Analysis
max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags
arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted
31/10/2024, 15:03
Static task
static1
Behavioral task
behavioral1
Sample
3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe
Resource
win10v2004-20241007-en
General
Target
3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe
Size
255KB
MD5
7c3d7d46bf65848821f3b59d9d6aa5ce
SHA1
b142bcc8d47ba993fade8673db45cf1e8235a759
SHA256
3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3
SHA512
e4baf0f2b443baf28da57597d0c3e29544d8b372eea27d186baed2d03d1fdbb87ff90b83f37a8c1fc2048161488e0e868630f677dcf78d7fd8a615a0f9b404c9
SSDEEP
3072:OX5bx/ZvAtc0Udi+EhwPAD0JJa+tS5bRZnShxB6xY5LzqUC+8kz5m5pohjhEEn+Y:OBxL0HwPXtShRZSExgQDhuIy
Malware Config
Signatures
Downloads MZ/PE file
Executes dropped EXE 2 IoCs
pid | Process
2836 | avast_one_essential_setup_online_x64.exe
1192 | Process not Found
Loads dropped DLL 2 IoCs
pid | Process
772 | 3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe
772 | 3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe
Checks for any installed AV software in registry 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | avast_one_essential_setup_online_x64.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | avast_one_essential_setup_online_x64.exe
Key opened | \Registry\MACHINE\SOFTWARE\Avast Software\Avast | avast_one_essential_setup_online_x64.exe
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe
File opened for modification | \??\PhysicalDrive0 | avast_one_essential_setup_online_x64.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | avast_one_essential_setup_online_x64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | avast_one_essential_setup_online_x64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | avast_one_essential_setup_online_x64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | avast_one_essential_setup_online_x64.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: 32 | 2836 | avast_one_essential_setup_online_x64.exe
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 772 wrote to memory of 2836 | 772 | 3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe | 31
PID 772 wrote to memory of 2836 | 772 | 3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe | 31
PID 772 wrote to memory of 2836 | 772 | 3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe | 31
PID 772 wrote to memory of 2836 | 772 | 3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe
"C:\Users\Admin\AppData\Local\Temp\3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe"
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:772
  C:\Windows\Temp\asw.207f1679667a49a7\avast_one_essential_setup_online_x64.exe
  "C:\Windows\Temp\asw.207f1679667a49a7\avast_one_essential_setup_online_x64.exe" /cookie:mmm_aon_998_999_000_m:dlid_AVAST-ONE-FREE-WIN-HP /ga_clientid:8592bc03-3772-46fa-aa2c-3aab605f4c6d /edat_dir:C:\Windows\Temp\asw.207f1679667a49a7
  - Executes dropped EXE
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
70KB
MD5
49aebf8cbd62d92ac215b2923fb1b9f5
SHA1
1723be06719828dda65ad804298d0431f6aff976
SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
Filesize
10.6MB
MD5
4c13bc2b1caecbf324785475de2ef0ae
SHA1
98199b8679aca9c3adad8fe10b5c4a7a8f4c66db
SHA256
b817b1a59d48f02d34f28727db9956b932aa89660194289ba14f0a1911a63638
SHA512
fcb80682fd302a3f3df8ce1886eaf779e8504ef17dc73e1558bcf2758ae1436be6b29545b2fbe765b8a0d1a82ab459187253be05590a7bf7c22b08a252716c88