fakeav | 9e904a8c4916c0d96c9acbae0f7fe12caf6d80e672d4bb84bd654995d0866308

Analysis

max time kernel
127s
max time network
130s
platform
windows10_x64
resource
win10v20210410
submitted
11-05-2021 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e904a8c4916c0d96c9acbae0f7fe12caf6d80e672d4bb84bd654995d0866308.exe
Size

711KB
MD5

a4f365c53c586eb74fb84c34060d5688
SHA1

48c8c9f24ba5cfb44abb080ed1e879ff55dd37ae
SHA256

9e904a8c4916c0d96c9acbae0f7fe12caf6d80e672d4bb84bd654995d0866308
SHA512

805473f987e851c81c7208b020e12ba422e78aff04b5bbcc2c369a8b2553395f2f30dfecd9dddbea92dc42ad8b5ed98c9b09a60f6bb929d8d352c583c33505d9

Score

10^/10

fakeav fakeav persistence spyware

Malware Config

Signatures

FakeAV, RogueAntivirus
FakeAV or Rogue AntiVirus is a class of malware that displays false alert messages.
fakeav spyware fakeav

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9e904a8c4916c0d96c9acbae0f7fe12caf6d80e672d4bb84bd654995d0866308.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\MSBLT.EXE = "C:\\Windows\\MSBLT.EXE"	9e904a8c4916c0d96c9acbae0f7fe12caf6d80e672d4bb84bd654995d0866308.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	9e904a8c4916c0d96c9acbae0f7fe12caf6d80e672d4bb84bd654995d0866308.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRLT.EXE = "C:\\Windows\\system32\\CSRLT.EXE"	9e904a8c4916c0d96c9acbae0f7fe12caf6d80e672d4bb84bd654995d0866308.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CSRLT.EXE	9e904a8c4916c0d96c9acbae0f7fe12caf6d80e672d4bb84bd654995d0866308.exe
File opened for modification	C:\Windows\SysWOW64\CSRLT.EXE	9e904a8c4916c0d96c9acbae0f7fe12caf6d80e672d4bb84bd654995d0866308.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\MSBLT.EXE	9e904a8c4916c0d96c9acbae0f7fe12caf6d80e672d4bb84bd654995d0866308.exe
File opened for modification	C:\Windows\MSBLT.EXE	9e904a8c4916c0d96c9acbae0f7fe12caf6d80e672d4bb84bd654995d0866308.exe

C:\Users\Admin\AppData\Local\Temp\9e904a8c4916c0d96c9acbae0f7fe12caf6d80e672d4bb84bd654995d0866308.exe
"C:\Users\Admin\AppData\Local\Temp\9e904a8c4916c0d96c9acbae0f7fe12caf6d80e672d4bb84bd654995d0866308.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:3984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3984-114-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download