fakeav | 192a70a765957bf9e5ded98fe147e6e0e437d30080b572216174a4e94a0a1440

General

Target

192a70a765957bf9e5ded98fe147e6e0e437d30080b572216174a4e94a0a1440.exe
Size

711KB
MD5

c11c38a2dc17558e70902eeb958ffdca
SHA1

dd16882a61da57e21389e0f856740e6d3c8e2b49
SHA256

192a70a765957bf9e5ded98fe147e6e0e437d30080b572216174a4e94a0a1440
SHA512

5483a32cc11c9d1de4859ab859c41e163480e8b98390afe106fab76734a85a983630f20d6572e088d7845cd2cc6944e685344725fe9798c20cc579ed237fef9f

Score

10^/10

fakeav fakeav persistence spyware

Malware Config

Signatures

FakeAV, RogueAntivirus
FakeAV or Rogue AntiVirus is a class of malware that displays false alert messages.
fakeav spyware fakeav

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	192a70a765957bf9e5ded98fe147e6e0e437d30080b572216174a4e94a0a1440.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\MSBLT.EXE = "C:\\Windows\\MSBLT.EXE"	192a70a765957bf9e5ded98fe147e6e0e437d30080b572216174a4e94a0a1440.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	192a70a765957bf9e5ded98fe147e6e0e437d30080b572216174a4e94a0a1440.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRLT.EXE = "C:\\Windows\\system32\\CSRLT.EXE"	192a70a765957bf9e5ded98fe147e6e0e437d30080b572216174a4e94a0a1440.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CSRLT.EXE	192a70a765957bf9e5ded98fe147e6e0e437d30080b572216174a4e94a0a1440.exe
File opened for modification	C:\Windows\SysWOW64\CSRLT.EXE	192a70a765957bf9e5ded98fe147e6e0e437d30080b572216174a4e94a0a1440.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\MSBLT.EXE	192a70a765957bf9e5ded98fe147e6e0e437d30080b572216174a4e94a0a1440.exe
File opened for modification	C:\Windows\MSBLT.EXE	192a70a765957bf9e5ded98fe147e6e0e437d30080b572216174a4e94a0a1440.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3520	taskmgr.exe
Token: SeSystemProfilePrivilege	3520	taskmgr.exe
Token: SeCreateGlobalPrivilege	3520	taskmgr.exe
Token: 33	3520	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3520	taskmgr.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe

Suspicious use of SendNotifyMessage 50 IoCs

pid	Process
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe
3520	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\192a70a765957bf9e5ded98fe147e6e0e437d30080b572216174a4e94a0a1440.exe
"C:\Users\Admin\AppData\Local\Temp\192a70a765957bf9e5ded98fe147e6e0e437d30080b572216174a4e94a0a1440.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:3628

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3520

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\192a70a765957bf9e5ded98fe147e6e0e437d30080b572216174a4e94a0a1440.exe
"C:\Users\Admin\AppData\Local\Temp\192a70a765957bf9e5ded98fe147e6e0e437d30080b572216174a4e94a0a1440.exe"
1⤵
PID:3940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3628-114-0x00000000005D0000-0x000000000071A000-memory.dmp

Filesize
1.3MB

Download
memory/3940-115-0x00000000004C0000-0x000000000060A000-memory.dmp

Filesize
1.3MB

Download

Resubmissions

Analysis

Sharing