Overview

Static analysis: score 10

Behavioral tasks (score, sample, platform):
  7   Fake AV/An...09.exe      windows7-x64
  7   Fake AV/An...09.exe      windows10-2004-x64
  7   Fake AV/Ana.exe          windows7-x64
  8   Fake AV/Ana.exe          windows10-2004-x64
  7   Fake AV/Antivirus.exe    windows7-x64
  7   Fake AV/Antivirus.exe    windows10-2004-x64
  7   Fake AV/An...10.exe      windows7-x64
  10  Fake AV/An...10.exe      windows10-2004-x64
  7   Fake AV/An...um.exe      windows7-x64
  10  Fake AV/An...um.exe      windows10-2004-x64
  10  Fake AV/An...17.exe      windows7-x64
  7   Fake AV/An...17.exe      windows10-2004-x64
  7   Fake AV/CleanThis.exe    windows7-x64
  -   Fake AV/CleanThis.exe    windows10-2004-x64
  -   Fake AV/Fa...er.exe      windows7-x64
  7   Fake AV/Fa...er.exe      windows10-2004-x64
  7   6AdwCleaner.exe          windows7-x64
  6   6AdwCleaner.exe          windows10-2004-x64
  6   Fake AV/Fi...ll.exe      windows7-x64
  7   Fake AV/Fi...ll.exe      windows10-2004-x64
  7   Fake AV/Ha...us.exe      windows7-x64
  1   Fake AV/Ha...us.exe      windows10-2004-x64
  1   Fake AV/In...rd.exe      windows7-x64
  10  Fake AV/In...rd.exe      windows10-2004-x64
  9   Fake AV/LPS2019.exe      windows7-x64
  7   Fake AV/LPS2019.exe      windows10-2004-x64
  7   Fake AV/Mo...eg.exe      windows7-x64
  7   Fake AV/Mo...eg.exe      windows10-2004-x64
  3   Fake AV/Na...ld.exe      windows7-x64
  7   Fake AV/Na...ld.exe      windows10-2004-x64
  7   Fake AV/PC...er.exe      windows7-x64
  10  Fake AV/PC...er.exe      windows10-2004-x64
Analysis (score 10)

  max time kernel:   150s
  max time network:  124s
  platform:          windows7_x64
  resource:          win7-20240221-en
  resource tags:     arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted:         02/03/2024, 22:34
Behavioral tasks

  Task          Sample                                 Resource
  behavioral1   Fake AV/AnViPC2009.exe                 win7-20240221-en
  behavioral2   Fake AV/AnViPC2009.exe                 win10v2004-20240226-en
  behavioral3   Fake AV/Ana.exe                        win7-20240221-en
  behavioral4   Fake AV/Ana.exe                        win10v2004-20240226-en
  behavioral5   Fake AV/Antivirus.exe                  win7-20240221-en
  behavioral6   Fake AV/Antivirus.exe                  win10v2004-20240226-en
  behavioral7   Fake AV/Antivirus2010.exe              win7-20240221-en
  behavioral8   Fake AV/Antivirus2010.exe              win10v2004-20240226-en
  behavioral9   Fake AV/AntivirusPlatinum.exe          win7-20240221-en
  behavioral10  Fake AV/AntivirusPlatinum.exe          win10v2004-20240226-en
  behavioral11  Fake AV/AntivirusPro2017.exe           win7-20240221-en
  behavioral12  Fake AV/AntivirusPro2017.exe           win10v2004-20240226-en
  behavioral13  Fake AV/CleanThis.exe                  win7-20240220-en
  behavioral14  Fake AV/CleanThis.exe                  win10v2004-20240226-en
  behavioral15  Fake AV/FakeAdwCleaner.exe             win7-20240221-en
  behavioral16  Fake AV/FakeAdwCleaner.exe             win10v2004-20240226-en
  behavioral17  6AdwCleaner.exe                        win7-20240221-en
  behavioral18  6AdwCleaner.exe                        win10v2004-20240226-en
  behavioral19  Fake AV/FileFixPro/FFProInstall.exe    win7-20240221-en
  behavioral20  Fake AV/FileFixPro/FFProInstall.exe    win10v2004-20240226-en
  behavioral21  Fake AV/HappyAntivirus.exe             win7-20240221-en
  behavioral22  Fake AV/HappyAntivirus.exe             win10v2004-20240226-en
  behavioral23  Fake AV/InternetSecurityGuard.exe      win7-20240221-en
  behavioral24  Fake AV/InternetSecurityGuard.exe      win10v2004-20240226-en
  behavioral25  Fake AV/LPS2019.exe                    win7-20240220-en
  behavioral26  Fake AV/LPS2019.exe                    win10v2004-20240226-en
  behavioral27  Fake AV/Movie.mpeg.exe                 win7-20240215-en
  behavioral28  Fake AV/Movie.mpeg.exe                 win10v2004-20240226-en
  behavioral29  Fake AV/NavaShield.exe                 win7-20240221-en
  behavioral30  Fake AV/NavaShield.exe                 win10v2004-20240226-en
  behavioral31  Fake AV/PCDefender.exe                 win7-20240221-en
  behavioral32  Fake AV/PCDefender.exe                 win10v2004-20240226-en
General

  Target:  Fake AV/NavaShield.exe
  Size:    9.7MB
  MD5:     1f13396fa59d38ebe76ccc587ccb11bb
  SHA1:    867adb3076c0d335b9bfa64594ef37a7e2c951ff
  SHA256:  83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d
  SHA512:  82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc
  SSDEEP:  196608:CtbTP1ErBwMQjd1YTHdmpCP2PVgP/acIE/xQ0zyZejVk+YzbRdTZ:C1E1+dYx6OP9hdyZwV4zd
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  PID    Process
  2012   NavaShield.exe
  436    NavaBridge.exe
  1560   NavaDebugger.exe

Loads dropped DLL (11 IoCs)
  PID    Process
  2212   NavaShield.exe
  2012   NavaShield.exe
  2012   NavaShield.exe
  2012   NavaShield.exe
  2012   NavaShield.exe
  2012   NavaShield.exe
  436    NavaBridge.exe
  436    NavaBridge.exe
  436    NavaBridge.exe
  2012   NavaShield.exe
  1560   NavaDebugger.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Description:  Set value (str)
  IoC:          \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\NavaShield = "c:\\Nava Labs\\Nava Shield\\navashield.exe"
  Process:      NavaShield.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Description        IoC                                                                          Process
  Key created        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      NavaShield.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  NavaShield.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID    Process
  2012   NavaShield.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  PID    Process
  2012   NavaShield.exe
  2012   NavaShield.exe
  2012   NavaShield.exe

Suspicious use of SendNotifyMessage (3 IoCs)
  PID    Process
  2012   NavaShield.exe
  2012   NavaShield.exe
  2012   NavaShield.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Description                         PID    Process          procid_target
  PID 2212 wrote to memory of 2012    2212   NavaShield.exe   30
  PID 2212 wrote to memory of 2012    2212   NavaShield.exe   30
  PID 2212 wrote to memory of 2012    2212   NavaShield.exe   30
  PID 2212 wrote to memory of 2012    2212   NavaShield.exe   30
  PID 2012 wrote to memory of 436     2012   NavaShield.exe   32
  PID 2012 wrote to memory of 436     2012   NavaShield.exe   32
  PID 2012 wrote to memory of 436     2012   NavaShield.exe   32
  PID 2012 wrote to memory of 436     2012   NavaShield.exe   32
  PID 2012 wrote to memory of 1560    2012   NavaShield.exe   33
  PID 2012 wrote to memory of 1560    2012   NavaShield.exe   33
  PID 2012 wrote to memory of 1560    2012   NavaShield.exe   33
  PID 2012 wrote to memory of 1560    2012   NavaShield.exe   33
Processes

1. C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe"
   PID: 2212
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Nava Labs\Nava Shield\NavaShield.exe
      Command line: "C:\Nava Labs\Nava Shield\NavaShield.exe"
      PID: 2012
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Nava Labs\Nava Shield\NavaBridge.exe
         Command line: "C:\Nava Labs\Nava Shield\NavaBridge.exe"
         PID: 436
         - Executes dropped EXE
         - Loads dropped DLL

      3. C:\Nava Labs\Nava Shield\NavaDebugger.exe
         Command line: "C:\Nava Labs\Nava Shield\NavaDebugger.exe"
         PID: 1560
         - Executes dropped EXE
         - Loads dropped DLL
Network

MITRE ATT&CK Enterprise v15

Downloads
  Filesize:  4.0MB
  MD5:       6f89df4cde193c0636c3d497cf1a17bf
  SHA1:      9faaa0100195e3e81fdade11e7a476a1fd1b23c8
  SHA256:    e7f05380e90dfb15b91b8bbc2ae48a04ba84d573b3c9f7d81bcc12f814215929
  SHA512:    c31848b1dceb8f8351991051b389a38b2ca0ae7ee98ebf626576245ca1588f1f6ee14e3eff7b165ecf9879e7e11ab77888e297cc4ccbb405b0ed64ebcda304b2

  Filesize:  2.1MB
  MD5:       57665e9b4d766001862c38bde736f965
  SHA1:      05966b1b04e2e2f9e018d8b55f7b589d29d3ddbd
  SHA256:    3613e118d87531b4357b014f23a08551339962a3e0e5cfbdfbca7f989e145848
  SHA512:    6759bb36ebe8316bfbc17ca5fead431813a6aa2accecfa1391c041f8ac50e78ab1f88b5bfc5016fe4e337c32c73d97165d6431d63e84e072fac1a29c015f1872

  Filesize:  92KB
  MD5:       831295342c47b770bf7cc591a6916fa7
  SHA1:      2c9063fbf3f3363526abdc241bf90618b82446d1
  SHA256:    8341ecc0938ca6d90b7e0f02af2d7e6b571c948a03a99d54af61c4557c78d656
  SHA512:    01419defe963a987989cddb0e21cf651ec3eefeae97cf4b257d4caa8da26436a647e8e4d95cdad22bbb0657171f6d3d9c41dc6fb217ffc7d5172ebc9a409d36e

  Filesize:  2.1MB
  MD5:       09e1f0733eb59abeb9180cd8db034053
  SHA1:      209c79c4eca9f4a8ea5ed78561a76c6fc4ecdef8
  SHA256:    7f9b0554775bbb6996de3a20038a08485fc8a211e0a4bb0aa055c3767339d00a
  SHA512:    515ff6df7d80fd81d0c7b3fb8ca64b29eeed5beb3dc42f14c6b17f4dc788e2d75e5df88273e151cb01cb92875eefb314219e48de9991ba4f8a76b0602bc7d532

  Filesize:  2.3MB
  MD5:       9111d2f189927c7b49f49d3e2068cb68
  SHA1:      ccb60935e474978efd8e7737d660f77be7720366
  SHA256:    8ede8bbfdd719b86bf6c949412b86ef7ba7573596772a8f506e74c2c04ce430b
  SHA512:    3364416cdb9c7f276e1dd167b1cacf3ec964aac24c3cb1cd160a4e64435ccaed4331486be5c55172f83c2eab5b25ebb05816ada7f81085c68fa3eeee3306f4aa

  Filesize:  3.4MB
  MD5:       ca349faf9fbed80c3eeb0c5735aad99c
  SHA1:      4707cd4b771f6c1783c492d1214f1e9e6a5551bc
  SHA256:    58d1784dbac1819d0dd11c60987f4442c99ea71fe8f9522a8299b3cff869194e
  SHA512:    4afb559f861053cb0352cf0d7bb69cfbc64e1c8565fd9fb8e53e3618a089da447f12da9b99626fbe16bf35c64147c4990eba3e601023c26bf53ea44876023bc3

  Filesize:  72KB
  MD5:       de5eefa1b686e3d32e3ae265392492bd
  SHA1:      7b37b0ac1061366bf1a7f267392ebc0d606bb3db
  SHA256:    a50e56dfb68410a7927ecd50f55044756b54868e920e462671162d1961bfe744
  SHA512:    c71270a5275f91214444449be4923a70243a9e2cd06afcc6fd28ab9f2cd2d930219ce8ed9ec008750b2611b62ed26b65cb57a75c6035201cd9657263d157d508

  Filesize:  844KB
  MD5:       49d7c9b8aabdde050324079d80855763
  SHA1:      da9aefeae29148f92181f2303ef5804caab67779
  SHA256:    b5f836905e10c181a2c1d089765a0de51fc6b7b6883b4dcd78633b8d26a6e141
  SHA512:    5861e3b1d192f8fa580fdb8cdf8716a27b134b87668e838486a6f48192f0c4052ee63379402d6c48940501c8dea66de48b41fefbff34ac736f5bde9fc177a3d7

  Filesize:  632KB
  MD5:       90fff0b193fd143b5b435cfd0604c2a6
  SHA1:      f48f79f814ea2a3c9b368004ec05aaa3c86c6839
  SHA256:    b956e0149d07163bcf85131b671267698321c5590e5e3b1a853be0d69adf3fbb
  SHA512:    d7bd9ca480dc03523d40a4f7533ea57db37ce603d2eb9609184284894014b1a976dc49ffa9b57650e9147367ceedcbd70fa2c2a3c87211a0b0a6945653c09aae

  Filesize:  176B
  MD5:       e66f1107f995d52bcd90421b3cdc0dde
  SHA1:      245acafa2f3dab3f2b7f183d34267dcd976199c0
  SHA256:    45fa6eacea58e682c2ef2bb9e888cb6bf396c37b957fd144ca73c95699ad3c74
  SHA512:    0500f9dec5cfdfb80bc5763943deb3111ccde4b35f19ac124df2e5abde2681154977f160a42e9ef50698b0ea0cc26fc09361a3917534038f141dd047f0287c1f

  Filesize:  4KB
  MD5:       389bf6e15ae0a7250f454da52aa7ced5
  SHA1:      1f6a6fe568a1b863bf1f8a9bec9fc8a67e04ca43
  SHA256:    5993325acfe309946c176737a019aa16e22b921fa6387b766bf8bc8a504e220d
  SHA512:    74bf5a1b5aaa4a27777ef98744aa5a4aac9dc2d64def7be42883d965e77c06852b8bd61c9b7620030c0b5d712ddefdbf0786d0696f62459e33a0debfbc62eb22

  Filesize:  4KB
  MD5:       059404ab16e140325da96b8cf871eb0f
  SHA1:      a042d03a013ccea427fa9d776801efd54b2862d8
  SHA256:    6150381c68bdf45a6ce9cf13135dce19886ffd0c252d4b8a0a2ef6d5a983eb47
  SHA512:    fe1472d39f13228c5734a2ab29ba343571cf67df5dc844a1b828806649a6b734d226484e408d0376140670641950d257f0cdf617efbbec39043509088d250874

  Filesize:  255B
  MD5:       0bf850cb9d0aa0f4c778cc515b79bd13
  SHA1:      c0cb8a58cba046d2c7539025a39c8a1af81c3914
  SHA256:    9c4723ecb77e39e58eda9c60f532724aa3bf69de30047cc7b6522534cd423f00
  SHA512:    649c13f9f4fccc03ebd6cb2c3752434c69b5a8d7e9b94cac80cd98a7624bfd00648949b18cd720faf89fae050f6b523221db589a550c6ce4513e76ff0895da5b

  Filesize:  679KB
  MD5:       69ae1881260e0f7870e0e5508f34a502
  SHA1:      435c610d639c63b1a8e8a4ffd2188d0c47b155b3
  SHA256:    55ea4da6d3f5582a187942aba0a08555c4770731baf3557556aec63edbaf4415
  SHA512:    5232958fff6b2f2cf012e3ade5b60a5db696503e6b24c0781ad1cb30d99084d658e35fce4cde6eee6ed2d046297d6094c8f53b7c1510c3c05977162204617a8b

  Filesize:  96KB
  MD5:       912924f628e277be9cc28a5f2a990cb9
  SHA1:      13c0166469a271497043a2f13e9a6a610dc2b336
  SHA256:    bd474c5aafcaa12f20da5ecb29e17555b953eca46b4f56588a72672a36d4a8eb
  SHA512:    b33b430254f9ec32ecd6224124db69af93de3cbfbaf422a0045641f7961834a67cba1b9fd97f4e0e903e27e3360301c5dba214a6b9156c4cdf8a25115b860c39

  Filesize:  2.5MB
  MD5:       beb9a1306c8001258b9df8c7a9c816ff
  SHA1:      63ac7fe58e9eedecdc35f2e12d3c263717b18d19
  SHA256:    d39c80e19ddaf2c1d8e2e10136c475778358c389d0caba91eab599efbf0c58ae
  SHA512:    0d4b9ec262993a19260386432acf9fc61819f2cf54e636abb392ac59427d02d4285b0a3c14b773ac709dbfffcb145588a83e9deb154ef52f33c709190bfb7e79

  Filesize:  2.4MB
  MD5:       25873e5d9d605d2e0937420b404b22b6
  SHA1:      618a56b176c2edf76c2bfb8295dcf1fb35ef2cc8
  SHA256:    1c23dfea6df21feb5d18b2914f961385608d63fd709209b57cbd701896ad9bb2
  SHA512:    9680c68d1ae95663bc4c137aa4e75514322607132cb7cbccd7ddbf0fcb44a77699f0764b811b7401185c73f7b495a6eed7eb26d70c8b3af072914f125b66e41a

  Filesize:  5KB
  MD5:       3d7f80fb0534d24f95ee377c40b72fb3
  SHA1:      11b443ed953dae35d9c9905b5bbeb309049f3d36
  SHA256:    abd84867d63a5449101b7171b1cc3907c44d7d327ea97d45b22a1015cc3af4dc
  SHA512:    7fc741bbce281873134b9f4d68b74ae04daf943ea4c0c26e7e44579f2d51883c635972a405dd81cee63079a5ba9d09328a1e26e7878547590569806d219d83c7

  Filesize:  136KB
  MD5:       fcf3ac25f11ba7e8b31c4baf1910f7a6
  SHA1:      fb470541f0b6b8f3ce69dcaa239ca9a7d7e91d72
  SHA256:    e5b3249fbeea8395fd56c20511bfcfdb2b2632d3c8d517b943466a4e47f97b5c
  SHA512:    47c467924d64af4a48a6e640778aca1dce379d16b06bf3f60a44025034c15ce1498ef307b63cb04e5c0cbb6c2ac58022acdb0d6efb1109c5ea31f842a320aa40

  Filesize:  1.1MB
  MD5:       8bab9091f9d45d9d83fdebcaa4655e0e
  SHA1:      8c92be10d23ec9f0210cd25253a831ecd43f679f
  SHA256:    e1e6024b36a6e2ec620dd6f9db061a5e11b870229b398a25ddcebb4dc75ca7fe
  SHA512:    e970345034b3aa600851410a4f8348c359f606fa4b225d619bef0b24ae9cd7b133a013425dd1a2f884d60a2514ab5a6c85f1887fb32483fbda7d53ba5e018ee1