Analysis
-
max time kernel
137s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
31/10/2024, 13:59
Static task
static1
Behavioral task
behavioral1
Sample
c88001a4a78208d5b817e7fdca376794d0fd2d2b78668af97a742d84dd2c55bb.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c88001a4a78208d5b817e7fdca376794d0fd2d2b78668af97a742d84dd2c55bb.exe
Resource
win10v2004-20241007-en
General
-
Target
c88001a4a78208d5b817e7fdca376794d0fd2d2b78668af97a742d84dd2c55bb.exe
-
Size
219KB
-
MD5
9045545c44bd8c44ce128ca5406d4bbb
-
SHA1
afa3c0449c76a78f0ab947171ffe68868b314514
-
SHA256
c88001a4a78208d5b817e7fdca376794d0fd2d2b78668af97a742d84dd2c55bb
-
SHA512
49b205268782c8614b30c517733d047f7010116501cffd26050b56c73b1427d7ecab07cb062a50d17ea53d95d01f5566a45ab58edc72d91d7f73b1c515989781
-
SSDEEP
3072:y2RaiKg4xmUh1WXHqw/l+qmOELhakVsm3mxB32tLEv8zfdn5f2dZLCoKOhh3K0Kh:y0KgGwHqwOOELha+sm2D2+UhngNdK4gt
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
pid Process
- 2948 avg_antivirus_free_setup_x64.exe
- 1100 Process not Found
- 2380 instup.exe
- 1536 instup.exe
Loads dropped DLL 33 IoCs
pid Process (number of DLL loads recorded per process)
- 2792 c88001a4a78208d5b817e7fdca376794d0fd2d2b78668af97a742d84dd2c55bb.exe (2)
- 2948 avg_antivirus_free_setup_x64.exe (7)
- 2380 instup.exe (18)
- 1536 instup.exe (6)
Checks for any installed AV software in registry 1 TTPs 5 IoCs
AVG is an Avast brand, and the processes doing the lookups are the dropped installer stages (avg_antivirus_free_setup_x64.exe and instup.exe), so checking for existing Avast and Avira installations is expected conflict detection here; the same lookups from an unrelated sample would instead suggest reconnaissance for AV evasion.
description ioc Process
- Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast instup.exe
- Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus instup.exe
- Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast instup.exe
- Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus instup.exe
- Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast avg_antivirus_free_setup_x64.exe
Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system. The four IoCs below record a handle opened for modification on \??\PhysicalDrive0, not a captured write to sector 0; an installer can open the raw disk for its own checks, so this signature needs corroboration (for example, a before/after comparison of the first sector) before the sample is treated as a bootkit.
description ioc Process
- File opened for modification \??\PhysicalDrive0 c88001a4a78208d5b817e7fdca376794d0fd2d2b78668af97a742d84dd2c55bb.exe
- File opened for modification \??\PhysicalDrive0 avg_antivirus_free_setup_x64.exe
- File opened for modification \??\PhysicalDrive0 instup.exe
- File opened for modification \??\PhysicalDrive0 instup.exe
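The signature text describes what a bootkit does; the practical follow-up is to confirm whether sector 0 actually changed. The following is an added example, not part of the report and not AVG or Triage code: it parses an MBR into its bootstrap code, disk signature and partition table and diffs a captured sector against a known-good baseline. The two 512-byte sectors are constructed inside the code for the demonstration; on a live Windows host the captured sector would come from reading the first 512 bytes of \\.\PhysicalDrive0 from an elevated prompt, and the baseline must be taken before the suspect program runs.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440          # bootstrap code area (offset 0..439)
DISK_SIG_OFF = 440          # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446        # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(bootcode: bytes, disk_signature: bytes = b"\x12\x34\x56\x78") -> bytes:
    """Construct a 512-byte MBR for the example (not captured from any real disk).

    One bootable NTFS-type (0x07) partition starting at LBA 2048, 4194304 sectors (2 GiB).
    """
    if len(bootcode) > BOOTCODE_LEN or len(disk_signature) != 4:
        raise ValueError("bootcode too long or disk signature not 4 bytes")
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 4194304)
    table = entry + b"\x00" * (16 * 3)          # remaining three slots empty
    sector = (bootcode.ljust(BOOTCODE_LEN, b"\x00") + disk_signature + b"\x00\x00"
              + table + BOOT_SIGNATURE)
    assert len(sector) == SECTOR_SIZE
    return sector


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into the regions a bootkit (or a legitimate tool) may touch."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFF + 16 * slot
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:
            continue                              # empty slot
        partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": partitions,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Names of the MBR regions that differ from the baseline ('bootcode', 'disk_signature',
    'partitions'); an empty list means sector 0 is unchanged."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    changed = []
    for region in ("bootcode_sha256", "disk_signature", "partitions"):
        if before[region] != after[region]:
            changed.append(region.replace("_sha256", ""))
    return changed


# Constructed sample sectors: a benign bootstrap stub and a copy whose code was replaced.
BASELINE_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")  # xor ax,ax; mov ss,ax; mov sp,7c00h
TAMPERED_MBR = build_sample_mbr(b"\xea\x00\x7c\x00\x00")           # jmp far 0000:7c00, stand-in for injected code


if __name__ == "__main__":
    print(parse_mbr(BASELINE_MBR))
    print("changed regions:", diff_mbr(BASELINE_MBR, TAMPERED_MBR))
```

On Windows the live sector is `open(r"\\.\PhysicalDrive0", "rb").read(512)` from an elevated prompt; an empty result from `diff_mbr` after the run is what you would expect if the PhysicalDrive0 handle was used for reading or for writes elsewhere on the disk, whereas a changed `bootcode` region is the bootkit case the signature is meant to catch.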
Embeds OpenSSL 1 IoCs
Embeds OpenSSL; a statically linked TLS stack can carry its own trust store or pinned certificates, so the program's traffic may refuse an interception proxy's certificate even when that proxy's root is installed in the Windows store.
resource yara_rule
- behavioral1/files/0x000500000001945c-53.dat embeds_openssl
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description ioc Process
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c88001a4a78208d5b817e7fdca376794d0fd2d2b78668af97a742d84dd2c55bb.exe
Checks processor information in registry 2 TTPs 18 IoCs
Processor information is often read in order to detect sandboxing environments. The values read here (~MHz, ProcessorNameString, Update Revision, Update Signature, CurrentPatchLevel) are the standard CPU description values that installers also consult for compatibility checks, so on its own this signature is weak evidence either way.
description ioc Process
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision instup.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 instup.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz instup.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel instup.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature avg_antivirus_free_setup_x64.exe
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 instup.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature instup.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel instup.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz instup.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 instup.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString instup.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision avg_antivirus_free_setup_x64.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString instup.exe
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 instup.exe
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 avg_antivirus_free_setup_x64.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel avg_antivirus_free_setup_x64.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature instup.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision instup.exe
Modifies registry class 64 IoCs
All entries below are under \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage (the path is abbreviated to the value name); they record installer progress percentages and status strings.
description ioc Process
- Set value (int) InstupProgress_UpdateSetup_Syncer = "68" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "42" instup.exe
- Set value (int) InstupProgress_Installation_Syncer = "27" instup.exe
- Set value (int) InstupProgress_Installation_Syncer = "36" instup.exe
- Set value (int) InstupProgress_Installation_Syncer = "46" instup.exe
- Set value (int) InstupProgress_Installation_Syncer = "93" instup.exe
- Set value (int) InstupProgress_Installation_Syncer = "76" instup.exe
- Set value (int) SfxInstProgress = "35" avg_antivirus_free_setup_x64.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "82" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "72" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "99" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "56" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Main = "0" instup.exe
- Set value (str) InstupProgress_Description = "Extracting file: instup.exe" instup.exe
- Set value (int) InstupProgress_Installation_Syncer = "38" instup.exe
- Set value (int) InstupProgress_Installation_Syncer = "83" instup.exe
- Set value (int) InstupProgress_Installation_Syncer = "85" instup.exe
- Set value (int) InstupProgress_Installation_Syncer = "95" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "26" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "78" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "98" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "94" instup.exe
- Set value (str) InstupProgress_Description = "Updating package: offertool_x64_ais" instup.exe
- Set value (int) InstupProgress_Installation_Syncer = "20" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "54" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Main = "37" instup.exe
- Set value (str) InstupProgress_Description = "File downloaded: servers.def.vpx" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "67" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "38" instup.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage instup.exe
- Set value (int) InstupProgress_Installation_Syncer = "92" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "65" instup.exe
- Set value (int) InstupProgress_Installation_Syncer = "43" instup.exe
- Set value (int) SfxInstProgress = "78" avg_antivirus_free_setup_x64.exe
- Set value (int) InstupProgress_Installation_Syncer = "34" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "61" instup.exe
- Set value (str) InstupProgress_Description = "File downloaded: instcont_x64_ais-c62.vpx" instup.exe
- Set value (int) InstupProgress_Installation_Syncer = "94" instup.exe
- Set value (int) SfxInstProgress = "92" avg_antivirus_free_setup_x64.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "64" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "0" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "76" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "33" instup.exe
- Set value (int) InstupProgress_Installation_Syncer = "42" instup.exe
- Set value (int) SfxInstProgress = "100" avg_antivirus_free_setup_x64.exe
- Set value (str) InstupProgress_Description = "DNS resolving" instup.exe
- Set value (int) InstupProgress_Installation_Syncer = "5" instup.exe
- Set value (int) InstupProgress_Installation_Syncer = "23" instup.exe
- Set value (int) InstupProgress_Installation_Syncer = "89" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "2" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "15" instup.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "48" instup.exe
- Set value (str) InstupProgress_Description = "File downloaded: offertool_x64_ais-c62.vpx" instup.exe
- Set value (int) InstupProgress_Installation_Syncer = "1" instup.exe
- Set value (int) InstupProgress_Installation_Syncer = "30" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "23" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "81" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "95" instup.exe
- Set value (int) InstupProgress_UpdateSetup_Syncer = "21" instup.exe
- Set value (str) InstupProgress_Description = "File downloaded: setgui_x64_ais-c62.vpx" instup.exe
- Set value (str) InstupProgress_Description = "Updating package: setgui_x64_ais" instup.exe
- Set value (int) InstupProgress_Installation_Syncer = "74" instup.exe
- Set value (int) SfxInstProgress = "85" avg_antivirus_free_setup_x64.exe
Modifies system certificate store 2 IoCs
AuthRoot is the store Windows populates through its automatic root-certificate update when a program validates a chain to a root not yet cached locally, and A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the thumbprint of a well-known public root (DigiCert Global Root CA). On a fresh sandbox image this is the usual side effect of the sample's first HTTPS connection rather than an attacker-supplied root; a malicious addition would more typically be an unfamiliar thumbprint written to the ROOT store or to the user's store.
description ioc Process
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 c88001a4a78208d5b817e7fdca376794d0fd2d2b78668af97a742d84dd2c55bb.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob data omitted] c88001a4a78208d5b817e7fdca376794d0fd2d2b78668af97a742d84dd2c55bb.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
- 2948 avg_antivirus_free_setup_x64.exe
- 2948 avg_antivirus_free_setup_x64.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process
- Token: 32 2948 avg_antivirus_free_setup_x64.exe
- Token: SeDebugPrivilege 2948 avg_antivirus_free_setup_x64.exe
- Token: SeDebugPrivilege 2380 instup.exe
- Token: 32 2380 instup.exe
- Token: SeDebugPrivilege 1536 instup.exe
- Token: 32 1536 instup.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
- 2380 instup.exe
- 1536 instup.exe
- 1536 instup.exe
- 1536 instup.exe
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target
- PID 2792 wrote to memory of 2948 2792 c88001a4a78208d5b817e7fdca376794d0fd2d2b78668af97a742d84dd2c55bb.exe 30 (recorded 4 times)
- PID 2948 wrote to memory of 2380 2948 avg_antivirus_free_setup_x64.exe 31 (recorded 3 times)
- PID 2380 wrote to memory of 1536 2380 instup.exe 33 (recorded 3 times)
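The signature tables above arrive as flattened "description ioc Process" rows, which are awkward to triage by hand. The following is an added example, not part of the report and not Triage's own tooling: it parses rows in that shape back into records, classifies each registry path or object name by the behaviour it evidences, and rebuilds the process lineage from the WriteProcessMemory rows so that each behaviour can be attributed to a stage of the dropped installer. The rows embedded in the code are a constructed subset copied in the report's format; the behaviour classes and their path patterns are this example's own choices.

```python
import re
from collections import defaultdict

# The report's sample name, reused so the constructed rows look like the real ones.
SAMPLE = "c88001a4a78208d5b817e7fdca376794d0fd2d2b78668af97a742d84dd2c55bb.exe"

# Constructed subset of rows in the exact shape of the report's IoC tables.
# Registry/file rows are "<action> <target> <process>"; the target may contain spaces,
# so the process name is taken as the final whitespace-free token ending in .exe.
IOC_LINES = rf"""
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast instup.exe
Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus instup.exe
Key opened \REGISTRY\MACHINE\Software\AVAST Software\Avast avg_antivirus_free_setup_x64.exe
File opened for modification \??\PhysicalDrive0 instup.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz instup.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language {SAMPLE}
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "35" avg_antivirus_free_setup_x64.exe
""".strip().splitlines()

# WriteProcessMemory rows: "PID <src> wrote to memory of <dst> <src> <src name> <target index>".
WPM_LINES = f"""
PID 2792 wrote to memory of 2948 2792 {SAMPLE} 30
PID 2792 wrote to memory of 2948 2792 {SAMPLE} 30
PID 2948 wrote to memory of 2380 2948 avg_antivirus_free_setup_x64.exe 31
PID 2380 wrote to memory of 1536 2380 instup.exe 33
""".strip().splitlines()

IOC_RE = re.compile(
    r"^(?P<action>Key opened|Key value queried|Key created|Set value \(\w+\)|File opened for modification)"
    r"\s+(?P<target>.+?)\s+(?P<process>\S+\.exe)$"
)
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_name>\S+) \d+$")


def parse_iocs(lines):
    """Turn flattened 'description ioc Process' rows into dicts with action/target/process."""
    records = []
    for line in lines:
        m = IOC_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised IoC row: {line!r}")
        records.append(m.groupdict())
    return records


def categorise(target):
    """Map a registry path or object name to the behaviour class it evidences (example's own taxonomy)."""
    t = target.lower()
    if t.startswith(r"\??\physicaldrive"):
        return "raw_disk_handle"
    if "\\centralprocessor\\" in t:
        return "cpu_info"
    if "\\nls\\language" in t:
        return "system_language"
    if "\\avast software\\" in t or "\\avira\\" in t:
        return "av_vendor_key"
    if "\\systemcertificates\\authroot\\" in t:
        return "root_cert_store"
    return "other"


def behaviours_by_process(records):
    """Per process, the sorted set of behaviour classes seen in its rows."""
    seen = defaultdict(set)
    for r in records:
        seen[r["process"]].add(categorise(r["target"]))
    return {proc: sorted(cats) for proc, cats in seen.items()}


def process_tree(lines):
    """Rebuild parent->children edges (deduplicated) and pid->name from WriteProcessMemory rows."""
    tree, names = {}, {}
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised WriteProcessMemory row: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        names[src] = m["src_name"]
        children = tree.setdefault(src, [])
        if dst not in children:
            children.append(dst)
    return tree, names


def roots(tree):
    """Pids that write to other processes but are never written to: the top of each chain."""
    written_to = {child for kids in tree.values() for child in kids}
    return sorted(pid for pid in tree if pid not in written_to)


def lineage(tree, root):
    """Follow single-child edges down from root; stops where a pid has zero or several children."""
    chain = [root]
    while len(tree.get(chain[-1], [])) == 1:
        chain.append(tree[chain[-1]][0])
    return chain


if __name__ == "__main__":
    tree, names = process_tree(WPM_LINES)
    for root in roots(tree):
        print(" -> ".join(f"{pid} {names.get(pid, '?')}" for pid in lineage(tree, root)))
    for proc, cats in behaviours_by_process(parse_iocs(IOC_LINES)).items():
        print(proc, cats)
```

Run against the full report, the lineage comes out as 2792 -> 2948 -> 2380 -> 1536 and every AV-vendor lookup, CPU query and PhysicalDrive0 open is attributed to the dropped installer stages rather than to the top-level sample, which is the pattern an analyst expects of a packaged installer and the first thing to check before escalating the individual signatures.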
Processes
-
C:\Users\Admin\AppData\Local\Temp\c88001a4a78208d5b817e7fdca376794d0fd2d2b78668af97a742d84dd2c55bb.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\c88001a4a78208d5b817e7fdca376794d0fd2d2b78668af97a742d84dd2c55bb.exe"
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID: 2792
C:\Windows\Temp\asw.2bb7fb3f3f07d4ee\avg_antivirus_free_setup_x64.exe (level 2)
Command line: "C:\Windows\Temp\asw.2bb7fb3f3f07d4ee\avg_antivirus_free_setup_x64.exe" /cookie:mmm_bav_tst_007_402_a /ga_clientid:20a63b0c-56de-4f90-91b0-eae90e447366 /edat_dir:C:\Windows\Temp\asw.2bb7fb3f3f07d4ee
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2948
C:\Windows\Temp\asw.fc18fa02687b80af\instup.exe (level 3)
Command line: "C:\Windows\Temp\asw.fc18fa02687b80af\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.fc18fa02687b80af /edition:15 /prod:ais /stub_context:af8a9314-20e1-41df-bcfb-91122be373a1:11167936 /guid:2b90b94f-f173-48b2-894a-43391a5de3ba /ga_clientid:20a63b0c-56de-4f90-91b0-eae90e447366 /no_delayed_installation /cookie:mmm_bav_tst_007_402_a /ga_clientid:20a63b0c-56de-4f90-91b0-eae90e447366 /edat_dir:C:\Windows\Temp\asw.2bb7fb3f3f07d4ee
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2380
C:\Windows\Temp\asw.fc18fa02687b80af\New_15020c62\instup.exe (level 4)
Command line: "C:\Windows\Temp\asw.fc18fa02687b80af\New_15020c62\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.fc18fa02687b80af /edition:15 /prod:ais /stub_context:af8a9314-20e1-41df-bcfb-91122be373a1:11167936 /guid:2b90b94f-f173-48b2-894a-43391a5de3ba /ga_clientid:20a63b0c-56de-4f90-91b0-eae90e447366 /no_delayed_installation /cookie:mmm_bav_tst_007_402_a /edat_dir:C:\Windows\Temp\asw.2bb7fb3f3f07d4ee /online_installer
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1536
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Registry 1
- Pre-OS Boot 1
- Bootkit 1
- Subvert Trust Controls 1
- Install Root Certificate 1
Downloads
-
Filesize
28KB
MD5
19c2e692cf6deff095a429f8f031a4c6
SHA1
8426f92306aecc0fc158cbaf3b263ef8b031b15b
SHA256
64abb8946d9ce2f53cfc53ce0e09ca46b726d04435b3a087faf0b49f26638fe1
SHA512
36358f8b760ec4641ff7a0cfbe917ea8377002e000fc54f18101946bde20ebad0f08e8c62cd35fbe6d99dc98bb45e60ec6e255de2d0308d06bf1e37522dcc684
-
Filesize
1KB
MD5
3e055cecbfdcb2390dff9d2874b7c0bb
SHA1
feae5d99cf2153c7fd83af1c350f8f12959704ff
SHA256
d37761ef4ea763f9d4963c0e8def5c6fe5dfc9e61a212b309ac872fb5cae5694
SHA512
f21736d43223bb25a9075d2fa7d74215fed1135c9a9b9e442ae643c1a80dade2828956237ddae64ffa3a2abf67cecc6d54714a8d41c0477f69fdbf39d4287325
-
Filesize
281B
MD5
c2b92c24237fd18bfc19a0ebe4bd4a2e
SHA1
a6f8befbb51b1e22b6c4e3860557d61668bcc23a
SHA256
0b7133f3a0d922f85a5d506449de681f37a160b9900609022fade54d6459aafc
SHA512
752ca0b53caf7fad170e198d20d54a9af74cb13a54ba19a2d2b39c920c6c19e5ddbc867508cf12767bbab0f92dc2e8ee0e2a3be7b7436eb385470400bb8c5d7e
-
Filesize
21B
MD5
d677cfc138c7e3b65f930cb7d7f1bf69
SHA1
8b4db4d675a52ac593173e59887e9de1050f863b
SHA256
06beace50983367df6680827c0a601df8d297c97c09a6cf53e05f3968131a18c
SHA512
e85a85f8c233917fe4c464b36ae718f8ce33cbaf32baa3b0fe30f94997ea6ce79bec0c6ce4f81c5a079297e123471e0ef3e267a3219c9054414c0d5e4adfa844
-
Filesize
4.0MB
MD5
b39614a52de7353db442a5e990d8b007
SHA1
6b9e95a06905267729e721167f99982033a3fa11
SHA256
22a35a503c3060365c5107bb0f6b17113cca77f9c76993904140f616858ea10f
SHA512
5ad0217ef70eb3baba368ccb5d05c54a479351be706ac95b268ee7dc1aa24ea00674134dc60c143bcbe5cf21d6759c18e965a6bd89bef7d0cc20f77967f56b7c
-
Filesize
21.7MB
MD5
868b5c92cbd5394800f72ed7e843a1c0
SHA1
4292711d86c2f87f813a17ac3cd606fc2d6db305
SHA256
e46f6295acd6d09164a8c2e196f02786338c54ebab0056b7e430b50a2c49f481
SHA512
3203c12e050a9225d838cdb79ba6348f1b1d381974c44b1c275b713e214d2839c6523d1ee8784b45c76bb5dd33ce70a13c8e621c460171d2d951e6af39cf1694
-
Filesize
3.8MB
MD5
0b830444a6ef848fb85bfbb173bb6076
SHA1
27964cc1673ddb68ca3da8018f0e13e9a141605e
SHA256
63f361195a989491b2c10499d626ab3306edc36fbcb21a9cd832c4c4c059bb8f
SHA512
31655204bfb16d1902bb70a603a47f6bf111c0f36962fea01e15193d72cc1fffcead1f1a7884d2929ceb77ac47c640ca8039a93b4648747496d462ffe6a05e65
-
Filesize
3.1MB
MD5
c545527e69a46359a4a45f58794a0fe5
SHA1
e233e5837bfe5d1429300fb33f12f5b54689781b
SHA256
8d86976b5ecd432772d4ac5965ff86bff6da04318f231b3e7ea64818de6211f9
SHA512
754c891b4f582948ba5dd776a87edba35f96453a540c20c5dd78f2d816bc83161e0d3f8a0f6052b5d0835f5a0b4eeb6d7a871aa611bd74e61ca25ea7046837e0
-
Filesize
19.1MB
MD5
917a284494cbe4a4ec85e1ec768339c9
SHA1
47ccc0a04ecc7c3c1ff79bf42d424cfda356137c
SHA256
57cb03fbc4750eefba0079c3fcdfc1b077e4347e0438f41e13b8614e7f11b772
SHA512
90849e580c9da697689c664b126ed97b085bd2fd6016ac9193afd7a7ac625c76db84c9bf55a4bd0308da889a16b27832383738de5ecbec7e97bbd5b7962999d8
-
Filesize
831KB
MD5
ce4d45d0b684f591d5a83fdbd99bd306
SHA1
e89637b905c37033950afadaca2161bd5b09fb5e
SHA256
907e054fef8297e3cd31d083299ff0ac495775eaa928e3e10e7000fdf6baaed7
SHA512
af0aefc20b9c9c91f63f34fcd70c27e9e304073d51cc9ec45113ab360dd5ba4ad104b5c752e022b8b153f435527b56f6bfbb6022dd4bca98f8d1778e2bfc97d1
-
Filesize
15KB
MD5
e38cc92cd980a55d811316ac62883e14
SHA1
fa83737abe11ee825c3da6843cc4d8e3b459729a
SHA256
be4d8a5dc335ca8446c0dbba4ee4ef07553a5c242bed560f11aaef4793855e87
SHA512
1422c8f94556ff0409a3cd1ff581f6c4ea56b01be36ba5b2c0e72465f4dad38391eb85bae28b079aa2f1204615d32a17b7e73e92ffcc9964f39c79626b7afe16
-
Filesize
907KB
MD5
43dc9e69f1e9db4059cf49a5e825cfda
SHA1
519298f8a681b41d2d70db2670cc7543f1ee6da4
SHA256
98efeee831a7984d94cf13800aeb1de68e79bea0bb5d95ff7adcbb43b648ed4d
SHA512
d0c07cb1e251f2135fdb21893e6ca70efc019a8b759274c87266fb5a2c48ebc0126aecee0020bd48cfd65ef2f794b81b1e417000c91db18e2ac128c86eac4079
-
Filesize
4.5MB
MD5
bbb61ad0f20d3fe17a5227c13f09e82d
SHA1
01700413fc5470aa0ba29aa1a962d7a719a92a82
SHA256
39154701a5a844eacf6aa1ccc70297c66bda6e27450fd1043778cead49da859e
SHA512
c614246263664268970562908c63e933ddda0a7f1c2f06b63eab9a06a2d8253356636cac948f709c37e66929d5d8b57663bf5f0d34fcf591ac7461c2af5b63e4
-
Filesize
18KB
MD5
b287ff221fcc9ed0834d24809fe35b97
SHA1
8bc09ba498c1a33f3226e6e55eb769e7d017cf9c
SHA256
292369211d5a83d0a54c28afcb396cc6f9a8626e0ad109c8ddac19742deb5aff
SHA512
3da3c73c074b417e4478c8a9e52c9f1debcfe4d5fe58467ca07b6c7a362b5705ad707f7af89af1eead8b699454f77cba364eba3d3759fcaa6c03e971b2b7a056
-
Filesize
19KB
MD5
9cd992ca3c4ef51e2e62f0fb215985e8
SHA1
9fbae3ca2f9727df4b0fa3a12c375fedddc27d47
SHA256
d77feb5929109586af66d3d6c0a27b1952b9ccadf071445befe02ceb11b46818
SHA512
5e30c71917e89b1ecedf2a609e85763ac723c155bd85bfc03ef09294f76b79158710e694fcc15b3425a57b29f885948eb9bc7e8c0efc2851f8e1b9f20d5139ee
-
Filesize
23KB
MD5
4ffcd447bab370ead37a0b36973eff0d
SHA1
24f3e1c67333b8444a5214aacb1dd91e25c8b6ae
SHA256
758474e34a8cbf435635e63dda335cf01f0946c54ebf4d8775512fed17accf58
SHA512
ed4bec256a0dc900118d5dc6058e7844daa47262ec8fd26dfb6c2d815ed6c7668d1dee7484f3c63a7467786fab4c257c8137b6d5d858b7615a0b1121a7e82e5a
-
Filesize
709B
MD5
48636bf1fb98b0fcfdaa5c081257f74f
SHA1
b7c1345cdf6bb418581ceeb3ddcbc94cb5dbf894
SHA256
139ed5a28ccb31111464c43e592a4ce06b445ea9fffd693bf9b8fe2af2bd3b0c
SHA512
d5265c2637d12b9a2196337e715229f0e10c79d2101e4f7fdaf75aea415d27cb5bdb0e1113f24fde1daabf827beb3bc4d0a11b438b114bfe6c16b8e2611fd925
-
Filesize
1KB
MD5
05aa66645cdacec3be07c22475868d7c
SHA1
51d37727b7d9ecfbdf4213b1daf9d4da141a8820
SHA256
5ea6599cdbd62386a0093659d1571a5b2c951fe244c6816b9a987e166a4aa078
SHA512
2b5616f9df645395c84216b6019d6b9e4c74f6c63622cfc06edff7acc567df651dccb8c7be1d595bbba6c2e9864b562466f626f6571a49f967bf8596c471af82
-
Filesize
698B
MD5
5bc880518827a6b7685d4750c8a5e33d
SHA1
e9182b20b146709f9f488500fee0ea4e46185e6d
SHA256
5454282b04ed5eea5862cc6468e5e9e9a6d94db6cb61866db89ec35523718464
SHA512
b6d744c5bc4c367158db0a2c540b3ef1c0704dba7b1b093e701c983ef26a288a78bc365ee3f23d6c55421bd79f5def85f70ba6330fcbe4e5d596d832ef7b802a
-
Filesize
175KB
MD5
29b9bfd25fabf42939e3a6877f9b3ece
SHA1
c30d865bc2d680311c68eb0bed0e356845f700f9
SHA256
ed586b6ceb3e9dcc7dd21dd7dc7addd89e71a2b90039fe15b751b367e402d475
SHA512
a22827a2f9bc3de3c6c0ed5a4e36c383b5f8d4989fc543aa1a4852034c84055925df7456c1f9466ff3923de81f9d58a6f12d8f24e782bb2e805b908ef814a90e
-
Filesize
5KB
MD5
d5b798d8816b252e7d718195dfeb8a8c
SHA1
860c5807fd491aeeb12d661d8cf2ecca4ca1639b
SHA256
75176962c8691f84eb299a555d4c82796b53a12161f1e6616ec50cf97393b499
SHA512
16cd2e8f57c05ba2bae79de39867cc35178a6d99cd035d7d20efd8788076360a408affa9b6caf3ea09daf5c32834b995e47b1ab4ec29fcc1fdfddcf0ba96cce5
-
Filesize
11KB
MD5
89db3168ad5c1073fb7a8cff99ef8adc
SHA1
cbe264034101ba3227eb45ca68d90f57cd3619d8
SHA256
7f9a95b7b2788f49b97d30da3075dbda7e42a7c389f4bd9cf81f8dcbef4703d7
SHA512
1ba734fb3b7a9bbdd72f4b59c043d54be5811e21a9e59880eac46358a85cb1bbe156cab50776fe297ff94ff5c35c01792ec6b84eb087ad2ff6c2ba21201014bb
-
Filesize
570B
MD5
6c1d9e1205004626b884438704c0631a
SHA1
00b5fd840f4fdcab41cc89da9fc1141c7594870b
SHA256
067a441767c324abf5e72729e70ae1edff257611232c08e5181ccac83f10ebec
SHA512
443c896b88520013cd43093ea6f934e179e7a64ce4d3443ab531798ce73298c5eb5dff22a554fbfd1a141daad9344fa69d170e5f727ec61652b3e297a878316e
-
Filesize
343B
MD5
3db64dd18a9c8b5f30520cb1e4dd1a97
SHA1
d52b3cb5111366c8571d545b5c527a0bb339eaf1
SHA256
5a6d11525163362dcf13d6557917c4f4af912d9f3de7d9ace9ffa3ca5c01a76b
SHA512
92ff3730244782f51fd5ed03534ec87df5c04ccc8d3add3fbb6d30a82898cd69a03cfb628f6f0d210d9d900a7b3a140e4868749ed8270aa35cde52108f6b6077
-
Filesize
343B
MD5
97a1c5f93087a027038a4fad3f51d287
SHA1
17d0564c9edb48a60c3d53823701af081e95c564
SHA256
d308053e7efab5297e6252a8b54e988276059ce3250fe6276a8ce6f7a9c96cde
SHA512
0cd45c2420de2397b171c6f41a0c9f38fc346681f10ee4649bf906fef3b6a3d250ca0396925bea9b9966cd4508cf12c174b8ecbc104bd6bd754e004ec8cc13ae
-
Filesize
27KB
MD5
c7e6e4e24e5ab4f8a02a45faa0b0d488
SHA1
2f07929c3d89cee87b9215b544a853254e0b0954
SHA256
f9cb6948ee78d3250299f811168348e554419d70cc33ac0cfd8c7258678fdb7c
SHA512
fb988fffa9b8b2c6aab74b605e0d24642042a614094bb35b3a51f80f0dee6bbae365a8fad71af1f004bf405f7ce6396794f9850125ee3a2a293a5e7d9f056a04
-
Filesize
1KB
MD5
a5f4c9bc6ea5c71f763b215ded1298d2
SHA1
87e4f4be5dd37ddb13d220ccef88ae9091d0b452
SHA256
057585349fc3568979e1d5ef62c32b801ac23835c2f224464a7300875b9f28c7
SHA512
65f625ed27187c68c8d376626b5df38a96869fc1794a956f4fb87b3753dbfd0c1bec9e824a026c363bd0f5f1fbc55dfd37a26dc23f7af17254cf4e4a771f5244
-
Filesize
37KB
MD5
3fc9d055795a4c01893e5661f300c513
SHA1
29c64165afecea436a2dcb57dd5b54163a002df4
SHA256
425eb69377f5ab3508bca26402d48377ab0362840ef0c77852236f45efc597e0
SHA512
e1622c0390a66dba328f5c699b10b32c66aec8a20474a6b5d49c2e0faf3a9997620db0f2162d6763976d70159e53363e9217d372cb19f982241f66ec8761c902
-
Filesize
16KB
MD5
65102de34e58a65be304b144659b8647
SHA1
062183fa6bfc38f64a9ba59ba3c6d642ff19e553
SHA256
5b94dc186cb9a01363a4c4220d4ad9940ba5294a354a5013ffb445e94f4eb09d
SHA512
b33431c4f0afc0528080505609c5c6efe6b9ac9a71c30380723fec14bcccc56056baede824b105231793e40e0d5342ce8863d4c4d75611cf7ac1b315c534b766
-
Filesize
10.7MB
MD5
67337e485e2bc58d16b78674194ccf5e
SHA1
d9d53590ee45868f5e993e28407d11da18915a49
SHA256
2f17ecd381dbb368379d274fc0783a912c6d0e1c1870a741f940d2c71e3f6bef
SHA512
bd34d0e4bd321256b7923dffd817923584b99a68bb9b69f30d249f991be2fb0bdc637ca747b2b38c439d8e31dd6ea1b8e1dda742c8df55632c5961b7bdfd306f
-
Filesize
3.7MB
MD5
023c18dc05f673644d0b2cce3cd63b8c
SHA1
c87b13de1ba7613d5b24dc1b092c810bdb30b608
SHA256
66a1b91e2023773c79bd9c3d9d3828b468fcdbc0f3f568619745628ca5a76004
SHA512
8229c569e9b909b3e04ce3eab4b3560539df88de6899ec1fc953f1481c25f48f5323aa9ec42e95acc64d9e5a1f09c6514339a654e54c56061e0485664cfdc017
-
Filesize
29KB
MD5
5c3a0ff89b572f0a54bdc16bc480527f
SHA1
917800855ab584ffe8433dd54d2b4de116d29b2e
SHA256
fdb1dc6d11fbe94ccce0efe751db6f034cd20741131572411cffb75d9b1f4b34
SHA512
0264af292eca657858a015c5848bbaa831e6b55fcfe2be98a12411511f3a5f8b8071e51ea1f83a800a30349da4e32357374ed0b984ad6fe00e1aaf29540adaf9