plugx | 625fba7fa29e9eb30a9cc98ece69706cbd66792b4185f92e14363657bd0e76d5

General

Target

unsecapp.exe
Size

95KB
MD5

28c6f235946fd694d2634c7a2f24c1ba
SHA1

e9a9ce1ff07834d6ba9a51ba0d9e7c7a0b68d3e5
SHA256

c3159d4f85ceb84c4a0f7ea9208928e729a30ddda4fead7ec6257c7dd1984763
SHA512

16865c473e010950a2aa25263af70074ad7539a86dc20e0a253df39e54e3635e99e821d4df83cd7a0eaeff10c75782966439d16d056427e824be8df953e138be
SSDEEP

1536:d4mHlQgfJA3DrnN6TU3W9bEuLJDuUVfwX9Gy5JE840gbDcCRDb9:dBFwrs9bb1VYXH5JE840Ax/9

Score

10^/10

plugx persistence trojan

Malware Config

Extracted

Family

plugx

C2

www.apple-net.com:80

www.apple-net.com:443

www.apple-net.com:53

www.apple-net.com:8080

Mutex

Attributes

folder
Microsoft Malware ProtectionbOr

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 1 IoCs

pid	Process
2852	unsecapp.exe

Loads dropped DLL 3 IoCs

pid	Process
2024	unsecapp.exe
2024	unsecapp.exe
2852	unsecapp.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	3.64.163.50
Destination IP	3.64.163.50
Destination IP	3.64.163.50
Destination IP	3.64.163.50
Destination IP	3.64.163.50
Destination IP	3.64.163.50
Destination IP	3.64.163.50
Destination IP	3.64.163.50
Destination IP	3.64.163.50

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Malware ProtectionbOr = "\"C:\\ProgramData\\Microsoft Malware ProtectionbOr\\unsecapp.exe\" 72"	unsecapp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Malware ProtectionbOr = "\"C:\\ProgramData\\Microsoft Malware ProtectionbOr\\unsecapp.exe\" 72"	unsecapp.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu\PROXY	unsecapp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu	unsecapp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\PROXY	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	unsecapp.exe
Token: SeTcbPrivilege	2852	unsecapp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2852	2024	unsecapp.exe	28
PID 2024 wrote to memory of 2852	2024	unsecapp.exe	28
PID 2024 wrote to memory of 2852	2024	unsecapp.exe	28
PID 2024 wrote to memory of 2852	2024	unsecapp.exe	28

C:\Users\Admin\AppData\Local\Temp\unsecapp.exe
"C:\Users\Admin\AppData\Local\Temp\unsecapp.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024
- C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe
  "C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe" 6
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Malware ProtectionbOr\http_dll.dat

Filesize
127KB

MD5
e1feeb80a32ba300fa408ac2a74ed81d

SHA1
515ab546514e528e037220c1a9e093d42b6bb8a9

SHA256
b522aba81f2230118537e15088366e450962382025fbb837a591d29d0b242ff9

SHA512
0a574d81ef4bfb4ee374c6aef84316e8f7d9d2835dbaa5ca23813d75ca0522034cc49fba38477bf9b199c419796c40f3799f988918c845dabeacb43e110c873b

Download Submit
C:\ProgramData\Microsoft Malware ProtectionbOr\http_dll.dll

Filesize
20KB

MD5
cc496b5bf0fe335447d1c08eb84ad8ab

SHA1
11ada1737b52fac71138160f8ff14d23819308e7

SHA256
f8b107ba060fc57899e02b6b5117c2603e169d8ee4beddf53be6d453e4fc12fb

SHA512
361e830fd956eaf26d49bba92118a1e1d717cf0169f8def9989a813d123655bda9a45fa09d0ac4a34165d76ce4f279ea50ef35b0d6a5303881e4b0b42c972019

Download Submit
C:\ProgramData\Microsoft Malware ProtectionbOr\unsecapp.exe

Filesize
95KB

MD5
28c6f235946fd694d2634c7a2f24c1ba

SHA1
e9a9ce1ff07834d6ba9a51ba0d9e7c7a0b68d3e5

SHA256
c3159d4f85ceb84c4a0f7ea9208928e729a30ddda4fead7ec6257c7dd1984763

SHA512
16865c473e010950a2aa25263af70074ad7539a86dc20e0a253df39e54e3635e99e821d4df83cd7a0eaeff10c75782966439d16d056427e824be8df953e138be

Download Submit
memory/2024-11-0x0000000000100000-0x000000000012F000-memory.dmp

Filesize
188KB

Download
memory/2024-13-0x0000000000100000-0x000000000012F000-memory.dmp

Filesize
188KB

Download
memory/2024-6-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/2852-24-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/2852-27-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/2852-20-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/2852-21-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/2852-22-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/2852-23-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/2852-19-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/2852-25-0x0000000000450000-0x0000000000550000-memory.dmp

Filesize
1024KB

Download
memory/2852-26-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/2852-18-0x0000000000450000-0x0000000000550000-memory.dmp

Filesize
1024KB

Download
memory/2852-28-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/2852-29-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/2852-30-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/2852-31-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/2852-32-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/2852-33-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/2852-34-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download
memory/2852-35-0x0000000000290000-0x00000000002BF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads