plugx | b7d91f0e15cf0258fc857699171b6627337d511ecca9ab22adf668e0918eec50

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bitdefender/USOPrivate.exe
Size

760KB
MD5

10866465a9b0c56af2cd093b80cdbc9f
SHA1

fc77be3e68a79b597ffed1b307d1b447787e7995
SHA256

9831526e475a4ed0d149bec15f69193a48249c3cda1ddb2f2140292afd862cfa
SHA512

975c0c3abe71d29a1391bc9a258df9560466f40764ff6dd8b06db5234d45a6c12f27c77bd26409fda051de598cdc0087afd847e46818553c5ed3eff53cfe2091
SSDEEP

6144:c3PgKtEhPIPe16jzM66rBghPlNoVh5j9mmNpMHGIygduNrnoh/WOHI0jVjSjztx/:eIA4PIPoQMFgDNg/jMmLohW70Rj+ztp

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 23 IoCs

resource	yara_rule
behavioral2/memory/2364-2-0x000001C801AD0000-0x000001C801B0A000-memory.dmp	family_plugx
behavioral2/memory/2364-3-0x000001C801AD0000-0x000001C801B0A000-memory.dmp	family_plugx
behavioral2/memory/1268-22-0x0000020D3ACF0000-0x0000020D3AD2A000-memory.dmp	family_plugx
behavioral2/memory/4936-27-0x0000020500600000-0x000002050063A000-memory.dmp	family_plugx
behavioral2/memory/4852-30-0x000002EF4D470000-0x000002EF4D4AA000-memory.dmp	family_plugx
behavioral2/memory/4852-32-0x000002EF4D470000-0x000002EF4D4AA000-memory.dmp	family_plugx
behavioral2/memory/4936-34-0x0000020500600000-0x000002050063A000-memory.dmp	family_plugx
behavioral2/memory/2364-39-0x000001C801AD0000-0x000001C801B0A000-memory.dmp	family_plugx
behavioral2/memory/4852-45-0x000002EF4D470000-0x000002EF4D4AA000-memory.dmp	family_plugx
behavioral2/memory/4852-46-0x000002EF4D470000-0x000002EF4D4AA000-memory.dmp	family_plugx
behavioral2/memory/4852-47-0x000002EF4D470000-0x000002EF4D4AA000-memory.dmp	family_plugx
behavioral2/memory/4852-48-0x000002EF4D470000-0x000002EF4D4AA000-memory.dmp	family_plugx
behavioral2/memory/4852-49-0x000002EF4D470000-0x000002EF4D4AA000-memory.dmp	family_plugx
behavioral2/memory/4852-50-0x000002EF4D470000-0x000002EF4D4AA000-memory.dmp	family_plugx
behavioral2/memory/4852-53-0x000002EF4D470000-0x000002EF4D4AA000-memory.dmp	family_plugx
behavioral2/memory/1268-54-0x0000020D3ACF0000-0x0000020D3AD2A000-memory.dmp	family_plugx
behavioral2/memory/3556-56-0x000001C776530000-0x000001C77656A000-memory.dmp	family_plugx
behavioral2/memory/3556-60-0x000001C776530000-0x000001C77656A000-memory.dmp	family_plugx
behavioral2/memory/3556-59-0x000001C776530000-0x000001C77656A000-memory.dmp	family_plugx
behavioral2/memory/3556-62-0x000001C776530000-0x000001C77656A000-memory.dmp	family_plugx
behavioral2/memory/3556-61-0x000001C776530000-0x000001C77656A000-memory.dmp	family_plugx
behavioral2/memory/4852-63-0x000002EF4D470000-0x000002EF4D4AA000-memory.dmp	family_plugx
behavioral2/memory/3556-64-0x000001C776530000-0x000001C77656A000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Deletes itself 1 IoCs

pid	Process
1268	USOPrivate.exe

Executes dropped EXE 2 IoCs

pid	Process
1268	USOPrivate.exe
4936	USOPrivate.exe

Loads dropped DLL 2 IoCs

pid	Process
1268	USOPrivate.exe
4936	USOPrivate.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38003600420030004300320045004400300044004500390033003300420046000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	USOPrivate.exe
2364	USOPrivate.exe
2364	USOPrivate.exe
2364	USOPrivate.exe
1268	USOPrivate.exe
1268	USOPrivate.exe
1268	USOPrivate.exe
1268	USOPrivate.exe
4936	USOPrivate.exe
4936	USOPrivate.exe
4936	USOPrivate.exe
4936	USOPrivate.exe
4852	svchost.exe
4852	svchost.exe
4852	svchost.exe
4852	svchost.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
4852	svchost.exe
4852	svchost.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
4852	svchost.exe
4852	svchost.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
4852	svchost.exe
4852	svchost.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
3556	msiexec.exe
4852	svchost.exe
4852	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4852	svchost.exe
3556	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	USOPrivate.exe
Token: SeTcbPrivilege	2364	USOPrivate.exe
Token: SeDebugPrivilege	1268	USOPrivate.exe
Token: SeTcbPrivilege	1268	USOPrivate.exe
Token: SeDebugPrivilege	4936	USOPrivate.exe
Token: SeTcbPrivilege	4936	USOPrivate.exe
Token: SeDebugPrivilege	4852	svchost.exe
Token: SeTcbPrivilege	4852	svchost.exe
Token: SeDebugPrivilege	3556	msiexec.exe
Token: SeTcbPrivilege	3556	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 4852	4936	USOPrivate.exe	90
PID 4936 wrote to memory of 4852	4936	USOPrivate.exe	90
PID 4936 wrote to memory of 4852	4936	USOPrivate.exe	90
PID 4936 wrote to memory of 4852	4936	USOPrivate.exe	90
PID 4936 wrote to memory of 4852	4936	USOPrivate.exe	90
PID 4936 wrote to memory of 4852	4936	USOPrivate.exe	90
PID 4852 wrote to memory of 3556	4852	svchost.exe	96
PID 4852 wrote to memory of 3556	4852	svchost.exe	96
PID 4852 wrote to memory of 3556	4852	svchost.exe	96
PID 4852 wrote to memory of 3556	4852	svchost.exe	96
PID 4852 wrote to memory of 3556	4852	svchost.exe	96
PID 4852 wrote to memory of 3556	4852	svchost.exe	96

C:\Users\Admin\AppData\Local\Temp\Bitdefender\USOPrivate.exe
"C:\Users\Admin\AppData\Local\Temp\Bitdefender\USOPrivate.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\ProgramData\Bitdefender\USOPrivate.exe
"C:\ProgramData\Bitdefender\USOPrivate.exe" 100 2364
1⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\ProgramData\Bitdefender\USOPrivate.exe
"C:\ProgramData\Bitdefender\USOPrivate.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 4852
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Bitdefender\USOPrivate.dat

Filesize
152KB

MD5
2f1466d3d0aa472ea9bfadf077188cc6

SHA1
6f9e0b8beb971d9ceb5b72c21c9b70fdb60d7e7a

SHA256
08d1bc104c618d7237071005641413215224c7f81eff86911619b6b99e23a28c

SHA512
721d8964a70e387057acc4e2b826c0c8cea33fd2e0919b8caecc17ba9b59d0ec2c9966b8377bd429647e843e91e229225514fed87b8ed5272ea842a2cc5892ad

Download Submit
C:\ProgramData\Bitdefender\USOPrivate.exe

Filesize
760KB

MD5
10866465a9b0c56af2cd093b80cdbc9f

SHA1
fc77be3e68a79b597ffed1b307d1b447787e7995

SHA256
9831526e475a4ed0d149bec15f69193a48249c3cda1ddb2f2140292afd862cfa

SHA512
975c0c3abe71d29a1391bc9a258df9560466f40764ff6dd8b06db5234d45a6c12f27c77bd26409fda051de598cdc0087afd847e46818553c5ed3eff53cfe2091

Download Submit
C:\ProgramData\Bitdefender\log.dll

Filesize
71KB

MD5
03797703f999e8e5029edbee30446ed2

SHA1
272c7b26c3dabfbbdb9150f2e041e228f9692efb

SHA256
eb9ffe12dff87a143ea188fc6c16f2b3f44e43c2ae20506c4a69c23c3c74e6c2

SHA512
b4622a56e0576bb736e74ee5d1f20574a81cd9c55eac9ae64f4f4d3bd61baefaa3128b902c17b019280357687121e6ddd95de7a24f5bdfff0f4c213fbf70d1a7

Download Submit
memory/1268-19-0x00007FFF07230000-0x00007FFF07231000-memory.dmp

Filesize
4KB

Download
memory/1268-22-0x0000020D3ACF0000-0x0000020D3AD2A000-memory.dmp

Filesize
232KB

Download
memory/1268-54-0x0000020D3ACF0000-0x0000020D3AD2A000-memory.dmp

Filesize
232KB

Download
memory/2364-39-0x000001C801AD0000-0x000001C801B0A000-memory.dmp

Filesize
232KB

Download
memory/2364-1-0x000001C801B60000-0x000001C801C60000-memory.dmp

Filesize
1024KB

Download
memory/2364-2-0x000001C801AD0000-0x000001C801B0A000-memory.dmp

Filesize
232KB

Download
memory/2364-3-0x000001C801AD0000-0x000001C801B0A000-memory.dmp

Filesize
232KB

Download
memory/2364-0-0x00007FFF07230000-0x00007FFF07231000-memory.dmp

Filesize
4KB

Download
memory/3556-56-0x000001C776530000-0x000001C77656A000-memory.dmp

Filesize
232KB

Download
memory/3556-58-0x000001C7764C0000-0x000001C7764C1000-memory.dmp

Filesize
4KB

Download
memory/3556-64-0x000001C776530000-0x000001C77656A000-memory.dmp

Filesize
232KB

Download
memory/3556-61-0x000001C776530000-0x000001C77656A000-memory.dmp

Filesize
232KB

Download
memory/3556-62-0x000001C776530000-0x000001C77656A000-memory.dmp

Filesize
232KB

Download
memory/3556-59-0x000001C776530000-0x000001C77656A000-memory.dmp

Filesize
232KB

Download
memory/3556-60-0x000001C776530000-0x000001C77656A000-memory.dmp

Filesize
232KB

Download
memory/4852-46-0x000002EF4D470000-0x000002EF4D4AA000-memory.dmp

Filesize
232KB

Download
memory/4852-47-0x000002EF4D470000-0x000002EF4D4AA000-memory.dmp

Filesize
232KB

Download
memory/4852-49-0x000002EF4D470000-0x000002EF4D4AA000-memory.dmp

Filesize
232KB

Download
memory/4852-50-0x000002EF4D470000-0x000002EF4D4AA000-memory.dmp

Filesize
232KB

Download
memory/4852-53-0x000002EF4D470000-0x000002EF4D4AA000-memory.dmp

Filesize
232KB

Download
memory/4852-28-0x000002EF4D0B0000-0x000002EF4D0B1000-memory.dmp

Filesize
4KB

Download
memory/4852-63-0x000002EF4D470000-0x000002EF4D4AA000-memory.dmp

Filesize
232KB

Download
memory/4852-48-0x000002EF4D470000-0x000002EF4D4AA000-memory.dmp

Filesize
232KB

Download
memory/4852-32-0x000002EF4D470000-0x000002EF4D4AA000-memory.dmp

Filesize
232KB

Download
memory/4852-45-0x000002EF4D470000-0x000002EF4D4AA000-memory.dmp

Filesize
232KB

Download
memory/4852-44-0x000002EF4D0B0000-0x000002EF4D0B1000-memory.dmp

Filesize
4KB

Download
memory/4852-30-0x000002EF4D470000-0x000002EF4D4AA000-memory.dmp

Filesize
232KB

Download
memory/4936-27-0x0000020500600000-0x000002050063A000-memory.dmp

Filesize
232KB

Download
memory/4936-34-0x0000020500600000-0x000002050063A000-memory.dmp

Filesize
232KB

Download