Analysis
-
max time kernel
586s -
max time network
607s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
01-02-2024 15:37
General
-
Target
AvastSvcyHA/AvastSvc.exe
-
Size
60KB
-
MD5
a72036f635cecf0dcb1e9c6f49a8fa5b
-
SHA1
049813b955db1dd90952657ae2bd34250153563e
-
SHA256
85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654
-
SHA512
e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2
-
SSDEEP
768:Q/WQ3/TymxfsHYPry0bgYh3LKgMoCDGFh9D:Q+QvT7xUHYPDbgYVLWofD
Malware Config
Extracted
plugx
103.192.226.100:80
103.192.226.100:8000
103.192.226.100:8080
103.192.226.100:110
-
folder
AvastSvcyHA
Signatures
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe"C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe"1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\AvastSvcyHA\AvastSvc.exeC:\ProgramData\AvastSvcyHA\AvastSvc.exe 7482⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
160KB
MD503a75e4fd64e9b46d0dfff2589d27822
SHA1099199fe7bf4e7245e44e9a977178348a37a4f61
SHA2565eaaf8ac2d358c2d7065884b7994638fee3987f02474e54467f14b010a18d028
SHA5120d85b7e220a359a75555ebd929396b73417ebff8d8f713b4053c9ebc99b51325e507220efbca8afa259dc18d6f09fc3f036bfe3190ff1225153db037932a7de1
-
Filesize
60KB
MD5a72036f635cecf0dcb1e9c6f49a8fa5b
SHA1049813b955db1dd90952657ae2bd34250153563e
SHA25685ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654
SHA512e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2
-
Filesize
52KB
MD5fd866f6e1b997c31bdb6ba24361663e5
SHA1fdf4296522e9ad7ed6d2b7a8aa53debb15566c19
SHA25628875b1d6206e41ddcdbae56c6001915735c08f11f6a77db5a7107a4236afb34
SHA51205e8aeb4d0f318db1943797f22388cbc43432b8206fc2b2a38505f2cacbcf25b7058015ea5e462d1778f20b3b31e256a1747f7416e26a939e5eb60b8664ad49c
-
Filesize
1024KB
-
Filesize
60.2MB
-
Filesize
60.2MB
-
Filesize
60.2MB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
60.2MB