Overview

Sidebar index of the analyses for this submission (score badge, task, platform):

- Static: score 10
- Fake AV/An...09.exe (windows7-x64): score 7
- Fake AV/An...09.exe (windows10-2004-x64): score 7
- Fake AV/Ana.exe (windows7-x64): score 7
- Fake AV/Ana.exe (windows10-2004-x64): score 8
- Fake AV/Antivirus.exe (windows7-x64): score 7
- Fake AV/Antivirus.exe (windows10-2004-x64): score 7
- Fake AV/An...10.exe (windows7-x64): score 7
- Fake AV/An...10.exe (windows10-2004-x64): score 10
- Fake AV/An...um.exe (windows7-x64): score 7
- Fake AV/An...um.exe (windows10-2004-x64): score 10
- Fake AV/An...17.exe (windows7-x64): score 10
- Fake AV/An...17.exe (windows10-2004-x64): score 7
- Fake AV/CleanThis.exe (windows7-x64): score 7
- Fake AV/CleanThis.exe (windows10-2004-x64)
- Fake AV/Fa...er.exe (windows7-x64)
- Fake AV/Fa...er.exe (windows10-2004-x64): score 7
- 6AdwCleaner.exe (windows7-x64): score 7
- 6AdwCleaner.exe (windows10-2004-x64): score 6
- Fake AV/Fi...ll.exe (windows7-x64): score 6
- Fake AV/Fi...ll.exe (windows10-2004-x64): score 7
- Fake AV/Ha...us.exe (windows7-x64): score 7
- Fake AV/Ha...us.exe (windows10-2004-x64): score 1
- Fake AV/In...rd.exe (windows7-x64): score 1
- Fake AV/In...rd.exe (windows10-2004-x64): score 10
- Fake AV/LPS2019.exe (windows7-x64): score 9
- Fake AV/LPS2019.exe (windows10-2004-x64): score 7
- Fake AV/Mo...eg.exe (windows7-x64): score 7
- Fake AV/Mo...eg.exe (windows10-2004-x64): score 7
- Fake AV/Na...ld.exe (windows7-x64): score 3
- Fake AV/Na...ld.exe (windows10-2004-x64): score 7
- Fake AV/PC...er.exe (windows7-x64): score 7
- Fake AV/PC...er.exe (windows10-2004-x64): score 10
Analysis (score 10)

- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/03/2024, 22:34
Behavioral tasks (task: sample, resource)

- behavioral1: Fake AV/AnViPC2009.exe, win7-20240221-en
- behavioral2: Fake AV/AnViPC2009.exe, win10v2004-20240226-en
- behavioral3: Fake AV/Ana.exe, win7-20240221-en
- behavioral4: Fake AV/Ana.exe, win10v2004-20240226-en
- behavioral5: Fake AV/Antivirus.exe, win7-20240221-en
- behavioral6: Fake AV/Antivirus.exe, win10v2004-20240226-en
- behavioral7: Fake AV/Antivirus2010.exe, win7-20240221-en
- behavioral8: Fake AV/Antivirus2010.exe, win10v2004-20240226-en
- behavioral9: Fake AV/AntivirusPlatinum.exe, win7-20240221-en
- behavioral10: Fake AV/AntivirusPlatinum.exe, win10v2004-20240226-en
- behavioral11: Fake AV/AntivirusPro2017.exe, win7-20240221-en
- behavioral12: Fake AV/AntivirusPro2017.exe, win10v2004-20240226-en
- behavioral13: Fake AV/CleanThis.exe, win7-20240220-en
- behavioral14: Fake AV/CleanThis.exe, win10v2004-20240226-en
- behavioral15: Fake AV/FakeAdwCleaner.exe, win7-20240221-en
- behavioral16: Fake AV/FakeAdwCleaner.exe, win10v2004-20240226-en
- behavioral17: 6AdwCleaner.exe, win7-20240221-en
- behavioral18: 6AdwCleaner.exe, win10v2004-20240226-en
- behavioral19: Fake AV/FileFixPro/FFProInstall.exe, win7-20240221-en
- behavioral20: Fake AV/FileFixPro/FFProInstall.exe, win10v2004-20240226-en
- behavioral21: Fake AV/HappyAntivirus.exe, win7-20240221-en
- behavioral22: Fake AV/HappyAntivirus.exe, win10v2004-20240226-en
- behavioral23: Fake AV/InternetSecurityGuard.exe, win7-20240221-en
- behavioral24: Fake AV/InternetSecurityGuard.exe, win10v2004-20240226-en
- behavioral25: Fake AV/LPS2019.exe, win7-20240220-en
- behavioral26: Fake AV/LPS2019.exe, win10v2004-20240226-en
- behavioral27: Fake AV/Movie.mpeg.exe, win7-20240215-en
- behavioral28: Fake AV/Movie.mpeg.exe, win10v2004-20240226-en
- behavioral29: Fake AV/NavaShield.exe, win7-20240221-en
- behavioral30: Fake AV/NavaShield.exe, win10v2004-20240226-en
- behavioral31: Fake AV/PCDefender.exe, win7-20240221-en
- behavioral32: Fake AV/PCDefender.exe, win10v2004-20240226-en
General

- Target: Fake AV/NavaShield.exe
- Size: 9.7MB
- MD5: 1f13396fa59d38ebe76ccc587ccb11bb
- SHA1: 867adb3076c0d335b9bfa64594ef37a7e2c951ff
- SHA256: 83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d
- SHA512: 82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc
- SSDEEP: 196608:CtbTP1ErBwMQjd1YTHdmpCP2PVgP/acIE/xQ0zyZejVk+YzbRdTZ:C1E1+dYx6OP9hdyZwV4zd
Malware Config
Signatures

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation (NavaShield.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation (NavaShield.exe)

- Executes dropped EXE (3 IoCs)
  PID 4656 NavaShield.exe
  PID 2580 NavaBridge.exe
  PID 380 NavaDebugger.exe

- Loads dropped DLL (12 IoCs)
  PID 4656 NavaShield.exe (6 loads)
  PID 2580 NavaBridge.exe (5 loads)
  PID 380 NavaDebugger.exe (1 load)

- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NavaShield = "c:\\Nava Labs\\Nava Shield\\navashield.exe" (NavaShield.exe)

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key created: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (NavaShield.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (NavaShield.exe)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 4656 NavaShield.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33, PID 1832 AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege, PID 1832 AUDIODG.EXE

- Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 4656 NavaShield.exe (3 calls)

- Suspicious use of SendNotifyMessage (3 IoCs)
  PID 4656 NavaShield.exe (3 calls)

- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1264 (NavaShield.exe) wrote to memory of PID 4656, procid_target 95 (3 times)
  PID 4656 (NavaShield.exe) wrote to memory of PID 2580, procid_target 97 (3 times)
  PID 4656 (NavaShield.exe) wrote to memory of PID 380, procid_target 98 (3 times)
Processes

- C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe (PID 1264)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Fake AV\NavaShield.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Nava Labs\Nava Shield\NavaShield.exe (PID 4656)
    Command line: "C:\Nava Labs\Nava Shield\NavaShield.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Nava Labs\Nava Shield\NavaBridge.exe (PID 2580)
      Command line: "C:\Nava Labs\Nava Shield\NavaBridge.exe"
      - Executes dropped EXE
      - Loads dropped DLL
    - C:\Nava Labs\Nava Shield\NavaDebugger.exe (PID 380)
      Command line: "C:\Nava Labs\Nava Shield\NavaDebugger.exe"
      - Executes dropped EXE
      - Loads dropped DLL
- C:\Windows\system32\AUDIODG.EXE (PID 1832)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x514 0x510
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads