Analysis
- max time kernel: 152s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/03/2024, 22:34
Behavioral tasks (sample, resource)
- behavioral1: Fake AV/AnViPC2009.exe, win7-20240221-en
- behavioral2: Fake AV/AnViPC2009.exe, win10v2004-20240226-en
- behavioral3: Fake AV/Ana.exe, win7-20240221-en
- behavioral4: Fake AV/Ana.exe, win10v2004-20240226-en
- behavioral5: Fake AV/Antivirus.exe, win7-20240221-en
- behavioral6: Fake AV/Antivirus.exe, win10v2004-20240226-en
- behavioral7: Fake AV/Antivirus2010.exe, win7-20240221-en
- behavioral8: Fake AV/Antivirus2010.exe, win10v2004-20240226-en
- behavioral9: Fake AV/AntivirusPlatinum.exe, win7-20240221-en
- behavioral10: Fake AV/AntivirusPlatinum.exe, win10v2004-20240226-en
- behavioral11: Fake AV/AntivirusPro2017.exe, win7-20240221-en
- behavioral12: Fake AV/AntivirusPro2017.exe, win10v2004-20240226-en
- behavioral13: Fake AV/CleanThis.exe, win7-20240220-en
- behavioral14: Fake AV/CleanThis.exe, win10v2004-20240226-en
- behavioral15: Fake AV/FakeAdwCleaner.exe, win7-20240221-en
- behavioral16: Fake AV/FakeAdwCleaner.exe, win10v2004-20240226-en
- behavioral17: 6AdwCleaner.exe, win7-20240221-en
- behavioral18: 6AdwCleaner.exe, win10v2004-20240226-en
- behavioral19: Fake AV/FileFixPro/FFProInstall.exe, win7-20240221-en
- behavioral20: Fake AV/FileFixPro/FFProInstall.exe, win10v2004-20240226-en
- behavioral21: Fake AV/HappyAntivirus.exe, win7-20240221-en
- behavioral22: Fake AV/HappyAntivirus.exe, win10v2004-20240226-en
- behavioral23: Fake AV/InternetSecurityGuard.exe, win7-20240221-en
- behavioral24: Fake AV/InternetSecurityGuard.exe, win10v2004-20240226-en
- behavioral25: Fake AV/LPS2019.exe, win7-20240220-en
- behavioral26: Fake AV/LPS2019.exe, win10v2004-20240226-en
- behavioral27: Fake AV/Movie.mpeg.exe, win7-20240215-en
- behavioral28: Fake AV/Movie.mpeg.exe, win10v2004-20240226-en
- behavioral29: Fake AV/NavaShield.exe, win7-20240221-en
- behavioral30: Fake AV/NavaShield.exe, win10v2004-20240226-en
- behavioral31: Fake AV/PCDefender.exe, win7-20240221-en
- behavioral32: Fake AV/PCDefender.exe, win10v2004-20240226-en
General
- Target: Fake AV/Antivirus.exe
- Size: 2.0MB
- MD5: c7e9746b1b039b8bd1106bca3038c38f
- SHA1: cb93ac887876bafe39c5f9aa64970d5e747fb191
- SHA256: b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
- SHA512: cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724
- SSDEEP: 49152:FH/1Fdq0wneDrEoYxWFjmYMcKabLVp3diY7kp:FH/1Fdq0nIo2YAcl/NisA
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by Antivirus.exe: \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus = "\"C:\\Program Files (x86)\\AnVi\\avt.exe\" -noscan"
- Drops file in System32 directory (7 IoCs)
  Files opened for modification by svchost.exe:
  C:\Windows\system32\wbem\repository\MAPPING2.MAP
  C:\Windows\system32\wbem\repository\MAPPING3.MAP
  C:\Windows\system32\wbem\repository\OBJECTS.DATA
  C:\Windows\system32\wbem\repository\INDEX.BTR
  C:\Windows\system32\wbem\repository
  C:\Windows\system32\wbem\repository\WRITABLE.TST
  C:\Windows\system32\wbem\repository\MAPPING1.MAP
- Drops file in Program Files directory (2 IoCs)
  File created by Antivirus.exe: C:\Program Files (x86)\AnVi\splash.mp3
  File created by Antivirus.exe: C:\Program Files (x86)\AnVi\virus.mp3
- Modifies Internet Explorer settings (2 IoCs; this heading is missing from the extracted report and is taken from the signature tags in the process list)
  Key created by Antivirus.exe: \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Internet Explorer\Main
  Set value (str) by Antivirus.exe: \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "Yes"
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3104 Antivirus.exe (all 64 entries are this process)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token SeSecurityPrivilege: pid 876 mofcomp.exe (1 entry)
  Tokens for pid 4384 svchost.exe (63 entries, cycling repeatedly through the same 12 privileges): SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid 3104 Antivirus.exe (all 3 entries)
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid 3104 Antivirus.exe (all 3 entries)
- Suspicious use of SetWindowsHookEx (10 IoCs)
  pid 3104 Antivirus.exe (all 10 entries)
- Suspicious use of WriteProcessMemory (27 IoCs; each pairing below is logged three times)
  PID 3104 Antivirus.exe wrote to memory of 1056 (procid_target 91)
  PID 3104 Antivirus.exe wrote to memory of 4480 (procid_target 92)
  PID 3104 Antivirus.exe wrote to memory of 4800 (procid_target 93)
  PID 3104 Antivirus.exe wrote to memory of 1032 (procid_target 94)
  PID 3104 Antivirus.exe wrote to memory of 876 (procid_target 95)
  PID 1056 net.exe wrote to memory of 2120 (procid_target 101)
  PID 1032 net.exe wrote to memory of 4984 (procid_target 102)
  PID 4480 net.exe wrote to memory of 4832 (procid_target 103)
  PID 4800 net.exe wrote to memory of 764 (procid_target 104)
Processes
- C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Fake AV\Antivirus.exe"
  PID: 3104
  Signatures: Adds Run key to start application; Drops file in Program Files directory; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\net.exe
    Command line: net stop wscsvc
    PID: 1056
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop wscsvc
      PID: 2120
  - C:\Windows\SysWOW64\net.exe
    Command line: net stop winmgmt /y
    PID: 4480
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop winmgmt /y
      PID: 4832
  - C:\Windows\SysWOW64\net.exe
    Command line: net start winmgmt
    PID: 4800
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 start winmgmt
      PID: 764
  - C:\Windows\SysWOW64\net.exe
    Command line: net start wscsvc
    PID: 1032
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 start wscsvc
      PID: 4984
  - C:\Windows\SysWOW64\Wbem\mofcomp.exe
    Command line: mofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof
    PID: 876
    Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  PID: 4384
  Signatures: Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 443B
  MD5: 7fad92afda308dca8acfc6ff45c80c24
  SHA1: a7fa35e7f90f772fc943c2e940737a48b654c295
  SHA256: 76e19416eb826a27bdcf626c3877cf7812bbe9b62cc2ccc5c2f65461d644246f
  SHA512: 49eed1e1197401cb856064bf7fdbd9f3bc57f3c864d47f509346d44eed3b54757d8c6cdb6254990d21291065f0762d2a1588d09e43c5728f77a420f6a8dcd6ea