Overview
Score  Sample                   Platform
7      Fake AV/An...09.exe      windows7-x64
7      Fake AV/An...09.exe      windows10-2004-x64
7      Fake AV/Ana.exe          windows7-x64
8      Fake AV/Ana.exe          windows10-2004-x64
7      Fake AV/Antivirus.exe    windows7-x64
7      Fake AV/Antivirus.exe    windows10-2004-x64
7      Fake AV/An...10.exe      windows7-x64
10     Fake AV/An...10.exe      windows10-2004-x64
7      Fake AV/An...um.exe      windows7-x64
10     Fake AV/An...um.exe      windows10-2004-x64
10     Fake AV/An...17.exe      windows7-x64
7      Fake AV/An...17.exe      windows10-2004-x64
7      Fake AV/CleanThis.exe    windows7-x64
-      Fake AV/CleanThis.exe    windows10-2004-x64
-      Fake AV/Fa...er.exe      windows7-x64
7      Fake AV/Fa...er.exe      windows10-2004-x64
7      6AdwCleaner.exe          windows7-x64
6      6AdwCleaner.exe          windows10-2004-x64
6      Fake AV/Fi...ll.exe      windows7-x64
7      Fake AV/Fi...ll.exe      windows10-2004-x64
7      Fake AV/Ha...us.exe      windows7-x64
1      Fake AV/Ha...us.exe      windows10-2004-x64
1      Fake AV/In...rd.exe      windows7-x64
10     Fake AV/In...rd.exe      windows10-2004-x64
9      Fake AV/LPS2019.exe      windows7-x64
7      Fake AV/LPS2019.exe      windows10-2004-x64
7      Fake AV/Mo...eg.exe      windows7-x64
7      Fake AV/Mo...eg.exe      windows10-2004-x64
3      Fake AV/Na...ld.exe      windows7-x64
7      Fake AV/Na...ld.exe      windows10-2004-x64
7      Fake AV/PC...er.exe      windows7-x64
10     Fake AV/PC...er.exe      windows10-2004-x64
Analysis

max time kernel: 150s
max time network: 143s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/03/2024, 22:34
Behavioral tasks

Task          Sample                                 Resource
behavioral1   Fake AV/AnViPC2009.exe                 win7-20240221-en
behavioral2   Fake AV/AnViPC2009.exe                 win10v2004-20240226-en
behavioral3   Fake AV/Ana.exe                        win7-20240221-en
behavioral4   Fake AV/Ana.exe                        win10v2004-20240226-en
behavioral5   Fake AV/Antivirus.exe                  win7-20240221-en
behavioral6   Fake AV/Antivirus.exe                  win10v2004-20240226-en
behavioral7   Fake AV/Antivirus2010.exe              win7-20240221-en
behavioral8   Fake AV/Antivirus2010.exe              win10v2004-20240226-en
behavioral9   Fake AV/AntivirusPlatinum.exe          win7-20240221-en
behavioral10  Fake AV/AntivirusPlatinum.exe          win10v2004-20240226-en
behavioral11  Fake AV/AntivirusPro2017.exe           win7-20240221-en
behavioral12  Fake AV/AntivirusPro2017.exe           win10v2004-20240226-en
behavioral13  Fake AV/CleanThis.exe                  win7-20240220-en
behavioral14  Fake AV/CleanThis.exe                  win10v2004-20240226-en
behavioral15  Fake AV/FakeAdwCleaner.exe             win7-20240221-en
behavioral16  Fake AV/FakeAdwCleaner.exe             win10v2004-20240226-en
behavioral17  6AdwCleaner.exe                        win7-20240221-en
behavioral18  6AdwCleaner.exe                        win10v2004-20240226-en
behavioral19  Fake AV/FileFixPro/FFProInstall.exe    win7-20240221-en
behavioral20  Fake AV/FileFixPro/FFProInstall.exe    win10v2004-20240226-en
behavioral21  Fake AV/HappyAntivirus.exe             win7-20240221-en
behavioral22  Fake AV/HappyAntivirus.exe             win10v2004-20240226-en
behavioral23  Fake AV/InternetSecurityGuard.exe      win7-20240221-en
behavioral24  Fake AV/InternetSecurityGuard.exe      win10v2004-20240226-en
behavioral25  Fake AV/LPS2019.exe                    win7-20240220-en
behavioral26  Fake AV/LPS2019.exe                    win10v2004-20240226-en
behavioral27  Fake AV/Movie.mpeg.exe                 win7-20240215-en
behavioral28  Fake AV/Movie.mpeg.exe                 win10v2004-20240226-en
behavioral29  Fake AV/NavaShield.exe                 win7-20240221-en
behavioral30  Fake AV/NavaShield.exe                 win10v2004-20240226-en
behavioral31  Fake AV/PCDefender.exe                 win7-20240221-en
behavioral32  Fake AV/PCDefender.exe                 win10v2004-20240226-en
General

Target: Fake AV/Antivirus.exe
Size: 2.0MB
MD5: c7e9746b1b039b8bd1106bca3038c38f
SHA1: cb93ac887876bafe39c5f9aa64970d5e747fb191
SHA256: b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
SHA512: cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724
SSDEEP: 49152:FH/1Fdq0wneDrEoYxWFjmYMcKabLVp3diY7kp:FH/1Fdq0nIo2YAcl/NisA
Malware Config
Signatures
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus = "\"C:\\Program Files (x86)\\AnVi\\avt.exe\" -noscan" | Antivirus.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) by Antivirus.exe, one entry for each of: \??\O:, \??\Q:, \??\S:, \??\Y:, \??\U:, \??\W:, \??\E:, \??\H:, \??\I:, \??\K:, \??\P:, \??\X:, \??\B:, \??\L:, \??\R:, \??\T:, \??\V:, \??\Z:, \??\A:, \??\G:, \??\J:, \??\M:, \??\N:

Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\AnVi\splash.mp3 | Antivirus.exe
  File created | C:\Program Files (x86)\AnVi\virus.mp3 | Antivirus.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main | Antivirus.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes" | Antivirus.exe
  Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | Antivirus.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | Antivirus.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2004 Antivirus.exe (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2004 Antivirus.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeSecurityPrivilege | 620 | mofcomp.exe
  Token: 33 | 2004 | Antivirus.exe
  Token: SeIncBasePriorityPrivilege | 2004 | Antivirus.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid 2004 Antivirus.exe (3 identical entries)

Suspicious use of SendNotifyMessage (3 IoCs)
  pid 2004 Antivirus.exe (3 identical entries)

Suspicious use of SetWindowsHookEx (12 IoCs)
  pid 2004 Antivirus.exe (12 identical entries)

Suspicious use of WriteProcessMemory (36 IoCs)
  description | pid | Process | procid_target (each entry recorded 4 times)
  PID 2004 wrote to memory of 2232 | 2004 | Antivirus.exe | 29
  PID 2004 wrote to memory of 2500 | 2004 | Antivirus.exe | 30
  PID 2004 wrote to memory of 2628 | 2004 | Antivirus.exe | 32
  PID 2004 wrote to memory of 2380 | 2004 | Antivirus.exe | 34
  PID 2004 wrote to memory of 620 | 2004 | Antivirus.exe | 37
  PID 2628 wrote to memory of 2464 | 2628 | net.exe | 39
  PID 2500 wrote to memory of 2848 | 2500 | net.exe | 40
  PID 2380 wrote to memory of 2540 | 2380 | net.exe | 41
  PID 2232 wrote to memory of 2428 | 2232 | net.exe | 42
Processes

1. C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe"
   PID: 2004
   Signatures:
   - Adds Run key to start application
   - Enumerates connected drives
   - Drops file in Program Files directory
   - Modifies Internet Explorer settings
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\net.exe
      Command line: net stop wscsvc
      PID: 2232
      Signatures:
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\net1.exe
         Command line: C:\Windows\system32\net1 stop wscsvc
         PID: 2428

   2. C:\Windows\SysWOW64\net.exe
      Command line: net stop winmgmt /y
      PID: 2500
      Signatures:
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\net1.exe
         Command line: C:\Windows\system32\net1 stop winmgmt /y
         PID: 2848

   2. C:\Windows\SysWOW64\net.exe
      Command line: net start winmgmt
      PID: 2628
      Signatures:
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\net1.exe
         Command line: C:\Windows\system32\net1 start winmgmt
         PID: 2464

   2. C:\Windows\SysWOW64\net.exe
      Command line: net start wscsvc
      PID: 2380
      Signatures:
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\net1.exe
         Command line: C:\Windows\system32\net1 start wscsvc
         PID: 2540

   2. C:\Windows\SysWOW64\Wbem\mofcomp.exe
      Command line: mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
      PID: 620
      Signatures:
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 67KB
MD5: 753df6889fd7410a2e9fe333da83a429
SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IKDEMF4Q\index[1].js
Filesize: 3KB
MD5: d6ccc01f5e7ffed0e34b710cc8f94aea
SHA1: d8eebefa67f1b3ba5b4774450514063e2f5f0e84
SHA256: 13fee64f85f9ed03819cfb90371daea36ab141bc8b6d109b54d6f88dd15b9928
SHA512: 606b29db366da0738e5c918b7e872c1882ddd5ebec106179f2b599694aad1bca03833940cf11aa9fcef77d555ac89de573f6c358c083d9162e899a682df2ec58

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NXAFS242\v84a3a4012de94ce1a686ba8c167c359c1696973893317[1].js
Filesize: 19KB
MD5: dd1d068fdb5fe90b6c05a5b3940e088c
SHA1: 0d96f9df8772633a9df4c81cf323a4ef8998ba59
SHA256: 6153d13804862b0fc1c016cf1129f34cb7c6185f2cf4bf1a3a862eecdab50101
SHA512: 7aea051a8c2195a2ea5ec3d6438f2a4a4052085b370cf4728b056edc58d1f7a70c3f1f85afe82959184869f707c2ac02a964b8d9166122e74ebc423e0a47fa30

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U4VLHPRO\pixelplay[1].woff
Filesize: 25KB
MD5: b49e517a8e3605250d8a4231554c1b57
SHA1: 6da51af721bbb147c682f64c130ad97e336d1179
SHA256: 86f273658594b1fc14337bff6945402bc90cc6b67989b757d0146d83bb07260d
SHA512: d4ce376ee0af2244de6ca039bafffa627cb5f795951d9cc4d2f01a0e65f5804d18909148f057edbc0f645072229120dbb8b31165254279fd6bbacf0c9a9acc66

Filesize: 443B
MD5: 7fad92afda308dca8acfc6ff45c80c24
SHA1: a7fa35e7f90f772fc943c2e940737a48b654c295
SHA256: 76e19416eb826a27bdcf626c3877cf7812bbe9b62cc2ccc5c2f65461d644246f
SHA512: 49eed1e1197401cb856064bf7fdbd9f3bc57f3c864d47f509346d44eed3b54757d8c6cdb6254990d21291065f0762d2a1588d09e43c5728f77a420f6a8dcd6ea

Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 175KB
MD5: dd73cead4b93366cf3465c8cd32e2796
SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63