plugx | a8df0944129fd25f9ea584d551409160e3d8004881a9cc99010ea3f26eccfa0f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

369e74a8e1f686896f82d92ee2467ca6736bc44b06faab9db9ea6473aef4c397.exe
Size

697KB
MD5

48ab8b5189e1fae02258e9e82a964e51
SHA1

1a8dc7545033f3a17cf47b43313ce2fba7a71e78
SHA256

369e74a8e1f686896f82d92ee2467ca6736bc44b06faab9db9ea6473aef4c397
SHA512

0d03ab2dc67d34f1fc922c1b0b4afb213021adf4d8460b2c2d30621362db50cc2f99e3b5755ee4f4a7d358cb73e7eeee71102e91bc0ac932bf86e4900e9e48bf
SSDEEP

12288:YUomEFRu3xEPE6wr0AgMw3GPWyf50YiYjnpYzQxANb3B0G+tUfeI6t5:YmOMSPE6w47Iv5036YzQguGMVI+5

Score

10^/10

plugx discovery trojan

Malware Config

Signatures

Detects PlugX payload 23 IoCs

resource	yara_rule
behavioral2/memory/2984-21-0x00000000007D0000-0x0000000000805000-memory.dmp	family_plugx
behavioral2/memory/2984-20-0x00000000007D0000-0x0000000000805000-memory.dmp	family_plugx
behavioral2/memory/4940-40-0x00000000008D0000-0x0000000000905000-memory.dmp	family_plugx
behavioral2/memory/4940-41-0x00000000008D0000-0x0000000000905000-memory.dmp	family_plugx
behavioral2/memory/1256-45-0x0000000001250000-0x0000000001285000-memory.dmp	family_plugx
behavioral2/memory/32-62-0x00000000008A0000-0x00000000008D5000-memory.dmp	family_plugx
behavioral2/memory/32-64-0x00000000008A0000-0x00000000008D5000-memory.dmp	family_plugx
behavioral2/memory/2984-67-0x00000000007D0000-0x0000000000805000-memory.dmp	family_plugx
behavioral2/memory/32-68-0x00000000008A0000-0x00000000008D5000-memory.dmp	family_plugx
behavioral2/memory/32-70-0x00000000008A0000-0x00000000008D5000-memory.dmp	family_plugx
behavioral2/memory/32-69-0x00000000008A0000-0x00000000008D5000-memory.dmp	family_plugx
behavioral2/memory/32-61-0x00000000008A0000-0x00000000008D5000-memory.dmp	family_plugx
behavioral2/memory/32-60-0x00000000008A0000-0x00000000008D5000-memory.dmp	family_plugx
behavioral2/memory/32-59-0x00000000008A0000-0x00000000008D5000-memory.dmp	family_plugx
behavioral2/memory/32-48-0x00000000008A0000-0x00000000008D5000-memory.dmp	family_plugx
behavioral2/memory/1256-47-0x0000000001250000-0x0000000001285000-memory.dmp	family_plugx
behavioral2/memory/32-46-0x00000000008A0000-0x00000000008D5000-memory.dmp	family_plugx
behavioral2/memory/4940-73-0x00000000008D0000-0x0000000000905000-memory.dmp	family_plugx
behavioral2/memory/3736-75-0x0000000001380000-0x00000000013B5000-memory.dmp	family_plugx
behavioral2/memory/3736-77-0x0000000001380000-0x00000000013B5000-memory.dmp	family_plugx
behavioral2/memory/3736-80-0x0000000001380000-0x00000000013B5000-memory.dmp	family_plugx
behavioral2/memory/3736-78-0x0000000001380000-0x00000000013B5000-memory.dmp	family_plugx
behavioral2/memory/3736-79-0x0000000001380000-0x00000000013B5000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Plugx family
plugx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	369e74a8e1f686896f82d92ee2467ca6736bc44b06faab9db9ea6473aef4c397.exe

Executes dropped EXE 3 IoCs

pid	Process
2984	adb.exe
4940	adb.exe
1256	adb.exe

Loads dropped DLL 3 IoCs

pid	Process
2984	adb.exe
4940	adb.exe
1256	adb.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	100.65.220.18
Destination IP	100.107.244.74
Destination IP	100.69.93.50
Destination IP	100.119.232.0

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	369e74a8e1f686896f82d92ee2467ca6736bc44b06faab9db9ea6473aef4c397.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 34004600370031003900460035004500410038003400360043003500310038000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
32	svchost.exe
32	svchost.exe
32	svchost.exe
32	svchost.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
32	svchost.exe
32	svchost.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
32	svchost.exe
32	svchost.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
32	svchost.exe
32	svchost.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
32	svchost.exe
32	svchost.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
3736	msiexec.exe
32	svchost.exe
32	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
32	svchost.exe
3736	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	adb.exe
Token: SeTcbPrivilege	2984	adb.exe
Token: SeDebugPrivilege	4940	adb.exe
Token: SeTcbPrivilege	4940	adb.exe
Token: SeDebugPrivilege	1256	adb.exe
Token: SeTcbPrivilege	1256	adb.exe
Token: SeDebugPrivilege	32	svchost.exe
Token: SeTcbPrivilege	32	svchost.exe
Token: SeDebugPrivilege	3736	msiexec.exe
Token: SeTcbPrivilege	3736	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 2984	5092	369e74a8e1f686896f82d92ee2467ca6736bc44b06faab9db9ea6473aef4c397.exe	82
PID 5092 wrote to memory of 2984	5092	369e74a8e1f686896f82d92ee2467ca6736bc44b06faab9db9ea6473aef4c397.exe	82
PID 5092 wrote to memory of 2984	5092	369e74a8e1f686896f82d92ee2467ca6736bc44b06faab9db9ea6473aef4c397.exe	82
PID 1256 wrote to memory of 32	1256	adb.exe	89
PID 1256 wrote to memory of 32	1256	adb.exe	89
PID 1256 wrote to memory of 32	1256	adb.exe	89
PID 1256 wrote to memory of 32	1256	adb.exe	89
PID 1256 wrote to memory of 32	1256	adb.exe	89
PID 1256 wrote to memory of 32	1256	adb.exe	89
PID 1256 wrote to memory of 32	1256	adb.exe	89
PID 1256 wrote to memory of 32	1256	adb.exe	89
PID 32 wrote to memory of 3736	32	svchost.exe	94
PID 32 wrote to memory of 3736	32	svchost.exe	94
PID 32 wrote to memory of 3736	32	svchost.exe	94
PID 32 wrote to memory of 3736	32	svchost.exe	94
PID 32 wrote to memory of 3736	32	svchost.exe	94
PID 32 wrote to memory of 3736	32	svchost.exe	94
PID 32 wrote to memory of 3736	32	svchost.exe	94
PID 32 wrote to memory of 3736	32	svchost.exe	94

C:\Users\Admin\AppData\Local\Temp\369e74a8e1f686896f82d92ee2467ca6736bc44b06faab9db9ea6473aef4c397.exe
"C:\Users\Admin\AppData\Local\Temp\369e74a8e1f686896f82d92ee2467ca6736bc44b06faab9db9ea6473aef4c397.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Users\Admin\AppData\Local\Temp\adb.exe
  "C:\Users\Admin\AppData\Local\Temp\adb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2984

C:\ProgramData\adb\adb.exe
"C:\ProgramData\adb\adb.exe" 100 2984
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\ProgramData\adb\adb.exe
"C:\ProgramData\adb\adb.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 32
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AdbWinApi.dat

Filesize
148KB

MD5
cbcc0845497ddd773399e0f095539a4c

SHA1
6c878e4ee18d14b94a3214bdd283b221a1981877

SHA256
88045766007380b99fa7874c633d66bcb17d3314b6145ad5f8d8216e8e24b375

SHA512
e9a237e1ed9a53ce52c52ed40c43073430bc54b36996c53a90ab7524c0e3a3c9d8fa403b4f0ee52997f19d4d720f7d9db8efa7e988ca53efc221573a05a8e38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdbWinApi.dll

Filesize
33KB

MD5
114d0cdadcbdec8c6baa9af0a869700a

SHA1
a794329bac18d02b891b0e24ec73d88da4fe3404

SHA256
9217518710b77766d9dc3397c3ce9bd88734c71c8b80a2dd1e9ed1312efacd9c

SHA512
edab7b4ee16d7e8797d297c6e3add9b2b685b732d51a9c1b3994f8cf21c285fb3a2198d02536168d2153711eb4ed925ad602459c70def4c5c7cbff5ec12d6a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\adb.exe

Filesize
804KB

MD5
790fb1184a3ed8e475263daa54f98469

SHA1
37a60f670a4f3c68a4872ec2e95c0be2bd130dae

SHA256
ef4c7f4c417c18cd3394dd81ccd94381af252e0af81b0ad89b7e6d81412f4706

SHA512
66a2325c59a7fdacd049f43b528224682245c2705f10c50a907b6454d5755522b9d9d07046426d42db8c324ba95adbde1de087e31a0fb21b635c1dc4ca25a4f8

Download Submit
memory/32-58-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/32-61-0x00000000008A0000-0x00000000008D5000-memory.dmp

Filesize
212KB

Download
memory/32-48-0x00000000008A0000-0x00000000008D5000-memory.dmp

Filesize
212KB

Download
memory/32-70-0x00000000008A0000-0x00000000008D5000-memory.dmp

Filesize
212KB

Download
memory/32-59-0x00000000008A0000-0x00000000008D5000-memory.dmp

Filesize
212KB

Download
memory/32-46-0x00000000008A0000-0x00000000008D5000-memory.dmp

Filesize
212KB

Download
memory/32-62-0x00000000008A0000-0x00000000008D5000-memory.dmp

Filesize
212KB

Download
memory/32-69-0x00000000008A0000-0x00000000008D5000-memory.dmp

Filesize
212KB

Download
memory/32-64-0x00000000008A0000-0x00000000008D5000-memory.dmp

Filesize
212KB

Download
memory/32-60-0x00000000008A0000-0x00000000008D5000-memory.dmp

Filesize
212KB

Download
memory/32-68-0x00000000008A0000-0x00000000008D5000-memory.dmp

Filesize
212KB

Download
memory/1256-47-0x0000000001250000-0x0000000001285000-memory.dmp

Filesize
212KB

Download
memory/1256-63-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1256-45-0x0000000001250000-0x0000000001285000-memory.dmp

Filesize
212KB

Download
memory/2984-66-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/2984-21-0x00000000007D0000-0x0000000000805000-memory.dmp

Filesize
212KB

Download
memory/2984-67-0x00000000007D0000-0x0000000000805000-memory.dmp

Filesize
212KB

Download
memory/2984-19-0x00000000025A0000-0x00000000026A0000-memory.dmp

Filesize
1024KB

Download
memory/2984-20-0x00000000007D0000-0x0000000000805000-memory.dmp

Filesize
212KB

Download
memory/3736-77-0x0000000001380000-0x00000000013B5000-memory.dmp

Filesize
212KB

Download
memory/3736-75-0x0000000001380000-0x00000000013B5000-memory.dmp

Filesize
212KB

Download
memory/3736-76-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/3736-80-0x0000000001380000-0x00000000013B5000-memory.dmp

Filesize
212KB

Download
memory/3736-78-0x0000000001380000-0x00000000013B5000-memory.dmp

Filesize
212KB

Download
memory/3736-79-0x0000000001380000-0x00000000013B5000-memory.dmp

Filesize
212KB

Download
memory/4940-40-0x00000000008D0000-0x0000000000905000-memory.dmp

Filesize
212KB

Download
memory/4940-73-0x00000000008D0000-0x0000000000905000-memory.dmp

Filesize
212KB

Download
memory/4940-74-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4940-41-0x00000000008D0000-0x0000000000905000-memory.dmp

Filesize
212KB

Download