Resubmissions

02/03/2024, 22:38

240302-2kwptaae37 10

02/03/2024, 22:34

240302-2g86qsad96 10

Analysis

  • max time kernel
    144s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/03/2024, 22:34

General

  • Target

    Fake AV/LPS2019.exe

  • Size

    1.1MB

  • MD5

    2eb3ce80b26345bd139f7378330b19c1

  • SHA1

    10122bd8dd749e20c132d108d176794f140242b0

  • SHA256

    8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2

  • SHA512

    e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a

  • SSDEEP

    24576:pXhZgPlmWcA4Te9+g6+lET/+xRXKRwFSmjTGIWrwg:xInpSe99pCkRXKRMdGIWrN

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe
    "C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe
      "C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        dw20.exe -x -s 2780
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:3292
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4832

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe

            Filesize

            911KB

            MD5

            2e6360eeebcafd207ad6f4cfc81afdb3

            SHA1

            6d85d48c8c809ad0ee5f7b1b20ef79e871466072

            SHA256

            3a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b

            SHA512

            36e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4

          • memory/2924-15-0x00007FFE928C0000-0x00007FFE93261000-memory.dmp

            Filesize

            9.6MB

          • memory/2924-16-0x00007FFE928C0000-0x00007FFE93261000-memory.dmp

            Filesize

            9.6MB

          • memory/2924-17-0x0000000001740000-0x0000000001750000-memory.dmp

            Filesize

            64KB

          • memory/2924-18-0x000000001C1B0000-0x000000001C67E000-memory.dmp

            Filesize

            4.8MB

          • memory/2924-19-0x000000001CD00000-0x000000001CE9C000-memory.dmp

            Filesize

            1.6MB

          • memory/2924-20-0x000000001CF50000-0x000000001CFF6000-memory.dmp

            Filesize

            664KB

          • memory/2924-21-0x000000001D0A0000-0x000000001D13C000-memory.dmp

            Filesize

            624KB

          • memory/2924-22-0x0000000001720000-0x0000000001728000-memory.dmp

            Filesize

            32KB

          • memory/2924-23-0x000000001D1A0000-0x000000001D1EC000-memory.dmp

            Filesize

            304KB

          • memory/2924-24-0x0000000001740000-0x0000000001750000-memory.dmp

            Filesize

            64KB

          • memory/2924-25-0x0000000001740000-0x0000000001750000-memory.dmp

            Filesize

            64KB

          • memory/2924-26-0x00007FFE928C0000-0x00007FFE93261000-memory.dmp

            Filesize

            9.6MB

          • memory/2924-27-0x00007FFE928C0000-0x00007FFE93261000-memory.dmp

            Filesize

            9.6MB

          • memory/2924-28-0x0000000001740000-0x0000000001750000-memory.dmp

            Filesize

            64KB

          • memory/2924-29-0x0000000001740000-0x0000000001750000-memory.dmp

            Filesize

            64KB

          • memory/2924-30-0x0000000001740000-0x0000000001750000-memory.dmp

            Filesize

            64KB

          • memory/2924-31-0x0000000001740000-0x0000000001750000-memory.dmp

            Filesize

            64KB

          • memory/2924-32-0x0000000001740000-0x0000000001750000-memory.dmp

            Filesize

            64KB

          • memory/2924-39-0x00007FFE928C0000-0x00007FFE93261000-memory.dmp

            Filesize

            9.6MB