Overview
overview
10Static
static
10TotalAV_Setup.exe
windows7-x64
4TotalAV_Setup.exe
windows10-2004-x64
4$APPDATA/T...wf.dat
windows7-x64
3$APPDATA/T...wf.dat
windows10-2004-x64
3$APPDATA/T...wf.dat
windows7-x64
3$APPDATA/T...wf.dat
windows10-2004-x64
3$APPDATA/T...en.dat
windows7-x64
3$APPDATA/T...en.dat
windows10-2004-x64
3$APPDATA/T...wf.dat
windows7-x64
3$APPDATA/T...wf.dat
windows10-2004-x64
3$APPDATA/T...mv.dat
windows7-x64
3$APPDATA/T...mv.dat
windows10-2004-x64
3$APPDATA/T...db.dat
windows7-x64
3$APPDATA/T...db.dat
windows10-2004-x64
3$APPDATA/T...ce.dll
windows7-x64
3$APPDATA/T...ce.dll
windows10-2004-x64
3$APPDATA/T...wf.dat
windows7-x64
3$APPDATA/T...wf.dat
windows10-2004-x64
3$APPDATA/T...mv.dat
windows7-x64
3$APPDATA/T...mv.dat
windows10-2004-x64
3$APPDATA/T...et.dat
windows7-x64
3$APPDATA/T...et.dat
windows10-2004-x64
3$APPDATA/T...df.dat
windows7-x64
3$APPDATA/T...df.dat
windows10-2004-x64
3$APPDATA/T...e.conf
windows7-x64
3$APPDATA/T...e.conf
windows10-2004-x64
3$APPDATA/T...sg.avr
windows7-x64
3$APPDATA/T...sg.avr
windows10-2004-x64
3$APPDATA/T...rt.crt
windows7-x64
1$APPDATA/T...rt.crt
windows10-2004-x64
1$APPDATA/T...README
windows7-x64
1$APPDATA/T...README
windows10-2004-x64
1Resubmissions
07/08/2024, 12:20
240807-ph2rtsyejj 10Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
07/08/2024, 12:20
Behavioral task
behavioral1
Sample
TotalAV_Setup.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
TotalAV_Setup.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aedroid_gwf.dat
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aedroid_gwf.dat
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aeexp_gwf.dat
Resource
win7-20240705-en
Behavioral task
behavioral6
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aeexp_gwf.dat
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aeheur_agen.dat
Resource
win7-20240729-en
Behavioral task
behavioral8
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aeheur_agen.dat
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aeheur_gwf.dat
Resource
win7-20240705-en
Behavioral task
behavioral10
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aeheur_gwf.dat
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aeheur_mv.dat
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aeheur_mv.dat
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aelidb.dat
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aelidb.dat
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aeoffice.dll
Resource
win7-20240705-en
Behavioral task
behavioral16
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aeoffice.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aeoffice_gwf.dat
Resource
win7-20240729-en
Behavioral task
behavioral18
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aeoffice_gwf.dat
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aeoffice_mv.dat
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aeoffice_mv.dat
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aeset.dat
Resource
win7-20240729-en
Behavioral task
behavioral22
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aeset.dat
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aevdf.dat
Resource
win7-20240705-en
Behavioral task
behavioral24
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aevdf.dat
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/avupdate-savapilib-engine.conf
Resource
win7-20240704-en
Behavioral task
behavioral26
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/avupdate-savapilib-engine.conf
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/avupdate_msg.avr
Resource
win7-20240704-en
Behavioral task
behavioral28
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/avupdate_msg.avr
Resource
win10v2004-20240802-en
Behavioral task
behavioral29
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/cacert.crt
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/cacert.crt
Resource
win10v2004-20240802-en
Behavioral task
behavioral31
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/on_access/README
Resource
win7-20240708-en
Behavioral task
behavioral32
Sample
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/on_access/README
Resource
win10v2004-20240802-en
General
-
Target
$APPDATA/TotalAV/updates/SAVAPI 8.0.1/aeheur_gwf.dat
-
Size
912B
-
MD5
27dbb4a716dc8d87eac34a14f814dbc8
-
SHA1
2f3c673d444a0b996d609136d8741f6dfc47ba6a
-
SHA256
b90baa70bd07bc5b3573909b37a6cf4fcccc3d7c9702806c94bd843988d0ed5d
-
SHA512
dcfba0317f02771d40fa190e78c19fa2e178d0ffadd6b8d22da4be7f66a3e7983da2a0c14741ab9df0d9f034754c4ea758d758ec7a65c53f77f922d13648e9a5
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\dat_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\dat_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\dat_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.dat rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\dat_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\dat_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\dat_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.dat\ = "dat_auto_file" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2836 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2836 AcroRd32.exe 2836 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2888 wrote to memory of 2580 2888 cmd.exe 31 PID 2888 wrote to memory of 2580 2888 cmd.exe 31 PID 2888 wrote to memory of 2580 2888 cmd.exe 31 PID 2580 wrote to memory of 2836 2580 rundll32.exe 32 PID 2580 wrote to memory of 2836 2580 rundll32.exe 32 PID 2580 wrote to memory of 2836 2580 rundll32.exe 32 PID 2580 wrote to memory of 2836 2580 rundll32.exe 32
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\$APPDATA\TotalAV\updates\SAVAPI 8.0.1\aeheur_gwf.dat"1⤵
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$APPDATA\TotalAV\updates\SAVAPI 8.0.1\aeheur_gwf.dat2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\$APPDATA\TotalAV\updates\SAVAPI 8.0.1\aeheur_gwf.dat"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2836
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD562452e70547f9395e0e5bf228ccd169f
SHA153a89dd73fba344d98a1f0ac3d160f5e6cdfd384
SHA256d20ee459b999c70b909be2c80ba3bf684f29c6af95cc335aeb05e53cb549bc9b
SHA512409df9c4e327c750c5a154f2c9c148e906e0180fddd6dc402ec5ccf7c0d3cf148cfd7f9b489335d2631b8f72375990ebacee016c2591545cbc47baa827f106cf