fa8064a6eca9a30e4525c9135d7ffb45a5d25dda297fa10f0e91bb721ea529f9

Analysis

max time kernel
93s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

avg_secure_browser_setup.exe
Size

5.8MB
MD5

307f6d07dffc9c83b9af06a266225959
SHA1

28f5891349c98de90d07d10da8293e3a719aaabb
SHA256

fa8064a6eca9a30e4525c9135d7ffb45a5d25dda297fa10f0e91bb721ea529f9
SHA512

d68162b2965324e10c14fbc809932e675653562225da411e95972491f3300ea63f031822b6d21aff99e3ef90fa46a626140c3c411c9a35bfc23a849b3a5b8ae6
SSDEEP

98304:tALz1JdBgUZrjJeVcqdYwyQ50Fk8ou3xUEBS9/RZJUGXjZvYHiUYDt:tAzPzgUZrt54Yj20Fk8oLEBSZRfUGT6E

Score

7^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	avg_secure_browser_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	aj91C3.exe

Executes dropped EXE 1 IoCs

pid	Process
724	aj91C3.exe

Loads dropped DLL 14 IoCs

pid	Process
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
724	aj91C3.exe
724	aj91C3.exe
724	aj91C3.exe
724	aj91C3.exe
724	aj91C3.exe
724	aj91C3.exe
724	aj91C3.exe
724	aj91C3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	aj91C3.exe
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\AVAST Software\Avast	aj91C3.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	aj91C3.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aj91C3.exe

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aj91C3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aj91C3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
724	aj91C3.exe
724	aj91C3.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
724	aj91C3.exe
724	aj91C3.exe
724	aj91C3.exe
724	aj91C3.exe
724	aj91C3.exe
724	aj91C3.exe
724	aj91C3.exe
724	aj91C3.exe
724	aj91C3.exe
724	aj91C3.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe
3660	avg_secure_browser_setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3660	avg_secure_browser_setup.exe
724	aj91C3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 724	3660	avg_secure_browser_setup.exe	86
PID 3660 wrote to memory of 724	3660	avg_secure_browser_setup.exe	86
PID 3660 wrote to memory of 724	3660	avg_secure_browser_setup.exe	86

C:\Users\Admin\AppData\Local\Temp\avg_secure_browser_setup.exe
"C:\Users\Admin\AppData\Local\Temp\avg_secure_browser_setup.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks for any installed AV software in registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Users\Admin\AppData\Local\Temp\aj91C3.exe
  "C:\Users\Admin\AppData\Local\Temp\aj91C3.exe" /relaunch=8 /was_elevated=1 /tagdata
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aj91C3.exe

Filesize
5.8MB

MD5
c79bb78a0bad2559a7037913dd1f1f34

SHA1
a5b36348ad93fdf971201f31136d8c9b056984a7

SHA256
f63b47288af395ac9c02c980592691e2d446fe8b4d3813007433ae262af693c3

SHA512
1bd81cbe784427e54903159225e0fd94c0fab1d9498c11db177d86268f34129e6835759a9a3e3822c717349043930e13168390fcc2f9a74f9699f14497cfc888

Download Submit
C:\Users\Admin\AppData\Local\Temp\avg-securebrowser-web-tags

Filesize
68B

MD5
462f2369ac2678023e9dcc30813e49ec

SHA1
224afd81a27150d51950b11025c006c037e892ea

SHA256
b06cfdda3a519e5c7ca0d5802d1ae42c01e71b06b746bb8c488b4c230a6a9209

SHA512
0b5c395e1deb631c99a7f69a566c2a1ef3ebbf825a30ce529d023ea10444f3c7e122bb50354a88f7815aa3e590187f6f9ffec1d7bbb161e3ce74de59a056980d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa92DC.tmp\CR.History.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa92DC.tmp\CR.History.tmp

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa92DC.tmp\FF.places.tmp

Filesize
5.0MB

MD5
1e256b0e7a5e0a6451381d3fc3697dfc

SHA1
470fd743da4f7a18cde0ad8f7e70dcfefabd04b8

SHA256
30178a1c937192d3af93c49f9f885dc73f26b37987b130c59fe822b067ea1ce6

SHA512
a3aea8551c3c7efe31a98e4775508401ed2ff20013e4bd7b2aae17590ada67e0a0af21d6213b9da191019c12fc61ec950d48717b18a4126e5db03b74e0cbae01

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa92DC.tmp\Midex.dll

Filesize
126KB

MD5
2597a829e06eb9616af49fcd8052b8bd

SHA1
871801aba3a75f95b10701f31303de705cb0bc5a

SHA256
7359ca1befdb83d480fc1149ac0e8e90354b5224db7420b14b2d96d87cd20a87

SHA512
8e5552b2f6e1c531aaa9fd507aa53c6e3d2f1dd63fe19e6350c5b6fbb009c99d353bb064a9eba4c31af6a020b31c0cd519326d32db4c8b651b83952e265ffb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl8975.tmp\JsisPlugins.dll

Filesize
2.1MB

MD5
d21ae3f86fc69c1580175b7177484fa7

SHA1
2ed2c1f5c92ff6daa5ea785a44a6085a105ae822

SHA256
a6241f168cacb431bfcd4345dd77f87b378dd861b5d440ae8d3ffd17b9ceb450

SHA512
eda08b6ebdb3f0a3b6b43ef755fc275396a8459b8fc8a41eff55473562c394d015e5fe573b3b134eeed72edff2b0f21a3b9ee69a4541fd9738e880b71730303f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl8975.tmp\StdUtils.dll

Filesize
195KB

MD5
34939c7b38bffedbf9b9ed444d689bc9

SHA1
81d844048f7b11cafd7561b7242af56e92825697

SHA256
b127f3e04429d9f841a03bfd9344a0450594004c770d397fb32a76f6b0eabed0

SHA512
bc1b347986a5d2107ad03b65e4b9438530033975fb8cc0a63d8ef7d88c1a96f70191c727c902eb7c3e64aa5de9ce6bb04f829ceb627eda278f44ca3dd343a953

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl8975.tmp\jsis.dll

Filesize
127KB

MD5
2027121c3cdeb1a1f8a5f539d1fe2e28

SHA1
bcf79f49f8fc4c6049f33748ded21ec3471002c2

SHA256
1dae8b6de29f2cfc0745d9f2a245b9ecb77f2b272a5b43de1ba5971c43bf73a1

SHA512
5b0d9966ecc08bcc2c127b2bd916617b8de2dcbdc28aff7b4b8449a244983bfbe33c56f5c4a53b7cf21faf1dbab4bb845a5894492e7e10f3f517071f7a59727c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl8975.tmp\nsJSON.dll

Filesize
36KB

MD5
f840a9ddd319ee8c3da5190257abde5b

SHA1
3e868939239a5c6ef9acae10e1af721e4f99f24b

SHA256
ddb6c9f8de72ddd589f009e732040250b2124bca6195aa147aa7aac43fc2c73a

SHA512
8e12391027af928e4f7dad1ec4ab83e8359b19a7eb0be0372d051dfd2dd643dc0dfa086bd345760a496e5630c17f53db22f6008ae665033b766cbfcdd930881a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl8975.tmp\thirdparty.dll

Filesize
93KB

MD5
7b4bd3b8ad6e913952f8ed1ceef40cd4

SHA1
b15c0b90247a5066bd06d094fa41a73f0f931cb8

SHA256
a49d3e455d7aeca2032c30fc099bfad1b1424a2f55ec7bb0f6acbbf636214754

SHA512
d7168f9504dd6bbac7ee566c3591bfd7ad4e55bcac463cecb70540197dfe0cd969af96d113c6709d6c8ce6e91f2f5f6542a95c1a149caa78ba4bcb971e0c12a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{10B77FD7-9EE3-4481-881D-027C1D822668}\scrt.dll

Filesize
5.7MB

MD5
f36f05628b515262db197b15c7065b40

SHA1
74a8005379f26dd0de952acab4e3fc5459cde243

SHA256
67abd9e211b354fa222e7926c2876c4b3a7aca239c0af47c756ee1b6db6e6d31

SHA512
280390b1cf1b6b1e75eaa157adaf89135963d366b48686d48921a654527f9c1505c195ca1fc16dc85b8f13b2994841ca7877a63af708883418a1d588afa3dbe8

Download Submit