Analysis
max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/04/2024, 21:37
Static task: static1
Behavioral task: behavioral1
  Sample: kav21.3.10.391en_26074.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: kav21.3.10.391en_26074.exe
  Resource: win10v2004-20240412-en
General
Target: kav21.3.10.391en_26074.exe
Size: 2.6MB
MD5: d0e47e632ba9144605d7bec32e126737
SHA1: 9c02c04bed4cc77baab6ad8f22a9e780fedb61e3
SHA256: 915ceba5edafdf1ffc45792ede4269ada50809960c2d0e74fe554010f25b9afc
SHA512: 62b87616b11ec3299288f6015ad693e869f3dc795dfce7e3186d31e7e24e4490537ef68d739ed6aec1cd306c33057eff8827e8f1022503d0be3b42544b8e04a0
SSDEEP: 49152:847Nlau3ZiJvDrOV9Gcwb/alTe/iXMNLdcE/EBSDre/2jX8oL:8eNlau3UJOV9GvZbRDe/2zl
Malware Config
Signatures
-
Loads dropped DLL 2 IoCs
pid | Process
1384 | kav21.3.10.391en_26074.exe
1052 | kav21.3.10.391en_26074.exe
Checks for any installed AV software in registry 1 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab | kav21.3.10.391en_26074.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\UseSWRender = "1" | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\CSS_Compat | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Expand Alt Text | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Enable AutoImageResize | kav21.3.10.391en_26074.exe
Key opened | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Play_Animations | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\XMLHTTP | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\DisableScriptDebuggerIE | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Q300829 | kav21.3.10.391en_26074.exe
Key opened | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Settings | kav21.3.10.391en_26074.exe
Key opened | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Text Scaling | kav21.3.10.391en_26074.exe
Key opened | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts\3 | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Use_DlgBox_Colors | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Anchor Underline | kav21.3.10.391en_26074.exe
Key opened | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Larger Hit Test | kav21.3.10.391en_26074.exe
Key queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main | kav21.3.10.391en_26074.exe
Key queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride | kav21.3.10.391en_26074.exe
Key opened | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\International | kav21.3.10.391en_26074.exe
Key created | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Software\KasperskyLab\IEOverride\Main | kav21.3.10.391en_26074.exe
Key queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Display Inline Videos | kav21.3.10.391en_26074.exe
Key opened | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts\3 | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Disable Diagnostics Mode | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Display Inline Videos | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Disable Script Debugger | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Move System Caret | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\RtfConverterFlags | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\XMLHTTP | kav21.3.10.391en_26074.exe
Key opened | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts\4 | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Display Inline Images | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\JScriptProfileCacheEventDelay | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Expand Alt Text | kav21.3.10.391en_26074.exe
Key opened | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Styles | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Print_Background | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Show image placeholders | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Show image placeholders | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Disable Script Debugger | kav21.3.10.391en_26074.exe
Key opened | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Software\KasperskyLab\IEOverride | kav21.3.10.391en_26074.exe
Key opened | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\MenuExt | kav21.3.10.391en_26074.exe
Key queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main | kav21.3.10.391en_26074.exe
Key opened | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Software\KasperskyLab\IEOverride | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Play_Background_Sounds | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\UseHR | kav21.3.10.391en_26074.exe
Key opened | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Viewport | kav21.3.10.391en_26074.exe
Key opened | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Larger Hit Test | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Move System Caret | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Cleanup HTCs | kav21.3.10.391en_26074.exe
Key opened | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Styles | kav21.3.10.391en_26074.exe
Key opened | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Viewport | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Use_DlgBox_Colors | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\DOMStorage | kav21.3.10.391en_26074.exe
Key opened | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Play_Animations | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Disable Diagnostics Mode | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\XDomainRequest | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\DOMStorage | kav21.3.10.391en_26074.exe
Key opened | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Settings | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Play_Background_Sounds | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Enable AutoImageResize | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\UseHR | kav21.3.10.391en_26074.exe
Key value queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\JScriptProfileCacheEventDelay | kav21.3.10.391en_26074.exe
Key opened | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts | kav21.3.10.391en_26074.exe
Key queried | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride | kav21.3.10.391en_26074.exe
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | kav21.3.10.391en_26074.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | kav21.3.10.391en_26074.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | kav21.3.10.391en_26074.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
1384 | kav21.3.10.391en_26074.exe
1384 | kav21.3.10.391en_26074.exe
1384 | kav21.3.10.391en_26074.exe
1384 | kav21.3.10.391en_26074.exe
1384 | kav21.3.10.391en_26074.exe
1384 | kav21.3.10.391en_26074.exe
1052 | kav21.3.10.391en_26074.exe
1052 | kav21.3.10.391en_26074.exe
1052 | kav21.3.10.391en_26074.exe
1052 | kav21.3.10.391en_26074.exe
Suspicious use of SetWindowsHookEx 17 IoCs
pid | Process
1384 | kav21.3.10.391en_26074.exe
1384 | kav21.3.10.391en_26074.exe
1384 | kav21.3.10.391en_26074.exe
1384 | kav21.3.10.391en_26074.exe
1384 | kav21.3.10.391en_26074.exe
1384 | kav21.3.10.391en_26074.exe
1384 | kav21.3.10.391en_26074.exe
1384 | kav21.3.10.391en_26074.exe
1384 | kav21.3.10.391en_26074.exe
1052 | kav21.3.10.391en_26074.exe
1052 | kav21.3.10.391en_26074.exe
1052 | kav21.3.10.391en_26074.exe
1052 | kav21.3.10.391en_26074.exe
1052 | kav21.3.10.391en_26074.exe
1052 | kav21.3.10.391en_26074.exe
1052 | kav21.3.10.391en_26074.exe
1052 | kav21.3.10.391en_26074.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 1384 wrote to memory of 1052 | 1384 | kav21.3.10.391en_26074.exe | 88
PID 1384 wrote to memory of 1052 | 1384 | kav21.3.10.391en_26074.exe | 88
PID 1384 wrote to memory of 1052 | 1384 | kav21.3.10.391en_26074.exe | 88
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe"
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1384
2. C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe (child of PID 1384)
   Command line: C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe -sendDump="C:\Users\Admin\AppData\Local\Temp/KAVINST.21.3.10.391_04.18_21.38_1384.SETUP.full.dmp"
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 1052
-
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5.1MB
MD5: 7c0418acfb24086ede591a7e1d3df7ac
SHA1: 9bee27188d04bf44fa2e95a8fcb575497396f2b0
SHA256: d7b6905661d364be51bdb7e8e2ef9832ed0c33f056c4f40368f9ae6c1b4e608a
SHA512: e2c45aad07d5db230c9758fde258ab5589160d81a8723a5d246fe3287fca1a192b162c33f35144a44d16dd655e4a86694acd55c9279a15b795777ede2b14f71c

Filesize: 1KB
MD5: b79ab8145423e4714f4d3623a7913eef
SHA1: 0f17053bd76724cb244866c537de47ea6124331a
SHA256: 59a439debcea1f039382e258a337031f9878450afbce19a2a52a37783009fafe
SHA512: 239663617d89722d8c4187804901436c456444b92655ade83c1fbf04231467693869efdc689123724dcc58d63665efb5dbb2a835fe49144facbea361c8ae9151

C:\Users\Admin\AppData\Local\Temp\F0142414-FDCB-11EE-888B-5EFEAEFCD988\install_error_send_logs_page.html
Filesize: 2KB
MD5: cb59c7593555ec7511f0ce6049c95cfa
SHA1: 09044dd6baf785ce6484b4a861b741990629db45
SHA256: 9da9c7cea5cc920c9bd110fd4e2ec0b02d91e7bebcc71a95f5efd3bac3d99468
SHA512: 835b945b061188d95e8cddf91ea06109da2caffb79abca742cfa5aa5b84a83e5f82b2a624f7067caf026f56cd997c0c9ab9d1ac09c016ebd5301ace36f080ae2

Filesize: 94KB
MD5: 618538b4ab9639d444e962729a927f15
SHA1: dacc1f76630a9708add066819b1aabf8dce01056
SHA256: 27d92130c0321dad5a03760fd5ac98a3d04ed4c94d88418fe6d50da1f7fc5cbe
SHA512: bcb6754ea246939a19a917cc0b810e1753c1b0f1a8b1b7e652128ef15dee4fc79111e4d88fe12f9188449a307e82240d0261af402d783428edfe5785c860372d