fakeav | 21705344fed8a60c329fa0daae82f133cd7af70d563df1bc6ce5d79d66f4e1df

Analysis

max time kernel
123s
max time network
125s
platform
windows7_x64
resource
win7v20201028
submitted
14-12-2020 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2ce33a1fbc3e1eb535eafa0c78a7563.exe
Size

9.0MB
MD5

b2ce33a1fbc3e1eb535eafa0c78a7563
SHA1

5fe94084f917195d747ad8bf058613bb50b1039e
SHA256

21705344fed8a60c329fa0daae82f133cd7af70d563df1bc6ce5d79d66f4e1df
SHA512

da39b3621ec349196d2e65828dbd4b5d57bc3eb407cdcdfbeab4b4eee6947cbe1f9a4e4bdbc01bb65299a11f5eb6c12edce810b1b30bd84525a842fbda0741e0

Score

10^/10

fakeav fakeav persistence spyware

Malware Config

Signatures

FakeAV, RogueAntivirus
FakeAV or Rogue AntiVirus is a class of malware that displays false alert messages.
fakeav spyware fakeav

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRLT.EXE = "C:\\Windows\\system32\\CSRLT.EXE"	b2ce33a1fbc3e1eb535eafa0c78a7563.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b2ce33a1fbc3e1eb535eafa0c78a7563.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\MSBLT.EXE = "C:\\Windows\\MSBLT.EXE"	b2ce33a1fbc3e1eb535eafa0c78a7563.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	b2ce33a1fbc3e1eb535eafa0c78a7563.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CSRLT.EXE	b2ce33a1fbc3e1eb535eafa0c78a7563.exe
File opened for modification	C:\Windows\SysWOW64\CSRLT.EXE	b2ce33a1fbc3e1eb535eafa0c78a7563.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MSBLT.EXE	b2ce33a1fbc3e1eb535eafa0c78a7563.exe
File created	C:\Windows\MSBLT.EXE	b2ce33a1fbc3e1eb535eafa0c78a7563.exe

C:\Users\Admin\AppData\Local\Temp\b2ce33a1fbc3e1eb535eafa0c78a7563.exe
"C:\Users\Admin\AppData\Local\Temp\b2ce33a1fbc3e1eb535eafa0c78a7563.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads