Overview
overview
10Static
static
7Fake AV/An...09.exe
windows7-x64
7Fake AV/An...09.exe
windows10-2004-x64
7Fake AV/Ana.exe
windows7-x64
8Fake AV/Ana.exe
windows10-2004-x64
7Fake AV/Antivirus.exe
windows7-x64
7Fake AV/Antivirus.exe
windows10-2004-x64
7Fake AV/An...10.exe
windows7-x64
10Fake AV/An...10.exe
windows10-2004-x64
7Fake AV/An...um.exe
windows7-x64
10Fake AV/An...um.exe
windows10-2004-x64
10Fake AV/An...17.exe
windows7-x64
7Fake AV/An...17.exe
windows10-2004-x64
7Fake AV/CleanThis.exe
windows7-x64
Fake AV/CleanThis.exe
windows10-2004-x64
Fake AV/Fa...er.exe
windows7-x64
7Fake AV/Fa...er.exe
windows10-2004-x64
76AdwCleaner.exe
windows7-x64
66AdwCleaner.exe
windows10-2004-x64
6Fake AV/Fi...ll.exe
windows7-x64
7Fake AV/Fi...ll.exe
windows10-2004-x64
7Fake AV/Ha...us.exe
windows7-x64
1Fake AV/Ha...us.exe
windows10-2004-x64
1Fake AV/In...rd.exe
windows7-x64
10Fake AV/In...rd.exe
windows10-2004-x64
9Fake AV/LPS2019.exe
windows7-x64
7Fake AV/LPS2019.exe
windows10-2004-x64
7Fake AV/Mo...eg.exe
windows7-x64
7Fake AV/Mo...eg.exe
windows10-2004-x64
3Fake AV/Na...ld.exe
windows7-x64
7Fake AV/Na...ld.exe
windows10-2004-x64
7Fake AV/PC...er.exe
windows7-x64
10Fake AV/PC...er.exe
windows10-2004-x64
10Analysis
-
max time kernel
8s -
max time network
10s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
02/03/2024, 22:34
Behavioral task
behavioral1
Sample
Fake AV/AnViPC2009.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Fake AV/AnViPC2009.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Fake AV/Ana.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Fake AV/Ana.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
Fake AV/Antivirus.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
Fake AV/Antivirus.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
Fake AV/Antivirus2010.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
Fake AV/Antivirus2010.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
Fake AV/AntivirusPlatinum.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
Fake AV/AntivirusPlatinum.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
Fake AV/AntivirusPro2017.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
Fake AV/AntivirusPro2017.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
Fake AV/CleanThis.exe
Resource
win7-20240220-en
Behavioral task
behavioral14
Sample
Fake AV/CleanThis.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
Fake AV/FakeAdwCleaner.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
Fake AV/FakeAdwCleaner.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral17
Sample
6AdwCleaner.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
6AdwCleaner.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral19
Sample
Fake AV/FileFixPro/FFProInstall.exe
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
Fake AV/FileFixPro/FFProInstall.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral21
Sample
Fake AV/HappyAntivirus.exe
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
Fake AV/HappyAntivirus.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral23
Sample
Fake AV/InternetSecurityGuard.exe
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
Fake AV/InternetSecurityGuard.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral25
Sample
Fake AV/LPS2019.exe
Resource
win7-20240220-en
Behavioral task
behavioral26
Sample
Fake AV/LPS2019.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral27
Sample
Fake AV/Movie.mpeg.exe
Resource
win7-20240215-en
Behavioral task
behavioral28
Sample
Fake AV/Movie.mpeg.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral29
Sample
Fake AV/NavaShield.exe
Resource
win7-20240221-en
Behavioral task
behavioral30
Sample
Fake AV/NavaShield.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral31
Sample
Fake AV/PCDefender.exe
Resource
win7-20240221-en
Behavioral task
behavioral32
Sample
Fake AV/PCDefender.exe
Resource
win10v2004-20240226-en
Errors
General
-
Target
Fake AV/CleanThis.exe
-
Size
618KB
-
MD5
a50fc0da1d2b3c4aa8a6adaccf69a5de
-
SHA1
e001f4043ab4be644ea10e0d65303d6e57b31ffe
-
SHA256
cf6eb8377789e316629c0396a2dbb53c69b5fd67bbd0e7163b8d305aaa756e90
-
SHA512
4bbc7676391ed4085f628d1f4e1f0af16f5cd6fd9efb8c61176bccdb6ee03b06896c6ddfba9fcf363b133ade3a8a1b8cd17ef92d8eb9adeec247f9bd41dbec2b
-
SSDEEP
12288:EQIfqOiX9P/aazd1ctyDXHrJW2dGMToCRn5VxWRaqsrOkqgyQD:EQIydX/d1rTLRd/TvVUsrOkqFQD
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\gog.exe" CleanThis.exe -
resource yara_rule behavioral13/memory/2368-0-0x0000000000400000-0x000000000057F000-memory.dmp upx behavioral13/memory/2368-4-0x0000000000400000-0x000000000057F000-memory.dmp upx -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum CleanThis.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 CleanThis.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 57 IoCs
pid Process 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe 2368 CleanThis.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeShutdownPrivilege 2368 CleanThis.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2368 CleanThis.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 2368 CleanThis.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2368 CleanThis.exe 2368 CleanThis.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe"C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe"1⤵
- Modifies WinLogon for persistence
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2368
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:2708
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:2584