plugx | 8fd2ab26d5397dfcef9a48d4106eec604c8e38b86e2ccc148757a157c83f4f8c

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fd2ab26d5397dfcef9a48d4106eec604c8e38b86e2ccc148757a157c83f4f8c.exe
Size

568KB
MD5

b60b6387fb18df16e563a5e1b374e080
SHA1

cf69fdb45dc3ab5958997cc411c664a6f49602c9
SHA256

8fd2ab26d5397dfcef9a48d4106eec604c8e38b86e2ccc148757a157c83f4f8c
SHA512

1463a88c6b93896666117c6c33124c23a9de5edb68fd60f65db97794b5e08fd6763cf4f5b929ee8dd0cc7f9a1d03e4be08dceeb95fa74ee62b99a6984658685c
SSDEEP

12288:XTKfDgWulALVZkES0RgGEVhkyA7F3Xl5MB8vTOvcX6C1dcDbpOZZo+NjrDhWg6jJ:OffuCXpo

Score

10^/10

plugx discovery trojan

Malware Config

Signatures

Detects PlugX payload 6 IoCs

resource	yara_rule
behavioral1/memory/2604-14-0x0000000000160000-0x000000000018E000-memory.dmp	family_plugx
behavioral1/memory/2604-15-0x0000000000160000-0x000000000018E000-memory.dmp	family_plugx
behavioral1/memory/2780-25-0x00000000002A0000-0x00000000002CE000-memory.dmp	family_plugx
behavioral1/memory/2780-29-0x00000000002A0000-0x00000000002CE000-memory.dmp	family_plugx
behavioral1/memory/2780-28-0x00000000002A0000-0x00000000002CE000-memory.dmp	family_plugx
behavioral1/memory/2780-30-0x00000000002A0000-0x00000000002CE000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Plugx family
plugx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ManagerForwarder.lnk	8fd2ab26d5397dfcef9a48d4106eec604c8e38b86e2ccc148757a157c83f4f8c.exe

Executes dropped EXE 1 IoCs

pid	Process
2604	MsMpEng.exe

Loads dropped DLL 3 IoCs

pid	Process
2060	8fd2ab26d5397dfcef9a48d4106eec604c8e38b86e2ccc148757a157c83f4f8c.exe
2604	MsMpEng.exe
2060	8fd2ab26d5397dfcef9a48d4106eec604c8e38b86e2ccc148757a157c83f4f8c.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	142.4.121.143
Destination IP	142.4.121.143
Destination IP	142.4.121.143
Destination IP	142.4.121.143

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsMpEng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8fd2ab26d5397dfcef9a48d4106eec604c8e38b86e2ccc148757a157c83f4f8c.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\MJ	iexplore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 36003500460046004300430038003800360046004600360038003900450046000000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1496	iexplore.exe
1496	iexplore.exe
1496	iexplore.exe
1496	iexplore.exe
1496	iexplore.exe
1496	iexplore.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
1496	iexplore.exe
1496	iexplore.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
1496	iexplore.exe
1496	iexplore.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
1496	iexplore.exe
1496	iexplore.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
1496	iexplore.exe
1496	iexplore.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
1496	iexplore.exe
1496	iexplore.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe
2780	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1496	iexplore.exe
2780	msiexec.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	MsMpEng.exe
Token: SeTcbPrivilege	2604	MsMpEng.exe
Token: SeDebugPrivilege	1496	iexplore.exe
Token: SeTcbPrivilege	1496	iexplore.exe
Token: SeDebugPrivilege	2780	msiexec.exe
Token: SeTcbPrivilege	2780	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2060	8fd2ab26d5397dfcef9a48d4106eec604c8e38b86e2ccc148757a157c83f4f8c.exe
2060	8fd2ab26d5397dfcef9a48d4106eec604c8e38b86e2ccc148757a157c83f4f8c.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2604	2060	8fd2ab26d5397dfcef9a48d4106eec604c8e38b86e2ccc148757a157c83f4f8c.exe	30
PID 2060 wrote to memory of 2604	2060	8fd2ab26d5397dfcef9a48d4106eec604c8e38b86e2ccc148757a157c83f4f8c.exe	30
PID 2060 wrote to memory of 2604	2060	8fd2ab26d5397dfcef9a48d4106eec604c8e38b86e2ccc148757a157c83f4f8c.exe	30
PID 2060 wrote to memory of 2604	2060	8fd2ab26d5397dfcef9a48d4106eec604c8e38b86e2ccc148757a157c83f4f8c.exe	30
PID 2604 wrote to memory of 1496	2604	MsMpEng.exe	31
PID 2604 wrote to memory of 1496	2604	MsMpEng.exe	31
PID 2604 wrote to memory of 1496	2604	MsMpEng.exe	31
PID 2604 wrote to memory of 1496	2604	MsMpEng.exe	31
PID 2604 wrote to memory of 1496	2604	MsMpEng.exe	31
PID 2604 wrote to memory of 1496	2604	MsMpEng.exe	31
PID 2604 wrote to memory of 1496	2604	MsMpEng.exe	31
PID 2604 wrote to memory of 1496	2604	MsMpEng.exe	31
PID 2604 wrote to memory of 1496	2604	MsMpEng.exe	31
PID 1496 wrote to memory of 2780	1496	iexplore.exe	33
PID 1496 wrote to memory of 2780	1496	iexplore.exe	33
PID 1496 wrote to memory of 2780	1496	iexplore.exe	33
PID 1496 wrote to memory of 2780	1496	iexplore.exe	33
PID 1496 wrote to memory of 2780	1496	iexplore.exe	33
PID 1496 wrote to memory of 2780	1496	iexplore.exe	33
PID 1496 wrote to memory of 2780	1496	iexplore.exe	33
PID 1496 wrote to memory of 2780	1496	iexplore.exe	33
PID 1496 wrote to memory of 2780	1496	iexplore.exe	33
PID 1496 wrote to memory of 2780	1496	iexplore.exe	33
PID 1496 wrote to memory of 2780	1496	iexplore.exe	33
PID 1496 wrote to memory of 2780	1496	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\8fd2ab26d5397dfcef9a48d4106eec604c8e38b86e2ccc148757a157c83f4f8c.exe
"C:\Users\Admin\AppData\Local\Temp\8fd2ab26d5397dfcef9a48d4106eec604c8e38b86e2ccc148757a157c83f4f8c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Roaming\3841738885\MsMpEng.exe
  "C:\Users\Admin\AppData\Roaming\3841738885\MsMpEng.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\SysWOW64\msiexec.exe
      C:\Windows\SysWOW64\msiexec.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3841738885\mpsvc.dll

Filesize
164KB

MD5
7e48f185aee0d846fa27b33c7df6a3de

SHA1
6bd324c765a3792792366851fcc1f3bb76c61fd6

SHA256
3e68697be5f09dbfa32a5b90ef46525e929f8ff94f6074c3bf35707dc9825655

SHA512
4438eeaaf42371b1958f99d18d5cf2169b7f39aff6cb136448281e7798f8707fcbc51b68ee01dfaaf03149f52c17d3b7d65d7ae76a4cb00546f47d646e254757

Download Submit
\Users\Admin\AppData\Roaming\3841738885\MsMpEng.exe

Filesize
21KB

MD5
b0f49da36f30922f5ddc3b623b778fce

SHA1
dfbd5d8df898f4f36eb8f6c420d644df460df098

SHA256
ee025aefa4a2095afeabfb3a49639da77d78068a3f5eeda6c15d34853afd5609

SHA512
8cedc083f740d609e6e8ad5c5b94c340f38b050c09ee5e9203b2889dd8d9491c72d7279544740fd3d0bd6f76fc71a2785982039032bd0c4f6a0dca55070eb830

Download Submit
memory/2604-8-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2604-9-0x0000000010026000-0x0000000010044000-memory.dmp

Filesize
120KB

Download
memory/2604-14-0x0000000000160000-0x000000000018E000-memory.dmp

Filesize
184KB

Download
memory/2604-15-0x0000000000160000-0x000000000018E000-memory.dmp

Filesize
184KB

Download
memory/2780-22-0x0000000000110000-0x0000000000112000-memory.dmp

Filesize
8KB

Download
memory/2780-16-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2780-20-0x00000000000F0000-0x000000000010B000-memory.dmp

Filesize
108KB

Download
memory/2780-24-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2780-25-0x00000000002A0000-0x00000000002CE000-memory.dmp

Filesize
184KB

Download
memory/2780-29-0x00000000002A0000-0x00000000002CE000-memory.dmp

Filesize
184KB

Download
memory/2780-28-0x00000000002A0000-0x00000000002CE000-memory.dmp

Filesize
184KB

Download
memory/2780-27-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2780-30-0x00000000002A0000-0x00000000002CE000-memory.dmp

Filesize
184KB

Download