plugx | 47521a28f2aec3de8db28f63a88f3af567f7e40228acc5924673f23cd039199f

Resubmissions

09-10-2024 10:14

241009-l9pd2asgjh 10

09-10-2024 08:46

241009-kpetesvckf 10

09-10-2024 08:45

241009-knpbgavbmf 10

25-09-2024 13:48

240925-q4jc2ssaka 10

Analysis

max time kernel
147s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AvastSvcZEg.zip
Size

154KB
MD5

4672c97ef72cfa9845126c6c19a0303d
SHA1

a64ca5018acb426de38f2b20ff9be956d6c35600
SHA256

47521a28f2aec3de8db28f63a88f3af567f7e40228acc5924673f23cd039199f
SHA512

7943fe72e1f16ea034f781abe92b415118987ce87c1f74ae98cf4fcccd976c1622f935d2b211ef9c9a827d18af4c8214a738a254f63aa61de44bf707e7a0a433
SSDEEP

3072:jLGN6+o/5GJB8YoaxwbybSNqnjdNArfqesO89pVBvDjvKWU7bK6GWQ:/G/2ooPHc2yesR9xDTKWU7prQ

Score

10^/10

plugx discovery persistence trojan

Malware Config

Extracted

Family

plugx

103.56.53.46:80

103.56.53.46:110

103.56.53.46:443

103.56.53.46:5938

Attributes

folder
AvastSvcZEg

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 2 IoCs

pid	Process
2872	AvastSvc.exe
2252	AvastSvc.exe

Loads dropped DLL 5 IoCs

pid	Process
2072	AvastSvc.exe
2072	AvastSvc.exe
2872	AvastSvc.exe
2960	AvastSvc.exe
2252	AvastSvc.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AvastSvcZEg = "\"C:\\ProgramData\\AvastSvcZEg\\AvastSvc.exe\" 849"	AvastSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\AvastSvcZEg = "\"C:\\ProgramData\\AvastSvcZEg\\AvastSvc.exe\" 849"	AvastSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AvastSvcZEg = "\"C:\\ProgramData\\AvastSvcZEg\\AvastSvc.exe\" 745"	AvastSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\AvastSvcZEg = "\"C:\\ProgramData\\AvastSvcZEg\\AvastSvc.exe\" 745"	AvastSvc.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	AvastSvc.exe
File opened (read-only)	\??\F:	AvastSvc.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AvastSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AvastSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AvastSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AvastSvc.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\CLSID = 45004300430033003200380044003300390041003200340037003200360041000000	AvastSvc.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu	AvastSvc.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu\PROXY	AvastSvc.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu	AvastSvc.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu	AvastSvc.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu	AvastSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\ms-pu	AvastSvc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2872	AvastSvc.exe
2872	AvastSvc.exe
2872	AvastSvc.exe
2872	AvastSvc.exe
2872	AvastSvc.exe
2872	AvastSvc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	AvastSvc.exe
Token: SeDebugPrivilege	2872	AvastSvc.exe
Token: SeTcbPrivilege	2872	AvastSvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2872	2072	AvastSvc.exe	35
PID 2072 wrote to memory of 2872	2072	AvastSvc.exe	35
PID 2072 wrote to memory of 2872	2072	AvastSvc.exe	35
PID 2072 wrote to memory of 2872	2072	AvastSvc.exe	35
PID 2960 wrote to memory of 2252	2960	AvastSvc.exe	38
PID 2960 wrote to memory of 2252	2960	AvastSvc.exe	38
PID 2960 wrote to memory of 2252	2960	AvastSvc.exe	38
PID 2960 wrote to memory of 2252	2960	AvastSvc.exe	38

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\AvastSvcZEg.zip
1⤵
PID:2380

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2684

C:\AvastSvcZEg\AvastSvc.exe
"C:\AvastSvcZEg\AvastSvc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2072
- C:\ProgramData\AvastSvcZEg\AvastSvc.exe
  C:\ProgramData\AvastSvcZEg\AvastSvc.exe 745
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872

C:\AvastSvcZEg\AvastSvc.exe
"C:\AvastSvcZEg\AvastSvc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960
- C:\ProgramData\AvastSvcZEg\AvastSvc.exe
  C:\ProgramData\AvastSvcZEg\AvastSvc.exe 849
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AvastSvcZEg\AvastAuth.dat

Filesize
160KB

MD5
53830fe278811363f93e0906d8b5ce69

SHA1
b133578af848e10500cc8b943483ed71e86a713a

SHA256
8ec409c1537e3030405bc8f8353d2605d1e88f1b245554383682f3aa8b5100ec

SHA512
c87497b49d2924be200053495074e16d82fdc875ecdcd231e185479901020c176c2a478c52eea55a9908fe3605ed3d5b2037fa4c83248d4d2bfea45f9f03dc37

Download Submit
C:\ProgramData\AvastSvcZEg\wsc.dll

Filesize
52KB

MD5
831252e7fa9bd6fa174715647ebce516

SHA1
bf8c5bf141f0db53000805f2629e6e031d137ceb

SHA256
6491c646397025bf02709f1bd3025f1622abdc89b550ac38ce6fac938353b954

SHA512
0be6e898dcb75b32358bb8c2214e7b9453034ecfbe71d092df75b186a28f97ae7d5737f010b9d9e781c6b4cf3da19ee4a7cf5002604d23c527c55a3f7a0dba04

Download Submit
\ProgramData\AvastSvcZEg\AvastSvc.exe

Filesize
60KB

MD5
a72036f635cecf0dcb1e9c6f49a8fa5b

SHA1
049813b955db1dd90952657ae2bd34250153563e

SHA256
85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654

SHA512
e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2

Download Submit
memory/2072-2-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2072-1-0x0000000000790000-0x00000000043C7000-memory.dmp

Filesize
60.2MB

Download
memory/2872-18-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/2872-17-0x0000000000F90000-0x0000000004BC7000-memory.dmp

Filesize
60.2MB

Download
memory/2872-19-0x0000000000F90000-0x0000000004BC7000-memory.dmp

Filesize
60.2MB

Download
memory/2872-20-0x0000000000F90000-0x0000000004BC7000-memory.dmp

Filesize
60.2MB

Download
memory/2872-21-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/2960-24-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/2960-23-0x0000000000720000-0x0000000004357000-memory.dmp

Filesize
60.2MB

Download