Analysis
- max time kernel: 12s
- max time network: 38s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-04-2024 03:37
Tasks (each behavioral task lists its sample and the sandbox resource it ran on; tasks are paired as Windows 7 / Windows 10 runs of the same sample):
- static1: static task
- behavioral1 / behavioral2: AntivirusDefender-main/AntivirusDefender/AntivirusDefender/Resources/antivirusfalsepositivetest3.exe; win7-20240215-en / win10v2004-20240419-en
- behavioral3 / behavioral4: AntivirusDefender-main/AntivirusDefender/AntivirusDefender/Resources/antivirusfalsepositivetest4.exe; win7-20240221-en / win10v2004-20240419-en
- behavioral5 / behavioral6: AntivirusDefender-main/AntivirusDefender/AntivirusDefender/Resources/usbwrite.exe; win7-20240215-en / win10v2004-20240426-en
- behavioral7 / behavioral8: AntivirusDefender-main/AntivirusDefender/AntivirusDefender/bin/Debug/AntivirusDefender.exe; win7-20240221-en / win10v2004-20240419-en
- behavioral9 / behavioral10: AntivirusDefender-main/AntivirusDefender/AntivirusDefender/bin/Debug/defender.exe; win7-20240221-en / win10v2004-20240419-en
- behavioral11 / behavioral12: AntivirusDefender-main/AntivirusDefender/AntivirusDefender/obj/Debug/AntivirusDefender.exe; win7-20240221-en / win10v2004-20240419-en
- behavioral13 / behavioral14: AntivirusDefender-main/AntivirusDefender3.2.bat; win7-20240221-en / win10v2004-20240419-en
- behavioral15 / behavioral16: AntivirusDefender-main/JigsawRansomware/JigsawRansomware/JigsawRansomware/bin/Release/JigsawRansomware.exe; win7-20240215-en / win10v2004-20240419-en
- behavioral17 / behavioral18: AntivirusDefender-main/JigsawRansomware/JigsawRansomware/JigsawRansomware/bin/Release/JigsawRansomware.vshost.exe; win7-20240221-en / win10v2004-20240419-en
- behavioral19 / behavioral20: AntivirusDefender-main/JigsawRansomware/JigsawRansomware/JigsawRansomware/obj/Release/JigsawRansomware.exe; win7-20240221-en / win10v2004-20240226-en
- behavioral21 / behavioral22: AntivirusDefender-main/antivirusfalsepositivetest3/antivirusfalsepositivetest3/bin/Debug/antivirusfalsepositivetest3.exe; win7-20240220-en / win10v2004-20240419-en
- behavioral23 / behavioral24: AntivirusDefender-main/antivirusfalsepositivetest3/antivirusfalsepositivetest3/obj/Debug/antivirusfalsepositivetest3.exe; win7-20231129-en / win10v2004-20240419-en
- behavioral25 / behavioral26: AntivirusDefender-main/antivirusfalsepositivetest4/antivirusfalsepositivetest4/Resources/JigsawRansomware.exe; win7-20240215-en / win10v2004-20240419-en
- behavioral27 / behavioral28: AntivirusDefender-main/antivirusfalsepositivetest4/antivirusfalsepositivetest4/Resources/blacklotus.exe; win7-20240221-en / win10v2004-20240419-en
- behavioral29 / behavioral30: AntivirusDefender-main/antivirusfalsepositivetest4/antivirusfalsepositivetest4/Resources/c.exe; win7-20240220-en / win10v2004-20240419-en
- behavioral31 / behavioral32: AntivirusDefender-main/antivirusfalsepositivetest4/antivirusfalsepositivetest4/Resources/f.exe; win7-20231129-en / win10v2004-20240419-en
General
- Target: AntivirusDefender-main/AntivirusDefender/AntivirusDefender/obj/Debug/AntivirusDefender.exe
- Size: 10.6MB
- MD5: 7acbd34db0aa98d2a0cc3ea8716b12b5
- SHA1: 842d24df65449d5722b387f0a28cb746cf615e69
- SHA256: 3bdab09c77fda2c0afe9cafd76202cd33f9a1d7adee9e437a931d2ba366ebf87
- SHA512: 1f564735bb1596a6ba5d1b6654fc3b90a9707117b048d54a1c54324eea5d634dbcfbdff366ef1d65598507660295008f8434054c3f53412cacf49c55aff208d2
- SSDEEP: 196608:DbxNMGrnhzvYf9EfmiAf1qkB8I9r1UhraBMBMBR:bMGr4+BAf1qC1caBMWBR
Malware Config
Signatures
UAC bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (AntivirusDefender.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation (AntivirusDefender.exe)
Executes dropped EXE 1 IoCs
- PID 2360 antivirusfalsepositivetest3.exe
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyStartupValuex = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AntivirusDefender-main\\AntivirusDefender\\AntivirusDefender\\obj\\Debug\\antivirusfalsepositivetest4.exe" (AntivirusDefender.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyStartupValue = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AntivirusDefender-main\\AntivirusDefender\\AntivirusDefender\\obj\\Debug\\antivirusfalsepositivetest4.exe" (antivirusfalsepositivetest3.exe)
Checks whether UAC is enabled
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (AntivirusDefender.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (AntivirusDefender.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 3984 AntivirusDefender.exe (all 64 IoCs are this same process)
Suspicious use of AdjustPrivilegeToken 3 IoCs
- Token SeShutdownPrivilege: PID 3564 shutdown.exe
- Token SeRemoteShutdownPrivilege: PID 3564 shutdown.exe
- Token SeDebugPrivilege: PID 3984 AntivirusDefender.exe
Suspicious use of WriteProcessMemory 15 IoCs
- PID 3984 AntivirusDefender.exe wrote to memory of PID 3564 (procid_target 84), PID 2804 (87), PID 2360 (89), PID 4296 (90) and PID 3188 (92); each target appears three times in the report
System policy modification 1 TTPs 1 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (AntivirusDefender.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\obj\Debug\AntivirusDefender.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\obj\Debug\AntivirusDefender.exe"
  PID 3984; signatures: UAC bypass, Checks computer location settings, Adds Run key to start application, Checks whether UAC is enabled, Suspicious behavior: EnumeratesProcesses, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory, System policy modification
  - C:\Windows\SysWOW64\shutdown.exe
    Command line: "C:\Windows\System32\shutdown.exe" /r /t 30
    PID 3564; signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\obj\Debug\antivirusfalsepositivetest3.exe" "C:\Users\Admin\defender.exe" & pause
    PID 2804
  - C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\obj\Debug\antivirusfalsepositivetest3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\obj\Debug\antivirusfalsepositivetest3.exe"
    PID 2360; signatures: Executes dropped EXE, Adds Run key to start application
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\obj\Debug\antivirusfalsepositivetest3.exe" "C:\Users\Admin\antivirusfalsepositivetest3.exe" & pause
    PID 4296
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\obj\Debug\antivirusfalsepositivetest4.exe" "C:\Users\Admin\antivirusfalsepositivetest4.exe" & pause
    PID 3188
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\obj\Debug\usbwrite.exe" "C:\Users\Admin\usbwrite.exe" & pause
    PID 3928
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39af055 /state1:0x41c64e6d
  PID 2596
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\obj\Debug\antivirusfalsepositivetest3.exe
  Filesize: 17KB
  MD5: 05a9d377f26e6c48b167f64fd802899b
  SHA1: 90dc58c88d853ea53fcd54410f0cc7c5fd393f05
  SHA256: 47c889dd63190f07f54b7f3db663a1fb54c1fa981caab5b627885ac92b156337
  SHA512: aa728441651b381442f09b7188349f926aec5f5ce57226d620aec7210ec19ba32ad52cf9a75cf71180041b5ee87b0245ad5534e4e738a4d174a1fc5f2a04afb0
- C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\obj\Debug\antivirusfalsepositivetest4.exe
  Filesize: 10.1MB
  MD5: 97f44c7df82adc19ce025cfc8958245c
  SHA1: 699fb553ea85db7c6c5fc5118ab7a1a0c3b19602
  SHA256: 0fc9a98ed6bad1f94e0357b6bb833b4eca20bea119abc0cdfa3bb4caeeddcda1
  SHA512: e2da423ba4eee8f4e836f5eeed82bfe9cf482a911200f805dcdff20d41901c73b40faf187c66ef2e32f9ec8f6d565c43f38229c026285dd0411d4c1c8c22c27e