fakeav | 595b1067a58636adb4dd389f619d7e338ec909485509ce6cc5aff1b834b117f7

Analysis

max time kernel
38s
max time network
42s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
24-07-2022 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

595b1067a58636adb4dd389f619d7e338ec909485509ce6cc5aff1b834b117f7.exe
Size

5.6MB
MD5

9495e20971b3977f703f407bfffbf363
SHA1

2b21c6a5892854c478bffd08dd85f9416e6d8719
SHA256

595b1067a58636adb4dd389f619d7e338ec909485509ce6cc5aff1b834b117f7
SHA512

a172c95186c0c56b7db282b72287619626151a9bb22892de129b59069e44d32fafe581eca6bcdd128d840efd147dcc956e4f7dce1b5e0192e1ee63d352f8dff9

Score

10^/10

fakeav fakeav persistence spyware

Malware Config

Signatures

FakeAV, RogueAntivirus
FakeAV or Rogue AntiVirus is a class of malware that displays false alert messages.
fakeav spyware fakeav

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	595b1067a58636adb4dd389f619d7e338ec909485509ce6cc5aff1b834b117f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRLT.EXE = "C:\\Windows\\system32\\CSRLT.EXE"	595b1067a58636adb4dd389f619d7e338ec909485509ce6cc5aff1b834b117f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	595b1067a58636adb4dd389f619d7e338ec909485509ce6cc5aff1b834b117f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\MSBLT.EXE = "C:\\Windows\\MSBLT.EXE"	595b1067a58636adb4dd389f619d7e338ec909485509ce6cc5aff1b834b117f7.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CSRLT.EXE	595b1067a58636adb4dd389f619d7e338ec909485509ce6cc5aff1b834b117f7.exe
File opened for modification	C:\Windows\SysWOW64\CSRLT.EXE	595b1067a58636adb4dd389f619d7e338ec909485509ce6cc5aff1b834b117f7.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MSBLT.EXE	595b1067a58636adb4dd389f619d7e338ec909485509ce6cc5aff1b834b117f7.exe
File created	C:\Windows\MSBLT.EXE	595b1067a58636adb4dd389f619d7e338ec909485509ce6cc5aff1b834b117f7.exe

C:\Users\Admin\AppData\Local\Temp\595b1067a58636adb4dd389f619d7e338ec909485509ce6cc5aff1b834b117f7.exe
"C:\Users\Admin\AppData\Local\Temp\595b1067a58636adb4dd389f619d7e338ec909485509ce6cc5aff1b834b117f7.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1544-54-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download