Resubmissions

02/03/2024, 22:38

240302-2kwptaae37 10

02/03/2024, 22:34

240302-2g86qsad96 10

Analysis

  • max time kernel
    8s
  • max time network
    10s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    02/03/2024, 22:34

Errors

Reason
Machine shutdown

General

  • Target

    Fake AV/CleanThis.exe

  • Size

    618KB

  • MD5

    a50fc0da1d2b3c4aa8a6adaccf69a5de

  • SHA1

    e001f4043ab4be644ea10e0d65303d6e57b31ffe

  • SHA256

    cf6eb8377789e316629c0396a2dbb53c69b5fd67bbd0e7163b8d305aaa756e90

  • SHA512

    4bbc7676391ed4085f628d1f4e1f0af16f5cd6fd9efb8c61176bccdb6ee03b06896c6ddfba9fcf363b133ade3a8a1b8cd17ef92d8eb9adeec247f9bd41dbec2b

  • SSDEEP

    12288:EQIfqOiX9P/aazd1ctyDXHrJW2dGMToCRn5VxWRaqsrOkqgyQD:EQIydX/d1rTLRd/TvVUsrOkqFQD

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 57 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe
    "C:\Users\Admin\AppData\Local\Temp\Fake AV\CleanThis.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Maps connected drives based on registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2368
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2708
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:2584

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/2368-0-0x0000000000400000-0x000000000057F000-memory.dmp

              Filesize

              1.5MB

            • memory/2368-1-0x00000000003B0000-0x00000000003B1000-memory.dmp

              Filesize

              4KB

            • memory/2368-4-0x0000000000400000-0x000000000057F000-memory.dmp

              Filesize

              1.5MB

            • memory/2584-6-0x0000000002B30000-0x0000000002B31000-memory.dmp

              Filesize

              4KB

            • memory/2708-5-0x0000000002E90000-0x0000000002E91000-memory.dmp

              Filesize

              4KB