Analysis
max time kernel: 91s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 12:51
Static task: static1
Behavioral task: behavioral1
Sample: kav21.3.10.391en_26074.exe
Resource: win7-20240508-en
General
Target: kav21.3.10.391en_26074.exe
Size: 2.6MB
MD5: b5af88375274f483302082b0732c3fe3
SHA1: f88dd4162e4cd03602156b4ca80bf72cd40189ca
SHA256: 2718dbeb8322435219fedc9e55ef236052c9e8f1e85429a3c98d963ad733b9b6
SHA512: 6f1a5b0fdd67126047563520ce603e761208b0d745198e6bccd1ec95af8388ccd22c3e1af60472e94ff610defcdab16f52459506b27f455b2386993ab63b6cf3
SSDEEP: 49152:247Nlau3Z6JvDrOV9Gcwb/alTe/iXMNLdcE/EBSDre/2jX8oN:2eNlau3MJOV9GvZbRDe/2zb
Malware Config
Signatures
Loads dropped DLL 1 IoCs
pid   Process
4664  kav21.3.10.391en_26074.exe
Checks for any installed AV software in registry 1 TTPs 45 IoCs
Checks whether UAC is enabled 1 IoCs
description        ioc                                                                                   Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  kav21.3.10.391en_26074.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   Process
4664  kav21.3.10.391en_26074.exe (all 4 IoCs from this PID)
Suspicious use of SetWindowsHookEx 9 IoCs
pid   Process
4664  kav21.3.10.391en_26074.exe (all 9 IoCs from this PID)
Processes
C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe" 1⤵
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 4664
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5.1MB
MD5: 7c0418acfb24086ede591a7e1d3df7ac
SHA1: 9bee27188d04bf44fa2e95a8fcb575497396f2b0
SHA256: d7b6905661d364be51bdb7e8e2ef9832ed0c33f056c4f40368f9ae6c1b4e608a
SHA512: e2c45aad07d5db230c9758fde258ab5589160d81a8723a5d246fe3287fca1a192b162c33f35144a44d16dd655e4a86694acd55c9279a15b795777ede2b14f71c

Filesize: 1KB
MD5: b79ab8145423e4714f4d3623a7913eef
SHA1: 0f17053bd76724cb244866c537de47ea6124331a
SHA256: 59a439debcea1f039382e258a337031f9878450afbce19a2a52a37783009fafe
SHA512: 239663617d89722d8c4187804901436c456444b92655ade83c1fbf04231467693869efdc689123724dcc58d63665efb5dbb2a835fe49144facbea361c8ae9151