Malware Analysis Report

2024-07-11 07:38

Sample ID 240201-s2hpvaahdm
Target 3c5d9ac0741850b5e6bf3af8c807b7ccfdb1bfc702cd75d8897a27b1387031c7.zip
SHA256 2e1e9fcdf5c97ef55077a8c62ee0b60f614fa76e0fc5c06a7ac8a262ae67b21f
Tags
plugx persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2e1e9fcdf5c97ef55077a8c62ee0b60f614fa76e0fc5c06a7ac8a262ae67b21f

Threat Level: Known bad

The file 3c5d9ac0741850b5e6bf3af8c807b7ccfdb1bfc702cd75d8897a27b1387031c7.zip was found to be: Known bad.

Malicious Activity Summary

plugx persistence trojan

PlugX

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-02-01 15:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-01 15:37

Reported

2024-02-01 17:35

Platform

win10v2004-20231215-en

Max time kernel

593s

Max time network

601s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\wsc.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1784 wrote to memory of 1744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\wsc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\wsc.dll,#1

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-01 15:37

Reported

2024-02-01 17:29

Platform

win7-20231215-en

Max time kernel

580s

Max time network

592s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe"

Signatures

PlugX

trojan plugx

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\AvastSvcyHA\AvastSvc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AvastSvcyHA = "\"C:\\ProgramData\\AvastSvcyHA\\AvastSvc.exe\" 264" C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\AvastSvcyHA = "\"C:\\ProgramData\\AvastSvcyHA\\AvastSvc.exe\" 264" C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\ProgramData\AvastSvcyHA\AvastSvc.exe N/A
File opened (read-only) \??\F: C:\ProgramData\AvastSvcyHA\AvastSvc.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\ms-pu C:\ProgramData\AvastSvcyHA\AvastSvc.exe N/A
Key created \REGISTRY\MACHINE\Software\CLASSES\ms-pu\PROXY C:\ProgramData\AvastSvcyHA\AvastSvc.exe N/A
Key created \REGISTRY\MACHINE\Software\CLASSES\ms-pu C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\ms-pu C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\CLSID = 43004100460034004600390041003100310046004400380033003800310038000000 C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\AvastSvcyHA\AvastSvc.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\AvastSvcyHA\AvastSvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe

"C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe"

C:\ProgramData\AvastSvcyHA\AvastSvc.exe

C:\ProgramData\AvastSvcyHA\AvastSvc.exe 264

Network

Files

C:\ProgramData\AvastSvcyHA\wsc.dll

MD5 fd866f6e1b997c31bdb6ba24361663e5
SHA1 fdf4296522e9ad7ed6d2b7a8aa53debb15566c19
SHA256 28875b1d6206e41ddcdbae56c6001915735c08f11f6a77db5a7107a4236afb34
SHA512 05e8aeb4d0f318db1943797f22388cbc43432b8206fc2b2a38505f2cacbcf25b7058015ea5e462d1778f20b3b31e256a1747f7416e26a939e5eb60b8664ad49c

C:\ProgramData\AvastSvcyHA\AvastSvc.exe

MD5 a72036f635cecf0dcb1e9c6f49a8fa5b
SHA1 049813b955db1dd90952657ae2bd34250153563e
SHA256 85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654
SHA512 e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2

C:\ProgramData\AvastSvcyHA\AvastAuth.dat

MD5 03a75e4fd64e9b46d0dfff2589d27822
SHA1 099199fe7bf4e7245e44e9a977178348a37a4f61
SHA256 5eaaf8ac2d358c2d7065884b7994638fee3987f02474e54467f14b010a18d028
SHA512 0d85b7e220a359a75555ebd929396b73417ebff8d8f713b4053c9ebc99b51325e507220efbca8afa259dc18d6f09fc3f036bfe3190ff1225153db037932a7de1

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-01 15:37

Reported

2024-02-01 17:31

Platform

win10v2004-20231215-en

Max time kernel

586s

Max time network

607s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe"

Signatures

PlugX

trojan plugx

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\AvastSvcyHA\AvastSvc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\ProgramData\AvastSvcyHA\AvastSvc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AvastSvcyHA = "\"C:\\ProgramData\\AvastSvcyHA\\AvastSvc.exe\" 748" C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AvastSvcyHA = "\"C:\\ProgramData\\AvastSvcyHA\\AvastSvc.exe\" 748" C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\ProgramData\AvastSvcyHA\AvastSvc.exe N/A
File opened (read-only) \??\F: C:\ProgramData\AvastSvcyHA\AvastSvc.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\CLSID = 31004500340038003600340030004300460035003500440030003000380038000000 C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe N/A
Key created \REGISTRY\MACHINE\Software\CLASSES\ms-pu C:\ProgramData\AvastSvcyHA\AvastSvc.exe N/A
Key created \REGISTRY\MACHINE\Software\CLASSES\ms-pu\PROXY C:\ProgramData\AvastSvcyHA\AvastSvc.exe N/A
Key created \REGISTRY\MACHINE\Software\CLASSES\ms-pu C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\ms-pu C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\AvastSvcyHA\AvastSvc.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\AvastSvcyHA\AvastSvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe

"C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe"

C:\ProgramData\AvastSvcyHA\AvastSvc.exe

C:\ProgramData\AvastSvcyHA\AvastSvc.exe 748

Network

Files

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-01 15:37

Reported

2024-02-01 17:35

Platform

win7-20231215-en

Max time kernel

361s

Max time network

364s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\wsc.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 2884 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\wsc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\wsc.dll,#1

Network

N/A

Files

N/A