plugx | 2d06415cf8ff8aacce1b0d994a269c52810c9324254a33a2bea0d134dc17b064

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d06415cf8ff8aacce1b0d994a269c52810c9324254a33a2bea0d134dc17b064.exe
Size

218KB
MD5

046bb16fd2d9749e07fa07aeffd044d6
SHA1

692d905801968e4736e0a3ded2152d77b6a38088
SHA256

2d06415cf8ff8aacce1b0d994a269c52810c9324254a33a2bea0d134dc17b064
SHA512

78edaf9c5d326e73198343ee9126317f44325bbf29f255907a409dfbe1b5d301c97ecfb3b07f97ba7ba18fd40a1a977fb8bbb66118e5b65962ff00a957df295d
SSDEEP

6144:KLDyFXg3/QownR9XhQNnrJ0p4ELFvST08ku1tbn:K/F3YoqR9xWrJc4ERvS48/Tz

Score

10^/10

plugx discovery trojan

Malware Config

Signatures

Detects PlugX payload 18 IoCs

resource	yara_rule
behavioral1/memory/2368-18-0x0000000000290000-0x00000000002BD000-memory.dmp	family_plugx
behavioral1/memory/2512-21-0x0000000000270000-0x000000000029D000-memory.dmp	family_plugx
behavioral1/memory/3060-27-0x0000000000390000-0x00000000003BD000-memory.dmp	family_plugx
behavioral1/memory/2512-29-0x0000000000270000-0x000000000029D000-memory.dmp	family_plugx
behavioral1/memory/3060-30-0x0000000000390000-0x00000000003BD000-memory.dmp	family_plugx
behavioral1/memory/3060-44-0x0000000000390000-0x00000000003BD000-memory.dmp	family_plugx
behavioral1/memory/3060-43-0x0000000000390000-0x00000000003BD000-memory.dmp	family_plugx
behavioral1/memory/3060-42-0x0000000000390000-0x00000000003BD000-memory.dmp	family_plugx
behavioral1/memory/3060-41-0x0000000000390000-0x00000000003BD000-memory.dmp	family_plugx
behavioral1/memory/3060-45-0x0000000000390000-0x00000000003BD000-memory.dmp	family_plugx
behavioral1/memory/3060-46-0x0000000000390000-0x00000000003BD000-memory.dmp	family_plugx
behavioral1/memory/2368-49-0x0000000000290000-0x00000000002BD000-memory.dmp	family_plugx
behavioral1/memory/3060-50-0x0000000000390000-0x00000000003BD000-memory.dmp	family_plugx
behavioral1/memory/2588-61-0x00000000005C0000-0x00000000005ED000-memory.dmp	family_plugx
behavioral1/memory/2588-60-0x00000000005C0000-0x00000000005ED000-memory.dmp	family_plugx
behavioral1/memory/2588-58-0x00000000005C0000-0x00000000005ED000-memory.dmp	family_plugx
behavioral1/memory/2588-57-0x00000000005C0000-0x00000000005ED000-memory.dmp	family_plugx
behavioral1/memory/3060-62-0x0000000000390000-0x00000000003BD000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Plugx family
plugx

Deletes itself 1 IoCs

pid	Process
2368	NvSmart.exe

Executes dropped EXE 2 IoCs

pid	Process
2368	NvSmart.exe
2512	NvSmart.exe

Loads dropped DLL 4 IoCs

pid	Process
1224	2d06415cf8ff8aacce1b0d994a269c52810c9324254a33a2bea0d134dc17b064.exe
1224	2d06415cf8ff8aacce1b0d994a269c52810c9324254a33a2bea0d134dc17b064.exe
2368	NvSmart.exe
2512	NvSmart.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NvSmart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d06415cf8ff8aacce1b0d994a269c52810c9324254a33a2bea0d134dc17b064.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NvSmart.exe

Modifies data under HKEY_USERS 33 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC40A603-D342-4BEC-A4CC-263A43A471A1}\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-bf-87-d7-3b-9e	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0166000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC40A603-D342-4BEC-A4CC-263A43A471A1}\WpadDecisionTime = 40dba342ff5ddb01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC40A603-D342-4BEC-A4CC-263A43A471A1}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC40A603-D342-4BEC-A4CC-263A43A471A1}\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-bf-87-d7-3b-9e\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC40A603-D342-4BEC-A4CC-263A43A471A1}\WpadNetworkName = "Network 2"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-bf-87-d7-3b-9e\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-bf-87-d7-3b-9e\WpadDecisionTime = 40dba342ff5ddb01	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC40A603-D342-4BEC-A4CC-263A43A471A1}\da-bf-87-d7-3b-9e	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 39003600320039003500370036003800320030004400350037004500440034000000	svchost.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
3060	svchost.exe
3060	svchost.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
3060	svchost.exe
3060	svchost.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
3060	svchost.exe
3060	svchost.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
3060	svchost.exe
3060	svchost.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
2588	msiexec.exe
3060	svchost.exe
3060	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3060	svchost.exe
2588	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	NvSmart.exe
Token: SeTcbPrivilege	2368	NvSmart.exe
Token: SeDebugPrivilege	2512	NvSmart.exe
Token: SeTcbPrivilege	2512	NvSmart.exe
Token: SeDebugPrivilege	3060	svchost.exe
Token: SeTcbPrivilege	3060	svchost.exe
Token: SeDebugPrivilege	2588	msiexec.exe
Token: SeTcbPrivilege	2588	msiexec.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2368	1224	2d06415cf8ff8aacce1b0d994a269c52810c9324254a33a2bea0d134dc17b064.exe	30
PID 1224 wrote to memory of 2368	1224	2d06415cf8ff8aacce1b0d994a269c52810c9324254a33a2bea0d134dc17b064.exe	30
PID 1224 wrote to memory of 2368	1224	2d06415cf8ff8aacce1b0d994a269c52810c9324254a33a2bea0d134dc17b064.exe	30
PID 1224 wrote to memory of 2368	1224	2d06415cf8ff8aacce1b0d994a269c52810c9324254a33a2bea0d134dc17b064.exe	30
PID 2512 wrote to memory of 3060	2512	NvSmart.exe	32
PID 2512 wrote to memory of 3060	2512	NvSmart.exe	32
PID 2512 wrote to memory of 3060	2512	NvSmart.exe	32
PID 2512 wrote to memory of 3060	2512	NvSmart.exe	32
PID 2512 wrote to memory of 3060	2512	NvSmart.exe	32
PID 2512 wrote to memory of 3060	2512	NvSmart.exe	32
PID 2512 wrote to memory of 3060	2512	NvSmart.exe	32
PID 2512 wrote to memory of 3060	2512	NvSmart.exe	32
PID 2512 wrote to memory of 3060	2512	NvSmart.exe	32
PID 3060 wrote to memory of 2588	3060	svchost.exe	33
PID 3060 wrote to memory of 2588	3060	svchost.exe	33
PID 3060 wrote to memory of 2588	3060	svchost.exe	33
PID 3060 wrote to memory of 2588	3060	svchost.exe	33
PID 3060 wrote to memory of 2588	3060	svchost.exe	33
PID 3060 wrote to memory of 2588	3060	svchost.exe	33
PID 3060 wrote to memory of 2588	3060	svchost.exe	33
PID 3060 wrote to memory of 2588	3060	svchost.exe	33
PID 3060 wrote to memory of 2588	3060	svchost.exe	33
PID 3060 wrote to memory of 2588	3060	svchost.exe	33
PID 3060 wrote to memory of 2588	3060	svchost.exe	33
PID 3060 wrote to memory of 2588	3060	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\2d06415cf8ff8aacce1b0d994a269c52810c9324254a33a2bea0d134dc17b064.exe
"C:\Users\Admin\AppData\Local\Temp\2d06415cf8ff8aacce1b0d994a269c52810c9324254a33a2bea0d134dc17b064.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\NVFILES\NvSmart.exe
  "C:\Users\Admin\AppData\Local\Temp\NVFILES\NvSmart.exe" 100 1224
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2368

C:\Users\Admin\AppData\Local\Temp\NVFILES\NvSmart.exe
"C:\Users\Admin\AppData\Local\Temp\NVFILES\NvSmart.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 3060
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NVFILES\NvSmart.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NVFILES\NvSmartMax.dll

Filesize
40KB

MD5
532bcd7258d35fabbfeca5910de8a96f

SHA1
5cf9fbb7afacd602f0df46b64782aae62beaf8fd

SHA256
8d5749552fa4698178ee46c09e8d1fc9c30322583a8301c3d092135d027d7019

SHA512
414c2e57e0b59c320ca53551021824b1eb507067c0c6a6f3d27683699f0a2977dd3a21211a1a16e8d5639f81028dce30c4ca7ec5420346f92de0cf53695f9f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NVFILES\NvSmartMax.dll.xml

Filesize
113KB

MD5
6a6ace55c125a82ce2515f11c263fa0f

SHA1
cd9752a4d0aa883ded211e6765d7b11d48e864a3

SHA256
e116af18781cc79d61bfff8db9ae7f67366b72260d858fbbfb898ac81877d4b2

SHA512
44a05ecab291740c7e374f8c5239f27a96caaae47be5489d85cf41f3249e2608b8e37edf66b0aa9b3fa7ce256ed8a9746508ebff9488311fe4252bbef5291889

Download Submit
memory/2368-17-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2368-16-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2368-18-0x0000000000290000-0x00000000002BD000-memory.dmp

Filesize
180KB

Download
memory/2368-49-0x0000000000290000-0x00000000002BD000-memory.dmp

Filesize
180KB

Download
memory/2512-21-0x0000000000270000-0x000000000029D000-memory.dmp

Filesize
180KB

Download
memory/2512-29-0x0000000000270000-0x000000000029D000-memory.dmp

Filesize
180KB

Download
memory/2588-56-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2588-57-0x00000000005C0000-0x00000000005ED000-memory.dmp

Filesize
180KB

Download
memory/2588-58-0x00000000005C0000-0x00000000005ED000-memory.dmp

Filesize
180KB

Download
memory/2588-59-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2588-60-0x00000000005C0000-0x00000000005ED000-memory.dmp

Filesize
180KB

Download
memory/2588-61-0x00000000005C0000-0x00000000005ED000-memory.dmp

Filesize
180KB

Download
memory/3060-25-0x0000000000100000-0x0000000000102000-memory.dmp

Filesize
8KB

Download
memory/3060-42-0x0000000000390000-0x00000000003BD000-memory.dmp

Filesize
180KB

Download
memory/3060-41-0x0000000000390000-0x00000000003BD000-memory.dmp

Filesize
180KB

Download
memory/3060-40-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/3060-45-0x0000000000390000-0x00000000003BD000-memory.dmp

Filesize
180KB

Download
memory/3060-46-0x0000000000390000-0x00000000003BD000-memory.dmp

Filesize
180KB

Download
memory/3060-43-0x0000000000390000-0x00000000003BD000-memory.dmp

Filesize
180KB

Download
memory/3060-50-0x0000000000390000-0x00000000003BD000-memory.dmp

Filesize
180KB

Download
memory/3060-44-0x0000000000390000-0x00000000003BD000-memory.dmp

Filesize
180KB

Download
memory/3060-30-0x0000000000390000-0x00000000003BD000-memory.dmp

Filesize
180KB

Download
memory/3060-27-0x0000000000390000-0x00000000003BD000-memory.dmp

Filesize
180KB

Download
memory/3060-26-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3060-22-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3060-24-0x00000000000E0000-0x00000000000FB000-memory.dmp

Filesize
108KB

Download
memory/3060-62-0x0000000000390000-0x00000000003BD000-memory.dmp

Filesize
180KB

Download