Overview

overview

10

Static

static

AvastSvcyH...th.dat

windows7-x64

3

AvastSvcyH...th.dat

windows10-2004-x64

3

AvastSvcyH...vc.exe

windows7-x64

10

AvastSvcyH...vc.exe

windows10-2004-x64

10

AvastSvcyHA/wsc.dll

windows7-x64

1

AvastSvcyHA/wsc.dll

windows10-2004-x64

1

Resubmissions

01-02-2024 15:37

240201-s2hpvaahdm 10

23-09-2022 05:24

220923-f363lshbel 10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-09-2022 05:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AvastSvcyHA/AvastSvc.exe

  • Size

    60KB

  • MD5

    a72036f635cecf0dcb1e9c6f49a8fa5b

  • SHA1

    049813b955db1dd90952657ae2bd34250153563e

  • SHA256

    85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654

  • SHA512

    e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2

  • SSDEEP

    768:Q/WQ3/TymxfsHYPry0bgYh3LKgMoCDGFh9D:Q+QvT7xUHYPDbgYVLWofD

Score
10/10
plugxpersistencetrojan

Malware Config

Extracted

Family

plugx

C2

103.192.226.100:80

103.192.226.100:8000

103.192.226.100:8080

103.192.226.100:110
Mutex

GJsgXZYVrgqcUMNVXzvU

Attributes
  • folder

    AvastSvcyHA

Signatures

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe
    "C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\ProgramData\AvastSvcyHA\AvastSvc.exe
      C:\ProgramData\AvastSvcyHA\AvastSvc.exe 615
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1428

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\AvastSvcyHA\AvastAuth.dat
    Filesize

    160KB

    MD5

    03a75e4fd64e9b46d0dfff2589d27822

    SHA1

    099199fe7bf4e7245e44e9a977178348a37a4f61

    SHA256

    5eaaf8ac2d358c2d7065884b7994638fee3987f02474e54467f14b010a18d028

    SHA512

    0d85b7e220a359a75555ebd929396b73417ebff8d8f713b4053c9ebc99b51325e507220efbca8afa259dc18d6f09fc3f036bfe3190ff1225153db037932a7de1

    Download Submit

  • C:\ProgramData\AvastSvcyHA\AvastSvc.exe
    Filesize

    60KB

    MD5

    a72036f635cecf0dcb1e9c6f49a8fa5b

    SHA1

    049813b955db1dd90952657ae2bd34250153563e

    SHA256

    85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654

    SHA512

    e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2

    Download Submit

  • C:\ProgramData\AvastSvcyHA\wsc.dll
    Filesize

    52KB

    MD5

    fd866f6e1b997c31bdb6ba24361663e5

    SHA1

    fdf4296522e9ad7ed6d2b7a8aa53debb15566c19

    SHA256

    28875b1d6206e41ddcdbae56c6001915735c08f11f6a77db5a7107a4236afb34

    SHA512

    05e8aeb4d0f318db1943797f22388cbc43432b8206fc2b2a38505f2cacbcf25b7058015ea5e462d1778f20b3b31e256a1747f7416e26a939e5eb60b8664ad49c

    Download Submit

  • \ProgramData\AvastSvcyHA\AvastSvc.exe
    Filesize

    60KB

    MD5

    a72036f635cecf0dcb1e9c6f49a8fa5b

    SHA1

    049813b955db1dd90952657ae2bd34250153563e

    SHA256

    85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654

    SHA512

    e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2

    Download Submit

  • \ProgramData\AvastSvcyHA\AvastSvc.exe
    Filesize

    60KB

    MD5

    a72036f635cecf0dcb1e9c6f49a8fa5b

    SHA1

    049813b955db1dd90952657ae2bd34250153563e

    SHA256

    85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654

    SHA512

    e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2

    Download Submit

  • \ProgramData\AvastSvcyHA\wsc.dll
    Filesize

    52KB

    MD5

    fd866f6e1b997c31bdb6ba24361663e5

    SHA1

    fdf4296522e9ad7ed6d2b7a8aa53debb15566c19

    SHA256

    28875b1d6206e41ddcdbae56c6001915735c08f11f6a77db5a7107a4236afb34

    SHA512

    05e8aeb4d0f318db1943797f22388cbc43432b8206fc2b2a38505f2cacbcf25b7058015ea5e462d1778f20b3b31e256a1747f7416e26a939e5eb60b8664ad49c

    Download Submit

  • memory/1428-58-0x0000000000000000-mapping.dmp

    Download

  • memory/1428-64-0x00000000007D0000-0x0000000004407000-memory.dmp

    Filesize

    60.2MB

    Download

  • memory/1428-65-0x00000000006D3000-0x00000000006FC000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1428-67-0x00000000006D3000-0x00000000006FC000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1764-59-0x00000000005B3000-0x00000000005DC000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1764-54-0x0000000000A70000-0x00000000046A7000-memory.dmp

    Filesize

    60.2MB

    Download

  • memory/1764-55-0x0000000076261000-0x0000000076263000-memory.dmp

    Filesize

    8KB

    Download