Resubmissions

02/03/2024, 22:38

240302-2kwptaae37 10

02/03/2024, 22:34

240302-2g86qsad96 10

Analysis

  • max time kernel
    145s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    02/03/2024, 22:34

General

  • Target

    Fake AV/AnViPC2009.exe

  • Size

    1.2MB

  • MD5

    910dd666c83efd3496f21f9f211cdc1f

  • SHA1

    77cd736ee1697beda0ac65da24455ec566ba7440

  • SHA256

    06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45

  • SHA512

    467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47

  • SSDEEP

    24576:Lutr5OUF7zfbMEsJiZp8uSOBpik+Qijrcq0y0JL4SprofsCghjmxQ:LuXfbMvGei9yjrcq0y0JL4ggghjv

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 3 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe
    "C:\Users\Admin\AppData\Local\Temp\Fake AV\AnViPC2009.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Program Files (x86)\antiviruspc2009\avpc2009.exe
      "C:\Program Files (x86)\antiviruspc2009\avpc2009.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2556

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\antiviruspc2009\avpc2009.exe

          Filesize

          8.6MB

          MD5

          5836a2a04328c778e9a485fe7d8c7aaa

          SHA1

          5a3214379be96f52fc6c639de17efa6e66b12188

          SHA256

          98d6b205baa9c6167d2c7a7a4b4804f74a7795724dd894c2de0b6823b83e6f2a

          SHA512

          a66a9c1d97736d63fd9fc38743d9313b726f40c4f522065c71eb0f8f9c0b797e51f5927c7c03041b2cbcb7ae1b23ed46b0fba3eb0f946adb172bcb7ab5551948

        • C:\Program Files (x86)\antiviruspc2009\avpc2009.exe

          Filesize

          4.9MB

          MD5

          d794146696509541e8d1efbd2e9d0934

          SHA1

          dbb5b432734f357a28f42871dcedacfcd55053a7

          SHA256

          bef3c4dda6aafab6d7cc57eb921c51ca4bdba2365405810a551d652773a6d420

          SHA512

          b23ccb74a7cece8d4cca46d86c91688842414b0f28377bf59b29249e5c3743147797c9042806848f6dd40196d3d5e09ac217feb809c4f73139901fb611e50cb5

        • C:\Program Files (x86)\antiviruspc2009\avpc2009.exe

          Filesize

          2.6MB

          MD5

          44d8f1b5659f5512ae3309e65ed77040

          SHA1

          c3f66712509d3613b4b77d02cebdb2227999431b

          SHA256

          a6570473a07f88638779ae2c84598c5536e864e0038fdfb76fa8b0acafae6560

          SHA512

          b30e5ed41d5beacd211a8df120556be52ad65df436fa1a29215799b22ee3014379b986a99e475d51a50df9907f8e1255e26d9cb81201d638833707af13a13efa

        • C:\Program Files (x86)\antiviruspc2009\libltdl3.dll

          Filesize

          34KB

          MD5

          00a71b4afda8033235432b1c433fecc7

          SHA1

          d7b0c218aa8fec1c60ada26a09d9e0d9601985ca

          SHA256

          f9c9d2b92efb80f6d11df52735b8bddd099847cc79ba56650793b21a0923b1cd

          SHA512

          96635e66d9781ad4d2414271f6a0904cf880ed94fc19186ef4da5f88f24e14ef1591fdc90e27db15a6021847c592688d0034f20e2e50ca93bf8c6db27e8c510a

        • C:\Program Files (x86)\antiviruspc2009\pthreadVC2.dll

          Filesize

          84KB

          MD5

          0ab7d0e87f3843f8104b3670f5a9af62

          SHA1

          10c09a12e318f0fbebf70c4c42ad6ee31d9df2e5

          SHA256

          8aecab563b3c629e8f9dcd525dc2d6b1903f6c600637e63b1efe05e3c64d757b

          SHA512

          e08e17167edf461c0fca1e8b649c0c395793e80f5400f5cbb7d7906d0c99e955fcf6be2300db8663d413c4b3ffb075112a6ce5bf259553c0fd3d76200ee0d375

        • \Program Files (x86)\antiviruspc2009\avpc2009.exe

          Filesize

          7.2MB

          MD5

          cfefcac1f28b2c3d8facac87c05fba83

          SHA1

          7370ffee89bea5ee9f298b6a5bdec945f1714175

          SHA256

          78b77d996c5c0f95ad044f219e5899858c2eda73b0c094e9b9228828f22fd501

          SHA512

          efa53779ea99553a3618b10e43ac6dd37cafb1fcf45ab7015f54925ecfe4aa9dd9c62258983f2e0e2f5dc221cc6fc669df2c26d610c58081719c301bc0e4e699

        • \Program Files (x86)\antiviruspc2009\avpc2009.exe

          Filesize

          9.0MB

          MD5

          c18a7323332b3292a8e0f1c81df65698

          SHA1

          bcb8f34cbe0137e888d06acbcb6508417851a087

          SHA256

          9c42eca99e96a7402716fd865b57ea601fb9a18477fe2ab890bdbcd3052f68f8

          SHA512

          4d48d11f3d0a740b9193e17782c77b01f52dd6e8324755aa81188295a0caed0718d330453bb02ca8bc942ee5588928e57a0d89d90d6b1c32690338c5eae8e1ad

        • \Program Files (x86)\antiviruspc2009\bzip2.dll

          Filesize

          67KB

          MD5

          4143d4973e0f5a5180e114bdd868d4d2

          SHA1

          b47fd2cf9db0f37c04e4425085fb953cbce81478

          SHA256

          da25db24809479051d980be5e186926dd53233a76dfe357a455387646befca76

          SHA512

          e21827712a4870461921e7996506ffe456dd2303b69de370aa0499dde2e4747a73d8c0e8bd7d91c5bbc414ed5ee06f36d172237489494b3dd311ccd95ba07ebc

        • memory/2556-25-0x0000000068440000-0x0000000068457000-memory.dmp

          Filesize

          92KB

        • memory/2556-24-0x000000006FDC0000-0x000000006FDCE000-memory.dmp

          Filesize

          56KB

        • memory/2556-32-0x000000006FDC0000-0x000000006FDCE000-memory.dmp

          Filesize

          56KB