plugx | 7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe
Size

554KB
MD5

9310477537d5d7c92bc711547a4c9621
SHA1

5b90d064de8955cf26ac9c1e59a60c106871aa79
SHA256

7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f
SHA512

31b3367c2736e4549bfe7a7511c76ced47f14faf2200439e973f1b7c96dacb90412bad4bf3467e9d8e2b3b38367a674075360940d5749a5e697bb92e4ecd5707
SSDEEP

12288:YUomEFRu3xEPE6HuRurMRFs7hm7p0fdINC//TZSIy:YmOMSPE6ORIMPT0fdIkHTZSR

Score

10^/10

plugx discovery trojan

Malware Config

Signatures

Detects PlugX payload 22 IoCs

resource	yara_rule
behavioral2/memory/4392-22-0x0000000002C40000-0x0000000002C75000-memory.dmp	family_plugx
behavioral2/memory/4056-44-0x0000000002E60000-0x0000000002E95000-memory.dmp	family_plugx
behavioral2/memory/4056-46-0x0000000002E60000-0x0000000002E95000-memory.dmp	family_plugx
behavioral2/memory/1060-51-0x0000000001B00000-0x0000000001B35000-memory.dmp	family_plugx
behavioral2/memory/2464-52-0x00000000017B0000-0x00000000017E5000-memory.dmp	family_plugx
behavioral2/memory/2464-64-0x00000000017B0000-0x00000000017E5000-memory.dmp	family_plugx
behavioral2/memory/2464-67-0x00000000017B0000-0x00000000017E5000-memory.dmp	family_plugx
behavioral2/memory/2464-68-0x00000000017B0000-0x00000000017E5000-memory.dmp	family_plugx
behavioral2/memory/2464-69-0x00000000017B0000-0x00000000017E5000-memory.dmp	family_plugx
behavioral2/memory/2464-70-0x00000000017B0000-0x00000000017E5000-memory.dmp	family_plugx
behavioral2/memory/2464-71-0x00000000017B0000-0x00000000017E5000-memory.dmp	family_plugx
behavioral2/memory/2464-66-0x00000000017B0000-0x00000000017E5000-memory.dmp	family_plugx
behavioral2/memory/2464-65-0x00000000017B0000-0x00000000017E5000-memory.dmp	family_plugx
behavioral2/memory/2464-53-0x00000000017B0000-0x00000000017E5000-memory.dmp	family_plugx
behavioral2/memory/1060-74-0x0000000001B00000-0x0000000001B35000-memory.dmp	family_plugx
behavioral2/memory/4392-75-0x0000000002C40000-0x0000000002C75000-memory.dmp	family_plugx
behavioral2/memory/4056-77-0x0000000002E60000-0x0000000002E95000-memory.dmp	family_plugx
behavioral2/memory/4708-79-0x0000000002090000-0x00000000020C5000-memory.dmp	family_plugx
behavioral2/memory/4708-81-0x0000000002090000-0x00000000020C5000-memory.dmp	family_plugx
behavioral2/memory/4708-83-0x0000000002090000-0x00000000020C5000-memory.dmp	family_plugx
behavioral2/memory/4708-84-0x0000000002090000-0x00000000020C5000-memory.dmp	family_plugx
behavioral2/memory/4708-82-0x0000000002090000-0x00000000020C5000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Plugx family
plugx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe

Executes dropped EXE 3 IoCs

pid	Process
4392	SoftManager.exe
4056	SoftManager.exe
1060	SoftManager.exe

Loads dropped DLL 9 IoCs

pid	Process
4392	SoftManager.exe
4392	SoftManager.exe
4392	SoftManager.exe
4056	SoftManager.exe
4056	SoftManager.exe
4056	SoftManager.exe
1060	SoftManager.exe
1060	SoftManager.exe
1060	SoftManager.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	100.101.229.219
Destination IP	100.82.5.104
Destination IP	100.85.113.3
Destination IP	100.83.90.111

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SoftManager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SoftManager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SoftManager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 37004400340030003900460038004300390038004400330038003700450032000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
2464	svchost.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
2464	svchost.exe
2464	svchost.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
2464	svchost.exe
2464	svchost.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
2464	svchost.exe
2464	svchost.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
2464	svchost.exe
2464	svchost.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
4708	msiexec.exe
2464	svchost.exe
2464	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2464	svchost.exe
4708	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4392	SoftManager.exe
Token: SeTcbPrivilege	4392	SoftManager.exe
Token: SeDebugPrivilege	4056	SoftManager.exe
Token: SeTcbPrivilege	4056	SoftManager.exe
Token: SeDebugPrivilege	1060	SoftManager.exe
Token: SeTcbPrivilege	1060	SoftManager.exe
Token: SeDebugPrivilege	2464	svchost.exe
Token: SeTcbPrivilege	2464	svchost.exe
Token: SeDebugPrivilege	4708	msiexec.exe
Token: SeTcbPrivilege	4708	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 4392	4272	7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe	83
PID 4272 wrote to memory of 4392	4272	7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe	83
PID 4272 wrote to memory of 4392	4272	7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe	83
PID 1060 wrote to memory of 2464	1060	SoftManager.exe	88
PID 1060 wrote to memory of 2464	1060	SoftManager.exe	88
PID 1060 wrote to memory of 2464	1060	SoftManager.exe	88
PID 1060 wrote to memory of 2464	1060	SoftManager.exe	88
PID 1060 wrote to memory of 2464	1060	SoftManager.exe	88
PID 1060 wrote to memory of 2464	1060	SoftManager.exe	88
PID 1060 wrote to memory of 2464	1060	SoftManager.exe	88
PID 1060 wrote to memory of 2464	1060	SoftManager.exe	88
PID 2464 wrote to memory of 4708	2464	svchost.exe	95
PID 2464 wrote to memory of 4708	2464	svchost.exe	95
PID 2464 wrote to memory of 4708	2464	svchost.exe	95
PID 2464 wrote to memory of 4708	2464	svchost.exe	95
PID 2464 wrote to memory of 4708	2464	svchost.exe	95
PID 2464 wrote to memory of 4708	2464	svchost.exe	95
PID 2464 wrote to memory of 4708	2464	svchost.exe	95
PID 2464 wrote to memory of 4708	2464	svchost.exe	95

C:\Users\Admin\AppData\Local\Temp\7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe
"C:\Users\Admin\AppData\Local\Temp\7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Users\Admin\AppData\Local\Temp\SoftManager.exe
  "C:\Users\Admin\AppData\Local\Temp\SoftManager.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4392

C:\ProgramData\360SoftManager\softmgr\SoftManager.exe
"C:\ProgramData\360SoftManager\softmgr\SoftManager.exe" 100 4392
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\ProgramData\360SoftManager\softmgr\SoftManager.exe
"C:\ProgramData\360SoftManager\softmgr\SoftManager.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 2464
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SoftManager.dat

Filesize
148KB

MD5
e46f18ec2a13ef883c1b6a50ec157971

SHA1
816e48a51827797bf3ab2204b962ab1edcb018d6

SHA256
31ba90be019b15895da9b3a0943e88115fc08769d7857fc2fedc6eb7b13fd9c9

SHA512
6c9da9296390c050af8255f1dead0bc18835bc5dbe2fd0e2baa6d00ed5c58b5109f06b4edd76e826b1976ce513cb0c097243ce5812f17b6be518469b10e35b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoftManager.exe

Filesize
337KB

MD5
cffab901ec1573799473a7b4d110cf08

SHA1
4dae9fc43de6bb4b3b47fcac5348a104c4792988

SHA256
5ea1bb2021e94cd70d21bc51d586a1edc0cc1e584986cfc4460a2a98a828db97

SHA512
8ab0334dbad12047e743c51cd44aec3287e4c938b904b01b9586e73c10d3aa1f36347f00045c89a2ca2399d140b804be789c502251b9d5b9dc7610ab9dc9cd60

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
33KB

MD5
ce07ef4ef68a65715bb2c2beabdd289e

SHA1
bc9565fc5b790cb6e6c7097248a3f4063db33ce6

SHA256
ddd19d60f37f04e33fb74f6ef2e45f24be1bab8423aba608987804eed9316567

SHA512
d24023ac21524e5e9d7d885c65038533ef055a9ada45a0a6f5b8218a88328dec27ea83fbff0423daf331b038da4fae2df3b450e3bfe41882b29e57fbea689227

Download Submit
memory/1060-74-0x0000000001B00000-0x0000000001B35000-memory.dmp

Filesize
212KB

Download
memory/1060-51-0x0000000001B00000-0x0000000001B35000-memory.dmp

Filesize
212KB

Download
memory/2464-63-0x0000000001790000-0x0000000001791000-memory.dmp

Filesize
4KB

Download
memory/2464-65-0x00000000017B0000-0x00000000017E5000-memory.dmp

Filesize
212KB

Download
memory/2464-53-0x00000000017B0000-0x00000000017E5000-memory.dmp

Filesize
212KB

Download
memory/2464-66-0x00000000017B0000-0x00000000017E5000-memory.dmp

Filesize
212KB

Download
memory/2464-52-0x00000000017B0000-0x00000000017E5000-memory.dmp

Filesize
212KB

Download
memory/2464-64-0x00000000017B0000-0x00000000017E5000-memory.dmp

Filesize
212KB

Download
memory/2464-67-0x00000000017B0000-0x00000000017E5000-memory.dmp

Filesize
212KB

Download
memory/2464-68-0x00000000017B0000-0x00000000017E5000-memory.dmp

Filesize
212KB

Download
memory/2464-69-0x00000000017B0000-0x00000000017E5000-memory.dmp

Filesize
212KB

Download
memory/2464-70-0x00000000017B0000-0x00000000017E5000-memory.dmp

Filesize
212KB

Download
memory/2464-71-0x00000000017B0000-0x00000000017E5000-memory.dmp

Filesize
212KB

Download
memory/4056-46-0x0000000002E60000-0x0000000002E95000-memory.dmp

Filesize
212KB

Download
memory/4056-44-0x0000000002E60000-0x0000000002E95000-memory.dmp

Filesize
212KB

Download
memory/4056-77-0x0000000002E60000-0x0000000002E95000-memory.dmp

Filesize
212KB

Download
memory/4392-22-0x0000000002C40000-0x0000000002C75000-memory.dmp

Filesize
212KB

Download
memory/4392-23-0x0000000002B10000-0x0000000002B68000-memory.dmp

Filesize
352KB

Download
memory/4392-21-0x0000000002B10000-0x0000000002C10000-memory.dmp

Filesize
1024KB

Download
memory/4392-75-0x0000000002C40000-0x0000000002C75000-memory.dmp

Filesize
212KB

Download
memory/4708-79-0x0000000002090000-0x00000000020C5000-memory.dmp

Filesize
212KB

Download
memory/4708-80-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/4708-81-0x0000000002090000-0x00000000020C5000-memory.dmp

Filesize
212KB

Download
memory/4708-83-0x0000000002090000-0x00000000020C5000-memory.dmp

Filesize
212KB

Download
memory/4708-84-0x0000000002090000-0x00000000020C5000-memory.dmp

Filesize
212KB

Download
memory/4708-82-0x0000000002090000-0x00000000020C5000-memory.dmp

Filesize
212KB

Download