plugx | 360a90f4e24859ade78351e58c5c3fc4a54beba94d031ec12b598bda590ea7ef

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iTunesHelper.exe
Size

299KB
MD5

6ce6784df5fc5b8550c44f90382c2cdd
SHA1

cdb8736bc0ef8298377961adc500242dbe47c5d9
SHA256

883c97df8c1e6f310ae655c0dff076dbb845b67df1499e746f63c951c842d6fb
SHA512

1a1d90534a10989c1aa78ea7bda5cad203b75e12f18b4f0b5fc411a1b21af8c38bf6e0b7352458d28e69fe177f87d43a7f816d5a7f5366a5c76507a9228e0df9
SSDEEP

6144:NnD7PE0+kEvmOpQe/u3g83A8+123+FM2+zIv++r:FDAmEvmOpQeX8Bt4f

Score

10^/10

plugx discovery trojan

Malware Config

Signatures

Detects PlugX payload 25 IoCs

resource	yara_rule
behavioral4/memory/2452-2-0x0000000001330000-0x0000000001366000-memory.dmp	family_plugx
behavioral4/memory/2452-5-0x0000000001330000-0x0000000001366000-memory.dmp	family_plugx
behavioral4/memory/4008-30-0x00000000010E0000-0x0000000001116000-memory.dmp	family_plugx
behavioral4/memory/320-35-0x00000000009C0000-0x00000000009F6000-memory.dmp	family_plugx
behavioral4/memory/548-38-0x0000000000CE0000-0x0000000000D16000-memory.dmp	family_plugx
behavioral4/memory/548-53-0x0000000000CE0000-0x0000000000D16000-memory.dmp	family_plugx
behavioral4/memory/548-55-0x0000000000CE0000-0x0000000000D16000-memory.dmp	family_plugx
behavioral4/memory/548-54-0x0000000000CE0000-0x0000000000D16000-memory.dmp	family_plugx
behavioral4/memory/2452-56-0x0000000001330000-0x0000000001366000-memory.dmp	family_plugx
behavioral4/memory/548-57-0x0000000000CE0000-0x0000000000D16000-memory.dmp	family_plugx
behavioral4/memory/548-58-0x0000000000CE0000-0x0000000000D16000-memory.dmp	family_plugx
behavioral4/memory/548-42-0x0000000000CE0000-0x0000000000D16000-memory.dmp	family_plugx
behavioral4/memory/320-41-0x00000000009C0000-0x00000000009F6000-memory.dmp	family_plugx
behavioral4/memory/548-59-0x0000000000CE0000-0x0000000000D16000-memory.dmp	family_plugx
behavioral4/memory/548-40-0x0000000000CE0000-0x0000000000D16000-memory.dmp	family_plugx
behavioral4/memory/548-60-0x0000000000CE0000-0x0000000000D16000-memory.dmp	family_plugx
behavioral4/memory/4008-63-0x00000000010E0000-0x0000000001116000-memory.dmp	family_plugx
behavioral4/memory/3104-66-0x0000000001200000-0x0000000001236000-memory.dmp	family_plugx
behavioral4/memory/3104-70-0x0000000001200000-0x0000000001236000-memory.dmp	family_plugx
behavioral4/memory/3104-71-0x0000000001200000-0x0000000001236000-memory.dmp	family_plugx
behavioral4/memory/3104-69-0x0000000001200000-0x0000000001236000-memory.dmp	family_plugx
behavioral4/memory/3104-67-0x0000000001200000-0x0000000001236000-memory.dmp	family_plugx
behavioral4/memory/3104-65-0x0000000001200000-0x0000000001236000-memory.dmp	family_plugx
behavioral4/memory/548-72-0x0000000000CE0000-0x0000000000D16000-memory.dmp	family_plugx
behavioral4/memory/3104-73-0x0000000001200000-0x0000000001236000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Plugx family
plugx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	19	43.230.9.230	548	Synchost.exe

Deletes itself 1 IoCs

pid	Process
4008	iTunesHelper.exe

Executes dropped EXE 2 IoCs

pid	Process
4008	iTunesHelper.exe
320	iTunesHelper.exe

Loads dropped DLL 2 IoCs

pid	Process
4008	iTunesHelper.exe
320	iTunesHelper.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iTunesHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iTunesHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iTunesHelper.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ	Synchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Synchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	Synchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 45003400450044004100430039004300360033004300390041004200430032000000	Synchost.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
548	Synchost.exe
3104	dllhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2452	iTunesHelper.exe
2452	iTunesHelper.exe
2452	iTunesHelper.exe
2452	iTunesHelper.exe
4008	iTunesHelper.exe
4008	iTunesHelper.exe
548	Synchost.exe
548	Synchost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
548	Synchost.exe
548	Synchost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
548	Synchost.exe
548	Synchost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
548	Synchost.exe
548	Synchost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
548	Synchost.exe
548	Synchost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe
3104	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
548	Synchost.exe
3104	dllhost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	iTunesHelper.exe
Token: SeTcbPrivilege	2452	iTunesHelper.exe
Token: SeDebugPrivilege	4008	iTunesHelper.exe
Token: SeTcbPrivilege	4008	iTunesHelper.exe
Token: SeDebugPrivilege	320	iTunesHelper.exe
Token: SeTcbPrivilege	320	iTunesHelper.exe
Token: SeDebugPrivilege	548	Synchost.exe
Token: SeTcbPrivilege	548	Synchost.exe
Token: SeDebugPrivilege	3104	dllhost.exe
Token: SeTcbPrivilege	3104	dllhost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 548	320	iTunesHelper.exe	91
PID 320 wrote to memory of 548	320	iTunesHelper.exe	91
PID 320 wrote to memory of 548	320	iTunesHelper.exe	91
PID 320 wrote to memory of 548	320	iTunesHelper.exe	91
PID 320 wrote to memory of 548	320	iTunesHelper.exe	91
PID 320 wrote to memory of 548	320	iTunesHelper.exe	91
PID 320 wrote to memory of 548	320	iTunesHelper.exe	91
PID 320 wrote to memory of 548	320	iTunesHelper.exe	91
PID 548 wrote to memory of 3104	548	Synchost.exe	92
PID 548 wrote to memory of 3104	548	Synchost.exe	92
PID 548 wrote to memory of 3104	548	Synchost.exe	92
PID 548 wrote to memory of 3104	548	Synchost.exe	92
PID 548 wrote to memory of 3104	548	Synchost.exe	92
PID 548 wrote to memory of 3104	548	Synchost.exe	92
PID 548 wrote to memory of 3104	548	Synchost.exe	92
PID 548 wrote to memory of 3104	548	Synchost.exe	92

C:\Users\Admin\AppData\Local\Temp\iTunesHelper.exe
"C:\Users\Admin\AppData\Local\Temp\iTunesHelper.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\ProgramData\Microsoft\Diagnosis\Squadcloud\iTunesHelper.exe
"C:\ProgramData\Microsoft\Diagnosis\Squadcloud\iTunesHelper.exe" 100 2452
1⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\ProgramData\Microsoft\Diagnosis\Squadcloud\iTunesHelper.exe
"C:\ProgramData\Microsoft\Diagnosis\Squadcloud\iTunesHelper.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\SysWOW64\Synchost.exe
  C:\Windows\system32\Synchost.exe 201 0
  2⤵
  - Unexpected DNS network traffic destination
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\SysWOW64\dllhost.exe
    C:\Windows\system32\dllhost.exe 209 548
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Diagnosis\Squadcloud\CoreFoundation.dat

Filesize
132KB

MD5
f26a51ad40a4012a008b46567f61f394

SHA1
0ae9ceff0d16b9761027866b317dffc20bb1fed6

SHA256
b84427899190f362573e3bdf0b54fec7a0b91c3da9eb0a3beb8ee2870d6f7b7a

SHA512
449e02040fee80a5e59a26e81a5fe51d5093013ebd5dae852414e06ba7da2ec13fee0f4211c5acbf5e0c9676b5686a5c2347e81b54dc56920a6dbc181fc020fc

Download Submit
C:\ProgramData\Microsoft\Diagnosis\Squadcloud\CoreFoundation.dll

Filesize
53KB

MD5
5afe443ddabb1ade4e5bb4b0eb80894b

SHA1
26de33b0d6db22b956e53958f1e600d732945bdc

SHA256
38428e93bfa1d4130b948826b763806a3fb06cf9323a960fded41fe60cd18057

SHA512
33d27ffc32cd60c51f3d4b19102ecce5c24087691006e778555e53fbc84faa898766da89b1f6a70364e43b49e69c449d16ce0e30daf6f64c19d29af4b2d87823

Download Submit
C:\ProgramData\Microsoft\Diagnosis\Squadcloud\iTunesHelper.exe

Filesize
299KB

MD5
6ce6784df5fc5b8550c44f90382c2cdd

SHA1
cdb8736bc0ef8298377961adc500242dbe47c5d9

SHA256
883c97df8c1e6f310ae655c0dff076dbb845b67df1499e746f63c951c842d6fb

SHA512
1a1d90534a10989c1aa78ea7bda5cad203b75e12f18b4f0b5fc411a1b21af8c38bf6e0b7352458d28e69fe177f87d43a7f816d5a7f5366a5c76507a9228e0df9

Download Submit
memory/320-41-0x00000000009C0000-0x00000000009F6000-memory.dmp

Filesize
216KB

Download
memory/320-35-0x00000000009C0000-0x00000000009F6000-memory.dmp

Filesize
216KB

Download
memory/548-42-0x0000000000CE0000-0x0000000000D16000-memory.dmp

Filesize
216KB

Download
memory/548-59-0x0000000000CE0000-0x0000000000D16000-memory.dmp

Filesize
216KB

Download
memory/548-72-0x0000000000CE0000-0x0000000000D16000-memory.dmp

Filesize
216KB

Download
memory/548-38-0x0000000000CE0000-0x0000000000D16000-memory.dmp

Filesize
216KB

Download
memory/548-53-0x0000000000CE0000-0x0000000000D16000-memory.dmp

Filesize
216KB

Download
memory/548-55-0x0000000000CE0000-0x0000000000D16000-memory.dmp

Filesize
216KB

Download
memory/548-54-0x0000000000CE0000-0x0000000000D16000-memory.dmp

Filesize
216KB

Download
memory/548-60-0x0000000000CE0000-0x0000000000D16000-memory.dmp

Filesize
216KB

Download
memory/548-57-0x0000000000CE0000-0x0000000000D16000-memory.dmp

Filesize
216KB

Download
memory/548-52-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/548-58-0x0000000000CE0000-0x0000000000D16000-memory.dmp

Filesize
216KB

Download
memory/548-39-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/548-40-0x0000000000CE0000-0x0000000000D16000-memory.dmp

Filesize
216KB

Download
memory/2452-56-0x0000000001330000-0x0000000001366000-memory.dmp

Filesize
216KB

Download
memory/2452-2-0x0000000001330000-0x0000000001366000-memory.dmp

Filesize
216KB

Download
memory/2452-1-0x0000000001230000-0x0000000001330000-memory.dmp

Filesize
1024KB

Download
memory/2452-5-0x0000000001330000-0x0000000001366000-memory.dmp

Filesize
216KB

Download
memory/3104-67-0x0000000001200000-0x0000000001236000-memory.dmp

Filesize
216KB

Download
memory/3104-64-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/3104-66-0x0000000001200000-0x0000000001236000-memory.dmp

Filesize
216KB

Download
memory/3104-70-0x0000000001200000-0x0000000001236000-memory.dmp

Filesize
216KB

Download
memory/3104-71-0x0000000001200000-0x0000000001236000-memory.dmp

Filesize
216KB

Download
memory/3104-69-0x0000000001200000-0x0000000001236000-memory.dmp

Filesize
216KB

Download
memory/3104-68-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/3104-65-0x0000000001200000-0x0000000001236000-memory.dmp

Filesize
216KB

Download
memory/3104-73-0x0000000001200000-0x0000000001236000-memory.dmp

Filesize
216KB

Download
memory/4008-63-0x00000000010E0000-0x0000000001116000-memory.dmp

Filesize
216KB

Download
memory/4008-30-0x00000000010E0000-0x0000000001116000-memory.dmp

Filesize
216KB

Download