Malware Analysis Report

2024-10-19 02:30

Sample ID: 241014-qd9sbawhrb
Target: AvastSvcZEg.zip
SHA256: 72a7b8fe4b8401120124e8f9460bfd457fbf76b70a0c057b58ff271c5b2aadca
Tags: plugx discovery persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 72a7b8fe4b8401120124e8f9460bfd457fbf76b70a0c057b58ff271c5b2aadca

Threat Level: Known bad

The file AvastSvcZEg.zip was found to be: Known bad.

Malicious Activity Summary

plugx discovery persistence trojan

PlugX

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates connected drives

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-14 13:09

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-14 13:09

Reported: 2024-10-14 13:15

Platform: win10v2004-20241007-en

Max time kernel: 320s

Max time network: 323s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\AvastSvcZEg\AvastSvc.exe 567 51

Signatures

PlugX

Tags: trojan plugx

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\AvastSvcZEg\AvastSvc.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\AvastSvcZEg\AvastSvc.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AvastSvcZEg = "\"C:\\ProgramData\\AvastSvcZEg\\AvastSvc.exe\" 139" | C:\Users\Admin\AppData\Local\Temp\AvastSvcZEg\AvastSvc.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AvastSvcZEg = "\"C:\\ProgramData\\AvastSvcZEg\\AvastSvc.exe\" 139" | C:\Users\Admin\AppData\Local\Temp\AvastSvcZEg\AvastSvc.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\D: | C:\ProgramData\AvastSvcZEg\AvastSvc.exe | N/A
File opened (read-only) | \??\F: | C:\ProgramData\AvastSvcZEg\AvastSvc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\AvastSvcZEg\AvastSvc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AvastSvcZEg\AvastSvc.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\CLSID = 35003100320032003400390046003400420043003900360032004100410043000000 | C:\Users\Admin\AppData\Local\Temp\AvastSvcZEg\AvastSvc.exe | N/A
Key created | \REGISTRY\MACHINE\Software\CLASSES\ms-pu | C:\ProgramData\AvastSvcZEg\AvastSvc.exe | N/A
Key created | \REGISTRY\MACHINE\Software\CLASSES\ms-pu\PROXY | C:\ProgramData\AvastSvcZEg\AvastSvc.exe | N/A
Key created | \REGISTRY\MACHINE\Software\CLASSES\ms-pu | C:\Users\Admin\AppData\Local\Temp\AvastSvcZEg\AvastSvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-pu | C:\Users\Admin\AppData\Local\Temp\AvastSvcZEg\AvastSvc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\ProgramData\AvastSvcZEg\AvastSvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\AvastSvcZEg\AvastSvc.exe | N/A
Token: SeTcbPrivilege | N/A | C:\ProgramData\AvastSvcZEg\AvastSvc.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\AvastSvcZEg\AvastSvc.exe 567 51

C:\Users\Admin\AppData\Local\Temp\AvastSvcZEg\AvastSvc.exe

C:\Users\Admin\AppData\Local\Temp\AvastSvcZEg\AvastSvc.exe 567 51

C:\ProgramData\AvastSvcZEg\AvastSvc.exe

C:\ProgramData\AvastSvcZEg\AvastSvc.exe 139

Network


Files

memory/3016-1-0x00000000012B0000-0x00000000013B0000-memory.dmp

memory/3016-2-0x0000000001560000-0x0000000005197000-memory.dmp

C:\ProgramData\AvastSvcZEg\wsc.dll

MD5 831252e7fa9bd6fa174715647ebce516
SHA1 bf8c5bf141f0db53000805f2629e6e031d137ceb
SHA256 6491c646397025bf02709f1bd3025f1622abdc89b550ac38ce6fac938353b954
SHA512 0be6e898dcb75b32358bb8c2214e7b9453034ecfbe71d092df75b186a28f97ae7d5737f010b9d9e781c6b4cf3da19ee4a7cf5002604d23c527c55a3f7a0dba04

C:\ProgramData\AvastSvcZEg\AvastSvc.exe

MD5 a72036f635cecf0dcb1e9c6f49a8fa5b
SHA1 049813b955db1dd90952657ae2bd34250153563e
SHA256 85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654
SHA512 e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2

memory/2588-14-0x0000000000960000-0x0000000000A60000-memory.dmp

C:\ProgramData\AvastSvcZEg\AvastAuth.dat

MD5 53830fe278811363f93e0906d8b5ce69
SHA1 b133578af848e10500cc8b943483ed71e86a713a
SHA256 8ec409c1537e3030405bc8f8353d2605d1e88f1b245554383682f3aa8b5100ec
SHA512 c87497b49d2924be200053495074e16d82fdc875ecdcd231e185479901020c176c2a478c52eea55a9908fe3605ed3d5b2037fa4c83248d4d2bfea45f9f03dc37

memory/2588-13-0x0000000000B60000-0x0000000004797000-memory.dmp

memory/2588-15-0x0000000000B60000-0x0000000004797000-memory.dmp

memory/2588-16-0x0000000000B60000-0x0000000004797000-memory.dmp

memory/2588-17-0x0000000000960000-0x0000000000A60000-memory.dmp