fakeav | 934979c470575846352e330d8d60bd4e4dc82fb12838b5c440818d20c1b42960

Analysis

max time kernel
191s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
12-05-2022 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

934979c470575846352e330d8d60bd4e4dc82fb12838b5c440818d20c1b42960.exe
Size

1.6MB
MD5

02ac8b53bbd50f1e8897fa22971b6041
SHA1

86dcac9e69c8a23b294c2bc951666f7c4dbb5f61
SHA256

934979c470575846352e330d8d60bd4e4dc82fb12838b5c440818d20c1b42960
SHA512

db9c6853cb5d048a2ca2455d6b3c6c015dd3f4d9bb5b817a6d3bd488fa686f51c37e51a4b6ca455460e7eb49b70c1e31bc1d224619b90ec16e7716571080ff6e

Score

10^/10

fakeav fakeav persistence spyware

Malware Config

Signatures

FakeAV, RogueAntivirus
FakeAV or Rogue AntiVirus is a class of malware that displays false alert messages.
fakeav spyware fakeav

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRLT.EXE = "C:\\Windows\\system32\\CSRLT.EXE"	934979c470575846352e330d8d60bd4e4dc82fb12838b5c440818d20c1b42960.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	934979c470575846352e330d8d60bd4e4dc82fb12838b5c440818d20c1b42960.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\MSBLT.EXE = "C:\\Windows\\MSBLT.EXE"	934979c470575846352e330d8d60bd4e4dc82fb12838b5c440818d20c1b42960.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	934979c470575846352e330d8d60bd4e4dc82fb12838b5c440818d20c1b42960.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CSRLT.EXE	934979c470575846352e330d8d60bd4e4dc82fb12838b5c440818d20c1b42960.exe
File opened for modification	C:\Windows\SysWOW64\CSRLT.EXE	934979c470575846352e330d8d60bd4e4dc82fb12838b5c440818d20c1b42960.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\MSBLT.EXE	934979c470575846352e330d8d60bd4e4dc82fb12838b5c440818d20c1b42960.exe
File opened for modification	C:\Windows\MSBLT.EXE	934979c470575846352e330d8d60bd4e4dc82fb12838b5c440818d20c1b42960.exe

C:\Users\Admin\AppData\Local\Temp\934979c470575846352e330d8d60bd4e4dc82fb12838b5c440818d20c1b42960.exe
"C:\Users\Admin\AppData\Local\Temp\934979c470575846352e330d8d60bd4e4dc82fb12838b5c440818d20c1b42960.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:3668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads