Resubmissions

02/03/2024, 22:38

240302-2kwptaae37 10

02/03/2024, 22:34

240302-2g86qsad96 10

General

  • Target

    Fake AV.zip

  • Size

    38.6MB

  • Sample

    240302-2kwptaae37

  • MD5

    5d2863ac5f62a9fee17cd8c6799edba7

  • SHA1

    6f99e22d4f7308713c7262387c9a77f8e8b241b4

  • SHA256

    aee69ef9040e902b7a6639d7594df47e0e73625143a671583db8b85be525a3e5

  • SHA512

    d3e5aaec5fe7d3a81f881f31e1dae14baff0e5a806f50e7d1e2556124bcd1fa556485b073b459b8111de714e5be0eccb49bbe686ecf60a0e30f7e308c19d68a0

  • SSDEEP

    786432:eD3TpOcp9S8a8BvOuL+ZN6AiBFvm2FmlhVgw8PnxMyxGl:A3Fbp9Sl8pNL+mTR7PxnGl

Malware Config

Targets

    • Target

      Fake AV/AnViPC2009.exe

    • Size

      1.2MB

    • MD5

      910dd666c83efd3496f21f9f211cdc1f

    • SHA1

      77cd736ee1697beda0ac65da24455ec566ba7440

    • SHA256

      06effc4c15d371b5c40a84995a7bae75324b690af9fbe2e8980f8c0e0901bf45

    • SHA512

      467d3b4d45a41b90c8e29c8c3d46ddfbdee9875606cd1c1b7652c2c7e26d60fedac54b24b75def125d450d8e811c75974260ba48a79496d2bdaf17d674eddb47

    • SSDEEP

      24576:Lutr5OUF7zfbMEsJiZp8uSOBpik+Qijrcq0y0JL4SprofsCghjmxQ:LuXfbMvGei9yjrcq0y0JL4ggghjv

    • Score

      7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      Fake AV/Ana.exe

    • Size

      2.1MB

    • MD5

      f571faca510bffe809c76c1828d44523

    • SHA1

      7a3ca1660f0a513316b8cd5496ac7dbe82f0e0c2

    • SHA256

      117d7af0deb40b3fe532bb6cbe374884fa55ed7cfe053fe698720cdccb5a59cb

    • SHA512

      a08bca2fb1387cc70b737520d566c7117aa3fdb9a52f5dbb0bb7be44630da7977882d8c808cbee843c8a180777b4ac5819e8bafda6b2c883e380dc7fb5358a51

    • SSDEEP

      49152:OwVYlfBUDiZx8Fa/Q0NuB3btlnCItWNSwoy:OxPUDQmso0NuBZlnCItM

    • Adds policy Run key to start application

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Target

      Fake AV/Antivirus.exe

    • Size

      2.0MB

    • MD5

      c7e9746b1b039b8bd1106bca3038c38f

    • SHA1

      cb93ac887876bafe39c5f9aa64970d5e747fb191

    • SHA256

      b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4

    • SHA512

      cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724

    • SSDEEP

      49152:FH/1Fdq0wneDrEoYxWFjmYMcKabLVp3diY7kp:FH/1Fdq0nIo2YAcl/NisA

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      Fake AV/Antivirus2010.exe

    • Size

      775KB

    • MD5

      f49bcb5336b1e1212ae82cbb98f8dfe4

    • SHA1

      fc87518aee297f9c18e40f4604ea048aec0342c4

    • SHA256

      1501affdcf557a9dcb73ae34d43365d5301532a48328564160fdc1f3acb01e2e

    • SHA512

      51a4b1a5ede81e4dbeb9a335fe3a370e6ae452a46d4f4ce8753b37d6e399b00e0de3b066921febf1b5b20f5e3356e0d93da5df366acd2002b792ecb7eb32a7e4

    • SSDEEP

      12288:msCyG0JUuqby8mkxhZZIQUopL1UnDs1WxWM1W0pdNkFGNjB7tDWYK:j/kxX/ZLwo1WgMPACBv

    • Modifies security service

    • Windows security bypass

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks registry for disk virtualization

      Detecting virtualization disks is often done to detect sandboxing environments.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      Fake AV/AntivirusPlatinum.exe

    • Size

      739KB

    • MD5

      382430dd7eae8945921b7feab37ed36b

    • SHA1

      c95ddaebe2ae8fbcb361f3bf080d95a7bb5bf128

    • SHA256

      70e5e902d0ac7534838b743c899f484fe10766aefacc6df697219387a8e3d06b

    • SHA512

      26abc02bde77f0b94613edc32e0843ac71a0a8f3d8ba01cb94a42c047d0be7befef52a81984e9a0fa867400082a8905e7a63aaaf85fa32a03d27f7bc6a548c3b

    • SSDEEP

      12288:kUWA3AheuswygKEOKlC0DaWL8ldxj1UT1fzosC2kyINJATi1v2yUQpf84i:kUWqistgKErL8P6VzosCfE6TNpf8D

    • Score

      10/10

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Target

      Fake AV/AntivirusPro2017.exe

    • Size

      816KB

    • MD5

      7dfbfba1e4e64a946cb096bfc937fbad

    • SHA1

      9180d2ce387314cd4a794d148ea6b14084c61e1b

    • SHA256

      312f082ea8f64609d30ff62b11f564107bf7a4ec9e95944dfd3da57c6cdb4e94

    • SHA512

      f47b05b9c294688811dd72d17f815cce6c90f96d78f6835804d5182e2f4bfbd2d6738de854b8a79dea6345f9372ba76a36920e51e6cb556ef4b38b620e887eb4

    • SSDEEP

      12288:De/2dxVZ+ivtwdeOkD5YNfEp5UOc1+A4cMfZIYMlBlfwFyfr7BM9G/9V:6/iBFSkyNfI51cQFhMlvIofZRn

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      Fake AV/CleanThis.exe

    • Size

      618KB

    • MD5

      a50fc0da1d2b3c4aa8a6adaccf69a5de

    • SHA1

      e001f4043ab4be644ea10e0d65303d6e57b31ffe

    • SHA256

      cf6eb8377789e316629c0396a2dbb53c69b5fd67bbd0e7163b8d305aaa756e90

    • SHA512

      4bbc7676391ed4085f628d1f4e1f0af16f5cd6fd9efb8c61176bccdb6ee03b06896c6ddfba9fcf363b133ade3a8a1b8cd17ef92d8eb9adeec247f9bd41dbec2b

    • SSDEEP

      12288:EQIfqOiX9P/aazd1ctyDXHrJW2dGMToCRn5VxWRaqsrOkqgyQD:EQIydX/d1rTLRd/TvVUsrOkqFQD

    • Score

      10/10

    • Modifies WinLogon for persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      Fake AV/FakeAdwCleaner.exe

    • Size

      190KB

    • MD5

      248aadd395ffa7ffb1670392a9398454

    • SHA1

      c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5

    • SHA256

      51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc

    • SHA512

      582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

    • SSDEEP

      3072:15TDpNFVbxDSXJFFGhcBR1WLZ37p73G8Wn7GlDOg+ELqdSxo5XtIZjnvxRJgghaR:157TcfFPB6B3GL7g+me5aZjn5VlI9T/

    • Score

      7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      6AdwCleaner.exe

    • Size

      168KB

    • MD5

      87e4959fefec297ebbf42de79b5c88f6

    • SHA1

      eba50d6b266b527025cd624003799bdda9a6bc86

    • SHA256

      4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61

    • SHA512

      232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

    • SSDEEP

      3072:sqp6y91BH91Be/MbNBQ3MypF06N25xOT5Ng2WV4:Oy/BH/Be00Mypk5sYp4

    • Score

      6/10

    • Target

      Fake AV/FileFixPro/FFProInstall.exe

    • Size

      455KB

    • MD5

      d70754abc051edb0248b7287834808e2

    • SHA1

      9266f535d621c52e7603c1f30be7f67025663003

    • SHA256

      25f1979680c26601156c6ba3ad931b555b3f1ce82bf3546f8bf7d6241d3962d8

    • SHA512

      4be8b38129532429c84835197c329ff69d74a567d00f0fa88319656c531bc3af6326fa24a5692a1ebbe9bc4005a53a52aeb818507c773055b76a4e33c34482ea

    • SSDEEP

      12288:qmkOy5ws5qyKxg3Ismvo2gYcfygnXqD+k3TW:qfOy50Jx+IsV2mfXw+7

    • Score

      7/10

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      Fake AV/HappyAntivirus.exe

    • Size

      1.9MB

    • MD5

      cb02c0438f3f4ddabce36f8a26b0b961

    • SHA1

      48c4fcb17e93b74030415996c0ec5c57b830ea53

    • SHA256

      64677f7767d6e791341b2eac7b43df90d39d9bdf26d21358578d2d38037e2c32

    • SHA512

      373f91981832cd9a1ff0b8744b43c7574b72971b5b6b19ea1f4665b6c878f7a1c7834ac08b92e0eca299eb4b590bf10f48a0485350a77a5f85fc3d2dd6913db3

    • SSDEEP

      49152:p/VoMTzwF77l0VqmuTefhLTtk31XyXb9:ptoMTzwVmq3ettk31ob9

    • Score

      1/10

    • Target

      Fake AV/InternetSecurityGuard.exe

    • Size

      6.1MB

    • MD5

      04155ed507699b4e37532e8371192c0b

    • SHA1

      a14107131237dbb0df750e74281c462a2ea61016

    • SHA256

      b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77

    • SHA512

      6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371

    • SSDEEP

      98304:hvOOFJ+Z8eAgy7SH9s76RSvyqJOBgECfMfYv+85JH0DVczt8A:hvOOFJ+ggr9s76R+wcMAv+IHCczt8

    • UAC bypass

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Enumerates VirtualBox registry keys

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

    • Drops file in Drivers directory

    • Sets file execution options in registry

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      Fake AV/LPS2019.exe

    • Size

      1.1MB

    • MD5

      2eb3ce80b26345bd139f7378330b19c1

    • SHA1

      10122bd8dd749e20c132d108d176794f140242b0

    • SHA256

      8abed3ea04d52c42bdd6c9169c59212a7d8c649c12006b8278eda5aa91154cd2

    • SHA512

      e3223cd07d59cd97893304a3632b3a66fd91635848160c33011c103cca2badbfe9b78fe258666b634e455872f3a98889ede5a425d8fae91cae6983da1ea1190a

    • SSDEEP

      24576:pXhZgPlmWcA4Te9+g6+lET/+xRXKRwFSmjTGIWrwg:xInpSe99pCkRXKRMdGIWrN

    • Score

      7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      Fake AV/Movie.mpeg.exe

    • Size

      414KB

    • MD5

      d0deb2644c9435ea701e88537787ea6e

    • SHA1

      866e47ecd80da89c4f56557659027a3aee897132

    • SHA256

      ad6cd46f373aadad85fab5ecdb4cb4ad7ebd0cbe44c84db5d2a2ee1b54eb5ec3

    • SHA512

      6faac2e1003290bb3a0613ee84d5c76d3c48a4524e97975e9174d6fcfb5a6a48d6648b06ed5a4c10c3349f70efffc6a08a185fdeb0824250ae044b96ef39fcdf

    • SSDEEP

      6144:BCoFAtv2DDWANPG4F0vwDsl6JEFiGUHzAB4lTa7tKzWNYRbvhLWxsqgyn:koOv2D60PLyvaJTT9Za7kziYD69g

    • Score

      7/10

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      Fake AV/NavaShield.exe

    • Size

      9.7MB

    • MD5

      1f13396fa59d38ebe76ccc587ccb11bb

    • SHA1

      867adb3076c0d335b9bfa64594ef37a7e2c951ff

    • SHA256

      83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d

    • SHA512

      82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc

    • SSDEEP

      196608:CtbTP1ErBwMQjd1YTHdmpCP2PVgP/acIE/xQ0zyZejVk+YzbRdTZ:C1E1+dYx6OP9hdyZwV4zd

    • Score

      3/10

    • Target

      Fake AV/PCDefender.exe

    • Size

      878KB

    • MD5

      e4d4a59494265949993e26dee7b077d1

    • SHA1

      83e3d0c7e544117d6054e7d55932a7d2dbaf1163

    • SHA256

      5ae57d8750822c203f5bf5e241c7132377b250df36a215dff2f396c8440b82dd

    • SHA512

      efd176555415e0771a22a6ca6f15a82aec14ca090d2599959612db9d8e07065e38a7b82e2bf7be67cbe1494733344879782f5516bb502e0177e7b540c96fa718

    • SSDEEP

      24576:bUWqistOB98g0Z1hPLX2jOmsQl3eW0a92Vdcvd7wR:bUUZ98g0FPLIRl3sa92Hcvd8R

    • Score

      10/10

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks

static1

upx
Score
7/10

behavioral1

Score
7/10

behavioral2

Score
7/10

behavioral3

bootkit, discovery, evasion, persistence, trojan, upx
Score
8/10

behavioral4

bootkit, discovery, evasion, persistence, trojan, upx
Score
7/10

behavioral5

persistence, spyware, stealer
Score
7/10

behavioral6

persistence, spyware, stealer
Score
7/10

behavioral7

discovery, evasion, persistence, trojan
Score
10/10

behavioral8

Score
7/10

behavioral9

evasion, trojan, upx
Score
10/10

behavioral10

evasion, trojan, upx
Score
10/10

behavioral11

bootkit, persistence, spyware, stealer
Score
7/10

behavioral12

bootkit, persistence, spyware, stealer
Score
7/10

behavioral13

persistence, upx
Score
10/10

behavioral14

persistence, upx
Score
10/10

behavioral15

persistence
Score
7/10

behavioral16

persistence
Score
7/10

behavioral17

persistence
Score
6/10

behavioral18

persistence
Score
6/10

behavioral19

Score
7/10

behavioral20

Score
7/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

bootkit, discovery, evasion, persistence, spyware, stealer, trojan
Score
10/10

behavioral24

bootkit, discovery, evasion, persistence, spyware, stealer
Score
9/10

behavioral25

persistence
Score
7/10

behavioral26

persistence
Score
7/10

behavioral27

Score
7/10

behavioral28

Score
3/10

behavioral29

Score
3/10

behavioral30

Score
3/10

behavioral31

persistence
Score
10/10

behavioral32

persistence
Score
10/10