plugx | 00fbfaf36114d3ff9e2c43885341f1c02fade82b49d1cf451bc756d992c84b06

General

Target

AvastSvcpCP/AvastSvc.exe
Size

60KB
MD5

a72036f635cecf0dcb1e9c6f49a8fa5b
SHA1

049813b955db1dd90952657ae2bd34250153563e
SHA256

85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654
SHA512

e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2
SSDEEP

768:Q/WQ3/TymxfsHYPry0bgYh3LKgMoCDGFh9D:Q+QvT7xUHYPDbgYVLWofD

Score

10^/10

plugx discovery persistence trojan

Malware Config

Extracted

Family

plugx

C2

45.142.166.112:443

45.142.166.112:110

Attributes

folder
AvastSvcpCP

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Plugx family
plugx

Executes dropped EXE 1 IoCs

pid	Process
2412	AvastSvc.exe

Loads dropped DLL 3 IoCs

pid	Process
1972	AvastSvc.exe
1972	AvastSvc.exe
2412	AvastSvc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AvastSvcpCP = "\"C:\\ProgramData\\AvastSvcpCP\\AvastSvc.exe\" 518"	AvastSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\AvastSvcpCP = "\"C:\\ProgramData\\AvastSvcpCP\\AvastSvc.exe\" 518"	AvastSvc.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	AvastSvc.exe
File opened (read-only)	\??\F:	AvastSvc.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AvastSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AvastSvc.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu	AvastSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\ms-pu	AvastSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\CLSID = 31003500450038003100300042004300320030003500340042004400430036000000	AvastSvc.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu	AvastSvc.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\ms-pu\PROXY	AvastSvc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2412	AvastSvc.exe
2412	AvastSvc.exe
2412	AvastSvc.exe
2412	AvastSvc.exe
2412	AvastSvc.exe
2412	AvastSvc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	AvastSvc.exe
Token: SeDebugPrivilege	2412	AvastSvc.exe
Token: SeTcbPrivilege	2412	AvastSvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2412	1972	AvastSvc.exe	30
PID 1972 wrote to memory of 2412	1972	AvastSvc.exe	30
PID 1972 wrote to memory of 2412	1972	AvastSvc.exe	30
PID 1972 wrote to memory of 2412	1972	AvastSvc.exe	30

C:\Users\Admin\AppData\Local\Temp\AvastSvcpCP\AvastSvc.exe
"C:\Users\Admin\AppData\Local\Temp\AvastSvcpCP\AvastSvc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1972
- C:\ProgramData\AvastSvcpCP\AvastSvc.exe
  C:\ProgramData\AvastSvcpCP\AvastSvc.exe 518
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AvastSvcpCP\AvastAuth.dat

Filesize
162KB

MD5
ebb7749069a9b5bcda98d89f04d889db

SHA1
c4ac1c5f4d3faa00ab846dceca67df3a51ad158b

SHA256
432a07eb49473fa8c71d50ccaf2bc980b692d458ec4aaedd52d739cb377f3428

SHA512
a0f75d7aea95d157d6674adbc454f672dd356c75901dfcd8a8defa78d0dc087ae4c092636428f46f613d232d25dd3eb1c00d1e1e2e69b30b3b23bd14532b91e9

Download Submit
C:\ProgramData\AvastSvcpCP\AvastSvc.exe

Filesize
60KB

MD5
a72036f635cecf0dcb1e9c6f49a8fa5b

SHA1
049813b955db1dd90952657ae2bd34250153563e

SHA256
85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654

SHA512
e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2

Download Submit
\ProgramData\AvastSvcpCP\wsc.dll

Filesize
80KB

MD5
722b15bbc15845e4e265a1519c800c34

SHA1
56bac516227d9fddc08ca586dba5c9085d203f99

SHA256
e8f55d0f327fd1d5f26428b890ef7fe878e135d494acda24ef01c695a2e9136d

SHA512
a925614f3e89e37198d875670b3844449d6ab77728d53c1a06a5db035b7117a0b61cd8ada0022b6b5e0e8d6fad9417561a82cdbb5b288273c60b1469816a9d0d

Download Submit
memory/1972-2-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1972-1-0x00000000013E0000-0x0000000005018000-memory.dmp

Filesize
60.2MB

Download
memory/2412-24-0x0000000000F10000-0x0000000004B48000-memory.dmp

Filesize
60.2MB

Download
memory/2412-26-0x0000000000F10000-0x0000000004B48000-memory.dmp

Filesize
60.2MB

Download
memory/2412-17-0x0000000000F10000-0x0000000004B48000-memory.dmp

Filesize
60.2MB

Download
memory/2412-20-0x0000000000F10000-0x0000000004B48000-memory.dmp

Filesize
60.2MB

Download
memory/2412-21-0x0000000000410000-0x0000000000510000-memory.dmp

Filesize
1024KB

Download
memory/2412-22-0x0000000000F10000-0x0000000004B48000-memory.dmp

Filesize
60.2MB

Download
memory/2412-23-0x0000000000F10000-0x0000000004B48000-memory.dmp

Filesize
60.2MB

Download
memory/2412-18-0x0000000000410000-0x0000000000510000-memory.dmp

Filesize
1024KB

Download
memory/2412-25-0x0000000000F10000-0x0000000004B48000-memory.dmp

Filesize
60.2MB

Download
memory/2412-19-0x0000000000F10000-0x0000000004B48000-memory.dmp

Filesize
60.2MB

Download
memory/2412-27-0x0000000000F10000-0x0000000004B48000-memory.dmp

Filesize
60.2MB

Download
memory/2412-28-0x0000000000F10000-0x0000000004B48000-memory.dmp

Filesize
60.2MB

Download
memory/2412-29-0x0000000000F10000-0x0000000004B48000-memory.dmp

Filesize
60.2MB

Download
memory/2412-30-0x0000000000F10000-0x0000000004B48000-memory.dmp

Filesize
60.2MB

Download
memory/2412-31-0x0000000000F10000-0x0000000004B48000-memory.dmp

Filesize
60.2MB

Download
memory/2412-32-0x0000000000F10000-0x0000000004B48000-memory.dmp

Filesize
60.2MB

Download
memory/2412-33-0x0000000000F10000-0x0000000004B48000-memory.dmp

Filesize
60.2MB

Download
memory/2412-34-0x0000000000F10000-0x0000000004B48000-memory.dmp

Filesize
60.2MB

Download
memory/2412-35-0x0000000000F10000-0x0000000004B48000-memory.dmp

Filesize
60.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads