Analysis

  • max time kernel
    91s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-11-2024 20:57

General

  • Target

    avast_premier_antivirus_setup_offline.exe

  • Size

    628.0MB

  • MD5

    eed5aae4ad69cb60304d8cfacd0ef2e3

  • SHA1

    a996f80593df5336b652565e07a07917a9707f99

  • SHA256

    c2647f7dbad73035b124cf61a997c1788511982891e0a431c47e4ebf9e5d5cef

  • SHA512

    8eb915e738621fb5c9ef3859b3eb6694df175c944c79a0752bf20ffae21e887a1b96142ee10fa98c9bce78557cc3398e059f09d13c686e7fea2464d371a768e8

  • SSDEEP

    12582912:WXtkVB4UWDbWfG7dUu5YX+M7UjF9E3ZUFslRfJr/5hd262vijEIuZy:WXtkVB4yfG7dULX+dFslxJr/5hdnjEK

Malware Config

Signatures

  • Checks for any installed AV software in registry (1 TTP, 29 IoCs)
  • Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (6 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry (2 TTPs, 9 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe
    "C:\Users\Admin\AppData\Local\Temp\avast_premier_antivirus_setup_offline.exe"
    1⤵
    • Checks for any installed AV software in registry
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe
      "C:\Windows\Temp\asw.8496c63a5483c22e\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.8496c63a5483c22e /edition:12 /prod:ais /stub_context:41b42433-8016-40de-ab37-86ed93347eec:658550208 /guid:a648f11e-ad98-460d-b91f-bb8dcf68b351 /ga_clientid:f2071e81-4ad1-47f7-bc24-4b5ec7286943
      2⤵
      • Checks for any installed AV software in registry
      • Writes to the Master Boot Record (MBR)
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe
        "C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe" -checkGToolbar -elevated
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4216
      • C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe
        "C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe" -checkChrome -elevated
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1452
      • C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe
        "C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4396
        • C:\Users\Public\Documents\aswOfferTool.exe
          "C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:4584

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

    Filesize

    1KB

    MD5

    fd16e8864b71685719d3b0be875a8d6c

    SHA1

    a9cd7719c7d121aa6a208affde927e40a7ac0c03

    SHA256

    b2ddb7e775790c492ec17087a3d3a0961227f534918b81d3ed63ba0650cce4e0

    SHA512

    25aea20e1c68da9683e42bae4ce906c2de3fb527f9c81085c85e9d3f59d85e531c5279e60593f01d2c14b8ee1215b07930a1b0acc7620080ad556d79899aef24

  • C:\Windows\Temp\asw.8496c63a5483c22e\HTMLayout.dll

    Filesize

    3.4MB

    MD5

    515486f8eb028440f5c6679af15febfa

    SHA1

    42b9d9032c351e54eed42f5a60e06a676db0bee8

    SHA256

    7529f2294df32f70a933b044bc241966bf1b31f4a312b1b2d58d3515152d0e41

    SHA512

    12fbffac26d39e30a329a28230286ad098177b96361341c2fa2bd54c7c1abf515361dae0571c8b62308c98870b529925c8bebff616ede7ed351a823d8cfb4456

  • C:\Windows\Temp\asw.8496c63a5483c22e\Instup.dll

    Filesize

    16.3MB

    MD5

    6b86a7da767c529dddde5cf7955f2ea2

    SHA1

    ff2bd33133ca01b68e117834b1b9bf92a3fd2e5d

    SHA256

    b91e05f5a85cc570dae52b49dce29de1db778b322e7bdec1065f0ec6e163e71a

    SHA512

    b3e384bab230237e97d2c26ad9b1246343402936ea830772558c5fc143a2fd2b0edf471a257acbd698da9ad46b1fba005bc27ef76e446fe9114be200c0776ec5

  • C:\Windows\Temp\asw.8496c63a5483c22e\Instup.exe

    Filesize

    3.4MB

    MD5

    bcba54c439a6cd7067c7f4be8222af42

    SHA1

    ac9e41e57a6f4deb45e545946cec41dd2b6b0bf5

    SHA256

    25ace49b61a7a546d4ffda52748d419e7cad5f4df5424498349eb9bd23d62f90

    SHA512

    617836bf66faba386aae0619d5e36d881c4eadb13399ec117d02b0c3169a2e6365cde9be06f152e514667679659816bbe90c2127e4c25d02536e22fdf3bf7906

  • C:\Windows\Temp\asw.8496c63a5483c22e\aswOfferTool.exe

    Filesize

    2.3MB

    MD5

    44645c9f6d213d0f87608f4461046731

    SHA1

    c5b6af10b2abb6e1422f27102f1ea1fac59099b6

    SHA256

    42ec9cd1f6ea316265a93119c865692108ecfd2ab6f007e6d4a2725214e56079

    SHA512

    27d7d698099ff3fe1c0200093174765f1f8e56c5b011cf2bb5ebdb60b3b2fcb3fe32bdac5cf79f349eb698cad269a3d75f6410c82b1e05e3a9ace1b9a5e1f4cd

  • C:\Windows\Temp\asw.8496c63a5483c22e\config.def

    Filesize

    28KB

    MD5

    5a7719d8f91210806e0de046a2897b56

    SHA1

    7bd04389df2595ac430a2441418f60ce7c2d7846

    SHA256

    730cbc4d6a59b1bd3e47a34c20dd21c8b41bda0f1d8f870cbcaa9abcea088fea

    SHA512

    17eed350706beb5c88878a43d40cb5a453f00ab31fa5884e1fa2a3f76fbb028549705d31c584af89379db1a2a3477d72226271a5acf7b7244aad541a67fa33e6

  • C:\Windows\Temp\asw.8496c63a5483c22e\config.def

    Filesize

    40KB

    MD5

    09a26afb5b25f95b15e214f83f342100

    SHA1

    8af7434cbee2933be035be3e65398f94f86aaa3c

    SHA256

    c134e766093b1beb0e7a5ec7856e28937df3596314e4b553c78359cc72c19ec3

    SHA512

    8a13336514644e401091bee35203fd9b837f55d49c07741d24e3b7dce77997f85739eb17246660716e98fdd646539c9de053c2202cdf6403ab19b3f2ef6de699

  • C:\Windows\Temp\asw.8496c63a5483c22e\config.ini

    Filesize

    1KB

    MD5

    562e382e0d54322c62df5f6a1c79a90c

    SHA1

    a3373dfdce86ee877af1b6c00c93b845b44f69e9

    SHA256

    c755cf65a286ea14f702f7d87a60ab006513cc9863cc319aa142e2e74625edb6

    SHA512

    16051272cb04c8f3be5858851476533456ddeb5c377b9fdbdf3be47aafae59f5e202d972808fa1ae02c53d7331e912308c51e0241b71cf3d4cb1972b34ae70ce

  • C:\Windows\Temp\asw.8496c63a5483c22e\gcapi.dll

    Filesize

    867KB

    MD5

    3ead47f44293e18d66fb32259904197a

    SHA1

    e61e88bd81c05d4678aeb2d62c75dee35a25d16b

    SHA256

    e0d08b9da7e502ad8c75f8be52e9a08a6bcd0c5f98d360704173be33777e4905

    SHA512

    927a134bdaec1c7c13d11e4044b30f7c45bbb23d5caf1756c2beada6507a69df0a2e6252ec28a913861e4924d1c766704f1036d7fc39c6ddb22e5eb81f3007f0

  • C:\Windows\Temp\asw.8496c63a5483c22e\part-jrog2-141e.vpx

    Filesize

    702B

    MD5

    95e405699f512968a80e0c01bf99205a

    SHA1

    ab36f0c1f6d261262ca1d5267836e97cc42526ee

    SHA256

    bbff6e8371bed4c238b53c1c9dfd8ed36994f6fd68db224250fd3c0556b06898

    SHA512

    97eba5d7210819f8be1268aeb5f254a6d1bebf881dab24f990a4e2fb81eaeaf128bb125189fc92700625521d604dc957a886e6cf760154f2cb9a8c4efa747836

  • C:\Windows\Temp\asw.8496c63a5483c22e\part-prg_ais-180417e0.vpx

    Filesize

    74KB

    MD5

    010b32b4b577447101045f32f076e441

    SHA1

    9ddf3608765048d234cfc01fcce04f65ada018a0

    SHA256

    d3b2ea21a681047518df0ec68da6f2121ff26d4e10412665197361986ec9c2c3

    SHA512

    19ad1b0650321df771f61cad16838a607108f53707da471fd10de00a63756ac6ca4722ddc0e7e08a1cc26e2b4b4fdb32c45420f78f22d798adf868fe928cfba1

  • C:\Windows\Temp\asw.8496c63a5483c22e\part-setup_ais-180417e0.vpx

    Filesize

    4KB

    MD5

    7d99b56ebdc9d7b916fc2f42f54c1171

    SHA1

    47c4ec171248c1e31de40062aec51ffd63d40cad

    SHA256

    2a47e8af3f7be4f14fbc1fb141ee1d2db8d53aae946d632dac45446f968e4619

    SHA512

    e4b45dcd90e14fb61ea861b3b56ea718bd51c97a436532855ff29dd856ccb1a8f9b9f6d58ae32887a956b29ae9d209fb387c9b90809bfc884541d2f53bed4dfa

  • C:\Windows\Temp\asw.8496c63a5483c22e\part-vps_windows-24042902.vpx

    Filesize

    11KB

    MD5

    0ca004aaef835d6b30cc4d5754ed6639

    SHA1

    e771217a831a8c2afbbeab39f8fffd46d3b92ee5

    SHA256

    02e00417efd1cf171bcddb5f9453f5d6b278d72219a27fb0b5b6a602308aa342

    SHA512

    d24ad9439ba26a5fe840bcb835de2d1a2b47821e0ec20315871c75a971184fe8d94e66404a65c7094629c1f38c98eb0283726a70fe395132c9998d3ddb468077

  • C:\Windows\Temp\asw.8496c63a5483c22e\prod-pgm.vpx

    Filesize

    572B

    MD5

    f767ec2c67fcb174088857a0e5a7dfe9

    SHA1

    1f82e0ebabc7a81b8440f2cc658bc36ef80aa058

    SHA256

    026792f688139128de68a232bec5b0d59c002460d9aa1ab2cba6046be17b300c

    SHA512

    ca2bfe5360f28d21336338f4fc5d993cb6b2c1b3109522c607f9c784f05edc159f4fe44156171dd93e9f86a166469ccc4120291ddf1d14af4c77f096bd998d12

  • C:\Windows\Temp\asw.8496c63a5483c22e\prod-vps.vpx

    Filesize

    344B

    MD5

    3d6229735be0de243d57ed765e21f391

    SHA1

    967b83c77716e2e500f10f44008b2c196064652e

    SHA256

    182a84959f3ff27c94083e233e319ad6328453eddb367dd369226a843324090b

    SHA512

    8774e32b9f2967a03640554106a19ad7547b028ed3554cd23dac49bb1aa4788185225b1dfb6b73482e92f73647912222d1065f3c237ec6b7f1c673945468d11d

  • C:\Windows\Temp\asw.8496c63a5483c22e\servers.def

    Filesize

    29KB

    MD5

    8625cc598545b4313acb4c34cec05821

    SHA1

    5ff65be78f84c547f43e7109604fb579c98c0f2a

    SHA256

    4659553d6de4bb8fd5cb08f436274215b605dfc788824073721812bf40c7308d

    SHA512

    04a2c0b88a2e9248dc6b3292b52818d7cedded27b7dd76aa2c36755a8c35dc4b551f799076d4bcb2c4bebaf551ab7dc9ed1ca984c51c9824ffe0e7935427c9b5

  • C:\Windows\Temp\asw.8496c63a5483c22e\uat.dll

    Filesize

    26KB

    MD5

    18b6face0e9bde889dc1268e9912d5e8

    SHA1

    a4d6ed39c41feb742d7ca839461afb05b4ebbba7

    SHA256

    c80f8a0daf4b1fee5f44caf6b4574f3224008ea03f75a2717410261e0d38a709

    SHA512

    716735c9f7728a026f28461ba0081b6acb180ef5469ec7065a392e2cdb42cbdad7c65a9e93a15e010f25b2d2d0ff404031db0827cac0c8c87eb1735b62dca687

  • C:\Windows\Temp\asw.8496c63a5483c22e\uat.vpx

    Filesize

    15KB

    MD5

    16d1b7886ec2231630f1cc9e823843a2

    SHA1

    25708f9ba0f774b252a019fed30b395ce994f47a

    SHA256

    3c570c42f6e66510e6a9666e3f9e3c3243cfff852b62c78a006c0261241e348f

    SHA512

    bb234c1b43ab7a8c92d94e8b35728659ccb550fa0f026d5859a10c637f5dd35a8d65c222d6ea6b089a27d0c2e717daa69a1442752d0fd5b417a0ecc5a0381fc6