Analysis

  • max time kernel
    15s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    31/10/2024, 16:59

General

  • Target

    12118d48fffbcd5000dcb74258b9200b166b17d56c03c856dad22604c5071bf4.exe

  • Size

    219KB

  • MD5

    b20a6cc6bb92aac556cb1c3f383628d9

  • SHA1

    a37727da979560c8c6fb9cd09f3fc33d78643b84

  • SHA256

    12118d48fffbcd5000dcb74258b9200b166b17d56c03c856dad22604c5071bf4

  • SHA512

    18a2c0b7b533dd6ced92bc8317e62326ff0d31a725705068c37739ffac69b808d695035aad43384af4ad662e4c994d291a63c842df3983426bd224b42f85c0b2

  • SSDEEP

    3072:J2RaiKg4xmUh1WXHqw/l+qmOELhakVsm3mxB32tLEv8zfdn5f2dZLCoKOhhWK0Ks:J0KgGwHqwOOELha+sm2D2+UhngNQK4dD

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 11 IoCs
  • Checks for any installed AV software in registry 1 TTPs 3 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Embeds OpenSSL 2 IoCs

    Embeds OpenSSL, may be used to circumvent TLS interception.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 11 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 16 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12118d48fffbcd5000dcb74258b9200b166b17d56c03c856dad22604c5071bf4.exe
    "C:\Users\Admin\AppData\Local\Temp\12118d48fffbcd5000dcb74258b9200b166b17d56c03c856dad22604c5071bf4.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\Temp\asw.ce3ac533494ee479\avg_antivirus_free_setup_x64.exe
      "C:\Windows\Temp\asw.ce3ac533494ee479\avg_antivirus_free_setup_x64.exe" /cookie:mmm_bav_998_999_000_m:dlid_FREEGSR-FAD /ga_clientid:191e45a5-c43f-42e8-8c76-c307faa8f2cf /edat_dir:C:\Windows\Temp\asw.ce3ac533494ee479
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks for any installed AV software in registry
      • Writes to the Master Boot Record (MBR)
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\Temp\asw.538e4f49c3287e54\instup.exe
        "C:\Windows\Temp\asw.538e4f49c3287e54\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.538e4f49c3287e54 /edition:15 /prod:ais /stub_context:2a3ee586-433b-4ec0-85da-20a9e3d30845:11167936 /guid:4f979405-3cda-41b5-a286-e88d94c622ae /ga_clientid:191e45a5-c43f-42e8-8c76-c307faa8f2cf /no_delayed_installation /cookie:mmm_bav_998_999_000_m:dlid_FREEGSR-FAD /ga_clientid:191e45a5-c43f-42e8-8c76-c307faa8f2cf /edat_dir:C:\Windows\Temp\asw.ce3ac533494ee479
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks for any installed AV software in registry
        • Writes to the Master Boot Record (MBR)
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:2756

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\AVG\Persistent Data\Antivirus\Logs\Setup.log

          Filesize

          1KB

          MD5

          1571048721cbdf34def509409dcd8810

          SHA1

          89f4cf816663fc11d92cb0017dc507daea67b69e

          SHA256

          48fdec891e4b6d14c16df234a9475aae2fd519445a2b058945ac838b62bee4bf

          SHA512

          572f2c989257bfa40aa591792f2d5fc142060146faac1fb869957a24ae51888d6e1125b4c301c2b654787ae50c4e3a92769402ff122f6a7a5b9693c125305957

        • C:\Windows\Temp\asw.538e4f49c3287e54\Instup.dll

          Filesize

          19.6MB

          MD5

          529a538a990d89e144388c76b62fd1cb

          SHA1

          c821696da1747c62f1e3cfdc05859aa3cbf4a1f1

          SHA256

          c390495f9c6379c5b567aae79a55969a4be421d22cb243758ceac1c475f88815

          SHA512

          fc711b4e8e40b98d69e8d5859ced153ea81fde13da06061dde08b7da7330582b551669ada26814cdc5119b79f99a79b4b2c48ade6a5025866aadda8167e221c9

        • C:\Windows\Temp\asw.538e4f49c3287e54\New_15020c62\asw165ae72239738eb9.tmp

          Filesize

          3.1MB

          MD5

          c545527e69a46359a4a45f58794a0fe5

          SHA1

          e233e5837bfe5d1429300fb33f12f5b54689781b

          SHA256

          8d86976b5ecd432772d4ac5965ff86bff6da04318f231b3e7ea64818de6211f9

          SHA512

          754c891b4f582948ba5dd776a87edba35f96453a540c20c5dd78f2d816bc83161e0d3f8a0f6052b5d0835f5a0b4eeb6d7a871aa611bd74e61ca25ea7046837e0

        • C:\Windows\Temp\asw.538e4f49c3287e54\New_15020c62\aswa4ab9fc3057c0d38.tmp

          Filesize

          4.9MB

          MD5

          8655bbfd6f4c8a661f83cdf12ae79824

          SHA1

          a5f4fd61c737825c82dba83ff62c8fd547d63376

          SHA256

          0a7270cc3ed0eb64126302d383e70193b63b70f3a0c550dfcd9b29e5af4f670a

          SHA512

          70b29fd81c90898fa26e4e5e3495ba0b4ab14c14085fa813789bd411fc11f77e7ea7ec65bf71886e84b885f7a855e24ca7aeb3def0168d5e46f7b6bf2bebacd0

        • C:\Windows\Temp\asw.538e4f49c3287e54\New_15020c62\aswa4ab9fc3057c0d38.tmp

          Filesize

          4.9MB

          MD5

          081ce3c98acdb5c4690ae5ed2b9a07c6

          SHA1

          7ba9dc179911e3a92f53811027eaa5eb0bc9da93

          SHA256

          92626d7e9cd761fac93d7b027d47dd87258392b39def4ebd1f6a8169360846a2

          SHA512

          09701a9ec5737d142a8e97493cc9f007b872c9fd9502b0c5b29af964a621c74e9d590113ad070fd2316001daa99780c6c0612317c0aa8c55482345338f2b6e8c

        • C:\Windows\Temp\asw.538e4f49c3287e54\New_15020c62\aswbd6f9fcaae49e414.tmp

          Filesize

          4.5MB

          MD5

          bbb61ad0f20d3fe17a5227c13f09e82d

          SHA1

          01700413fc5470aa0ba29aa1a962d7a719a92a82

          SHA256

          39154701a5a844eacf6aa1ccc70297c66bda6e27450fd1043778cead49da859e

          SHA512

          c614246263664268970562908c63e933ddda0a7f1c2f06b63eab9a06a2d8253356636cac948f709c37e66929d5d8b57663bf5f0d34fcf591ac7461c2af5b63e4

        • C:\Windows\Temp\asw.538e4f49c3287e54\New_15020c62\aswe1598fdefb35c983.tmp

          Filesize

          3.8MB

          MD5

          0b830444a6ef848fb85bfbb173bb6076

          SHA1

          27964cc1673ddb68ca3da8018f0e13e9a141605e

          SHA256

          63f361195a989491b2c10499d626ab3306edc36fbcb21a9cd832c4c4c059bb8f

          SHA512

          31655204bfb16d1902bb70a603a47f6bf111c0f36962fea01e15193d72cc1fffcead1f1a7884d2929ceb77ac47c640ca8039a93b4648747496d462ffe6a05e65

        • C:\Windows\Temp\asw.538e4f49c3287e54\New_15020c62\aswf3fa2e4354e753dc.tmp

          Filesize

          831KB

          MD5

          ce4d45d0b684f591d5a83fdbd99bd306

          SHA1

          e89637b905c37033950afadaca2161bd5b09fb5e

          SHA256

          907e054fef8297e3cd31d083299ff0ac495775eaa928e3e10e7000fdf6baaed7

          SHA512

          af0aefc20b9c9c91f63f34fcd70c27e9e304073d51cc9ec45113ab360dd5ba4ad104b5c752e022b8b153f435527b56f6bfbb6022dd4bca98f8d1778e2bfc97d1

        • C:\Windows\Temp\asw.538e4f49c3287e54\asw6ca790a3c8aeb34c.ini

          Filesize

          689B

          MD5

          e23c342912d5b9266df3634029fcd2ed

          SHA1

          55537aab341a1888f4cc70b0a42ea24ee008d8d5

          SHA256

          a45d56771a1bfd798b8f2406c17c00ebdf6c7c979e7c0f1810c505e71e79bb62

          SHA512

          544d93754809e37608b17fbb98e7f08325fa3a27b5ef527b136cdca9cca0c93b2826e9979f8e0010294d895e16d55590ca3c1ce54d6c035cefb545d08298ec83

        • C:\Windows\Temp\asw.538e4f49c3287e54\avbugreport_x64_ais-c62.vpx

          Filesize

          4.3MB

          MD5

          3d3d1bd8cd13497a935b90f2e52e4dd8

          SHA1

          b1a4ad2ad252b7ab5a1e328811fb8d96549b18b8

          SHA256

          a76814cbbd093860c8807d2deba2b4e6b3fac0f1d1c911c16c15578fb14d40b2

          SHA512

          6217610be96881068a41eb81a8664fb9548d58467dac0a3e597198a0f987263e96bd923c499b1b397e2178f3f5c681a69388ed7db4185c568d3648fa031d11a3

        • C:\Windows\Temp\asw.538e4f49c3287e54\avdump_x86_ais-c62.vpx

          Filesize

          767KB

          MD5

          f75d663065c0ccd7e63bf2accdafed7a

          SHA1

          daa2d2415cb3d0f27fb4591889d01583c45e5ffd

          SHA256

          0d25e74cf179f4fa2febb01cb647b6ca0e6fa3c6499ed7eee3f1557775e1b6c8

          SHA512

          783a35d57236ec1b5f4d730cf15f201a26356953eeec848beb5125351f3976908495ab6128117f4dae72986480675f880e9268b7ff72b00a1bdcd78042c2ad90

        • C:\Windows\Temp\asw.538e4f49c3287e54\config.def

          Filesize

          18KB

          MD5

          b287ff221fcc9ed0834d24809fe35b97

          SHA1

          8bc09ba498c1a33f3226e6e55eb769e7d017cf9c

          SHA256

          292369211d5a83d0a54c28afcb396cc6f9a8626e0ad109c8ddac19742deb5aff

          SHA512

          3da3c73c074b417e4478c8a9e52c9f1debcfe4d5fe58467ca07b6c7a362b5705ad707f7af89af1eead8b699454f77cba364eba3d3759fcaa6c03e971b2b7a056

        • C:\Windows\Temp\asw.538e4f49c3287e54\config.def

          Filesize

          19KB

          MD5

          c4e13a43440cdb69c2331c7d0df5b949

          SHA1

          ec36a02b918acc80705fd8787f7929e96648915c

          SHA256

          69ad29646e8e5ef45ccee7d759287c31b2b5c588c0302511be908c8719d47e95

          SHA512

          e7a6145e80394f03089a5191e22d24e0ba59b6ab3475d7317130880213aa8daa0375cc9d42d8ddf5f9369d4a3f2e4e79ae7180c7df28b298ded621ea2bab7753

        • C:\Windows\Temp\asw.538e4f49c3287e54\instup_x64_ais-c62.vpx

          Filesize

          3.4MB

          MD5

          7d61c85e5afdd35cd59b41787c9b5990

          SHA1

          0718d05f76d2748f57631ea8a372ae010718b44f

          SHA256

          42691db9b56695929a5c81f7d909cdb2f8f9d1d7d133dcce088948c5f1f6b724

          SHA512

          8874a02aab2b38809b1d3f6135280334aae8ed6520a70830954e31264ccfcfc9e0dbdee34ab469f414bebc3a716bfceef23e8b7cacd6e58577b5e654fe13f8bc

        • C:\Windows\Temp\asw.538e4f49c3287e54\part-setup_ais-15020c62.vpx

          Filesize

          5KB

          MD5

          d5b798d8816b252e7d718195dfeb8a8c

          SHA1

          860c5807fd491aeeb12d661d8cf2ecca4ca1639b

          SHA256

          75176962c8691f84eb299a555d4c82796b53a12161f1e6616ec50cf97393b499

          SHA512

          16cd2e8f57c05ba2bae79de39867cc35178a6d99cd035d7d20efd8788076360a408affa9b6caf3ea09daf5c32834b995e47b1ab4ec29fcc1fdfddcf0ba96cce5

        • C:\Windows\Temp\asw.538e4f49c3287e54\prod-pgm.vpx

          Filesize

          570B

          MD5

          6c1d9e1205004626b884438704c0631a

          SHA1

          00b5fd840f4fdcab41cc89da9fc1141c7594870b

          SHA256

          067a441767c324abf5e72729e70ae1edff257611232c08e5181ccac83f10ebec

          SHA512

          443c896b88520013cd43093ea6f934e179e7a64ce4d3443ab531798ce73298c5eb5dff22a554fbfd1a141daad9344fa69d170e5f727ec61652b3e297a878316e

        • C:\Windows\Temp\asw.538e4f49c3287e54\prod-vps.vpx

          Filesize

          343B

          MD5

          3db64dd18a9c8b5f30520cb1e4dd1a97

          SHA1

          d52b3cb5111366c8571d545b5c527a0bb339eaf1

          SHA256

          5a6d11525163362dcf13d6557917c4f4af912d9f3de7d9ace9ffa3ca5c01a76b

          SHA512

          92ff3730244782f51fd5ed03534ec87df5c04ccc8d3add3fbb6d30a82898cd69a03cfb628f6f0d210d9d900a7b3a140e4868749ed8270aa35cde52108f6b6077

        • C:\Windows\Temp\asw.538e4f49c3287e54\servers.def

          Filesize

          27KB

          MD5

          c7e6e4e24e5ab4f8a02a45faa0b0d488

          SHA1

          2f07929c3d89cee87b9215b544a853254e0b0954

          SHA256

          f9cb6948ee78d3250299f811168348e554419d70cc33ac0cfd8c7258678fdb7c

          SHA512

          fb988fffa9b8b2c6aab74b605e0d24642042a614094bb35b3a51f80f0dee6bbae365a8fad71af1f004bf405f7ce6396794f9850125ee3a2a293a5e7d9f056a04

        • C:\Windows\Temp\asw.538e4f49c3287e54\servers.def.vpx

          Filesize

          1KB

          MD5

          a5f4c9bc6ea5c71f763b215ded1298d2

          SHA1

          87e4f4be5dd37ddb13d220ccef88ae9091d0b452

          SHA256

          057585349fc3568979e1d5ef62c32b801ac23835c2f224464a7300875b9f28c7

          SHA512

          65f625ed27187c68c8d376626b5df38a96869fc1794a956f4fb87b3753dbfd0c1bec9e824a026c363bd0f5f1fbc55dfd37a26dc23f7af17254cf4e4a771f5244

        • C:\Windows\Temp\asw.538e4f49c3287e54\uat64.vpx

          Filesize

          16KB

          MD5

          65102de34e58a65be304b144659b8647

          SHA1

          062183fa6bfc38f64a9ba59ba3c6d642ff19e553

          SHA256

          5b94dc186cb9a01363a4c4220d4ad9940ba5294a354a5013ffb445e94f4eb09d

          SHA512

          b33431c4f0afc0528080505609c5c6efe6b9ac9a71c30380723fec14bcccc56056baede824b105231793e40e0d5342ce8863d4c4d75611cf7ac1b315c534b766

        • C:\Windows\Temp\asw.ce3ac533494ee479\ecoo.edat

          Filesize

          38B

          MD5

          aaa8f0ca4acc800e63ec0cc3f9598380

          SHA1

          ba82445e4b1eae5bed00d6e5a78411b05700d88d

          SHA256

          9fa614083ebc934b52510cc41eb3246e1b0d199329ab1fd3aea08a5bce62bcdf

          SHA512

          cffec5401f95e8ddfd9edf6c2ea072114d3be913fd48f874938524046f08dea246823ce042fb9d452692c90c50a215c3dcaa19c02270d93534b6ff2da0d88dc0

        • \Windows\Temp\asw.538e4f49c3287e54\HTMLayout.dll

          Filesize

          4.0MB

          MD5

          b39614a52de7353db442a5e990d8b007

          SHA1

          6b9e95a06905267729e721167f99982033a3fa11

          SHA256

          22a35a503c3060365c5107bb0f6b17113cca77f9c76993904140f616858ea10f

          SHA512

          5ad0217ef70eb3baba368ccb5d05c54a479351be706ac95b268ee7dc1aa24ea00674134dc60c143bcbe5cf21d6759c18e965a6bd89bef7d0cc20f77967f56b7c

        • \Windows\Temp\asw.538e4f49c3287e54\Instup.dll

          Filesize

          17.4MB

          MD5

          c04c263d879f127650be0f2070fab860

          SHA1

          49dc2cdd630ffc283d6b45a46159eb9e6266cd74

          SHA256

          9e4be2e96c581b33e6b85f5129821b22039c22e1fedbcce8c7862e981536b2fa

          SHA512

          ba2f42f29319f61276de968431145f2e248e6fc76684ea68bef7b788bb842bcac15d4985d1a8b7f910fb3a3dd824e689f29c66d530f4cefb1d31bfd32f5f3924

        • \Windows\Temp\asw.538e4f49c3287e54\Instup.exe

          Filesize

          3.7MB

          MD5

          023c18dc05f673644d0b2cce3cd63b8c

          SHA1

          c87b13de1ba7613d5b24dc1b092c810bdb30b608

          SHA256

          66a1b91e2023773c79bd9c3d9d3828b468fcdbc0f3f568619745628ca5a76004

          SHA512

          8229c569e9b909b3e04ce3eab4b3560539df88de6899ec1fc953f1481c25f48f5323aa9ec42e95acc64d9e5a1f09c6514339a654e54c56061e0485664cfdc017

        • \Windows\Temp\asw.538e4f49c3287e54\New_15020c62\asw0dac67f01c825591.tmp

          Filesize

          907KB

          MD5

          43dc9e69f1e9db4059cf49a5e825cfda

          SHA1

          519298f8a681b41d2d70db2670cc7543f1ee6da4

          SHA256

          98efeee831a7984d94cf13800aeb1de68e79bea0bb5d95ff7adcbb43b648ed4d

          SHA512

          d0c07cb1e251f2135fdb21893e6ca70efc019a8b759274c87266fb5a2c48ebc0126aecee0020bd48cfd65ef2f794b81b1e417000c91db18e2ac128c86eac4079

        • \Windows\Temp\asw.538e4f49c3287e54\New_15020c62\asw90cec9b7c6edd540.tmp

          Filesize

          15KB

          MD5

          e38cc92cd980a55d811316ac62883e14

          SHA1

          fa83737abe11ee825c3da6843cc4d8e3b459729a

          SHA256

          be4d8a5dc335ca8446c0dbba4ee4ef07553a5c242bed560f11aaef4793855e87

          SHA512

          1422c8f94556ff0409a3cd1ff581f6c4ea56b01be36ba5b2c0e72465f4dad38391eb85bae28b079aa2f1204615d32a17b7e73e92ffcc9964f39c79626b7afe16

        • \Windows\Temp\asw.538e4f49c3287e54\New_15020c62\aswa4ab9fc3057c0d38.tmp

          Filesize

          4.9MB

          MD5

          77989c4b64cbf97027a094d4b20921b7

          SHA1

          fcbaff6a4f82f0aa578d6d8e81dade0655eb2d12

          SHA256

          0558dafdbd26ed375d996cd191741ded214910143e134e1349c5d5ed1c9c1de7

          SHA512

          4aac14acc537ccbb184d08b7596a9f3ab694f99b14e4af44bce5a677a869df37511cdc3a961801d60ed8a7eb2e6d838bf96dbd2992530567942aa922560047c4

        • \Windows\Temp\asw.538e4f49c3287e54\New_15020c62\aswa4ab9fc3057c0d38.tmp

          Filesize

          5.1MB

          MD5

          19d9556c4838564dcc09404968732a63

          SHA1

          612d8259db0e619c4db6fa6b71c073b6d9384d64

          SHA256

          6240c1c0c887d82bb653e1d9a99dcbdc4612d67de185eb62e568ceae51d1922c

          SHA512

          68000dc3ab4c603ffa841a47f4d4dbda02c2e4ea0e45e9c42b05e32f0a957a428826a5a26a18f2e7ce6c662a8c8b818bf39c42d6f441698d85985358cf7ed5af

        • \Windows\Temp\asw.538e4f49c3287e54\uat64.dll

          Filesize

          29KB

          MD5

          5c3a0ff89b572f0a54bdc16bc480527f

          SHA1

          917800855ab584ffe8433dd54d2b4de116d29b2e

          SHA256

          fdb1dc6d11fbe94ccce0efe751db6f034cd20741131572411cffb75d9b1f4b34

          SHA512

          0264af292eca657858a015c5848bbaa831e6b55fcfe2be98a12411511f3a5f8b8071e51ea1f83a800a30349da4e32357374ed0b984ad6fe00e1aaf29540adaf9

        • \Windows\Temp\asw.ce3ac533494ee479\avg_antivirus_free_setup_x64.exe

          Filesize

          10.7MB

          MD5

          67337e485e2bc58d16b78674194ccf5e

          SHA1

          d9d53590ee45868f5e993e28407d11da18915a49

          SHA256

          2f17ecd381dbb368379d274fc0783a912c6d0e1c1870a741f940d2c71e3f6bef

          SHA512

          bd34d0e4bd321256b7923dffd817923584b99a68bb9b69f30d249f991be2fb0bdc637ca747b2b38c439d8e31dd6ea1b8e1dda742c8df55632c5961b7bdfd306f