plugx | dc20e0bcdd7fc623dc93dbafa35c8a8cf1821018155def3aa2612ab2d9bd4788

General

Target

AvastProxyQUY/AvastProxy.exe
Size

56KB
MD5

9381e36ebba4ace88aa190f1b8a30a43
SHA1

21980f1be5e60fd28e340fec103949d28453a3d4
SHA256

95480f8950e9f185c42e34dc045ee802d729e757dd03253ad22e287f566de913
SHA512

06d615c9c55976702b48aa200b1a40bfaecab2427c5dc61f7380f339e7825cd29cdd9acf8f29ba2d830b58c4eeb889b053dfdb53764f1c88afa24643da9eb0c2
SSDEEP

768:Qb1I/PzmESYUawSgUhqr5KgUpDGIwUf2hL+Gx8:Qb1cPz+cwSgU4d68Ufm+M8

Score

10^/10

plugx persistence trojan

Malware Config

Extracted

Family

plugx

C2

www.quochoice.com:53

www.quochoice.com:8080

www.quochoice.com:965

Attributes

folder
AvastProxyQUY

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	52.25.92.0
Destination IP	52.25.92.0
Destination IP	54.65.172.3
Destination IP	52.25.92.0

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AvastProxyQUY = "\"C:\\ProgramData\\AvastProxyQUY\\AvastProxy.exe\" 400"	AvastProxy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AvastProxyQUY = "\"C:\\ProgramData\\AvastProxyQUY\\AvastProxy.exe\" 400"	AvastProxy.exe

Executes dropped EXE 1 IoCs

pid	Process
2116	AvastProxy.exe

Loads dropped DLL 1 IoCs

pid	Process
2116	AvastProxy.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu\PROXY	AvastProxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu	AvastProxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\PROXY	AvastProxy.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2116	AvastProxy.exe
2116	AvastProxy.exe
2116	AvastProxy.exe
2116	AvastProxy.exe
2116	AvastProxy.exe
2116	AvastProxy.exe
2116	AvastProxy.exe
2116	AvastProxy.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	AvastProxy.exe
Token: SeDebugPrivilege	2116	AvastProxy.exe
Token: SeTcbPrivilege	2116	AvastProxy.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 2116	4352	AvastProxy.exe	82
PID 4352 wrote to memory of 2116	4352	AvastProxy.exe	82
PID 4352 wrote to memory of 2116	4352	AvastProxy.exe	82

C:\Users\Admin\AppData\Local\Temp\AvastProxyQUY\AvastProxy.exe
"C:\Users\Admin\AppData\Local\Temp\AvastProxyQUY\AvastProxy.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4352
- C:\ProgramData\AvastProxyQUY\AvastProxy.exe
  C:\ProgramData\AvastProxyQUY\AvastProxy.exe 400
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AvastProxyQUY\AvastProxy.exe

Filesize
56KB

MD5
9381e36ebba4ace88aa190f1b8a30a43

SHA1
21980f1be5e60fd28e340fec103949d28453a3d4

SHA256
95480f8950e9f185c42e34dc045ee802d729e757dd03253ad22e287f566de913

SHA512
06d615c9c55976702b48aa200b1a40bfaecab2427c5dc61f7380f339e7825cd29cdd9acf8f29ba2d830b58c4eeb889b053dfdb53764f1c88afa24643da9eb0c2

Download Submit
C:\ProgramData\AvastProxyQUY\main.dat

Filesize
135KB

MD5
96b743a002c662dd150046b63f7543f9

SHA1
70c973c87f3c683b4239c0c38ee426ade5a7ac6f

SHA256
e74182800eb247a9e0dfb7e6274dec2839571b650143bcd30423abe10f8daac4

SHA512
baad3891f6f66a6ef465d9ee448d2e77350c7687f7a6d16d85bc090fbc691c17ae18373f560de460a46ddd1b34b6d6dcf65c870efa71d1f6483d8674b91a2e7f

Download Submit
C:\ProgramData\AvastProxyQUY\wsc.dll

Filesize
76KB

MD5
53d595328512b3e30d14c69a0c16ebbe

SHA1
1f0a08cd1c4b6558557ad31337f78153e4b55e0e

SHA256
daedb4c0bb841423f66a67d169d6831075c4df98d7823857be76f280752127c7

SHA512
819c61b6867538d33610102f20b1921f19fc940e6f4df7489aae697086869c01405be852a03da78ad18114c98dcf8f1d259e6474c1c9deca24e9216bfe64d4de

Download Submit
memory/2116-13-0x00000000017A0000-0x00000000053D1000-memory.dmp

Filesize
60.2MB

Download
memory/2116-14-0x00000000014D0000-0x00000000015D0000-memory.dmp

Filesize
1024KB

Download
memory/2116-15-0x00000000017A0000-0x00000000053D1000-memory.dmp

Filesize
60.2MB

Download
memory/2116-16-0x00000000017A0000-0x00000000053D1000-memory.dmp

Filesize
60.2MB

Download
memory/2116-17-0x00000000017A0000-0x00000000053D1000-memory.dmp

Filesize
60.2MB

Download
memory/2116-18-0x00000000014D0000-0x00000000015D0000-memory.dmp

Filesize
1024KB

Download
memory/2116-19-0x00000000017A0000-0x00000000053D1000-memory.dmp

Filesize
60.2MB

Download
memory/2116-20-0x00000000017A0000-0x00000000053D1000-memory.dmp

Filesize
60.2MB

Download
memory/2116-21-0x00000000017A0000-0x00000000053D1000-memory.dmp

Filesize
60.2MB

Download
memory/2116-22-0x00000000017A0000-0x00000000053D1000-memory.dmp

Filesize
60.2MB

Download
memory/4352-1-0x0000000000E80000-0x0000000004AB1000-memory.dmp

Filesize
60.2MB

Download
memory/4352-2-0x0000000000D20000-0x0000000000E20000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads