896	Layer.exe
Token: SeDebugPrivilege	2956	Layer.exe
Token: SeTcbPrivilege	2956	Layer.exe
Token: SeDebugPrivilege	988	svchost.exe
Token: SeTcbPrivilege	988	svchost.exe
Token: SeDebugPrivilege	4388	msiexec.exe
Token: SeTcbPrivilege	4388	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2348	2272	5ead238621bef7cc4c4f58ac5eb614dd16acbcfd30c75169ff5f16d7905243a5.exe	87
PID 2272 wrote to memory of 2348	2272	5ead238621bef7cc4c4f58ac5eb614dd16acbcfd30c75169ff5f16d7905243a5.exe	87
PID 2272 wrote to memory of 2348	2272	5ead238621bef7cc4c4f58ac5eb614dd16acbcfd30c75169ff5f16d7905243a5.exe	87
PID 2956 wrote to memory of 988	2956	Layer.exe	94
PID 2956 wrote to memory of 988	2956	Layer.exe	94
PID 2956 wrote to memory of 988	2956	Layer.exe	94
PID 2956 wrote to memory of 988	2956	Layer.exe	94
PID 2956 wrote to memory of 988	2956	Layer.exe	94
PID 2956 wrote to memory of 988	2956	Layer.exe	94
PID 2956 wrote to memory of 988	2956	Layer.exe	94
PID 2956 wrote to memory of 988	2956	Layer.exe	94
PID 988 wrote to memory of 4388	988	svchost.exe	97
PID 988 wrote to memory of 4388	988	svchost.exe	97
PID 988 wrote to memory of 4388	988	svchost.exe	97
PID 988 wrote to memory of 4388	988	svchost.exe	97
PID 988 wrote to memory of 4388	988	svchost.exe	97
PID 988 wrote to memory of 4388	988	svchost.exe	97
PID 988 wrote to memory of 4388	988	svchost.exe	97
PID 988 wrote to memory of 4388	988	svchost.exe	97

C:\Users\Admin\AppData\Local\Temp\5ead238621bef7cc4c4f58ac5eb614dd16acbcfd30c75169ff5f16d7905243a5.exe
"C:\Users\Admin\AppData\Local\Temp\5ead238621bef7cc4c4f58ac5eb614dd16acbcfd30c75169ff5f16d7905243a5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Layer.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Layer.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348

C:\ProgramData\PlayWav\Layer.exe
"C:\ProgramData\PlayWav\Layer.exe" 100 2348
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\ProgramData\PlayWav\Layer.exe
"C:\ProgramData\PlayWav\Layer.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 988
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Layer.exe

Filesize
99KB

MD5
431aa2dcbd1ff6815adc76537d63fb36

SHA1
fd294d12e590889dd26bc278a8540f46dbfbf879

SHA256
5cff0f4f3e01640a607f30861e42dff908fb8ceb5d8b833a560d1109c9b9a4e6

SHA512
0c0246f6468ac7e13a2e846e4d409d204069035b7f8b5aac0d0104a49ed1b36b7f5bad1d8e83fe09f37fb0a1dfe038282b79f82d797a3c846f738bcad09b995c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RoboForm.DLL

Filesize
89KB

MD5
a573648a7f56fa012c3e83f0c94a9709

SHA1
6be21e85c3aab4ca47db9341f6cc96c98c7bc185

SHA256
fc8ee97fd67dbcd47780713f076c36bedf7c29be0ba6f1912635b0557fc3764f

SHA512
39ee077f36560b386d271e31cf096561096c8d4686b9024a5f489bcb37a4ac2f96eb118a18708f1487139c47367dcc45efa9ac3959cfaabcad2830afa7e612e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.log

Filesize
133KB

MD5
f8d21123dfa0d37caece024c47d434bb

SHA1
7f48d0b6d215fcbf6f9dddc900c7258c93e3cdc3

SHA256
f264e45f50ac959cc1eef7100c45684243be5ae8b541aa08f3c06ad6089f5404

SHA512
9c3d1b9ac0b82015f3fe2201cb3a1bf093dc97c893ecd11420d9a42b3024a134e5e5987e12214e770b72beec228bf478e460ef8c7da8f1bfbad78dbe7011b07f

Download Submit
memory/988-65-0x0000000001710000-0x0000000001747000-memory.dmp

Filesize
220KB

Download
memory/988-72-0x0000000001710000-0x0000000001747000-memory.dmp

Filesize
220KB

Download
memory/988-71-0x0000000001710000-0x0000000001747000-memory.dmp

Filesize
220KB

Download
memory/988-69-0x0000000001710000-0x0000000001747000-memory.dmp

Filesize
220KB

Download
memory/988-68-0x0000000001710000-0x0000000001747000-memory.dmp

Filesize
220KB

Download
memory/988-62-0x0000000001710000-0x0000000001747000-memory.dmp

Filesize
220KB

Download
memory/988-64-0x0000000001710000-0x0000000001747000-memory.dmp

Filesize
220KB

Download
memory/988-46-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/988-48-0x0000000001710000-0x0000000001747000-memory.dmp

Filesize
220KB

Download
memory/988-49-0x0000000001710000-0x0000000001747000-memory.dmp

Filesize
220KB

Download
memory/988-63-0x0000000001710000-0x0000000001747000-memory.dmp

Filesize
220KB

Download
memory/988-556-0x0000000001710000-0x0000000001747000-memory.dmp

Filesize
220KB

Download
memory/988-61-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/2348-53-0x0000000002F10000-0x0000000002F47000-memory.dmp

Filesize
220KB

Download
memory/2348-19-0x0000000002F10000-0x0000000002F47000-memory.dmp

Filesize
220KB

Download
memory/2348-18-0x0000000002DC0000-0x0000000002EC0000-memory.dmp

Filesize
1024KB

Download
memory/2348-20-0x0000000002F10000-0x0000000002F47000-memory.dmp

Filesize
220KB

Download
memory/2956-45-0x0000000001260000-0x0000000001297000-memory.dmp

Filesize
220KB

Download
memory/2956-44-0x0000000001260000-0x0000000001297000-memory.dmp

Filesize
220KB

Download
memory/2956-51-0x0000000001260000-0x0000000001297000-memory.dmp

Filesize
220KB

Download
memory/4388-219-0x0000000001560000-0x0000000001597000-memory.dmp

Filesize
220KB

Download
memory/4388-217-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/4388-722-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/4388-889-0x0000000001560000-0x0000000001597000-memory.dmp

Filesize
220KB

Download
memory/4896-80-0x00000000010F0000-0x0000000001127000-memory.dmp

Filesize
220KB

Download
memory/4896-39-0x00000000010F0000-0x0000000001127000-memory.dmp

Filesize
220KB

Download
memory/4896-40-0x00000000010F0000-0x0000000001127000-memory.dmp

Filesize
220KB

Download