plugx | e893dbe6b911e8faea85dad69061e2755ef52db23bc5163f7c5dfd4138f29d6e

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wps.exe
Size

177KB
MD5

f44992d14033a2b5b1064104658a29e1
SHA1

62673aa6e8bde17f218524cbe3bf50cb5b949f3b
SHA256

331f64d6d6bf7883ed8a3c29ab8ce3bf947aaecf49748a7a2b5113ced68607a4
SHA512

9a57d5765e9dcff8caccf8b51449bfd8d35f9c346c9a09a5c64a7229136490bc1cb5a3f07c8d9c75aaf48e16e01700c3d6674fc1b8d170ce927913c4130bc31b
SSDEEP

3072:65nSsRkXPsSadfviPNPVY5bYm1wkUBL/1cAR+oOb5vENb/fZOKeb0WhmNNdnLeny:65SsRkXPYGPG5cm6Bd3oEt/fZOaBi/fi

Score

10^/10

plugx trojan vmprotect

Malware Config

Signatures

Detects PlugX payload 23 IoCs

resource	yara_rule
behavioral6/memory/3664-4-0x0000000002320000-0x000000000235A000-memory.dmp	family_plugx
behavioral6/memory/3664-17-0x0000000002320000-0x000000000235A000-memory.dmp	family_plugx
behavioral6/memory/3000-28-0x00000000020B0000-0x00000000020EA000-memory.dmp	family_plugx
behavioral6/memory/4560-34-0x0000000000C50000-0x0000000000C8A000-memory.dmp	family_plugx
behavioral6/memory/672-39-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp	family_plugx
behavioral6/memory/672-54-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp	family_plugx
behavioral6/memory/672-61-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp	family_plugx
behavioral6/memory/672-60-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp	family_plugx
behavioral6/memory/672-59-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp	family_plugx
behavioral6/memory/4560-58-0x0000000000C50000-0x0000000000C8A000-memory.dmp	family_plugx
behavioral6/memory/672-55-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp	family_plugx
behavioral6/memory/672-53-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp	family_plugx
behavioral6/memory/672-52-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp	family_plugx
behavioral6/memory/672-41-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp	family_plugx
behavioral6/memory/672-37-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp	family_plugx
behavioral6/memory/4560-35-0x0000000000C50000-0x0000000000C8A000-memory.dmp	family_plugx
behavioral6/memory/3000-26-0x00000000020B0000-0x00000000020EA000-memory.dmp	family_plugx
behavioral6/memory/3000-65-0x00000000020B0000-0x00000000020EA000-memory.dmp	family_plugx
behavioral6/memory/1032-68-0x0000021004800000-0x000002100483A000-memory.dmp	family_plugx
behavioral6/memory/1032-73-0x0000021004800000-0x000002100483A000-memory.dmp	family_plugx
behavioral6/memory/1032-72-0x0000021004800000-0x000002100483A000-memory.dmp	family_plugx
behavioral6/memory/1032-71-0x0000021004800000-0x000002100483A000-memory.dmp	family_plugx
behavioral6/memory/672-74-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Plugx family
plugx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	103.43.18.19

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral6/memory/3664-1-0x00007FFFE1EE0000-0x00007FFFE1F24000-memory.dmp	vmprotect
behavioral6/memory/3664-0-0x00007FFFE1EE0000-0x00007FFFE1F24000-memory.dmp	vmprotect
behavioral6/files/0x0007000000023c99-21.dat	vmprotect
behavioral6/memory/4560-57-0x00007FFFE1E20000-0x00007FFFE1E64000-memory.dmp	vmprotect
behavioral6/memory/3664-40-0x00007FFFE1EE0000-0x00007FFFE1F24000-memory.dmp	vmprotect
behavioral6/memory/4560-32-0x00007FFFE1E20000-0x00007FFFE1E64000-memory.dmp	vmprotect
behavioral6/memory/4560-31-0x00007FFFE1E20000-0x00007FFFE1E64000-memory.dmp	vmprotect
behavioral6/memory/3000-23-0x00007FFFE1E20000-0x00007FFFE1E64000-memory.dmp	vmprotect
behavioral6/memory/3000-22-0x00007FFFE1E20000-0x00007FFFE1E64000-memory.dmp	vmprotect
behavioral6/memory/3000-66-0x00007FFFE1E20000-0x00007FFFE1E64000-memory.dmp	vmprotect

Deletes itself 1 IoCs

pid	Process
3000	wps.exe

Executes dropped EXE 2 IoCs

pid	Process
3000	wps.exe
4560	wps.exe

Loads dropped DLL 2 IoCs

pid	Process
3000	wps.exe
4560	wps.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 34003200300034003500330045003200410037004400310032004300410041000000	svchost.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3664	wps.exe
3664	wps.exe
3664	wps.exe
3664	wps.exe
3000	wps.exe
3000	wps.exe
3000	wps.exe
3000	wps.exe
4560	wps.exe
4560	wps.exe
4560	wps.exe
4560	wps.exe
672	svchost.exe
672	svchost.exe
672	svchost.exe
672	svchost.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
672	svchost.exe
672	svchost.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
672	svchost.exe
672	svchost.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
672	svchost.exe
672	svchost.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
1032	msiexec.exe
672	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
672	svchost.exe
1032	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3664	wps.exe
Token: SeTcbPrivilege	3664	wps.exe
Token: SeDebugPrivilege	3000	wps.exe
Token: SeTcbPrivilege	3000	wps.exe
Token: SeDebugPrivilege	4560	wps.exe
Token: SeTcbPrivilege	4560	wps.exe
Token: SeDebugPrivilege	672	svchost.exe
Token: SeTcbPrivilege	672	svchost.exe
Token: SeDebugPrivilege	1032	msiexec.exe
Token: SeTcbPrivilege	1032	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 672	4560	wps.exe	85
PID 4560 wrote to memory of 672	4560	wps.exe	85
PID 4560 wrote to memory of 672	4560	wps.exe	85
PID 4560 wrote to memory of 672	4560	wps.exe	85
PID 4560 wrote to memory of 672	4560	wps.exe	85
PID 4560 wrote to memory of 672	4560	wps.exe	85
PID 672 wrote to memory of 1032	672	svchost.exe	86
PID 672 wrote to memory of 1032	672	svchost.exe	86
PID 672 wrote to memory of 1032	672	svchost.exe	86
PID 672 wrote to memory of 1032	672	svchost.exe	86
PID 672 wrote to memory of 1032	672	svchost.exe	86
PID 672 wrote to memory of 1032	672	svchost.exe	86

C:\Users\Admin\AppData\Local\Temp\wps.exe
"C:\Users\Admin\AppData\Local\Temp\wps.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\ProgramData\Kingsoft\office6\wps.exe
"C:\ProgramData\Kingsoft\office6\wps.exe" 100 3664
1⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\ProgramData\Kingsoft\office6\wps.exe
"C:\ProgramData\Kingsoft\office6\wps.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 672
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Kingsoft\office6\kdump64.dll

Filesize
148KB

MD5
d5dcfc5ac42bcba55a1170756f3493f4

SHA1
1bcefa919e0c9c1d114ed6384e4aff8f316482de

SHA256
8ba00843b9aba2cff6f2234a7daf040aadfebce4c05b13061da63b48f63bfa4f

SHA512
dbaf78188b53629d667bdcb4fcdc0c35045e77330bbe209739c86fbe2d7c2ba04b3adeedc6576186e1af20f8eb373a9788ed3b0050f80f61485475dcf23b0a24

Download Submit
C:\ProgramData\Kingsoft\office6\wps.dat

Filesize
152KB

MD5
a1ed676cf36394b6b4fb449309b91b5b

SHA1
4cf7a01b132e4855581e39f5d0da204301fdae98

SHA256
8da2085b60e44aa5fa46c8613757e1582df098e27373b2c8916d2725f28b46de

SHA512
ce224d2376a7d78777691f9eceb8a48755787b390b73e309d48337b8d097a9370e66780237e2884294c76205f93f27e82744804781abe8eaee255c9e2f0f3f11

Download Submit
C:\ProgramData\Kingsoft\office6\wps.exe

Filesize
177KB

MD5
f44992d14033a2b5b1064104658a29e1

SHA1
62673aa6e8bde17f218524cbe3bf50cb5b949f3b

SHA256
331f64d6d6bf7883ed8a3c29ab8ce3bf947aaecf49748a7a2b5113ced68607a4

SHA512
9a57d5765e9dcff8caccf8b51449bfd8d35f9c346c9a09a5c64a7229136490bc1cb5a3f07c8d9c75aaf48e16e01700c3d6674fc1b8d170ce927913c4130bc31b

Download Submit
memory/672-39-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp

Filesize
232KB

Download
memory/672-55-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp

Filesize
232KB

Download
memory/672-74-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp

Filesize
232KB

Download
memory/672-37-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp

Filesize
232KB

Download
memory/672-36-0x000002D2B5700000-0x000002D2B5701000-memory.dmp

Filesize
4KB

Download
memory/672-54-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp

Filesize
232KB

Download
memory/672-51-0x000002D2B5780000-0x000002D2B5781000-memory.dmp

Filesize
4KB

Download
memory/672-52-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp

Filesize
232KB

Download
memory/672-41-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp

Filesize
232KB

Download
memory/672-61-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp

Filesize
232KB

Download
memory/672-60-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp

Filesize
232KB

Download
memory/672-59-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp

Filesize
232KB

Download
memory/672-53-0x000002D2B5AD0000-0x000002D2B5B0A000-memory.dmp

Filesize
232KB

Download
memory/1032-70-0x0000021002CE0000-0x0000021002CE1000-memory.dmp

Filesize
4KB

Download
memory/1032-68-0x0000021004800000-0x000002100483A000-memory.dmp

Filesize
232KB

Download
memory/1032-71-0x0000021004800000-0x000002100483A000-memory.dmp

Filesize
232KB

Download
memory/1032-72-0x0000021004800000-0x000002100483A000-memory.dmp

Filesize
232KB

Download
memory/1032-73-0x0000021004800000-0x000002100483A000-memory.dmp

Filesize
232KB

Download
memory/3000-27-0x00007FFFEF050000-0x00007FFFEF051000-memory.dmp

Filesize
4KB

Download
memory/3000-26-0x00000000020B0000-0x00000000020EA000-memory.dmp

Filesize
232KB

Download
memory/3000-28-0x00000000020B0000-0x00000000020EA000-memory.dmp

Filesize
232KB

Download
memory/3000-66-0x00007FFFE1E20000-0x00007FFFE1E64000-memory.dmp

Filesize
272KB

Download
memory/3000-65-0x00000000020B0000-0x00000000020EA000-memory.dmp

Filesize
232KB

Download
memory/3000-22-0x00007FFFE1E20000-0x00007FFFE1E64000-memory.dmp

Filesize
272KB

Download
memory/3000-23-0x00007FFFE1E20000-0x00007FFFE1E64000-memory.dmp

Filesize
272KB

Download
memory/3664-0-0x00007FFFE1EE0000-0x00007FFFE1F24000-memory.dmp

Filesize
272KB

Download
memory/3664-4-0x0000000002320000-0x000000000235A000-memory.dmp

Filesize
232KB

Download
memory/3664-17-0x0000000002320000-0x000000000235A000-memory.dmp

Filesize
232KB

Download
memory/3664-2-0x00000000021B0000-0x00000000022B0000-memory.dmp

Filesize
1024KB

Download
memory/3664-1-0x00007FFFE1EE0000-0x00007FFFE1F24000-memory.dmp

Filesize
272KB

Download
memory/3664-40-0x00007FFFE1EE0000-0x00007FFFE1F24000-memory.dmp

Filesize
272KB

Download
memory/3664-3-0x00007FFFEF050000-0x00007FFFEF051000-memory.dmp

Filesize
4KB

Download
memory/4560-31-0x00007FFFE1E20000-0x00007FFFE1E64000-memory.dmp

Filesize
272KB

Download
memory/4560-32-0x00007FFFE1E20000-0x00007FFFE1E64000-memory.dmp

Filesize
272KB

Download
memory/4560-35-0x0000000000C50000-0x0000000000C8A000-memory.dmp

Filesize
232KB

Download
memory/4560-57-0x00007FFFE1E20000-0x00007FFFE1E64000-memory.dmp

Filesize
272KB

Download
memory/4560-34-0x0000000000C50000-0x0000000000C8A000-memory.dmp

Filesize
232KB

Download
memory/4560-58-0x0000000000C50000-0x0000000000C8A000-memory.dmp

Filesize
232KB

Download