Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/04/2024, 21:37

General

  • Target

    kav21.3.10.391en_26074.exe

  • Size

    2.6MB

  • MD5

    d0e47e632ba9144605d7bec32e126737

  • SHA1

    9c02c04bed4cc77baab6ad8f22a9e780fedb61e3

  • SHA256

    915ceba5edafdf1ffc45792ede4269ada50809960c2d0e74fe554010f25b9afc

  • SHA512

    62b87616b11ec3299288f6015ad693e869f3dc795dfce7e3186d31e7e24e4490537ef68d739ed6aec1cd306c33057eff8827e8f1022503d0be3b42544b8e04a0

  • SSDEEP

    49152:847Nlau3ZiJvDrOV9Gcwb/alTe/iXMNLdcE/EBSDre/2jX8oL:8eNlau3UJOV9GvZbRDe/2zl

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Checks for any installed AV software in registry 1 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
    "C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe"
    1⤵
    • Loads dropped DLL
    • Checks for any installed AV software in registry
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
      C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe -sendDump="C:\Users\Admin\AppData\Local\Temp/KAVINST.21.3.10.391_04.18_21.38_1384.SETUP.full.dmp"
      2⤵
      • Loads dropped DLL
      • Checks for any installed AV software in registry
      • Writes to the Master Boot Record (MBR)
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1052

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\6B2B47CEBCDFEE1188B8E5EFEACF9D88\setup.dll

    Filesize

    5.1MB

    MD5

    7c0418acfb24086ede591a7e1d3df7ac

    SHA1

    9bee27188d04bf44fa2e95a8fcb575497396f2b0

    SHA256

    d7b6905661d364be51bdb7e8e2ef9832ed0c33f056c4f40368f9ae6c1b4e608a

    SHA512

    e2c45aad07d5db230c9758fde258ab5589160d81a8723a5d246fe3287fca1a192b162c33f35144a44d16dd655e4a86694acd55c9279a15b795777ede2b14f71c

  • C:\Users\Admin\AppData\Local\Temp\EC74B2B7-FDCB-11EE-888B-5EFEAEFCD988\check_new_version.html

    Filesize

    1KB

    MD5

    b79ab8145423e4714f4d3623a7913eef

    SHA1

    0f17053bd76724cb244866c537de47ea6124331a

    SHA256

    59a439debcea1f039382e258a337031f9878450afbce19a2a52a37783009fafe

    SHA512

    239663617d89722d8c4187804901436c456444b92655ade83c1fbf04231467693869efdc689123724dcc58d63665efb5dbb2a835fe49144facbea361c8ae9151

  • C:\Users\Admin\AppData\Local\Temp\F0142414-FDCB-11EE-888B-5EFEAEFCD988\install_error_send_logs_page.html

    Filesize

    2KB

    MD5

    cb59c7593555ec7511f0ce6049c95cfa

    SHA1

    09044dd6baf785ce6484b4a861b741990629db45

    SHA256

    9da9c7cea5cc920c9bd110fd4e2ec0b02d91e7bebcc71a95f5efd3bac3d99468

    SHA512

    835b945b061188d95e8cddf91ea06109da2caffb79abca742cfa5aa5b84a83e5f82b2a624f7067caf026f56cd997c0c9ab9d1ac09c016ebd5301ace36f080ae2

  • C:\Users\Admin\AppData\Local\Temp\F0142414-FDCB-11EE-888B-5EFEAEFCD988\jquery-1.12.4.min.js

    Filesize

    94KB

    MD5

    618538b4ab9639d444e962729a927f15

    SHA1

    dacc1f76630a9708add066819b1aabf8dce01056

    SHA256

    27d92130c0321dad5a03760fd5ac98a3d04ed4c94d88418fe6d50da1f7fc5cbe

    SHA512

    bcb6754ea246939a19a917cc0b810e1753c1b0f1a8b1b7e652128ef15dee4fc79111e4d88fe12f9188449a307e82240d0261af402d783428edfe5785c860372d

  • memory/1052-32-0x0000000077D20000-0x0000000077D30000-memory.dmp

    Filesize

    64KB

  • memory/1052-33-0x0000000077D20000-0x0000000077D30000-memory.dmp

    Filesize

    64KB

  • memory/1052-34-0x0000000077D20000-0x0000000077D30000-memory.dmp

    Filesize

    64KB

  • memory/1384-1-0x0000000077D40000-0x0000000077D50000-memory.dmp

    Filesize

    64KB

  • memory/1384-0-0x0000000077D40000-0x0000000077D50000-memory.dmp

    Filesize

    64KB

  • memory/1384-2-0x0000000077D40000-0x0000000077D50000-memory.dmp

    Filesize

    64KB

  • memory/1384-3-0x0000000077BD2000-0x0000000077BD3000-memory.dmp

    Filesize

    4KB