Overview

overview

10

Static

static

Advance ve...ce.exe

windows7_x64

3

Advance ve...ce.exe

windows10-2004_x64

7

AvastProxy.exe

windows7_x64

10

AvastProxy.exe

windows10-2004_x64

10

Report of ...n).pdf

windows7_x64

1

Report of ...n).pdf

windows10-2004_x64

1

acrord32.dll

windows7_x64

8

acrord32.dll

windows10-2004_x64

8

wsc.dll

windows7_x64

1

wsc.dll

windows10-2004_x64

1

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    04-06-2022 19:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AvastProxy.exe

  • Size

    56KB

  • MD5

    feac3e6946ab9b39c66a8756a4a7468f

  • SHA1

    b490fbb91ebf327173940f3ed93f518191abb5e8

  • SHA256

    560055994a2290b3eb3f354afbf5ebcf4b8d78820f238eae70d76ece81b97c23

  • SHA512

    55c3089d2744412e14032e66390d0ccb25fb995994baf77aee0bd315057543c39d13ee9344dab839ab041e4ca950e09c30a320f95cc8b0f1c69174d2e6562f3b

Score
10/10
plugxpersistencetrojan

Malware Config

Extracted

Family

plugx

C2

www.systeminfor.com:80

www.systeminfor.com:53

www.systeminfor.com:25
Mutex

wGPfERFOORursKSkkLoo

Attributes
  • folder

    AvastProxyBpC

Signatures

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AvastProxy.exe
    "C:\Users\Admin\AppData\Local\Temp\AvastProxy.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\ProgramData\AvastProxyBpC\AvastProxy.exe
      C:\ProgramData\AvastProxyBpC\AvastProxy.exe 788
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\AvastProxyBpC\AvastProxy.exe
    Filesize

    56KB

    MD5

    feac3e6946ab9b39c66a8756a4a7468f

    SHA1

    b490fbb91ebf327173940f3ed93f518191abb5e8

    SHA256

    560055994a2290b3eb3f354afbf5ebcf4b8d78820f238eae70d76ece81b97c23

    SHA512

    55c3089d2744412e14032e66390d0ccb25fb995994baf77aee0bd315057543c39d13ee9344dab839ab041e4ca950e09c30a320f95cc8b0f1c69174d2e6562f3b

    Download Submit
  • C:\ProgramData\AvastProxyBpC\AvastProxy.exe
    Filesize

    56KB

    MD5

    feac3e6946ab9b39c66a8756a4a7468f

    SHA1

    b490fbb91ebf327173940f3ed93f518191abb5e8

    SHA256

    560055994a2290b3eb3f354afbf5ebcf4b8d78820f238eae70d76ece81b97c23

    SHA512

    55c3089d2744412e14032e66390d0ccb25fb995994baf77aee0bd315057543c39d13ee9344dab839ab041e4ca950e09c30a320f95cc8b0f1c69174d2e6562f3b

    Download Submit
  • C:\ProgramData\AvastProxyBpC\main.dat
    Filesize

    135KB

    MD5

    29aa748c0d3ad949b656528997beca28

    SHA1

    7db32103fefa0612c24f3940a17a5a1793ca7bb7

    SHA256

    f7a7eca072cb07af2a769bff4729478a9ec714c59e3c1c25410184014ccee18e

    SHA512

    764195f1292588f883d87c5f980fced838a6d6d9354d1395c45f8ba2d9ed629bff78d4c1fe2cede4b5b192fe26c18d15006d68332b1da97bcb2e19569efd30ff

    Download Submit
  • C:\ProgramData\AvastProxyBpC\wsc.dll
    Filesize

    76KB

    MD5

    fc83d5c67de996607b0a59d70e6ff711

    SHA1

    c44c923ab0331d3f7cee588eb73464ce93cf4ce4

    SHA256

    5a795c4b2a1a9c76791a516822ae0c9ec9d02780c41d2f6a6960a4ea15d68e34

    SHA512

    11cd6230ec8906dd91a2719bccb82f59bcbc027ba94959a7aae5614c4e8f9669d736abdaade1cc0d1183bb7db3a7391fc7be14c6e5685e312e5f48a625c83f81

    Download Submit
  • C:\ProgramData\AvastProxyBpC\wsc.dll
    Filesize

    76KB

    MD5

    fc83d5c67de996607b0a59d70e6ff711

    SHA1

    c44c923ab0331d3f7cee588eb73464ce93cf4ce4

    SHA256

    5a795c4b2a1a9c76791a516822ae0c9ec9d02780c41d2f6a6960a4ea15d68e34

    SHA512

    11cd6230ec8906dd91a2719bccb82f59bcbc027ba94959a7aae5614c4e8f9669d736abdaade1cc0d1183bb7db3a7391fc7be14c6e5685e312e5f48a625c83f81

    Download Submit
  • memory/1928-130-0x0000000000DB0000-0x00000000049E1000-memory.dmp
    Filesize

    60.2MB

    Download
  • memory/1928-131-0x0000000000CC3000-0x0000000000CE6000-memory.dmp
    Filesize

    140KB

    Download
  • memory/4944-132-0x0000000000000000-mapping.dmp
    Download
  • memory/4944-138-0x0000000001180000-0x0000000004DB1000-memory.dmp
    Filesize

    60.2MB

    Download
  • memory/4944-139-0x0000000001093000-0x00000000010B6000-memory.dmp
    Filesize

    140KB

    Download
  • memory/4944-140-0x0000000001093000-0x00000000010B6000-memory.dmp
    Filesize

    140KB

    Download