fakeav | 00346855aa455305ae1938607941029913cdcf70a535468f66aae4c68c09a432

Analysis

max time kernel
123s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
09-03-2022 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00346855aa455305ae1938607941029913cdcf70a535468f66aae4c68c09a432.exe
Size

711KB
MD5

00b0fbf4bd38e5c70e253ef424b18ae3
SHA1

2185f0daeb67174bc62bec1be378e82096d3cfb7
SHA256

00346855aa455305ae1938607941029913cdcf70a535468f66aae4c68c09a432
SHA512

8da2f5e859e5a7d7b0bedc1301b54141f6094b1d635ae6ce7a78ca766d0ebb73837b12de99db94b0cbfec94c3181db04f0408d04f5ca65144dca6b2ac0c2a97f

Score

10^/10

fakeav fakeav persistence spyware

Malware Config

Signatures

FakeAV, RogueAntivirus
FakeAV or Rogue AntiVirus is a class of malware that displays false alert messages.
fakeav spyware fakeav

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	00346855aa455305ae1938607941029913cdcf70a535468f66aae4c68c09a432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRLT.EXE = "C:\\Windows\\system32\\CSRLT.EXE"	00346855aa455305ae1938607941029913cdcf70a535468f66aae4c68c09a432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	00346855aa455305ae1938607941029913cdcf70a535468f66aae4c68c09a432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\MSBLT.EXE = "C:\\Windows\\MSBLT.EXE"	00346855aa455305ae1938607941029913cdcf70a535468f66aae4c68c09a432.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CSRLT.EXE	00346855aa455305ae1938607941029913cdcf70a535468f66aae4c68c09a432.exe
File opened for modification	C:\Windows\SysWOW64\CSRLT.EXE	00346855aa455305ae1938607941029913cdcf70a535468f66aae4c68c09a432.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\MSBLT.EXE	00346855aa455305ae1938607941029913cdcf70a535468f66aae4c68c09a432.exe
File opened for modification	C:\Windows\MSBLT.EXE	00346855aa455305ae1938607941029913cdcf70a535468f66aae4c68c09a432.exe

C:\Users\Admin\AppData\Local\Temp\00346855aa455305ae1938607941029913cdcf70a535468f66aae4c68c09a432.exe
"C:\Users\Admin\AppData\Local\Temp\00346855aa455305ae1938607941029913cdcf70a535468f66aae4c68c09a432.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:3676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3676-130-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download