Malware Analysis Report

2024-11-30 08:02

Sample ID 231228-tzmrfseebr
Target e970733f711e16e343dffe889bff12e9
SHA256 c24a8416ac35c87dd30e5812dafec562b358f87382dfd5100cb62bf20b5c34a4
Tags
fakeav spyware fakeav persistence upx
score
10/10

Analysis Overview

score
10/10

SHA256

c24a8416ac35c87dd30e5812dafec562b358f87382dfd5100cb62bf20b5c34a4

Threat Level: Known bad

The file e970733f711e16e343dffe889bff12e9 was found to be: Known bad.

Malicious Activity Summary

fakeav spyware fakeav persistence upx

FakeAV payload

FakeAV, RogueAntivirus

Fakeav family

FakeAV payload

Checks computer location settings

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-28 16:29

Signatures

FakeAV payload

fakeav spyware
Description Indicator Process Target
N/A N/A N/A N/A

Fakeav family

fakeav

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-28 16:29

Reported

2024-01-03 05:22

Platform

win7-20231215-en

Max time kernel

141s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe"

Signatures

FakeAV, RogueAntivirus

fakeav spyware fakeav

FakeAV payload

fakeav spyware
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\KeyGen.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRLT.EXE = "C:\\Windows\\system32\\CSRLT.EXE" C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\MSBLT.EXE = "C:\\Windows\\MSBLT.EXE" C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\CSRLT.EXE C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe N/A
File opened for modification C:\Windows\SysWOW64\CSRLT.EXE C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\MSBLT.EXE C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe N/A
File opened for modification C:\Windows\MSBLT.EXE C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe N/A
File created C:\Windows\KeyGen.exe C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\KeyGen.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\KeyGen.exe N/A
N/A N/A C:\Windows\KeyGen.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe

"C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe"

C:\Windows\KeyGen.exe

"C:\Windows\KeyGen.exe"

Network

N/A

Files

C:\Windows\KeyGen.exe

MD5 e3c7d489013b51c671aa79c9068a2a00
SHA1 deed13e52afcc9fd2ef326fb6b0aa4bf7fcf14be
SHA256 5ea232ac5ebca4584f8689d5a1ed466404272a5c5496f41934537504368b5da2
SHA512 18a31ffcc796d6352142374dc0e12d83b9b46d56069a5db26a38b0f6a133302f13d7064bfe9bc16e7a705aeeb2cec2d654863d92280a6085c8202a3c8096b240

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-28 16:29

Reported

2024-01-03 05:24

Platform

win10v2004-20231215-en

Max time kernel

220s

Max time network

245s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe"

Signatures

FakeAV, RogueAntivirus

fakeav spyware fakeav

FakeAV payload

fakeav spyware
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\KeyGen.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRLT.EXE = "C:\\Windows\\system32\\CSRLT.EXE" C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\MSBLT.EXE = "C:\\Windows\\MSBLT.EXE" C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\CSRLT.EXE C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe N/A
File opened for modification C:\Windows\SysWOW64\CSRLT.EXE C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\MSBLT.EXE C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe N/A
File created C:\Windows\KeyGen.exe C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe N/A
File created C:\Windows\MSBLT.EXE C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\KeyGen.exe N/A
N/A N/A C:\Windows\KeyGen.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe

"C:\Users\Admin\AppData\Local\Temp\e970733f711e16e343dffe889bff12e9.exe"

C:\Windows\KeyGen.exe

"C:\Windows\KeyGen.exe"

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

C:\Windows\KeyGen.exe

MD5 e3c7d489013b51c671aa79c9068a2a00
SHA1 deed13e52afcc9fd2ef326fb6b0aa4bf7fcf14be
SHA256 5ea232ac5ebca4584f8689d5a1ed466404272a5c5496f41934537504368b5da2
SHA512 18a31ffcc796d6352142374dc0e12d83b9b46d56069a5db26a38b0f6a133302f13d7064bfe9bc16e7a705aeeb2cec2d654863d92280a6085c8202a3c8096b240
