Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    31/10/2024, 14:07

General

  • Target

    36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe

  • Size

    219KB

  • MD5

    704b6d42185d41549884e65540ede321

  • SHA1

    52ba07c4213cf33bb87cd22cbc1087296480df3b

  • SHA256

    36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422

  • SHA512

    59e6aedb8caea7650617dbd56107b71d3d1b30af6cc2b8f3a78aec0f4a1d93e4b7ea88ccbfa046fe78d18e42031e244909b9be3561658de00e91913f2fe73c1d

  • SSDEEP

    3072:l2RaiKg4xmUh1WXHqw/l+qmOELhakVsm3mxB32tLEv8zfdn5f2dZLCoKOhhWK0KK:l0KgGwHqwOOELha+sm2D2+UhngNQK44O

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 27 IoCs
  • Checks for any installed AV software in registry 1 TTPs 3 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Embeds OpenSSL 1 IoCs

    Embeds OpenSSL, may be used to circumvent TLS interception.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 11 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe
    "C:\Users\Admin\AppData\Local\Temp\36418a06e63b09d0bca8c9fd210a100b0aa48bd11fa11d8734c6d17b42587422.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Windows\Temp\asw.21ee1e2b3d60f032\avg_antivirus_free_setup_x64.exe
      "C:\Windows\Temp\asw.21ee1e2b3d60f032\avg_antivirus_free_setup_x64.exe" /cookie:mmm_bav_003_999_a8a_m:dlid_FREEGSR-FAD /ga_clientid:595ea4a4-c45f-4edf-b58b-550befda0b2d /edat_dir:C:\Windows\Temp\asw.21ee1e2b3d60f032
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks for any installed AV software in registry
      • Writes to the Master Boot Record (MBR)
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\Temp\asw.76b7dcc099c20e5a\instup.exe
        "C:\Windows\Temp\asw.76b7dcc099c20e5a\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.76b7dcc099c20e5a /edition:15 /prod:ais /stub_context:f4768b96-7739-43f7-ab47-580f4e3b51a4:11167936 /guid:71fa9fcb-ae92-4509-b535-07dde8a841a5 /ga_clientid:595ea4a4-c45f-4edf-b58b-550befda0b2d /no_delayed_installation /cookie:mmm_bav_003_999_a8a_m:dlid_FREEGSR-FAD /ga_clientid:595ea4a4-c45f-4edf-b58b-550befda0b2d /edat_dir:C:\Windows\Temp\asw.21ee1e2b3d60f032
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks for any installed AV software in registry
        • Writes to the Master Boot Record (MBR)
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2512

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\AVG\Persistent Data\Antivirus\Logs\Setup.log

          Filesize

          1KB

          MD5

          bc7ef17d1cc3839e267a6bd40a9e49b0

          SHA1

          7007017c3145f8f1685d6161560c1bc708ac99bf

          SHA256

          7bb2c32b6d4e5da7ed5de43b857b568538829c95296b962f93ccaf3b78e394ac

          SHA512

          4e7a90d8395686e969da05ae8aa7244819444a45e1b39446577e522d65f63558feddab0ca6f02857dd1cd7f38e70abc4503c63bfd1ea4b83a6cf31aff84a303c

        • C:\Windows\Temp\asw.21ee1e2b3d60f032\avg_antivirus_free_setup_x64.exe

          Filesize

          10.7MB

          MD5

          67337e485e2bc58d16b78674194ccf5e

          SHA1

          d9d53590ee45868f5e993e28407d11da18915a49

          SHA256

          2f17ecd381dbb368379d274fc0783a912c6d0e1c1870a741f940d2c71e3f6bef

          SHA512

          bd34d0e4bd321256b7923dffd817923584b99a68bb9b69f30d249f991be2fb0bdc637ca747b2b38c439d8e31dd6ea1b8e1dda742c8df55632c5961b7bdfd306f

        • C:\Windows\Temp\asw.21ee1e2b3d60f032\ecoo.edat

          Filesize

          38B

          MD5

          834914832cf4e739057be03e60d20884

          SHA1

          352fc1a7c0bb2ebd96ae66c135a0d6a18943cd19

          SHA256

          a0de647574f0a401ed84b266c3a4b71714f51e0dcffbeca4aae395ece61aed66

          SHA512

          987efd1d22fb7d08ac35e8a7b8b89301ad2de51ffc8dac74d811e8e5bae1e107ac409c7d91f043ad814546da3152a3e581a3720249e248463abe2b9a14b454e1

        • C:\Windows\Temp\asw.76b7dcc099c20e5a\Instup.dll

          Filesize

          21.7MB

          MD5

          868b5c92cbd5394800f72ed7e843a1c0

          SHA1

          4292711d86c2f87f813a17ac3cd606fc2d6db305

          SHA256

          e46f6295acd6d09164a8c2e196f02786338c54ebab0056b7e430b50a2c49f481

          SHA512

          3203c12e050a9225d838cdb79ba6348f1b1d381974c44b1c275b713e214d2839c6523d1ee8784b45c76bb5dd33ce70a13c8e621c460171d2d951e6af39cf1694

        • C:\Windows\Temp\asw.76b7dcc099c20e5a\Instup.exe

          Filesize

          3.7MB

          MD5

          023c18dc05f673644d0b2cce3cd63b8c

          SHA1

          c87b13de1ba7613d5b24dc1b092c810bdb30b608

          SHA256

          66a1b91e2023773c79bd9c3d9d3828b468fcdbc0f3f568619745628ca5a76004

          SHA512

          8229c569e9b909b3e04ce3eab4b3560539df88de6899ec1fc953f1481c25f48f5323aa9ec42e95acc64d9e5a1f09c6514339a654e54c56061e0485664cfdc017

        • C:\Windows\Temp\asw.76b7dcc099c20e5a\New_15020c62\asw0569ff89f49b9607.tmp

          Filesize

          19.1MB

          MD5

          917a284494cbe4a4ec85e1ec768339c9

          SHA1

          47ccc0a04ecc7c3c1ff79bf42d424cfda356137c

          SHA256

          57cb03fbc4750eefba0079c3fcdfc1b077e4347e0438f41e13b8614e7f11b772

          SHA512

          90849e580c9da697689c664b126ed97b085bd2fd6016ac9193afd7a7ac625c76db84c9bf55a4bd0308da889a16b27832383738de5ecbec7e97bbd5b7962999d8

        • C:\Windows\Temp\asw.76b7dcc099c20e5a\New_15020c62\asw2ba1507ff7fe10f4.tmp

          Filesize

          831KB

          MD5

          ce4d45d0b684f591d5a83fdbd99bd306

          SHA1

          e89637b905c37033950afadaca2161bd5b09fb5e

          SHA256

          907e054fef8297e3cd31d083299ff0ac495775eaa928e3e10e7000fdf6baaed7

          SHA512

          af0aefc20b9c9c91f63f34fcd70c27e9e304073d51cc9ec45113ab360dd5ba4ad104b5c752e022b8b153f435527b56f6bfbb6022dd4bca98f8d1778e2bfc97d1

        • C:\Windows\Temp\asw.76b7dcc099c20e5a\New_15020c62\asw8746b970f8c6283a.tmp

          Filesize

          3.8MB

          MD5

          0b830444a6ef848fb85bfbb173bb6076

          SHA1

          27964cc1673ddb68ca3da8018f0e13e9a141605e

          SHA256

          63f361195a989491b2c10499d626ab3306edc36fbcb21a9cd832c4c4c059bb8f

          SHA512

          31655204bfb16d1902bb70a603a47f6bf111c0f36962fea01e15193d72cc1fffcead1f1a7884d2929ceb77ac47c640ca8039a93b4648747496d462ffe6a05e65

        • C:\Windows\Temp\asw.76b7dcc099c20e5a\New_15020c62\aswf7157ecfc05dc94f.tmp

          Filesize

          4.5MB

          MD5

          bbb61ad0f20d3fe17a5227c13f09e82d

          SHA1

          01700413fc5470aa0ba29aa1a962d7a719a92a82

          SHA256

          39154701a5a844eacf6aa1ccc70297c66bda6e27450fd1043778cead49da859e

          SHA512

          c614246263664268970562908c63e933ddda0a7f1c2f06b63eab9a06a2d8253356636cac948f709c37e66929d5d8b57663bf5f0d34fcf591ac7461c2af5b63e4

        • C:\Windows\Temp\asw.76b7dcc099c20e5a\avdump_x86_ais-c62.vpx

          Filesize

          767KB

          MD5

          f75d663065c0ccd7e63bf2accdafed7a

          SHA1

          daa2d2415cb3d0f27fb4591889d01583c45e5ffd

          SHA256

          0d25e74cf179f4fa2febb01cb647b6ca0e6fa3c6499ed7eee3f1557775e1b6c8

          SHA512

          783a35d57236ec1b5f4d730cf15f201a26356953eeec848beb5125351f3976908495ab6128117f4dae72986480675f880e9268b7ff72b00a1bdcd78042c2ad90

        • C:\Windows\Temp\asw.76b7dcc099c20e5a\config.def

          Filesize

          18KB

          MD5

          b287ff221fcc9ed0834d24809fe35b97

          SHA1

          8bc09ba498c1a33f3226e6e55eb769e7d017cf9c

          SHA256

          292369211d5a83d0a54c28afcb396cc6f9a8626e0ad109c8ddac19742deb5aff

          SHA512

          3da3c73c074b417e4478c8a9e52c9f1debcfe4d5fe58467ca07b6c7a362b5705ad707f7af89af1eead8b699454f77cba364eba3d3759fcaa6c03e971b2b7a056

        • C:\Windows\Temp\asw.76b7dcc099c20e5a\config.def

          Filesize

          19KB

          MD5

          a37c6d8fbae7c03c19b94c4c9da64174

          SHA1

          4417a9503b2be52caaa2bd73224f3359eeb32558

          SHA256

          761b97970c0442c780bd547037f8ab8caca544900ccb99458221e63f1e3d275b

          SHA512

          c8288ed1ac6fce88d52eb831b0e8ecc7be8294189601699e91c90c3166dc5f0db54ea6fc9faf9e7087bde945a5564fb37d482f962b3a13d97cbbb13bd1b2957c

        • C:\Windows\Temp\asw.76b7dcc099c20e5a\config.ini

          Filesize

          689B

          MD5

          f628a6796b03446de2cb2603810d68b9

          SHA1

          314407ecbb643d5b0ada656d734d8872e8af41f0

          SHA256

          1bdecbcbd64244e6999a5ca252ca45738e81c1658ac31a14155224ab12fe6561

          SHA512

          5f1e0bb02f82c3ebca750e327de0d349aafb948ff570bf77a8c7af7941b8b0489e3f75f2a07dd9413cd1926c875eb275238e4c65e88383e99ff7ac7158501b53

        • C:\Windows\Temp\asw.76b7dcc099c20e5a\part-setup_ais-15020c62.vpx

          Filesize

          5KB

          MD5

          d5b798d8816b252e7d718195dfeb8a8c

          SHA1

          860c5807fd491aeeb12d661d8cf2ecca4ca1639b

          SHA256

          75176962c8691f84eb299a555d4c82796b53a12161f1e6616ec50cf97393b499

          SHA512

          16cd2e8f57c05ba2bae79de39867cc35178a6d99cd035d7d20efd8788076360a408affa9b6caf3ea09daf5c32834b995e47b1ab4ec29fcc1fdfddcf0ba96cce5

        • C:\Windows\Temp\asw.76b7dcc099c20e5a\prod-pgm.vpx

          Filesize

          570B

          MD5

          6c1d9e1205004626b884438704c0631a

          SHA1

          00b5fd840f4fdcab41cc89da9fc1141c7594870b

          SHA256

          067a441767c324abf5e72729e70ae1edff257611232c08e5181ccac83f10ebec

          SHA512

          443c896b88520013cd43093ea6f934e179e7a64ce4d3443ab531798ce73298c5eb5dff22a554fbfd1a141daad9344fa69d170e5f727ec61652b3e297a878316e

        • C:\Windows\Temp\asw.76b7dcc099c20e5a\prod-vps.vpx

          Filesize

          343B

          MD5

          3db64dd18a9c8b5f30520cb1e4dd1a97

          SHA1

          d52b3cb5111366c8571d545b5c527a0bb339eaf1

          SHA256

          5a6d11525163362dcf13d6557917c4f4af912d9f3de7d9ace9ffa3ca5c01a76b

          SHA512

          92ff3730244782f51fd5ed03534ec87df5c04ccc8d3add3fbb6d30a82898cd69a03cfb628f6f0d210d9d900a7b3a140e4868749ed8270aa35cde52108f6b6077

        • C:\Windows\Temp\asw.76b7dcc099c20e5a\servers.def

          Filesize

          27KB

          MD5

          c7e6e4e24e5ab4f8a02a45faa0b0d488

          SHA1

          2f07929c3d89cee87b9215b544a853254e0b0954

          SHA256

          f9cb6948ee78d3250299f811168348e554419d70cc33ac0cfd8c7258678fdb7c

          SHA512

          fb988fffa9b8b2c6aab74b605e0d24642042a614094bb35b3a51f80f0dee6bbae365a8fad71af1f004bf405f7ce6396794f9850125ee3a2a293a5e7d9f056a04

        • C:\Windows\Temp\asw.76b7dcc099c20e5a\servers.def.vpx

          Filesize

          1KB

          MD5

          a5f4c9bc6ea5c71f763b215ded1298d2

          SHA1

          87e4f4be5dd37ddb13d220ccef88ae9091d0b452

          SHA256

          057585349fc3568979e1d5ef62c32b801ac23835c2f224464a7300875b9f28c7

          SHA512

          65f625ed27187c68c8d376626b5df38a96869fc1794a956f4fb87b3753dbfd0c1bec9e824a026c363bd0f5f1fbc55dfd37a26dc23f7af17254cf4e4a771f5244

        • C:\Windows\Temp\asw.76b7dcc099c20e5a\setup.def

          Filesize

          37KB

          MD5

          3fc9d055795a4c01893e5661f300c513

          SHA1

          29c64165afecea436a2dcb57dd5b54163a002df4

          SHA256

          425eb69377f5ab3508bca26402d48377ab0362840ef0c77852236f45efc597e0

          SHA512

          e1622c0390a66dba328f5c699b10b32c66aec8a20474a6b5d49c2e0faf3a9997620db0f2162d6763976d70159e53363e9217d372cb19f982241f66ec8761c902

        • C:\Windows\Temp\asw.76b7dcc099c20e5a\uat64.vpx

          Filesize

          16KB

          MD5

          65102de34e58a65be304b144659b8647

          SHA1

          062183fa6bfc38f64a9ba59ba3c6d642ff19e553

          SHA256

          5b94dc186cb9a01363a4c4220d4ad9940ba5294a354a5013ffb445e94f4eb09d

          SHA512

          b33431c4f0afc0528080505609c5c6efe6b9ac9a71c30380723fec14bcccc56056baede824b105231793e40e0d5342ce8863d4c4d75611cf7ac1b315c534b766

        • \Windows\Temp\asw.76b7dcc099c20e5a\HTMLayout.dll

          Filesize

          4.0MB

          MD5

          b39614a52de7353db442a5e990d8b007

          SHA1

          6b9e95a06905267729e721167f99982033a3fa11

          SHA256

          22a35a503c3060365c5107bb0f6b17113cca77f9c76993904140f616858ea10f

          SHA512

          5ad0217ef70eb3baba368ccb5d05c54a479351be706ac95b268ee7dc1aa24ea00674134dc60c143bcbe5cf21d6759c18e965a6bd89bef7d0cc20f77967f56b7c

        • \Windows\Temp\asw.76b7dcc099c20e5a\New_15020c62\aswbdde95224a23627e.tmp

          Filesize

          3.1MB

          MD5

          c545527e69a46359a4a45f58794a0fe5

          SHA1

          e233e5837bfe5d1429300fb33f12f5b54689781b

          SHA256

          8d86976b5ecd432772d4ac5965ff86bff6da04318f231b3e7ea64818de6211f9

          SHA512

          754c891b4f582948ba5dd776a87edba35f96453a540c20c5dd78f2d816bc83161e0d3f8a0f6052b5d0835f5a0b4eeb6d7a871aa611bd74e61ca25ea7046837e0

        • \Windows\Temp\asw.76b7dcc099c20e5a\New_15020c62\aswe2d0521a644f7465.tmp

          Filesize

          15KB

          MD5

          e38cc92cd980a55d811316ac62883e14

          SHA1

          fa83737abe11ee825c3da6843cc4d8e3b459729a

          SHA256

          be4d8a5dc335ca8446c0dbba4ee4ef07553a5c242bed560f11aaef4793855e87

          SHA512

          1422c8f94556ff0409a3cd1ff581f6c4ea56b01be36ba5b2c0e72465f4dad38391eb85bae28b079aa2f1204615d32a17b7e73e92ffcc9964f39c79626b7afe16

        • \Windows\Temp\asw.76b7dcc099c20e5a\New_15020c62\aswed923f5ea4907849.tmp

          Filesize

          907KB

          MD5

          43dc9e69f1e9db4059cf49a5e825cfda

          SHA1

          519298f8a681b41d2d70db2670cc7543f1ee6da4

          SHA256

          98efeee831a7984d94cf13800aeb1de68e79bea0bb5d95ff7adcbb43b648ed4d

          SHA512

          d0c07cb1e251f2135fdb21893e6ca70efc019a8b759274c87266fb5a2c48ebc0126aecee0020bd48cfd65ef2f794b81b1e417000c91db18e2ac128c86eac4079

        • \Windows\Temp\asw.76b7dcc099c20e5a\uat64.dll

          Filesize

          29KB

          MD5

          5c3a0ff89b572f0a54bdc16bc480527f

          SHA1

          917800855ab584ffe8433dd54d2b4de116d29b2e

          SHA256

          fdb1dc6d11fbe94ccce0efe751db6f034cd20741131572411cffb75d9b1f4b34

          SHA512

          0264af292eca657858a015c5848bbaa831e6b55fcfe2be98a12411511f3a5f8b8071e51ea1f83a800a30349da4e32357374ed0b984ad6fe00e1aaf29540adaf9