Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    01-06-2024 07:08

General

  • Target

    cav_installer.exe

  • Size

    5.4MB

  • MD5

    7be4a95313c926e0233571f89291f487

  • SHA1

    a16e410af1f001434d5ed5194f0755aa24173589

  • SHA256

    4e3da75745b7e4887965862b11ba68bc7aadf3ea000636554dfc8f0b8e3261ae

  • SHA512

    31df4d21db3ddaa96a7f2492572660990621050dc74ec56fe6eca725cc2d9beb63f8b74f8c8ffc85f42fcc32540117f97b9235f0d6256f10e1da7819b5d940bc

  • SSDEEP

    98304:23oeoi7dSeyB6A89FbeCD25kvriejkx9sZjMK6vx6IF/M8aWzBWcPNkNzt/c:23oeoYSeyB6vnKCD25kvmeh6vFF//aF0

Score
7/10

Malware Config

Signatures

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks for any installed AV software in registry (1 TTPs, 25 IoCs)
  • Enumerates connected drives (3 TTPs, 23 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Executes dropped EXE (1 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store (2 TTPs, 12 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\cav_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\cav_installer.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4836
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall.exe" -log -setupname "cav_installer.exe" -sfx "C:\Users\Admin\AppData\Local\Temp" -theme lycia -type web -mode cavfree
      2⤵
      • Checks for any installed AV software in registry
      • Enumerates connected drives
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1372

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\Comodo Downloader\cis\download\installs\8050\installer_data\binaries\files_info.dat

    Filesize

    34KB

    MD5

    f42c56a1f750bdf43155a2aee0f1407c

    SHA1

    0929dd9594fccffe5e7e43ea33a5eb6467afab0b

    SHA256

    86e8a71d1327fe5f26901c8a7d10bac322dce1ff621e1339db9c7b6ab905244c

    SHA512

    31dc56d6455391a0075ab59d438335c9d38da43e1ef974bcdf14be059d63d48f8a8f7a1f6cd9eb5e790519a3824f59387abafef48417bbeb74e34b526646b8d9

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.dll

    Filesize

    277KB

    MD5

    7baac18fb157c76574ca3d7a2f5eb193

    SHA1

    6460577ce621fa28133096073376f6a88f8acd61

    SHA256

    347144ae998d96c6b8664abf56f3ff8cfa4dcdfd6e13205d7e8ee2f3b77eefc2

    SHA512

    513cc213da81db470f8675c29162f4b724bb92a690edd451025eb68588971eebb937f88cc5a659222f2bbbd99440aa56800bf4167bb8912ea87a0b2648b002ea

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdhtml.dll

    Filesize

    4.2MB

    MD5

    6d9aa26bb18af69dc74ae8e822eb53dd

    SHA1

    6ef20da9b9e70afa742f047f1c6f9d3e58290450

    SHA256

    cf140523b8834de1c37efa29b02adcdc88babc0f8ee90ba93dd98c260d7036c3

    SHA512

    3a9e8f15d207e98bb182f8d1838e93dba9750e6cfc79b72aab0706f969866447e50b3ab28bc1768a7cac7e7733cde80085cabcefefae0d287f08374578935c36

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdinstall.exe

    Filesize

    5.7MB

    MD5

    74cf93a3d559a630911fc94568b99e1e

    SHA1

    a5f164154e164174c715e493f440b1935ec53af8

    SHA256

    fe82eb2103b177370e742aee40a2b840805516ff23867f6b9bd3655a401eb50b

    SHA512

    c000d512e270d7f89058fe52a3ecfac6f60462eed21b134ebb57640cc6425e7ece9b6ce683acc666d8358875c8d621497a8e3eb95b4ad72311efb9d12c03100a

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cmdres.dll

    Filesize

    367KB

    MD5

    a4b3e07a9d407bca7a0ed76ea7c4945f

    SHA1

    af16d87110e2f9e64d5c35a6d522151b69377bbc

    SHA256

    b115a17e7500dbc34cce1f8e84a59f072a26ad49be5dcde6ac5908e4d2ad3555

    SHA512

    77c6ba298f5bd4c04192660d365d2a45ecb23fa441818735bd01050677037e1976670dcb457b6684343fbccb02a6fcfd98f22ae9f2de263057157917ee28d981

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer_langdata.bin

    Filesize

    5KB

    MD5

    b80eda6258e28b537651f8e5ebd997ff

    SHA1

    826741e138e8342f4bc3303838e347a44bb93546

    SHA256

    6e960dfed451c2dfb99352d25d3df8dd46fe7d80c9af79805c0cfbd1a99a2709

    SHA512

    9fce1cb5fe8b6a2bc4d13c1ca3ec31c926c6dd33717f145da6952ae33144eb11a6ee9e751e1d3e2d5d6ce7768e9f9602773a917d9f5f8473670e6d631b932b74

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\themes\ilycia.set

    Filesize

    764KB

    MD5

    7b85f91536c8342ac64d3edece2af7fe

    SHA1

    1e28c62364f606f03078e985222a2e3400a483c6

    SHA256

    918e7aad857776a895ecdf850665c355026882bcf1e0eba279ff4f7aa4b6bbae

    SHA512

    42cbaca95018eba8b05d3d586dbe8537ec1130af9edd813c4e7affef88c804a4ae65d9a446a95326508cd21da03a7e6a7969f6de5a68e69ce86c827f4308ac5a