Analysis
- max time kernel: 121s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 15-09-2024 05:51
Tasks
Task           Sample            Resource
static1        (static task)     -
behavioral1    avgadvisorx.dll   win7-20240903-en
behavioral2    avgadvisorx.dll   win10v2004-20240802-en
behavioral3    avgapix.dll       win7-20240704-en
behavioral4    avgapix.dll       win10v2004-20240802-en
behavioral5    avgceix.dll       win7-20240903-en
behavioral6    avgceix.dll       win10v2004-20240802-en
behavioral7    avgcfgex.exe      win7-20240903-en
behavioral8    avgcfgex.exe      win10v2004-20240802-en
behavioral9    avgcfgx.dll       win7-20240903-en
behavioral10   avgcfgx.dll       win10v2004-20240802-en
behavioral11   avgcmgr.exe       win7-20240729-en
behavioral12   avgcmgr.exe       win10v2004-20240802-en
behavioral13   avgcommx.dll      win7-20240903-en
behavioral14   avgcommx.dll      win10v2004-20240802-en
behavioral15   avgcslx.dll       win7-20240903-en
behavioral16   avgcslx.dll       win10v2004-20240802-en
behavioral17   avgdecider.dll    win7-20240903-en
behavioral18   avgdecider.dll    win10v2004-20240802-en
behavioral19   avgdiagex.exe     win7-20240903-en
behavioral20   avgdiagex.exe     win10v2004-20240802-en
behavioral21   avgduix.dll       win7-20240708-en
behavioral22   avgduix.dll       win10v2004-20240910-en
behavioral23   avgdumpx.exe      win7-20240903-en
behavioral24   avgdumpx.exe      win10v2004-20240802-en
behavioral25   avgidsha.dll      win7-20240903-en
behavioral26   avgidsha.dll      win10v2004-20240802-en
behavioral27   avgidshx.dll      win7-20240704-en
behavioral28   avgidshx.dll      win10v2004-20240802-en
behavioral29   avgkrnlapix.dll   win7-20240708-en
behavioral30   avgkrnlapix.dll   win10v2004-20240802-en
behavioral31   avglngx.dll       win7-20240903-en
behavioral32   avglngx.dll       win10v2004-20240802-en
General
- Target: avgdiagex.exe
- Size: 2.8MB
- MD5: 79a60194b00b59777dd7539fb49f0a1e
- SHA1: b2c04a1f13268371ca53c4c752aa2bc4fd8a0de3
- SHA256: b54be97cff2ff0c114e1e3ff846f65e2dd085922f4df4dbb9c5845b2944aa1bb
- SHA512: 0bf8119e4b2bf2afdf28b2f682d9f120e5b6da432d3d2df95158b58f341e4fb90fbd7dafffa5a39424a8abee5bb6912411ca34e0e2758caad5610d794f299a81
- SSDEEP: 49152:knI3JLy/Q2NEdLdyCCTem+g691KHkxQnTwiJIV4jJlUzvPsU2Eo:kI3JLy/QvdLdsgmHCyom3
Malware Config
Signatures
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled (1 IoC)
  Processes (description: IoC, process):
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, avgdiagex.exe
- Maps connected drives based on registry (3 TTPs, 6 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description: IoC, process):
  - Key value enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum, avgdiagex.exe
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0, avgdiagex.exe
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count, avgdiagex.exe
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\NextInstance, avgdiagex.exe
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum, avgdiagex.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum, avgdiagex.exe
- Remote Services: SMB/Windows Admin Shares (1 TTP, 1 IoC)
  Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
  Processes (description: IoC, process):
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LanmanServer\Parameters\NullSessionPipes, avgdiagex.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description: IoC, process):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, avgdiagex.exe
- Modifies registry class (2 IoCs)
  Processes (description: IoC, process):
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A563CC5-118B-20E8-A494-3B67AD4F7D9C}, avgdiagex.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A563CC5-118B-20E8-A494-3B67AD4F7D9C}\data = "f3031820a53d47c6962e230c8048aadc", avgdiagex.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes (pid, process):
  - 2400, avgdiagex.exe (7 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  - Token: SeSecurityPrivilege, 2400, avgdiagex.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\avgdiagex.exe (PID 2400)
  Command line: "C:\Users\Admin\AppData\Local\Temp\avgdiagex.exe"
  Signatures triggered:
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - Remote Services: SMB/Windows Admin Shares
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Avg2013\log\avgdiagex.log.1
  Filesize: 64KB
  MD5: 7aef6425f35e56c436e5533fdcb515f0
  SHA1: ec567509a95e944bb93c14d231da779609b86555
  SHA256: 4365f0e9484ef4008a95aaa4b2cf9424135177b959e927459dd93e44a7609f5a
  SHA512: 5a6496297de233cbca7d4cd8fac15c03b219343b85f86fd0774a0dc2dc570e89375e74b31ce60a9a7fb806c886e4f51fa6a3dd8a6f5a019b37b258d55e25c89d
- C:\Users\Admin\AppData\Local\Temp\avgdiag2\1f42920b-798d-4e09-bcc1-cf18363dce46\1f42920b-798d-4e09-bcc1-cf18363dce46[f3031820-a53d-47c6-962e-230c8048aadc].txt
  Filesize: 612B
  MD5: 5032d60ef90f3564fa8a5f4819f885f8
  SHA1: 687ce3b15218feb39469feab22839a65bea35f0a
  SHA256: fe0482ce5dd51c25d357f4bd92bcb6d630e161fab43c9d2b480dd1435c490cb3
  SHA512: e612930b3ec20bb1c1ba7388336fb0ab1ce3b9ada4ad7ed829845a4967066eba7509e695e3fea5e87968dc943b1d4975abb01f381e9870c93d53ef827cdd7d98
- C:\Users\Admin\AppData\Local\Temp\avgdiag2\1f42920b-798d-4e09-bcc1-cf18363dce46\out\1f42920b-798d-4e09-bcc1-cf18363dce46[f3031820-a53d-47c6-962e-230c8048aadc].zip
  Filesize: 409KB
  MD5: 65bc0e3b8223bfee52112efcd2c27a8d
  SHA1: e5139e70c98f2cfc9c8bfb9fb5d1abeec1ec10ed
  SHA256: b8e76931ea56f87c6da7f8fd6a25fe3e0c2e5da0ea1b50a0c92184adc6701a57
  SHA512: 5090eb82bb07141cf9d5a362d47b19d76159277518d589feca7fa25bdf9fe4f6e8f0776cfb3bca86f86dd8deeebdb134cdc56f5c5a1f06829fde1af6d166a466