plugx | 0b3fd64713282aa0c31877bb1078ead1677f25b83e71cd73720ad02eea1bf92b

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2025, 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b3fd64713282aa0c31877bb1078ead1677f25b83e71cd73720ad02eea1bf92b.exe
Size

227KB
MD5

058f639ccb210210a0f8e4441ac2dd31
SHA1

c8037330b9df11a524191583243fdc558738785e
SHA256

0b3fd64713282aa0c31877bb1078ead1677f25b83e71cd73720ad02eea1bf92b
SHA512

668b12f0e09ac99d99d9cef83dec7ed08f4ac2786c38986a0619ad9e984be732b786fd164c91d4204ad44d65b9251b5895db4224bc975d30426b08d324d60b0b
SSDEEP

6144:uLkD+fqCNAl8aVuMULdQrdas2gQntcgMly5CjrjZZ6AnRl:uYD+iCNAl/HULdQrRfQnegMlcCjeAnRl

Score

10^/10

plugx discovery trojan

Malware Config

Signatures

Detects PlugX payload 18 IoCs

resource	yara_rule
behavioral2/memory/216-14-0x00000000021F0000-0x000000000221E000-memory.dmp	family_plugx
behavioral2/memory/2040-32-0x0000000000D70000-0x0000000000D9E000-memory.dmp	family_plugx
behavioral2/memory/2468-35-0x0000000000D70000-0x0000000000D9E000-memory.dmp	family_plugx
behavioral2/memory/2040-37-0x0000000000D70000-0x0000000000D9E000-memory.dmp	family_plugx
behavioral2/memory/2468-36-0x0000000000D70000-0x0000000000D9E000-memory.dmp	family_plugx
behavioral2/memory/216-41-0x00000000021F0000-0x000000000221E000-memory.dmp	family_plugx
behavioral2/memory/2468-44-0x0000000000D70000-0x0000000000D9E000-memory.dmp	family_plugx
behavioral2/memory/2468-55-0x0000000000D70000-0x0000000000D9E000-memory.dmp	family_plugx
behavioral2/memory/2468-57-0x0000000000D70000-0x0000000000D9E000-memory.dmp	family_plugx
behavioral2/memory/2468-56-0x0000000000D70000-0x0000000000D9E000-memory.dmp	family_plugx
behavioral2/memory/1692-62-0x0000000001250000-0x000000000127E000-memory.dmp	family_plugx
behavioral2/memory/1692-65-0x0000000001250000-0x000000000127E000-memory.dmp	family_plugx
behavioral2/memory/1692-64-0x0000000001250000-0x000000000127E000-memory.dmp	family_plugx
behavioral2/memory/2468-66-0x0000000000D70000-0x0000000000D9E000-memory.dmp	family_plugx
behavioral2/memory/1692-67-0x0000000001250000-0x000000000127E000-memory.dmp	family_plugx
behavioral2/memory/2468-68-0x0000000000D70000-0x0000000000D9E000-memory.dmp	family_plugx
behavioral2/memory/2468-70-0x0000000000D70000-0x0000000000D9E000-memory.dmp	family_plugx
behavioral2/memory/2468-71-0x0000000000D70000-0x0000000000D9E000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Plugx family
plugx

Deletes itself 1 IoCs

pid	Process
2468	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
216	SOUNDMAN.exe
2040	SOUNDMAN.exe

Loads dropped DLL 2 IoCs

pid	Process
216	SOUNDMAN.exe
2040	SOUNDMAN.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SOUNDMAN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b3fd64713282aa0c31877bb1078ead1677f25b83e71cd73720ad02eea1bf92b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SOUNDMAN.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\MJ	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 39003900430034004600350033004500430041003700410045003300340039000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
2468	svchost.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
2468	svchost.exe
2468	svchost.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
2468	svchost.exe
2468	svchost.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
2468	svchost.exe
2468	svchost.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
2468	svchost.exe
2468	svchost.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe
1692	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2468	svchost.exe
1692	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	216	SOUNDMAN.exe
Token: SeTcbPrivilege	216	SOUNDMAN.exe
Token: SeDebugPrivilege	2040	SOUNDMAN.exe
Token: SeTcbPrivilege	2040	SOUNDMAN.exe
Token: SeDebugPrivilege	2468	svchost.exe
Token: SeTcbPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	1692	msiexec.exe
Token: SeTcbPrivilege	1692	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 216	1868	0b3fd64713282aa0c31877bb1078ead1677f25b83e71cd73720ad02eea1bf92b.exe	82
PID 1868 wrote to memory of 216	1868	0b3fd64713282aa0c31877bb1078ead1677f25b83e71cd73720ad02eea1bf92b.exe	82
PID 1868 wrote to memory of 216	1868	0b3fd64713282aa0c31877bb1078ead1677f25b83e71cd73720ad02eea1bf92b.exe	82
PID 2040 wrote to memory of 2468	2040	SOUNDMAN.exe	84
PID 2040 wrote to memory of 2468	2040	SOUNDMAN.exe	84
PID 2040 wrote to memory of 2468	2040	SOUNDMAN.exe	84
PID 2040 wrote to memory of 2468	2040	SOUNDMAN.exe	84
PID 2040 wrote to memory of 2468	2040	SOUNDMAN.exe	84
PID 2040 wrote to memory of 2468	2040	SOUNDMAN.exe	84
PID 2040 wrote to memory of 2468	2040	SOUNDMAN.exe	84
PID 2040 wrote to memory of 2468	2040	SOUNDMAN.exe	84
PID 2468 wrote to memory of 1692	2468	svchost.exe	90
PID 2468 wrote to memory of 1692	2468	svchost.exe	90
PID 2468 wrote to memory of 1692	2468	svchost.exe	90
PID 2468 wrote to memory of 1692	2468	svchost.exe	90
PID 2468 wrote to memory of 1692	2468	svchost.exe	90
PID 2468 wrote to memory of 1692	2468	svchost.exe	90
PID 2468 wrote to memory of 1692	2468	svchost.exe	90
PID 2468 wrote to memory of 1692	2468	svchost.exe	90

C:\Users\Admin\AppData\Local\Temp\0b3fd64713282aa0c31877bb1078ead1677f25b83e71cd73720ad02eea1bf92b.exe
"C:\Users\Admin\AppData\Local\Temp\0b3fd64713282aa0c31877bb1078ead1677f25b83e71cd73720ad02eea1bf92b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe
  "C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe" 100 1868
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:216

C:\ProgramData\SOUNDMAN\SOUNDMAN.exe
C:\ProgramData\SOUNDMAN\SOUNDMAN.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SxS\bug.log

Filesize
456B

MD5
023998519fff58a8db464fb0b2b4b30c

SHA1
212393456fe1bcf8aa5508bf529b99abd7288114

SHA256
2b3caff6f169bc696f752dd24d24daa8dd1b12ccc135c8310ba2e7a4d94711f1

SHA512
374a0eca0bfad852b6b526ef4924b3bdd7b5dcad5705aa38cf407e1ff41801f55ca382d631a8f1cc953ff558e05d0103dc87e3c6de96cf36e7d12fef9103497c

Download Submit
C:\ProgramData\SxS\bug.log

Filesize
618B

MD5
19520bdc52a025252f11040a1462d5ef

SHA1
21f881463cbd6d7794c0c453822832bebb4ea028

SHA256
26ab3acf84147e62a0cad059abba9bcf6af9b5adf150e0e56a34cb57a2cfe807

SHA512
c0f60ac92b620ae2aa0bf33145fb0870190cbf33a59129915771c77844b1a731c4d50b7ed7988cbbd8dac50c1ad6e1e29a0c313ad7826b5ba14318ee884fcdd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\HID.DLL

Filesize
41KB

MD5
89fb8ee88cfd469e14bc7493d78b70c4

SHA1
0f431b38ef83728e71aa044b06da6e8f989cfbbd

SHA256
a8099c7b3748c3b1bff3cd477f3c29bba86ebb6797a08f89f3a661df820adf51

SHA512
2e0f4838d8edc15e11410f23557dd96cf56ec1e9ad649d50314a3715a66d2adbd7de2ecf19c722df2f9833eee5db15db5b3cfa894e9a3a7df8c0abad2725f1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\HID.DLLx

Filesize
116KB

MD5
6e41d17b267dd2378feb4b0211dece84

SHA1
860c85a6887360a5dff2547422b0b7c1ce5212f5

SHA256
b8a3f4ca6e1c803ab1b8b709f256a82d6dfa3f33c8ec48d5f5f186031419d8ee

SHA512
e496c67bf3f02fe84501fe2d6fb09578473932fc6917f4087c830820a617419044713d782231fa57b24e23009f03b43974a023baaa832d75369769f27da1310a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HID\SOUNDMAN.exe

Filesize
82KB

MD5
798c0c1ff4e0fce646ca82ae0379ccb0

SHA1
3f65f997f350a59ac67e432092cf7f5cfe94a701

SHA256
54d08331f511823755cbbac3aad698bbcdfcde71f47b827dcfc6ada89e753d80

SHA512
be7924f6179d774d0e4f91a6f044abbb12e9cbf1e19a49e115da5a2eeedbe4c0b29879cf41008d27d13fdb80963d846527d53721d94668719d1331bf1867de3e

Download Submit
memory/216-11-0x0000000000405000-0x0000000000406000-memory.dmp

Filesize
4KB

Download
memory/216-13-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/216-14-0x00000000021F0000-0x000000000221E000-memory.dmp

Filesize
184KB

Download
memory/216-41-0x00000000021F0000-0x000000000221E000-memory.dmp

Filesize
184KB

Download
memory/1692-65-0x0000000001250000-0x000000000127E000-memory.dmp

Filesize
184KB

Download
memory/1692-62-0x0000000001250000-0x000000000127E000-memory.dmp

Filesize
184KB

Download
memory/1692-67-0x0000000001250000-0x000000000127E000-memory.dmp

Filesize
184KB

Download
memory/1692-63-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/1692-64-0x0000000001250000-0x000000000127E000-memory.dmp

Filesize
184KB

Download
memory/2040-33-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2040-37-0x0000000000D70000-0x0000000000D9E000-memory.dmp

Filesize
184KB

Download
memory/2040-32-0x0000000000D70000-0x0000000000D9E000-memory.dmp

Filesize
184KB

Download
memory/2468-56-0x0000000000D70000-0x0000000000D9E000-memory.dmp

Filesize
184KB

Download
memory/2468-44-0x0000000000D70000-0x0000000000D9E000-memory.dmp

Filesize
184KB

Download
memory/2468-54-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2468-57-0x0000000000D70000-0x0000000000D9E000-memory.dmp

Filesize
184KB

Download
memory/2468-55-0x0000000000D70000-0x0000000000D9E000-memory.dmp

Filesize
184KB

Download
memory/2468-34-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2468-35-0x0000000000D70000-0x0000000000D9E000-memory.dmp

Filesize
184KB

Download
memory/2468-66-0x0000000000D70000-0x0000000000D9E000-memory.dmp

Filesize
184KB

Download
memory/2468-36-0x0000000000D70000-0x0000000000D9E000-memory.dmp

Filesize
184KB

Download
memory/2468-68-0x0000000000D70000-0x0000000000D9E000-memory.dmp

Filesize
184KB

Download
memory/2468-70-0x0000000000D70000-0x0000000000D9E000-memory.dmp

Filesize
184KB

Download
memory/2468-71-0x0000000000D70000-0x0000000000D9E000-memory.dmp

Filesize
184KB

Download