plugx | 3c5d9ac0741850b5e6bf3af8c807b7ccfdb1bfc702cd75d8897a27b1387031c7

General

Target

AvastSvcyHA/AvastSvc.exe
Size

60KB
MD5

a72036f635cecf0dcb1e9c6f49a8fa5b
SHA1

049813b955db1dd90952657ae2bd34250153563e
SHA256

85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654
SHA512

e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2
SSDEEP

768:Q/WQ3/TymxfsHYPry0bgYh3LKgMoCDGFh9D:Q+QvT7xUHYPDbgYVLWofD

Score

10^/10

plugx persistence trojan

Malware Config

Extracted

Family

plugx

C2

103.192.226.100:80

103.192.226.100:8000

103.192.226.100:8080

103.192.226.100:110

Mutex

GJsgXZYVrgqcUMNVXzvU

Attributes

folder
AvastSvcyHA

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 1 IoCs

Processes:

AvastSvc.exe

pid process

1952 AvastSvc.exe
Loads dropped DLL 3 IoCs

Processes:

AvastSvc.exeAvastSvc.exe

pid process

1376 AvastSvc.exe
1376 AvastSvc.exe
1952 AvastSvc.exe

pid	process
1952	AvastSvc.exe

pid	process
1376	AvastSvc.exe
1376	AvastSvc.exe
1952	AvastSvc.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AvastSvc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	AvastSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\AvastSvcyHA = "\"C:\\ProgramData\\AvastSvcyHA\\AvastSvc.exe\" 161"	AvastSvc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	AvastSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AvastSvcyHA = "\"C:\\ProgramData\\AvastSvcyHA\\AvastSvc.exe\" 161"	AvastSvc.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

AvastSvc.exe

description ioc process

File opened (read-only) \??\D: AvastSvc.exe

description	ioc	process
File opened (read-only)	\??\D:	AvastSvc.exe

Modifies registry class 5 IoCs

Processes:

AvastSvc.exeAvastSvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu	AvastSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ms-pu	AvastSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\CLSID = 41003000380045003300410039003600340038003500460044003600310038000000	AvastSvc.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu	AvastSvc.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu\PROXY	AvastSvc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

AvastSvc.exe

pid process

1952 AvastSvc.exe
1952 AvastSvc.exe
1952 AvastSvc.exe
1952 AvastSvc.exe
1952 AvastSvc.exe
1952 AvastSvc.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AvastSvc.exe

description pid process

Token: SeDebugPrivilege 1952 AvastSvc.exe
Token: SeDebugPrivilege 1952 AvastSvc.exe
Token: SeTcbPrivilege 1952 AvastSvc.exe

pid	process
1952	AvastSvc.exe
1952	AvastSvc.exe
1952	AvastSvc.exe
1952	AvastSvc.exe
1952	AvastSvc.exe
1952	AvastSvc.exe

description	pid	process
Token: SeDebugPrivilege	1952	AvastSvc.exe
Token: SeDebugPrivilege	1952	AvastSvc.exe
Token: SeTcbPrivilege	1952	AvastSvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

AvastSvc.exe

description	pid	process	target process
PID 1376 wrote to memory of 1952	1376	AvastSvc.exe	AvastSvc.exe
PID 1376 wrote to memory of 1952	1376	AvastSvc.exe	AvastSvc.exe
PID 1376 wrote to memory of 1952	1376	AvastSvc.exe	AvastSvc.exe
PID 1376 wrote to memory of 1952	1376	AvastSvc.exe	AvastSvc.exe

C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe
"C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1376

C:\ProgramData\AvastSvcyHA\AvastSvc.exe
C:\ProgramData\AvastSvcyHA\AvastSvc.exe 161
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AvastSvcyHA\AvastAuth.dat
Filesize
160KB

MD5
03a75e4fd64e9b46d0dfff2589d27822

SHA1
099199fe7bf4e7245e44e9a977178348a37a4f61

SHA256
5eaaf8ac2d358c2d7065884b7994638fee3987f02474e54467f14b010a18d028

SHA512
0d85b7e220a359a75555ebd929396b73417ebff8d8f713b4053c9ebc99b51325e507220efbca8afa259dc18d6f09fc3f036bfe3190ff1225153db037932a7de1

Download Submit
C:\ProgramData\AvastSvcyHA\AvastSvc.exe
Filesize
60KB

MD5
a72036f635cecf0dcb1e9c6f49a8fa5b

SHA1
049813b955db1dd90952657ae2bd34250153563e

SHA256
85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654

SHA512
e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2

Download Submit
C:\ProgramData\AvastSvcyHA\wsc.dll
Filesize
52KB

MD5
fd866f6e1b997c31bdb6ba24361663e5

SHA1
fdf4296522e9ad7ed6d2b7a8aa53debb15566c19

SHA256
28875b1d6206e41ddcdbae56c6001915735c08f11f6a77db5a7107a4236afb34

SHA512
05e8aeb4d0f318db1943797f22388cbc43432b8206fc2b2a38505f2cacbcf25b7058015ea5e462d1778f20b3b31e256a1747f7416e26a939e5eb60b8664ad49c

Download Submit
\ProgramData\AvastSvcyHA\AvastSvc.exe
Filesize
60KB

MD5
a72036f635cecf0dcb1e9c6f49a8fa5b

SHA1
049813b955db1dd90952657ae2bd34250153563e

SHA256
85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654

SHA512
e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2

Download Submit
\ProgramData\AvastSvcyHA\AvastSvc.exe
Filesize
60KB

MD5
a72036f635cecf0dcb1e9c6f49a8fa5b

SHA1
049813b955db1dd90952657ae2bd34250153563e

SHA256
85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654

SHA512
e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2

Download Submit
\ProgramData\AvastSvcyHA\wsc.dll
Filesize
52KB

MD5
fd866f6e1b997c31bdb6ba24361663e5

SHA1
fdf4296522e9ad7ed6d2b7a8aa53debb15566c19

SHA256
28875b1d6206e41ddcdbae56c6001915735c08f11f6a77db5a7107a4236afb34

SHA512
05e8aeb4d0f318db1943797f22388cbc43432b8206fc2b2a38505f2cacbcf25b7058015ea5e462d1778f20b3b31e256a1747f7416e26a939e5eb60b8664ad49c

Download Submit
memory/1376-54-0x00000000011D0000-0x0000000004E07000-memory.dmp

Filesize
60.2MB

Download
memory/1376-59-0x0000000000463000-0x000000000048C000-memory.dmp

Filesize
164KB

Download
memory/1376-55-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1952-58-0x0000000000000000-mapping.dmp

Download
memory/1952-64-0x00000000011A0000-0x0000000004DD7000-memory.dmp

Filesize
60.2MB

Download
memory/1952-66-0x0000000000183000-0x00000000001AC000-memory.dmp

Filesize
164KB

Download
memory/1952-67-0x0000000000183000-0x00000000001AC000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads