f467bbbee3c2082bbac7badb990cd7490fb1cf8eeb91c5d11f98876e0fa66815

Analysis

max time kernel
71s
max time network
131s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
07-04-2023 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

avast_secure_browser_setup.exe
Size

5.8MB
MD5

22c33dcfe60539a919a706412469c9ff
SHA1

871be24183f5c368c17f366bcbed244bf069787e
SHA256

f467bbbee3c2082bbac7badb990cd7490fb1cf8eeb91c5d11f98876e0fa66815
SHA512

2c48decacc96c1fce5ebe60c47853791a8098975843f6a256fe5a3555a82c2a5eff9b6478c97ebad4569f8390d306d1edd894d103bb46ad12bb87d1be602b4ab
SSDEEP

98304:0xGy2FazvN6a6L3U9YwRwWE85whIRlJ9YI7qgoZAhaq2+mvayOMWBM:0wfFazvAa6bUaWw785whI9YR9AhOzC5C

Score

7^/10

bootkit persistence spyware stealer

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aj6CFA.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aj6CFA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aj6CFA.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

avast_secure_browser_setup.exeaj6CFA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Control Panel\International\Geo\Nation	avast_secure_browser_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Control Panel\International\Geo\Nation	aj6CFA.exe

Executes dropped EXE 1 IoCs

Processes:

aj6CFA.exe

pid process

4788 aj6CFA.exe

pid	process
4788	aj6CFA.exe

Loads dropped DLL 13 IoCs

Processes:

avast_secure_browser_setup.exeaj6CFA.exe

pid	process
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
4788	aj6CFA.exe
4788	aj6CFA.exe
4788	aj6CFA.exe
4788	aj6CFA.exe
4788	aj6CFA.exe
4788	aj6CFA.exe
4788	aj6CFA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1063

Processes:

avast_secure_browser_setup.exeaj6CFA.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	avast_secure_browser_setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\SOFTWARE\AVAST Software\Avast	avast_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	aj6CFA.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\SOFTWARE\AVAST Software\Avast	aj6CFA.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

aj6CFA.exe

description ioc process

File opened for modification \??\PhysicalDrive0 aj6CFA.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	aj6CFA.exe

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

aj6CFA.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aj6CFA.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aj6CFA.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

avast_secure_browser_setup.exe

pid	process
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

avast_secure_browser_setup.exe

pid	process
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe
3944	avast_secure_browser_setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

avast_secure_browser_setup.exe

description	pid	process	target process
PID 3944 wrote to memory of 4788	3944	avast_secure_browser_setup.exe	aj6CFA.exe
PID 3944 wrote to memory of 4788	3944	avast_secure_browser_setup.exe	aj6CFA.exe
PID 3944 wrote to memory of 4788	3944	avast_secure_browser_setup.exe	aj6CFA.exe

C:\Users\Admin\AppData\Local\Temp\avast_secure_browser_setup.exe
"C:\Users\Admin\AppData\Local\Temp\avast_secure_browser_setup.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\aj6CFA.exe
"C:\Users\Admin\AppData\Local\Temp\aj6CFA.exe" /relaunch=8 /was_elevated=1 /tagdata
2⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
PID:4788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aj6CFA.exe

Filesize
5.8MB

MD5
5aa7ef11ae6c8e25d985f0eb58c71dc8

SHA1
4b9b0638961eb76cb5c70ebefaf135438fae18da

SHA256
bc58bbb4d972ee14416619ab8505e90385620776bd25cdc89f24e44982a978a6

SHA512
2c2ce7d9bb3eae65d5407090dcb2f6602bc0705993b4d2b649ae5b74aa43d56e501fa48a1abb20b0501356cfea7524d9ea93806d9a576439c90a0e5a2378fbe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aj6CFA.exe

Filesize
5.8MB

MD5
5aa7ef11ae6c8e25d985f0eb58c71dc8

SHA1
4b9b0638961eb76cb5c70ebefaf135438fae18da

SHA256
bc58bbb4d972ee14416619ab8505e90385620776bd25cdc89f24e44982a978a6

SHA512
2c2ce7d9bb3eae65d5407090dcb2f6602bc0705993b4d2b649ae5b74aa43d56e501fa48a1abb20b0501356cfea7524d9ea93806d9a576439c90a0e5a2378fbe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\avast-securebrowser-main-tags

Filesize
22B

MD5
dbe13341f51fc1e34375fc0d8b5d1107

SHA1
0af40c935a03162174f045ad1b097a369b32f913

SHA256
af37ffa23875f25b22b074a5aebb980cccd84f565ce9511918c6ecdf00f9808e

SHA512
3b0b59790d7c190e7ef4a96d06e463bd610b57b88ee3ff076e52f19976e8029a87e369682f437f92a4a2fa8df00c91c66a2d1f4e43fb5c1bbae067556443c35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse6028.tmp\sciterui.dll

Filesize
6.3MB

MD5
b9375166489134d10113829db8e2e5fe

SHA1
e52955422d111535a35aa0811b95efb12d4681f0

SHA256
cb67805b28090d4cc62156078b55be9d9f36a59b88d0aaa94694855979ca3a24

SHA512
52c9e54fbae21b43079ffeec4265b7a0fb34e925dade48aac1d195ac7c2d81195371573fc7cec4a00d81ff733dc886a62b796e340cd7c31e6d6757c2250a59c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg71BC.tmp\JsisPlugins.dll

Filesize
2.0MB

MD5
3f4f65c3551435aa4f70b23db238e027

SHA1
10a50d1003a2da42b869527098758bbd0c5a0b93

SHA256
3d52f17598297580cc04e8698010d8234b199250803f826fa03031a8f8507e7f

SHA512
15b9f0ef917167ed1c3fcbf6235ec277665abb662f26bf338bda2dcc815503b27eab4bfea88f5e4609a40a02f88a87a28d02ca1e4a7575905cb9217b58151a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg71BC.tmp\Midex.dll

Filesize
126KB

MD5
66e8b98ef43de94b138a3833000057fc

SHA1
2396fb82b3f02978b670deb7860244f044f3781f

SHA256
b4c71bd2fc6ad06b577f27d8f53bb105ab691b00b6e7b4e5bfde3f517269e456

SHA512
f4653af12abe46d42f0d71480bf3537606b27e978bba53f9f5708013980469bec5e5e802beba60551b8f577beca1f519564e927190a669bf67e25daa0e06804a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg71BC.tmp\StdUtils.dll

Filesize
195KB

MD5
d8c7c459bb94182f2ed21c414ad32f93

SHA1
919f3c16e31d566fc14f25e1cf2335444ce9f8c4

SHA256
3afc0e86a5cea9bee44033360188fc90f51344b18937b884af91a86dc2142d51

SHA512
b484e7a2804019ca85bded10a9abf265ef2e291bd09d555e27519d07b6cd324b6532b005ab9504a54739f31012b269a7d433d30d629c0517cde8f31c214aa74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg71BC.tmp\jsis.dll

Filesize
127KB

MD5
e370ba29cd649d4553491ac95be1e45a

SHA1
4b299e8c31c3efe7b0b094d539eaaa8061f4ef63

SHA256
b6f9a6ffb9d1ccc04657c1628671806e08c1b11dbb63a3809d2cbb8c5596cf39

SHA512
c26a2d41ac847d1549aa94ff62b7d26951d26bbea8e153d6fc020abaf64c90cf05ba7ca2b622573a41b59e9cff0b7f876c0a3d002ec22973874e07485a1a48af

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg71BC.tmp\nsJSON.dll

Filesize
36KB

MD5
ed88f3bee80858dd43c4eab27b59db0e

SHA1
c40f8ee78e84883ba0593f852ff7ecbe83f4c31a

SHA256
cbfe28a6bff5230fb433430dd8e99db13144033754d8f1885394adff6b3e02a4

SHA512
d844f8a7ffa0cc4c7ae0bafbf2b242013edc55df187300b68985811fd2499acbda6bba765641c9889bf92f3d2b686e804c13869911c6089668db706b81f17ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg71BC.tmp\thirdparty.dll

Filesize
93KB

MD5
1d8305828b1be38c43cb344fcfa7611f

SHA1
5104565bed0ab3e0135708589f100901d8db7baa

SHA256
a3f5f64bfab79a1357b2b9acc807182168495c6d87ce2086fae4f36e53c7f337

SHA512
6eded302bd240006e593ff1d8cb8bf660a6a09d0163b11eea9128d66c47aa00aa8641ddd03d41c7c4ba8b6be9f37d16600587e001e7e3f74a54f133c80445d75

Download Submit
\Users\Admin\AppData\Local\Temp\nse6028.tmp\JsisPlugins.dll

Filesize
2.0MB

MD5
3f4f65c3551435aa4f70b23db238e027

SHA1
10a50d1003a2da42b869527098758bbd0c5a0b93

SHA256
3d52f17598297580cc04e8698010d8234b199250803f826fa03031a8f8507e7f

SHA512
15b9f0ef917167ed1c3fcbf6235ec277665abb662f26bf338bda2dcc815503b27eab4bfea88f5e4609a40a02f88a87a28d02ca1e4a7575905cb9217b58151a07

Download Submit
\Users\Admin\AppData\Local\Temp\nse6028.tmp\StdUtils.dll

Filesize
195KB

MD5
d8c7c459bb94182f2ed21c414ad32f93

SHA1
919f3c16e31d566fc14f25e1cf2335444ce9f8c4

SHA256
3afc0e86a5cea9bee44033360188fc90f51344b18937b884af91a86dc2142d51

SHA512
b484e7a2804019ca85bded10a9abf265ef2e291bd09d555e27519d07b6cd324b6532b005ab9504a54739f31012b269a7d433d30d629c0517cde8f31c214aa74e

Download Submit
\Users\Admin\AppData\Local\Temp\nse6028.tmp\jsis.dll

Filesize
127KB

MD5
e370ba29cd649d4553491ac95be1e45a

SHA1
4b299e8c31c3efe7b0b094d539eaaa8061f4ef63

SHA256
b6f9a6ffb9d1ccc04657c1628671806e08c1b11dbb63a3809d2cbb8c5596cf39

SHA512
c26a2d41ac847d1549aa94ff62b7d26951d26bbea8e153d6fc020abaf64c90cf05ba7ca2b622573a41b59e9cff0b7f876c0a3d002ec22973874e07485a1a48af

Download Submit
\Users\Admin\AppData\Local\Temp\nse6028.tmp\nsJSON.dll

Filesize
36KB

MD5
ed88f3bee80858dd43c4eab27b59db0e

SHA1
c40f8ee78e84883ba0593f852ff7ecbe83f4c31a

SHA256
cbfe28a6bff5230fb433430dd8e99db13144033754d8f1885394adff6b3e02a4

SHA512
d844f8a7ffa0cc4c7ae0bafbf2b242013edc55df187300b68985811fd2499acbda6bba765641c9889bf92f3d2b686e804c13869911c6089668db706b81f17ee4

Download Submit
\Users\Admin\AppData\Local\Temp\nse6028.tmp\thirdparty.dll

Filesize
93KB

MD5
1d8305828b1be38c43cb344fcfa7611f

SHA1
5104565bed0ab3e0135708589f100901d8db7baa

SHA256
a3f5f64bfab79a1357b2b9acc807182168495c6d87ce2086fae4f36e53c7f337

SHA512
6eded302bd240006e593ff1d8cb8bf660a6a09d0163b11eea9128d66c47aa00aa8641ddd03d41c7c4ba8b6be9f37d16600587e001e7e3f74a54f133c80445d75

Download Submit
\Users\Admin\AppData\Local\Temp\nsg71BC.tmp\JsisPlugins.dll

Filesize
2.0MB

MD5
3f4f65c3551435aa4f70b23db238e027

SHA1
10a50d1003a2da42b869527098758bbd0c5a0b93

SHA256
3d52f17598297580cc04e8698010d8234b199250803f826fa03031a8f8507e7f

SHA512
15b9f0ef917167ed1c3fcbf6235ec277665abb662f26bf338bda2dcc815503b27eab4bfea88f5e4609a40a02f88a87a28d02ca1e4a7575905cb9217b58151a07

Download Submit
\Users\Admin\AppData\Local\Temp\nsg71BC.tmp\Midex.dll

Filesize
126KB

MD5
66e8b98ef43de94b138a3833000057fc

SHA1
2396fb82b3f02978b670deb7860244f044f3781f

SHA256
b4c71bd2fc6ad06b577f27d8f53bb105ab691b00b6e7b4e5bfde3f517269e456

SHA512
f4653af12abe46d42f0d71480bf3537606b27e978bba53f9f5708013980469bec5e5e802beba60551b8f577beca1f519564e927190a669bf67e25daa0e06804a

Download Submit
\Users\Admin\AppData\Local\Temp\nsg71BC.tmp\Midex.dll

Filesize
126KB

MD5
66e8b98ef43de94b138a3833000057fc

SHA1
2396fb82b3f02978b670deb7860244f044f3781f

SHA256
b4c71bd2fc6ad06b577f27d8f53bb105ab691b00b6e7b4e5bfde3f517269e456

SHA512
f4653af12abe46d42f0d71480bf3537606b27e978bba53f9f5708013980469bec5e5e802beba60551b8f577beca1f519564e927190a669bf67e25daa0e06804a

Download Submit
\Users\Admin\AppData\Local\Temp\nsg71BC.tmp\StdUtils.dll

Filesize
195KB

MD5
d8c7c459bb94182f2ed21c414ad32f93

SHA1
919f3c16e31d566fc14f25e1cf2335444ce9f8c4

SHA256
3afc0e86a5cea9bee44033360188fc90f51344b18937b884af91a86dc2142d51

SHA512
b484e7a2804019ca85bded10a9abf265ef2e291bd09d555e27519d07b6cd324b6532b005ab9504a54739f31012b269a7d433d30d629c0517cde8f31c214aa74e

Download Submit
\Users\Admin\AppData\Local\Temp\nsg71BC.tmp\jsis.dll

Filesize
127KB

MD5
e370ba29cd649d4553491ac95be1e45a

SHA1
4b299e8c31c3efe7b0b094d539eaaa8061f4ef63

SHA256
b6f9a6ffb9d1ccc04657c1628671806e08c1b11dbb63a3809d2cbb8c5596cf39

SHA512
c26a2d41ac847d1549aa94ff62b7d26951d26bbea8e153d6fc020abaf64c90cf05ba7ca2b622573a41b59e9cff0b7f876c0a3d002ec22973874e07485a1a48af

Download Submit
\Users\Admin\AppData\Local\Temp\nsg71BC.tmp\nsJSON.dll

Filesize
36KB

MD5
ed88f3bee80858dd43c4eab27b59db0e

SHA1
c40f8ee78e84883ba0593f852ff7ecbe83f4c31a

SHA256
cbfe28a6bff5230fb433430dd8e99db13144033754d8f1885394adff6b3e02a4

SHA512
d844f8a7ffa0cc4c7ae0bafbf2b242013edc55df187300b68985811fd2499acbda6bba765641c9889bf92f3d2b686e804c13869911c6089668db706b81f17ee4

Download Submit
\Users\Admin\AppData\Local\Temp\nsg71BC.tmp\thirdparty.dll

Filesize
93KB

MD5
1d8305828b1be38c43cb344fcfa7611f

SHA1
5104565bed0ab3e0135708589f100901d8db7baa

SHA256
a3f5f64bfab79a1357b2b9acc807182168495c6d87ce2086fae4f36e53c7f337

SHA512
6eded302bd240006e593ff1d8cb8bf660a6a09d0163b11eea9128d66c47aa00aa8641ddd03d41c7c4ba8b6be9f37d16600587e001e7e3f74a54f133c80445d75

Download Submit
\Users\Admin\AppData\Local\Temp\{51E051C3-D947-43DC-B2FE-3A6F366A92C0}\scrt.dll

Filesize
5.7MB

MD5
f36f05628b515262db197b15c7065b40

SHA1
74a8005379f26dd0de952acab4e3fc5459cde243

SHA256
67abd9e211b354fa222e7926c2876c4b3a7aca239c0af47c756ee1b6db6e6d31

SHA512
280390b1cf1b6b1e75eaa157adaf89135963d366b48686d48921a654527f9c1505c195ca1fc16dc85b8f13b2994841ca7877a63af708883418a1d588afa3dbe8

Download Submit