Static

score  file                    platform
7      3739d14235...4a.exe     windows11-21h2-x64
7      $PLUGINSDI...ol.dll     windows11-21h2-x64
5      $PLUGINSDI...ns.dll     windows11-21h2-x64
3      $PLUGINSDI...em.dll     windows11-21h2-x64
3      $PLUGINSDI...fo.dll     windows11-21h2-x64
3      $PLUGINSDI...al.ini     windows11-21h2-x64
3      $PLUGINSDI...er.bmp     windows11-21h2-x64
3      $PLUGINSDI...rd.bmp     windows11-21h2-x64
3      AVStrike.exe            windows11-21h2-x64
6      AVStrike.exe.config     windows11-21h2-x64
3      CButtonLib.dll          windows11-21h2-x64
1      Common Tools.dll        windows11-21h2-x64
1      Core.dll                windows11-21h2-x64
1      Interop.IW...ry.dll     windows11-21h2-x64
1      KernelBase.dll          windows11-21h2-x64
3      LumenWorks...IO.dll     windows11-21h2-x64
1      System.Dat...te.dll     windows11-21h2-x64
3      TaskScheduler.dll       windows11-21h2-x64
1      Uninstall.exe           windows11-21h2-x64
7      $PLUGINSDI...em.dll     windows11-21h2-x64
3      db/AVStrikeDB.ldb       windows11-21h2-x64
3      db/AVStrikeDB.ldb.bak   windows11-21h2-x64
3      db/bytecode.cld         windows11-21h2-x64
3      db/daily.cld            windows11-21h2-x64
3      db/main.cld             windows11-21h2-x64
3      db/mirrors.dat          windows11-21h2-x64
3      libclamav.dll           windows11-21h2-x64
3      libclamavd.dll          windows11-21h2-x64
3      log4net.dll             windows11-21h2-x64
1      scandll.dll             windows11-21h2-x64
3      update_db.exe           windows11-21h2-x64
Analysis

max time kernel: 209s
max time network: 285s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 07/11/2024, 10:46
Behavioral tasks

task          sample                                                                  resource
behavioral1   3739d14235ff791ab9f138b769613880d3426004e42eb8c96da33cc00b18f14a.exe    win11-20241007-en
behavioral2   $PLUGINSDIR/AccessControl.dll                                           win11-20241007-en
behavioral3   $PLUGINSDIR/InstallOptions.dll                                          win11-20241007-en
behavioral4   $PLUGINSDIR/System.dll                                                  win11-20241023-en
behavioral5   $PLUGINSDIR/UserInfo.dll                                                win11-20241007-en
behavioral6   $PLUGINSDIR/ioSpecial.ini                                               win11-20241007-en
behavioral7   $PLUGINSDIR/modern-header.bmp                                           win11-20241007-en
behavioral8   $PLUGINSDIR/modern-wizard.bmp                                           win11-20241007-en
behavioral9   AVStrike.exe                                                            win11-20241007-en
behavioral10  AVStrike.exe.config                                                     win11-20241007-en
behavioral11  CButtonLib.dll                                                          win11-20241007-en
behavioral12  Common Tools.dll                                                        win11-20241023-en
behavioral13  Core.dll                                                                win11-20241007-en
behavioral14  Interop.IWshRuntimeLibrary.dll                                          win11-20241007-en
behavioral15  KernelBase.dll                                                          win11-20241007-en
behavioral16  LumenWorks.Framework.IO.dll                                             win11-20241007-en
behavioral17  System.Data.SQLite.dll                                                  win11-20241007-en
behavioral18  TaskScheduler.dll                                                       win11-20241007-en
behavioral19  Uninstall.exe                                                           win11-20241007-en
behavioral20  $PLUGINSDIR/System.dll                                                  win11-20241007-en
behavioral21  db/AVStrikeDB.ldb                                                       win11-20241007-en
behavioral22  db/AVStrikeDB.ldb.bak                                                   win11-20241007-en
behavioral23  db/bytecode.cld                                                         win11-20241007-en
behavioral24  db/daily.cld                                                            win11-20241023-en
behavioral25  db/main.cld                                                             win11-20241007-en
behavioral26  db/mirrors.dat                                                          win11-20241007-en
behavioral27  libclamav.dll                                                           win11-20241007-en
behavioral28  libclamavd.dll                                                          win11-20241007-en
behavioral29  log4net.dll                                                             win11-20241007-en
behavioral30  scandll.dll                                                             win11-20241007-en
behavioral31  update_db.exe                                                           win11-20241007-en
General (behavioral19)

Target: Uninstall.exe
Size: 82KB
MD5: 36fa034cda60273c9741364387ad84e1
SHA1: a772b823b150b57826ab1ada00fbca4021d52499
SHA256: 88e2b9e458da15730c4ea538127b2f7dea75e511e9418f458ab93c8a4b9b8a86
SHA512: 8b8db29532b5193831e27fbd2d83b388678241209bf74b0e0448f53ecfc74a482fd7bd837d4a3a219ee446d5b4c6ae1c42dbfa861b9a6dab46a578f1fc18d9b4
SSDEEP: 1536:6pgpHzb9dZVX9fHMvG0D3XJtgLLiK/YjiHLCAyN/t65aVxw6jSJAlfQ1ef2X:4gXdZt9P6D3XJtkhCAUcaVC6jSUfQ1e2
Malware Config
Signatures

- ACProtect 1.3x - 1.4x DLL software (1 IoC)
  Detects file using ACProtect software.
  resource                                       yara_rule
  behavioral19/files/0x001900000002aacf-11.dat   acprotect

- Deletes itself (1 IoC)
  pid    Process
  1452   Au_.exe

- Executes dropped EXE (1 IoC)
  pid    Process
  1452   Au_.exe

- Loads dropped DLL (5 IoCs)
  pid    Process
  1452   Au_.exe
  1452   Au_.exe
  1452   Au_.exe
  1452   Au_.exe
  1452   Au_.exe

- UPX packed file (3 IoCs)
  resource                                                                       yara_rule
  behavioral19/files/0x001900000002aacf-11.dat                                   upx
  behavioral19/memory/1452-12-0x00000000040A0000-0x00000000040B4000-memory.dmp   upx
  behavioral19/memory/1452-19-0x00000000040A0000-0x00000000040B4000-memory.dmp   upx

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Uninstall.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Au_.exe

- NSIS installer (2 IoCs)
  resource                                      yara_rule
  behavioral19/files/0x001e00000002aaa2-3.dat   nsis_installer_1
  behavioral19/files/0x001e00000002aaa2-3.dat   nsis_installer_2

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid    Process
  1452   Au_.exe
  1452   Au_.exe
  1452   Au_.exe
  1452   Au_.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid    Process         procid_target
  PID 1684 wrote to memory of 1452     1684   Uninstall.exe   81
  PID 1684 wrote to memory of 1452     1684   Uninstall.exe   81
  PID 1684 wrote to memory of 1452     1684   Uninstall.exe   81
Processes

- C:\Users\Admin\AppData\Local\Temp\Uninstall.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1684

  - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe (child of PID 1684)
    command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1452
Network
MITRE ATT&CK Enterprise v15
Downloads