fakeav | ffcfe2d9615ba871da4ad9ef0977eaef4900621e9c2fbcdb8d7203060cfe59b9

Analysis

max time kernel
152s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08-05-2022 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffcfe2d9615ba871da4ad9ef0977eaef4900621e9c2fbcdb8d7203060cfe59b9.exe
Size

711KB
MD5

0155bc5b3d509a815f9f424ac5e4655a
SHA1

fab1402287fdfd14f49130ceed389e5bac847874
SHA256

ffcfe2d9615ba871da4ad9ef0977eaef4900621e9c2fbcdb8d7203060cfe59b9
SHA512

c0b255d11cd342d2a6a795a3e492df474b31c66cf3a3974d6c002e6dda8f82d9d61c34676d4a621e09676450f9b44aee718f12efebfbfab7ff131404441aa541

Score

10^/10

fakeav fakeav persistence spyware

Malware Config

Signatures

FakeAV, RogueAntivirus
FakeAV or Rogue AntiVirus is a class of malware that displays false alert messages.
fakeav spyware fakeav

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\MSBLT.EXE = "C:\\Windows\\MSBLT.EXE"	ffcfe2d9615ba871da4ad9ef0977eaef4900621e9c2fbcdb8d7203060cfe59b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ffcfe2d9615ba871da4ad9ef0977eaef4900621e9c2fbcdb8d7203060cfe59b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRLT.EXE = "C:\\Windows\\system32\\CSRLT.EXE"	ffcfe2d9615ba871da4ad9ef0977eaef4900621e9c2fbcdb8d7203060cfe59b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ffcfe2d9615ba871da4ad9ef0977eaef4900621e9c2fbcdb8d7203060cfe59b9.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\CSRLT.EXE	ffcfe2d9615ba871da4ad9ef0977eaef4900621e9c2fbcdb8d7203060cfe59b9.exe
File created	C:\Windows\SysWOW64\CSRLT.EXE	ffcfe2d9615ba871da4ad9ef0977eaef4900621e9c2fbcdb8d7203060cfe59b9.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\MSBLT.EXE	ffcfe2d9615ba871da4ad9ef0977eaef4900621e9c2fbcdb8d7203060cfe59b9.exe
File opened for modification	C:\Windows\MSBLT.EXE	ffcfe2d9615ba871da4ad9ef0977eaef4900621e9c2fbcdb8d7203060cfe59b9.exe

C:\Users\Admin\AppData\Local\Temp\ffcfe2d9615ba871da4ad9ef0977eaef4900621e9c2fbcdb8d7203060cfe59b9.exe
"C:\Users\Admin\AppData\Local\Temp\ffcfe2d9615ba871da4ad9ef0977eaef4900621e9c2fbcdb8d7203060cfe59b9.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:3204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads