Analysis

  • max time kernel: 717s
  • max time network: 736s
  • platform: windows7_x64
  • resource: win7-20240729-en
  • resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted: 09-11-2024 20:57

General

  • Target: avast_premier_antivirus_setup_offline.exe
  • Size: 628.0MB
  • MD5: eed5aae4ad69cb60304d8cfacd0ef2e3
  • SHA1: a996f80593df5336b652565e07a07917a9707f99
  • SHA256: c2647f7dbad73035b124cf61a997c1788511982891e0a431c47e4ebf9e5d5cef
  • SHA512: 8eb915e738621fb5c9ef3859b3eb6694df175c944c79a0752bf20ffae21e887a1b96142ee10fa98c9bce78557cc3398e059f09d13c686e7fea2464d371a768e8
  • SSDEEP: 12582912:WXtkVB4UWDbWfG7dUu5YX+M7UjF9E3ZUFslRfJr/5hd262vijEIuZy:WXtkVB4yfG7dULX+dFslxJr/5hdnjEK

Malware Config

Signatures

  • Checks for any installed AV software in registry 1 TTPs 29 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 11 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe
    "C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe"
    1⤵
    • Checks for any installed AV software in registry
    • Writes to the Master Boot Record (MBR)
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Windows\Temp\asw.745370d7c5671c69\instup.exe
      "C:\Windows\Temp\asw.745370d7c5671c69\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.745370d7c5671c69 /edition:12 /prod:ais /stub_context:0704781a-dbfc-4ad2-b206-9fa972f1c170:658550208 /guid:79faf98f-cc6e-4fc7-8e51-95d04cba3acb /ga_clientid:b7960701-b34b-4a69-9c89-10d2e5632420
      2⤵
      • Checks for any installed AV software in registry
      • Writes to the Master Boot Record (MBR)
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1340

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log
    Filesize: 1KB
    MD5: 377c70caf74c0ac60128386d6fd34e49
    SHA1: 9470517f764866555abb5ba807fff81b982131af
    SHA256: 0dc2ec331b09f6933837043a836aae10946265704d11071b4d0d45759ac96b81
    SHA512: 321a0e79bf1539d0bf9726a2ee3999f1b67f87b5d2cf4b64522807f76ff4504417c379ff8b796aba627638fa99ea80b73017ac0e0ccd47f084cf896ec7b4c50e

  • C:\Windows\Temp\asw.745370d7c5671c69\HTMLayout.dll
    Filesize: 3.4MB
    MD5: 515486f8eb028440f5c6679af15febfa
    SHA1: 42b9d9032c351e54eed42f5a60e06a676db0bee8
    SHA256: 7529f2294df32f70a933b044bc241966bf1b31f4a312b1b2d58d3515152d0e41
    SHA512: 12fbffac26d39e30a329a28230286ad098177b96361341c2fa2bd54c7c1abf515361dae0571c8b62308c98870b529925c8bebff616ede7ed351a823d8cfb4456

  • C:\Windows\Temp\asw.745370d7c5671c69\Instup.dll
    Filesize: 16.3MB
    MD5: 6b86a7da767c529dddde5cf7955f2ea2
    SHA1: ff2bd33133ca01b68e117834b1b9bf92a3fd2e5d
    SHA256: b91e05f5a85cc570dae52b49dce29de1db778b322e7bdec1065f0ec6e163e71a
    SHA512: b3e384bab230237e97d2c26ad9b1246343402936ea830772558c5fc143a2fd2b0edf471a257acbd698da9ad46b1fba005bc27ef76e446fe9114be200c0776ec5

  • C:\Windows\Temp\asw.745370d7c5671c69\aswd0165568058cae00.ini
    Filesize: 1KB
    MD5: 7744b4d8ea976bfed7a6cdc2912c4844
    SHA1: 05a5dc75bef9fb5a1b812da7f4bb2ca7f5024be5
    SHA256: 114b07124cdda264e0a8e9de0c62f08392bad4dd2b25e0ec35e378bf2c30bb26
    SHA512: d3e6ba2e6a6aed520f04d1ef6439a198c1a80f54b6399fa16272b5cf771983eb111ffaaae8a81be2d59db3316847de521ee40f8ce0c1ad290fbbe355f4b47901

  • C:\Windows\Temp\asw.745370d7c5671c69\config.def
    Filesize: 28KB
    MD5: 5a7719d8f91210806e0de046a2897b56
    SHA1: 7bd04389df2595ac430a2441418f60ce7c2d7846
    SHA256: 730cbc4d6a59b1bd3e47a34c20dd21c8b41bda0f1d8f870cbcaa9abcea088fea
    SHA512: 17eed350706beb5c88878a43d40cb5a453f00ab31fa5884e1fa2a3f76fbb028549705d31c584af89379db1a2a3477d72226271a5acf7b7244aad541a67fa33e6

  • C:\Windows\Temp\asw.745370d7c5671c69\config.def
    Filesize: 38KB
    MD5: 4c551f6ac99d64428734af64520e4802
    SHA1: ac1533ffd21bd560eb0aafc544f852d68ca90bcb
    SHA256: 953e7033e903a8ee87d4c88661b3e221ecdbce00a0ed2d7ab01671dd1b6833ec
    SHA512: d1b5fc7c0d84482514cd2b27c5382b3bbba7213b8ffe053e3e670d252574803cf0369af1185cfcf362fe57168ed9cb40c93e7a0ae87e3be70fdabd0b734b868e

  • C:\Windows\Temp\asw.745370d7c5671c69\config.ini
    Filesize: 1KB
    MD5: 908974ca283158d892def1ee5ffad882
    SHA1: c5785d2c326df9f03bc473e2ad3ea60457397e9a
    SHA256: 0a026b8109fb265ce84033aaa2b4cee91adb397aff4ab6cdd6f5e55c8db1aebc
    SHA512: 0ad70353915c2de92ac7b6a75b7e2d030caef8539bc0fdc0565726b10aebd3be7ee3fb2a70b6f297fef99d31f4be58b0f942a61eeb9c0e5624c2f07c3ce66a6a

  • C:\Windows\Temp\asw.745370d7c5671c69\prod-pgm.vpx
    Filesize: 572B
    MD5: f767ec2c67fcb174088857a0e5a7dfe9
    SHA1: 1f82e0ebabc7a81b8440f2cc658bc36ef80aa058
    SHA256: 026792f688139128de68a232bec5b0d59c002460d9aa1ab2cba6046be17b300c
    SHA512: ca2bfe5360f28d21336338f4fc5d993cb6b2c1b3109522c607f9c784f05edc159f4fe44156171dd93e9f86a166469ccc4120291ddf1d14af4c77f096bd998d12

  • C:\Windows\Temp\asw.745370d7c5671c69\servers.def
    Filesize: 29KB
    MD5: 8625cc598545b4313acb4c34cec05821
    SHA1: 5ff65be78f84c547f43e7109604fb579c98c0f2a
    SHA256: 4659553d6de4bb8fd5cb08f436274215b605dfc788824073721812bf40c7308d
    SHA512: 04a2c0b88a2e9248dc6b3292b52818d7cedded27b7dd76aa2c36755a8c35dc4b551f799076d4bcb2c4bebaf551ab7dc9ed1ca984c51c9824ffe0e7935427c9b5

  • C:\Windows\Temp\asw.745370d7c5671c69\uat.vpx
    Filesize: 15KB
    MD5: 16d1b7886ec2231630f1cc9e823843a2
    SHA1: 25708f9ba0f774b252a019fed30b395ce994f47a
    SHA256: 3c570c42f6e66510e6a9666e3f9e3c3243cfff852b62c78a006c0261241e348f
    SHA512: bb234c1b43ab7a8c92d94e8b35728659ccb550fa0f026d5859a10c637f5dd35a8d65c222d6ea6b089a27d0c2e717daa69a1442752d0fd5b417a0ecc5a0381fc6

  • \Windows\Temp\asw.745370d7c5671c69\Instup.exe
    Filesize: 3.4MB
    MD5: bcba54c439a6cd7067c7f4be8222af42
    SHA1: ac9e41e57a6f4deb45e545946cec41dd2b6b0bf5
    SHA256: 25ace49b61a7a546d4ffda52748d419e7cad5f4df5424498349eb9bd23d62f90
    SHA512: 617836bf66faba386aae0619d5e36d881c4eadb13399ec117d02b0c3169a2e6365cde9be06f152e514667679659816bbe90c2127e4c25d02536e22fdf3bf7906

  • \Windows\Temp\asw.745370d7c5671c69\uat.dll
    Filesize: 26KB
    MD5: 18b6face0e9bde889dc1268e9912d5e8
    SHA1: a4d6ed39c41feb742d7ca839461afb05b4ebbba7
    SHA256: c80f8a0daf4b1fee5f44caf6b4574f3224008ea03f75a2717410261e0d38a709
    SHA512: 716735c9f7728a026f28461ba0081b6acb180ef5469ec7065a392e2cdb42cbdad7c65a9e93a15e010f25b2d2d0ff404031db0827cac0c8c87eb1735b62dca687