8c3f4d34c8bf9b558cb9c01ff68a1e37966aac0064c3c6c3df46abc42eba6918

Analysis

max time kernel
154s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
12/12/2023, 10:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

FileZilla_3.66.0_win64_sponsored2-setup.exe
Size

12.1MB
MD5

6dd9e17c098a5c9d9da2146fadf9d071
SHA1

5637533f19d87a433a7fe12ce78ad7e5518c40b5
SHA256

edca5598fc8715a5ca8bd77e7b8fb8bf1ccebdec3f5543f67058ebd572b3aba9
SHA512

1cb10a00f208a54f6d3a7f4e1939d6d5f7124525bd95f18c3ff45570fa240d8e73c002295a39dafcc560785fef85f61a8450728f3d42e23dfc3addd6af2287f6
SSDEEP

393216:DAScWJzs+eBLT0PO+x7fNDNhGVWHD7ga1PkLQ9:DAxWpsFKvFFjGVOD7ga1Pt9

Score

8^/10

bootkit persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	avg_secure_browser_setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	avg_secure_browser_setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\AVAST Software\Avast	avg_secure_browser_setup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	avg_secure_browser_setup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation	avg_secure_browser_setup.exe

Executes dropped EXE 1 IoCs

pid	Process
1944	avg_secure_browser_setup.exe

Loads dropped DLL 18 IoCs

pid	Process
4636	FileZilla_3.66.0_win64_sponsored2-setup.exe
4636	FileZilla_3.66.0_win64_sponsored2-setup.exe
4636	FileZilla_3.66.0_win64_sponsored2-setup.exe
4636	FileZilla_3.66.0_win64_sponsored2-setup.exe
4636	FileZilla_3.66.0_win64_sponsored2-setup.exe
4636	FileZilla_3.66.0_win64_sponsored2-setup.exe
4636	FileZilla_3.66.0_win64_sponsored2-setup.exe
4636	FileZilla_3.66.0_win64_sponsored2-setup.exe
4636	FileZilla_3.66.0_win64_sponsored2-setup.exe
4636	FileZilla_3.66.0_win64_sponsored2-setup.exe
4636	FileZilla_3.66.0_win64_sponsored2-setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	avg_secure_browser_setup.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	avg_secure_browser_setup.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4636	FileZilla_3.66.0_win64_sponsored2-setup.exe
4636	FileZilla_3.66.0_win64_sponsored2-setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe
1944	avg_secure_browser_setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 1944	4636	FileZilla_3.66.0_win64_sponsored2-setup.exe	113
PID 4636 wrote to memory of 1944	4636	FileZilla_3.66.0_win64_sponsored2-setup.exe	113
PID 4636 wrote to memory of 1944	4636	FileZilla_3.66.0_win64_sponsored2-setup.exe	113

C:\Users\Admin\AppData\Local\Temp\FileZilla_3.66.0_win64_sponsored2-setup.exe
"C:\Users\Admin\AppData\Local\Temp\FileZilla_3.66.0_win64_sponsored2-setup.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Users\Admin\AppData\Local\Temp\avg_secure_browser_setup.exe
  avg_secure_browser_setup.exe /s /run_source="avg_ads_playanext_filezilla"
  2⤵
  - Checks BIOS information in registry
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avg_secure_browser_setup.exe

Filesize
5.8MB

MD5
7b5634de7f1cdbc27f9b26a0a640caff

SHA1
c7b1a14b83b00a7a8a82bfaa1a08a3219d37ea74

SHA256
34cefdca984e20f08ec6c79908b157b37c8475248fb8bfcb3b8d095038cfcd1a

SHA512
a36500cdf45d4aec23a656569f24414fe339f9738212d2c40427dcdbfe15a342988c277f76aa603b29288342f336c0ecad797de6f50d89e9cc2456a61c1b8923

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj18BC.tmp

Filesize
947KB

MD5
610f4eb991ae0db08785dc4a6c1b1fb2

SHA1
0b28c35f1569eec2dd1cd6c8cfdabb349f6e0866

SHA256
6872cf401483b46c9b0456f676cc6f7e810fe11b7831567b187c6228ec4c0857

SHA512
327647555d35f4dcf567579c4750299d8fe8ead866bfc304efd7f2b855bfd659da407c344c8077041310e214d0395d2f0c85c7d504ecf0403b970aca72496f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx5F79.tmp\CR.History.tmp

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx5F79.tmp\FF.places.tmp

Filesize
5.0MB

MD5
26b25c45d674d0394712bf091cb83c13

SHA1
5d9d29dcbedd27c086acfc8804ff77a6e4dc897c

SHA256
56a9a478aedec9526fd863a36c767d4d203df37c5cb7c352cb5317a3b9e1a6c0

SHA512
35ed5a38c0b45e8e477e513d2aa6ce811118d650ae7f8ddfe002710e64485dfed396c92b25d5006422c88440c71e083bd61d1e3e1e64c9718a3a85a7e25ee216

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx5F79.tmp\JsisPlugins.dll

Filesize
2.1MB

MD5
506f6a0c70b4963ea184b5c151c2b11c

SHA1
c65704a0fdd6b54b95c6cf240d7f1b231a5d5a01

SHA256
cc97eb3889e281f7052218d4df726d93cbe7561eb06f7dbfb4643e841daa8f41

SHA512
f3454135ea2bd25c8afb1f5d23a58dc7edf29b5c1c06bcc2b22467dcc7c6f33df7051faa5e40645649c300fc9e1121e0b05da396ec21e640f20702cce890bed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx5F79.tmp\Midex.dll

Filesize
126KB

MD5
9c2acf73b6c57d45779039135c04c4fb

SHA1
9d7bd49d99e088e40b46cf3833b7126907e80866

SHA256
640f1790c7f910dd84f6ca04a063be9d16a7752e35c36d2143be168b367ecc17

SHA512
bca59702fdd2095b1af4bed38ecd4cef584d64ba0be18654f5c43514b9e9139be107c465ad10cf9a0460f4c8ac4c15a4701c617dd0458ea59e05c59931cd754d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx5F79.tmp\StdUtils.dll

Filesize
195KB

MD5
9632d454727fd9cd1421fcb55645a447

SHA1
eb94353123db606f456796dba05dbdf8c1510f97

SHA256
ddcffa4a0464c30f3a3e75a135b4193b44b9e73c5dceb919da007db2deea09c0

SHA512
0f0626c27bc2083edaece3527499953e20ca47cbffde96ebf58be5e3f13e8ec5fc08043b0fdad510c23a71caae823c636602385630995b8a259f5f563f06bc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx5F79.tmp\jsis.dll

Filesize
127KB

MD5
0e539e4d192bfe47fba242d5420f1fed

SHA1
6c88b671a88934f5547cc21561d7bb9686a4a0f8

SHA256
55769512567f84297ca8e01b00ca5cfd7d5098d5ddd132279a459ecaa745a277

SHA512
1aa9297c2aa0d0414c5803112449e358d5783e97279f8b5a3bbb05fec903385024fc871fcdb3833089bb6a5b2de5fb0f4e18ee53c4cd32ccd092d82120b6b5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx5F79.tmp\nsJSON.dll

Filesize
36KB

MD5
9d22d71914617f6e67049296293bfd69

SHA1
6418ab33eb3bc2eb0718bbd8673da6d341a019dc

SHA256
b991eab11ee0e62e62e80a3ea4a660e822070457e994cd7eed6ea67107973c22

SHA512
aa951103e741b564234722731733b89198312ec1acc97777cd00d751621af3ad77c786fcb726eab402b05794d4b12bcd4a656f6d9f22e2b2d07e036ef8fc6783

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx5F79.tmp\thirdparty.dll

Filesize
93KB

MD5
d5d71a2caeae0872c18dbb3071695028

SHA1
4c23ac61f25fb39b48b3dab9bdfd61a93ec5953e

SHA256
b7e09e6b24e5b7235f90ac542f619ed1aee1be6b15ad3fdec29e1293ba0033b6

SHA512
2cdc5955b0140a764e6c11e41a387824df4f9ac5f0a6bb1f1daa24024e42f34e39399b3a774802b14ad71326e48ba749c3c01c4605338c6607e5c029baae1da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy28B3.tmp\INetC.dll

Filesize
24KB

MD5
640bff73a5f8e37b202d911e4749b2e9

SHA1
9588dd7561ab7de3bca392b084bec91f3521c879

SHA256
c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502

SHA512
39c6c358e2b480c8cbebcc1da683924c8092fb2947f2da4a8df1b0dc1fdda61003d91d12232a436ec88ff4e0995b7f6ee8c6efbdca935eaa984001f7a72fea0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy28B3.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy28B3.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy28B3.tmp\UserInfo.dll

Filesize
4KB

MD5
d458b8251443536e4a334147e0170e95

SHA1
ba8d4d580f1bc0bb2eaa8b9b02ee9e91b8b50fc3

SHA256
4913d4cccf84cd0534069107cff3e8e2f427160cad841547db9019310ac86cc7

SHA512
6ff523a74c3670b8b5cd92f62dcc6ea50b65a5d0d6e67ee1079bdb8a623b27dd10b9036a41aa8ec928200c85323c1a1f3b5c0948b59c0671de183617b65a96b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy28B3.tmp\nsDialogs.dll

Filesize
9KB

MD5
1d8f01a83ddd259bc339902c1d33c8f1

SHA1
9f7806af462c94c39e2ec6cc9c7ad05c44eba04e

SHA256
4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed

SHA512
28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

Download Submit