Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool
Common Information
Type                         Value
UUID                         fdfd4f89-01d4-43f6-bba2-dc2342c3c0cc
Fingerprint                  b5b4991dc13fd749
Analysis status              DONE
Considered CTI value         2
Text language
Published                    Feb. 24, 2023, midnight
Added to db                  Oct. 15, 2024, 8:09 p.m.
Last updated                 Nov. 17, 2024, 10:40 p.m.
Headline                     Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool
Title                        Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool
Detected Hints/Tags/Attributes  59/1/30
Attributes
Type                      #Events  Value
File                           28  x32dbg.exe
File                            2  d:\recycler.bin
File                         2126  cmd.exe
File                          409  c:\windows\system32\cmd.exe
File                            4  recycler.bin
File                            1  d:\ \ \recycler.bin
File                            1  c:\programdata\usersdate\windows_nt\windows\user\desktop\x32dbg.exe
File                            1  c:\users\public\public mediae\mediae.exe
File                            2  x32dbge.exe
File                            5  x32bridge.dll
File                            3  akm.dat
File                         1018  rundll32.exe
File                          185  shell32.dll
File                            4  x32bridge.dat
File                          196  desktop.ini
File                            3  mediae.exe
File                            3  aug.exe
File                           11  dismcore.dll
File                            3  groza_1.dat
File                           22  dism.exe
sha256                          1  ec5cf913773459da0fd30bb282fb0144b85717aa6ce660e81a0bad24a2f23e15
sha256                          1  0490ceace858ff7949b90ab4acf4867878815d2557089c179c9971b2dd0918b9
sha256                          2  0e9071714a4af0be1f96cffc3b0e58520b827d9e58297cb0e02d97551eca3799
sha256                          2  e72e49dc1d95efabc2c12c46df373173f2e20dab715caf58b1be9ca41ec0e172
sha256                          1  b4f1cae6622cd459388294afb418cb0af7a5cb82f367933e57ab8c1fb0a8a8a7
sha256                          1  553ff37a1eb7e8dc226a83fa143d6aab8a305771bf0cec7b94f4202dcd1f55b2
IPv4                            2  160.20.147.254
MITRE ATT&CK Techniques        70  T1574.001
Pdb                             2  udpdll.pdb
Windows Registry Key          188  HKCU\Software\Microsoft\Windows\CurrentVersion\Run