Analysis
max time kernel: 144s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/03/2024, 22:34
Behavioral tasks (task: sample, resource)
behavioral1: Fake AV/AnViPC2009.exe, win7-20240221-en
behavioral2: Fake AV/AnViPC2009.exe, win10v2004-20240226-en
behavioral3: Fake AV/Ana.exe, win7-20240221-en
behavioral4: Fake AV/Ana.exe, win10v2004-20240226-en
behavioral5: Fake AV/Antivirus.exe, win7-20240221-en
behavioral6: Fake AV/Antivirus.exe, win10v2004-20240226-en
behavioral7: Fake AV/Antivirus2010.exe, win7-20240221-en
behavioral8: Fake AV/Antivirus2010.exe, win10v2004-20240226-en
behavioral9: Fake AV/AntivirusPlatinum.exe, win7-20240221-en
behavioral10: Fake AV/AntivirusPlatinum.exe, win10v2004-20240226-en
behavioral11: Fake AV/AntivirusPro2017.exe, win7-20240221-en
behavioral12: Fake AV/AntivirusPro2017.exe, win10v2004-20240226-en
behavioral13: Fake AV/CleanThis.exe, win7-20240220-en
behavioral14: Fake AV/CleanThis.exe, win10v2004-20240226-en
behavioral15: Fake AV/FakeAdwCleaner.exe, win7-20240221-en
behavioral16: Fake AV/FakeAdwCleaner.exe, win10v2004-20240226-en
behavioral17: 6AdwCleaner.exe, win7-20240221-en
behavioral18: 6AdwCleaner.exe, win10v2004-20240226-en
behavioral19: Fake AV/FileFixPro/FFProInstall.exe, win7-20240221-en
behavioral20: Fake AV/FileFixPro/FFProInstall.exe, win10v2004-20240226-en
behavioral21: Fake AV/HappyAntivirus.exe, win7-20240221-en
behavioral22: Fake AV/HappyAntivirus.exe, win10v2004-20240226-en
behavioral23: Fake AV/InternetSecurityGuard.exe, win7-20240221-en
behavioral24: Fake AV/InternetSecurityGuard.exe, win10v2004-20240226-en
behavioral25: Fake AV/LPS2019.exe, win7-20240220-en
behavioral26: Fake AV/LPS2019.exe, win10v2004-20240226-en
behavioral27: Fake AV/Movie.mpeg.exe, win7-20240215-en
behavioral28: Fake AV/Movie.mpeg.exe, win10v2004-20240226-en
behavioral29: Fake AV/NavaShield.exe, win7-20240221-en
behavioral30: Fake AV/NavaShield.exe, win10v2004-20240226-en
behavioral31: Fake AV/PCDefender.exe, win7-20240221-en
behavioral32: Fake AV/PCDefender.exe, win10v2004-20240226-en
General
Target: Fake AV/LPS2019.exe
Size: 1.1MB
MD5: 2eb3ce80b26345bd139f7378330b19c1
SHA1: 10122bd8dd749e20c132d108d176794f140242b0
SHA256: 8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2
SHA512: e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a
SSDEEP: 24576:pXhZgPlmWcA4Te9+g6+lET/+xRXKRwFSmjTGIWrwg:xInpSe99pCkRXKRMdGIWrN
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (process: LPS2019.exe)
Executes dropped EXE (1 IoCs)
- PID 2924: lpsprt.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftProz = "C:\\Program Files (x86)\\HjuTygFcvX\\lpsprt.exe" (process: lpsprt.exe)
Drops file in Program Files directory (4 IoCs)
- File opened for modification: C:\Program Files (x86)\HjuTygFcvX (process: LPS2019.exe)
- File created: C:\Program Files (x86)\HjuTygFcvX\__tmp_rar_sfx_access_check_240641656 (process: LPS2019.exe)
- File created: C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe (process: LPS2019.exe)
- File opened for modification: C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe (process: LPS2019.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: dw20.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: dw20.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: dw20.exe)
Enumerates system info in registry (2 TTPs, 2 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: dw20.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: dw20.exe)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- PID 2924: lpsprt.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeBackupPrivilege, PID 3292 dw20.exe (listed twice)
Suspicious use of FindShellTrayWindow (12 IoCs)
- PID 2924: lpsprt.exe (12 identical entries)
Suspicious use of SendNotifyMessage (12 IoCs)
- PID 2924: lpsprt.exe (12 identical entries)
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 2684 wrote to memory of 2924 (pid 2684, LPS2019.exe, procid_target 100; listed twice)
- PID 2924 wrote to memory of 3292 (pid 2924, lpsprt.exe, procid_target 107; listed twice)
Processes
- C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe (level 1, PID 2684)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Fake AV\LPS2019.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe (level 2, PID 2924)
    Command line: "C:\Program Files (x86)\HjuTygFcvX\lpsprt.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe (level 3, PID 3292)
      Command line: dw20.exe -x -s 2780
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1, PID 4832)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 911KB
  MD5: 2e6360eeebcafd207ad6f4cfc81afdb3
  SHA1: 6d85d48c8c809ad0ee5f7b1b20ef79e871466072
  SHA256: 3a31f386f4a68827d8cbfeb087c017f871d80ab4565a2266f692fbe6cfea9c3b
  SHA512: 36e1cadeff91158c0e96585d7550dc193a6470f5fccf3cf98845c4291becc6dae39609771cc8157493bc6cb405446ac55a1790108c6c213293bf4a56ecf381e4