Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
15-09-2024 05:51
General
-
Target
avgdiagex.exe
-
Size
2.8MB
-
MD5
79a60194b00b59777dd7539fb49f0a1e
-
SHA1
b2c04a1f13268371ca53c4c752aa2bc4fd8a0de3
-
SHA256
b54be97cff2ff0c114e1e3ff846f65e2dd085922f4df4dbb9c5845b2944aa1bb
-
SHA512
0bf8119e4b2bf2afdf28b2f682d9f120e5b6da432d3d2df95158b58f341e4fb90fbd7dafffa5a39424a8abee5bb6912411ca34e0e2758caad5610d794f299a81
-
SSDEEP
49152:knI3JLy/Q2NEdLdyCCTem+g691KHkxQnTwiJIV4jJlUzvPsU2Eo:kI3JLy/QvdLdsgmHCyom3
Malware Config
Signatures
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Remote Services: SMB/Windows Admin Shares 1 TTPs 1 IoCs
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\avgdiagex.exe"C:\Users\Admin\AppData\Local\Temp\avgdiagex.exe"1⤵
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Remote Services: SMB/Windows Admin Shares
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Avg2013\log\avgdiagex.log.1Filesize
64KB
MD57aef6425f35e56c436e5533fdcb515f0
SHA1ec567509a95e944bb93c14d231da779609b86555
SHA2564365f0e9484ef4008a95aaa4b2cf9424135177b959e927459dd93e44a7609f5a
SHA5125a6496297de233cbca7d4cd8fac15c03b219343b85f86fd0774a0dc2dc570e89375e74b31ce60a9a7fb806c886e4f51fa6a3dd8a6f5a019b37b258d55e25c89d
-
C:\Users\Admin\AppData\Local\Temp\avgdiag2\1f42920b-798d-4e09-bcc1-cf18363dce46\1f42920b-798d-4e09-bcc1-cf18363dce46[f3031820-a53d-47c6-962e-230c8048aadc].txtFilesize
612B
MD55032d60ef90f3564fa8a5f4819f885f8
SHA1687ce3b15218feb39469feab22839a65bea35f0a
SHA256fe0482ce5dd51c25d357f4bd92bcb6d630e161fab43c9d2b480dd1435c490cb3
SHA512e612930b3ec20bb1c1ba7388336fb0ab1ce3b9ada4ad7ed829845a4967066eba7509e695e3fea5e87968dc943b1d4975abb01f381e9870c93d53ef827cdd7d98
-
C:\Users\Admin\AppData\Local\Temp\avgdiag2\1f42920b-798d-4e09-bcc1-cf18363dce46\out\1f42920b-798d-4e09-bcc1-cf18363dce46[f3031820-a53d-47c6-962e-230c8048aadc].zipFilesize
409KB
MD565bc0e3b8223bfee52112efcd2c27a8d
SHA1e5139e70c98f2cfc9c8bfb9fb5d1abeec1ec10ed
SHA256b8e76931ea56f87c6da7f8fd6a25fe3e0c2e5da0ea1b50a0c92184adc6701a57
SHA5125090eb82bb07141cf9d5a362d47b19d76159277518d589feca7fa25bdf9fe4f6e8f0776cfb3bca86f86dd8deeebdb134cdc56f5c5a1f06829fde1af6d166a466