plugx | b7d91f0e15cf0258fc857699171b6627337d511ecca9ab22adf668e0918eec50

General

Target

Bitdefender/USOPrivate.exe
Size

760KB
MD5

10866465a9b0c56af2cd093b80cdbc9f
SHA1

fc77be3e68a79b597ffed1b307d1b447787e7995
SHA256

9831526e475a4ed0d149bec15f69193a48249c3cda1ddb2f2140292afd862cfa
SHA512

975c0c3abe71d29a1391bc9a258df9560466f40764ff6dd8b06db5234d45a6c12f27c77bd26409fda051de598cdc0087afd847e46818553c5ed3eff53cfe2091
SSDEEP

6144:c3PgKtEhPIPe16jzM66rBghPlNoVh5j9mmNpMHGIygduNrnoh/WOHI0jVjSjztx/:eIA4PIPoQMFgDNg/jMmLohW70Rj+ztp

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1636-3-0x0000000000160000-0x000000000019A000-memory.dmp	family_plugx
behavioral1/memory/2648-24-0x0000000000470000-0x00000000004AA000-memory.dmp	family_plugx
behavioral1/memory/2700-28-0x0000000000290000-0x00000000002CA000-memory.dmp	family_plugx
behavioral1/memory/2652-39-0x0000000000510000-0x000000000054A000-memory.dmp	family_plugx
behavioral1/memory/2652-42-0x0000000000510000-0x000000000054A000-memory.dmp	family_plugx
behavioral1/memory/2700-41-0x0000000000290000-0x00000000002CA000-memory.dmp	family_plugx
behavioral1/memory/2652-56-0x0000000000510000-0x000000000054A000-memory.dmp	family_plugx
behavioral1/memory/2652-57-0x0000000000510000-0x000000000054A000-memory.dmp	family_plugx
behavioral1/memory/2652-58-0x0000000000510000-0x000000000054A000-memory.dmp	family_plugx
behavioral1/memory/2652-55-0x0000000000510000-0x000000000054A000-memory.dmp	family_plugx
behavioral1/memory/1636-51-0x0000000000160000-0x000000000019A000-memory.dmp	family_plugx
behavioral1/memory/2652-59-0x0000000000510000-0x000000000054A000-memory.dmp	family_plugx
behavioral1/memory/2652-60-0x0000000000510000-0x000000000054A000-memory.dmp	family_plugx
behavioral1/memory/2648-64-0x0000000000470000-0x00000000004AA000-memory.dmp	family_plugx
behavioral1/memory/2688-71-0x0000000000320000-0x000000000035A000-memory.dmp	family_plugx
behavioral1/memory/2688-74-0x0000000000320000-0x000000000035A000-memory.dmp	family_plugx
behavioral1/memory/2688-75-0x0000000000320000-0x000000000035A000-memory.dmp	family_plugx
behavioral1/memory/2688-76-0x0000000000320000-0x000000000035A000-memory.dmp	family_plugx
behavioral1/memory/2652-77-0x0000000000510000-0x000000000054A000-memory.dmp	family_plugx
behavioral1/memory/2688-78-0x0000000000320000-0x000000000035A000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 123.111.231.1
Destination IP 114.114.114.114
Deletes itself 1 IoCs

Processes:

USOPrivate.exe

pid process

2648 USOPrivate.exe
Executes dropped EXE 2 IoCs

Processes:

USOPrivate.exeUSOPrivate.exe

pid process

2648 USOPrivate.exe
2700 USOPrivate.exe
Loads dropped DLL 3 IoCs

Processes:

USOPrivate.exeUSOPrivate.exe

pid process

2556
2648 USOPrivate.exe
2700 USOPrivate.exe

description	ioc
Destination IP	123.111.231.1
Destination IP	114.114.114.114

pid	process
2648	USOPrivate.exe

pid	process
2648	USOPrivate.exe
2700	USOPrivate.exe

pid	process
2556
2648	USOPrivate.exe
2700	USOPrivate.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 37004500440030003700340037004200430033003100320038003900310033000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

USOPrivate.exeUSOPrivate.exeUSOPrivate.exesvchost.exemsiexec.exe

pid	process
1636	USOPrivate.exe
1636	USOPrivate.exe
2648	USOPrivate.exe
2648	USOPrivate.exe
2700	USOPrivate.exe
2700	USOPrivate.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2652	svchost.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2652	svchost.exe
2652	svchost.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2652	svchost.exe
2652	svchost.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2652	svchost.exe
2652	svchost.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2652	svchost.exe
2652	svchost.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe
2688	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exemsiexec.exe

pid process

2652 svchost.exe
2688 msiexec.exe

pid	process
2652	svchost.exe
2688	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

USOPrivate.exeUSOPrivate.exeUSOPrivate.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1636	USOPrivate.exe
Token: SeTcbPrivilege	1636	USOPrivate.exe
Token: SeDebugPrivilege	2648	USOPrivate.exe
Token: SeTcbPrivilege	2648	USOPrivate.exe
Token: SeDebugPrivilege	2700	USOPrivate.exe
Token: SeTcbPrivilege	2700	USOPrivate.exe
Token: SeDebugPrivilege	2652	svchost.exe
Token: SeTcbPrivilege	2652	svchost.exe
Token: SeDebugPrivilege	2688	msiexec.exe
Token: SeTcbPrivilege	2688	msiexec.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

USOPrivate.exesvchost.exe

description	pid	process	target process
PID 2700 wrote to memory of 2652	2700	USOPrivate.exe	svchost.exe
PID 2700 wrote to memory of 2652	2700	USOPrivate.exe	svchost.exe
PID 2700 wrote to memory of 2652	2700	USOPrivate.exe	svchost.exe
PID 2700 wrote to memory of 2652	2700	USOPrivate.exe	svchost.exe
PID 2700 wrote to memory of 2652	2700	USOPrivate.exe	svchost.exe
PID 2700 wrote to memory of 2652	2700	USOPrivate.exe	svchost.exe
PID 2700 wrote to memory of 2652	2700	USOPrivate.exe	svchost.exe
PID 2652 wrote to memory of 2688	2652	svchost.exe	msiexec.exe
PID 2652 wrote to memory of 2688	2652	svchost.exe	msiexec.exe
PID 2652 wrote to memory of 2688	2652	svchost.exe	msiexec.exe
PID 2652 wrote to memory of 2688	2652	svchost.exe	msiexec.exe
PID 2652 wrote to memory of 2688	2652	svchost.exe	msiexec.exe
PID 2652 wrote to memory of 2688	2652	svchost.exe	msiexec.exe
PID 2652 wrote to memory of 2688	2652	svchost.exe	msiexec.exe
PID 2652 wrote to memory of 2688	2652	svchost.exe	msiexec.exe
PID 2652 wrote to memory of 2688	2652	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\Bitdefender\USOPrivate.exe
"C:\Users\Admin\AppData\Local\Temp\Bitdefender\USOPrivate.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\ProgramData\Bitdefender\USOPrivate.exe
"C:\ProgramData\Bitdefender\USOPrivate.exe" 100 1636
1⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\ProgramData\Bitdefender\USOPrivate.exe
"C:\ProgramData\Bitdefender\USOPrivate.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 2652
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Bitdefender\USOPrivate.dat

Filesize
152KB

MD5
2f1466d3d0aa472ea9bfadf077188cc6

SHA1
6f9e0b8beb971d9ceb5b72c21c9b70fdb60d7e7a

SHA256
08d1bc104c618d7237071005641413215224c7f81eff86911619b6b99e23a28c

SHA512
721d8964a70e387057acc4e2b826c0c8cea33fd2e0919b8caecc17ba9b59d0ec2c9966b8377bd429647e843e91e229225514fed87b8ed5272ea842a2cc5892ad

Download Submit
C:\ProgramData\Bitdefender\log.dll

Filesize
71KB

MD5
03797703f999e8e5029edbee30446ed2

SHA1
272c7b26c3dabfbbdb9150f2e041e228f9692efb

SHA256
eb9ffe12dff87a143ea188fc6c16f2b3f44e43c2ae20506c4a69c23c3c74e6c2

SHA512
b4622a56e0576bb736e74ee5d1f20574a81cd9c55eac9ae64f4f4d3bd61baefaa3128b902c17b019280357687121e6ddd95de7a24f5bdfff0f4c213fbf70d1a7

Download Submit
\ProgramData\Bitdefender\USOPrivate.exe

Filesize
760KB

MD5
10866465a9b0c56af2cd093b80cdbc9f

SHA1
fc77be3e68a79b597ffed1b307d1b447787e7995

SHA256
9831526e475a4ed0d149bec15f69193a48249c3cda1ddb2f2140292afd862cfa

SHA512
975c0c3abe71d29a1391bc9a258df9560466f40764ff6dd8b06db5234d45a6c12f27c77bd26409fda051de598cdc0087afd847e46818553c5ed3eff53cfe2091

Download Submit
memory/1636-0-0x0000000076F70000-0x0000000076F71000-memory.dmp

Filesize
4KB

Download
memory/1636-3-0x0000000000160000-0x000000000019A000-memory.dmp

Filesize
232KB

Download
memory/1636-1-0x0000000001C10000-0x0000000001D10000-memory.dmp

Filesize
1024KB

Download
memory/1636-51-0x0000000000160000-0x000000000019A000-memory.dmp

Filesize
232KB

Download
memory/2648-64-0x0000000000470000-0x00000000004AA000-memory.dmp

Filesize
232KB

Download
memory/2648-21-0x0000000076F70000-0x0000000076F71000-memory.dmp

Filesize
4KB

Download
memory/2648-24-0x0000000000470000-0x00000000004AA000-memory.dmp

Filesize
232KB

Download
memory/2652-54-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2652-56-0x0000000000510000-0x000000000054A000-memory.dmp

Filesize
232KB

Download
memory/2652-30-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2652-39-0x0000000000510000-0x000000000054A000-memory.dmp

Filesize
232KB

Download
memory/2652-42-0x0000000000510000-0x000000000054A000-memory.dmp

Filesize
232KB

Download
memory/2652-38-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2652-34-0x0000000000080000-0x00000000000A5000-memory.dmp

Filesize
148KB

Download
memory/2652-43-0x0000000000290000-0x00000000002CA000-memory.dmp

Filesize
232KB

Download
memory/2652-57-0x0000000000510000-0x000000000054A000-memory.dmp

Filesize
232KB

Download
memory/2652-58-0x0000000000510000-0x000000000054A000-memory.dmp

Filesize
232KB

Download
memory/2652-55-0x0000000000510000-0x000000000054A000-memory.dmp

Filesize
232KB

Download
memory/2652-77-0x0000000000510000-0x000000000054A000-memory.dmp

Filesize
232KB

Download
memory/2652-36-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/2652-59-0x0000000000510000-0x000000000054A000-memory.dmp

Filesize
232KB

Download
memory/2652-60-0x0000000000510000-0x000000000054A000-memory.dmp

Filesize
232KB

Download
memory/2688-78-0x0000000000320000-0x000000000035A000-memory.dmp

Filesize
232KB

Download
memory/2688-71-0x0000000000320000-0x000000000035A000-memory.dmp

Filesize
232KB

Download
memory/2688-73-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2688-74-0x0000000000320000-0x000000000035A000-memory.dmp

Filesize
232KB

Download
memory/2688-75-0x0000000000320000-0x000000000035A000-memory.dmp

Filesize
232KB

Download
memory/2688-76-0x0000000000320000-0x000000000035A000-memory.dmp

Filesize
232KB

Download
memory/2700-28-0x0000000000290000-0x00000000002CA000-memory.dmp

Filesize
232KB

Download
memory/2700-41-0x0000000000290000-0x00000000002CA000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads