| File name: | avastclear.exe |
| Full analysis: | https://app.any.run/tasks/b89e5c52-5ef2-467c-9aef-8bce98f1aa89 |
| Verdict: | Malicious activity |
| Analysis date: | June 08, 2024, 20:29:41 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | F5A3E69A5A2457C3FA2AA6FC284055A5 |
| SHA1: | 61ED7E59F296BE4D7B36E6086F2F0FA3A7D97B75 |
| SHA256: | 3CAC2FCE120E9244D4EA7B7CDBFCDC6E2A950C0702C21438319FBB699DF25C3E |
| SSDEEP: | 98304:6geSZ9Lc8zZJX73CTTYr2P/ECO82EX7c5wvosxQJXVjyTh9IawDPj6fTkms5KpSt:z6tgAYCoVR/t9qtfbxdna+ |
MALICIOUS
Drops the executable file immediately after the start
- avastclear.exe (PID: 4988)
- Instup.exe (PID: 3656)
Changes the autorun value in the registry
- Instup.exe (PID: 3656)
SUSPICIOUS
Executable content was dropped or overwritten
- avastclear.exe (PID: 4988)
- Instup.exe (PID: 3656)
The process verifies whether the antivirus software is installed
- Instup.exe (PID: 3656)
INFO
Reads CPU info
- avastclear.exe (PID: 4988)
- Instup.exe (PID: 3656)
Checks supported languages
- avastclear.exe (PID: 4988)
- Instup.exe (PID: 3656)
Reads the computer name
- avastclear.exe (PID: 4988)
- Instup.exe (PID: 3656)
Creates files in the program directory
- avastclear.exe (PID: 4988)
- Instup.exe (PID: 3656)
Reads the software policy settings
- avastclear.exe (PID: 4988)
- Instup.exe (PID: 3656)
Checks proxy server information
- avastclear.exe (PID: 4988)
- Instup.exe (PID: 3656)
Reads the machine GUID from the registry
- avastclear.exe (PID: 4988)
- Instup.exe (PID: 3656)
Reads Environment values
- Instup.exe (PID: 3656)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (76.4) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (12.4) |
| .exe | | | Generic Win/DOS Executable (5.5) |
| .exe | | | DOS Executable Generic (5.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:02:01 15:01:26+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware, 32-bit, Net run from swap |
| PEType: | PE32 |
| LinkerVersion: | 14.38 |
| CodeSize: | 980480 |
| InitializedDataSize: | 522752 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x3f1b0 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 24.1.8821.0 |
| ProductVersionNumber: | 24.1.8821.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | AVAST Software |
| LegalCopyright: | Copyright (c) 2024 AVAST Software |
| FileDescription: | Avast Antivirus |
| FileVersion: | 24.1.8821.0 |
| InternalName: | SfxInst |
| OriginalFileName: | SfxInst.exe |
| ProductName: | Avast Antivirus |
| ProductVersion: | 24.1.8821.0 |
| ProductId: | avast-av |
Total processes
125
Monitored processes
11
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1008 | "C:\WINDOWS\system32\bcdedit.exe" /bootsequence {current} | C:\Windows\System32\bcdedit.exe | — | Instup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Boot Configuration Data Editor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3656 | "C:\WINDOWS\Temp\asw.09d88a8094f43751\instup.exe" /sfx:clear /sfxstorage:C:\WINDOWS\Temp\asw.09d88a8094f43751 /prod:ais /wait /stub_mapping_guid:6013a6b9-6469-4a51-8b32-dc11f0663ed5:14160480 | C:\Windows\Temp\asw.09d88a8094f43751\Instup.exe | avastclear.exe | ||||||||||||
User: admin Company: AVAST Software Integrity Level: HIGH Description: Avast Antivirus Installer Exit code: 40963 Version: 24.1.8821.0 Modules
| |||||||||||||||
| 3692 | "C:\Users\admin\Desktop\avastclear.exe" | C:\Users\admin\Desktop\avastclear.exe | — | explorer.exe | |||||||||||
User: admin Company: AVAST Software Integrity Level: MEDIUM Description: Avast Antivirus Exit code: 3221226540 Version: 24.1.8821.0 Modules
| |||||||||||||||
| 4196 | "C:\WINDOWS\system32\bcdedit.exe" /v | C:\Windows\System32\bcdedit.exe | — | Instup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Boot Configuration Data Editor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4620 | "C:\WINDOWS\system32\bcdedit.exe" /copy {{current}} /d "Avast Antivirus Clear Uninstall" | C:\Windows\System32\bcdedit.exe | — | Instup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Boot Configuration Data Editor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4988 | "C:\Users\admin\Desktop\avastclear.exe" | C:\Users\admin\Desktop\avastclear.exe | explorer.exe | ||||||||||||
User: admin Company: AVAST Software Integrity Level: HIGH Description: Avast Antivirus Exit code: 40963 Version: 24.1.8821.0 Modules
| |||||||||||||||
| 4996 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | bcdedit.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5528 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | bcdedit.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5716 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | bcdedit.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5836 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | bcdedit.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
8 394
Read events
8 305
Write events
67
Delete events
22
Modification events
| (PID) Process: | (4988) avastclear.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Avast Software |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4988) avastclear.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Avast Software |
| Operation: | write | Name: | SymbolicLinkValue |
Value: \Registry\MACHINE\SOFTWARE\Avast Software | |||
| (PID) Process: | (4988) avastclear.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage |
| Operation: | write | Name: | SfxInstProgress |
Value: 0 | |||
| (PID) Process: | (4988) avastclear.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage |
| Operation: | write | Name: | SfxInstProgress |
Value: 5 | |||
| (PID) Process: | (4988) avastclear.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage |
| Operation: | write | Name: | SfxInstProgress |
Value: 11 | |||
| (PID) Process: | (4988) avastclear.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage |
| Operation: | write | Name: | SfxInstProgress |
Value: 16 | |||
| (PID) Process: | (4988) avastclear.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage |
| Operation: | write | Name: | SfxInstProgress |
Value: 22 | |||
| (PID) Process: | (4988) avastclear.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage |
| Operation: | write | Name: | SfxInstProgress |
Value: 27 | |||
| (PID) Process: | (4988) avastclear.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage |
| Operation: | write | Name: | SfxInstProgress |
Value: 33 | |||
| (PID) Process: | (4988) avastclear.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AvastPersistentStorage |
| Operation: | write | Name: | SfxInstProgress |
Value: 38 | |||
Executable files
7
Suspicious files
11
Text files
12
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4988 | avastclear.exe | C:\WINDOWS\Temp\asw.09d88a8094f43751\servers.def | ini | |
MD5:328DF5A6F079158F02FA851462750ACC | SHA256:89F57671B7CC33D68B04D22791ED81EB5AF888C22F54E0F0D2E933E62B2931B0 | |||
| 4988 | avastclear.exe | C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Clear.log | text | |
MD5:ECAA88F7FA0BF610A5A26CF545DCD3AA | SHA256:F1945CD6C19E56B3C1C78943EF5EC18116907A4CA1EFC40A57D48AB1DB7ADFC5 | |||
| 4988 | avastclear.exe | C:\WINDOWS\Temp\asw.09d88a8094f43751\part-jrog2-132c.vpx | binary | |
MD5:F757934C2D28D322FCA999FFAFDB4584 | SHA256:09C79062FED78B3BB7BB1DA546014D812FE77904A3F161B4908DC5724FF86A12 | |||
| 4988 | avastclear.exe | C:\WINDOWS\Temp\asw.09d88a8094f43751\part-setup_ais-180117d3.vpx | binary | |
MD5:72FEEE470E611C17FCB9494E9BF08B7D | SHA256:DED1EDCAD352CB5236D924F34FEEDEE238DA2B510B36701DE35F1C001D3A5697 | |||
| 4988 | avastclear.exe | C:\WINDOWS\Temp\asw.09d88a8094f43751\Instup.exe | executable | |
MD5:DE156A9DF037FF5EEB191C4328A7D0AE | SHA256:B23972A413A0C1BFA3FAA284F89F5BA811BCEE156CC6E4DA96E3E7325530798D | |||
| 4988 | avastclear.exe | C:\WINDOWS\Temp\asw.09d88a8094f43751\part-prg_ais-180117d3.vpx | binary | |
MD5:C9AB86327CC6D1B698906C6B42364040 | SHA256:918DFC9B513535FDA13A3A1F1BB3741728936BD9B355958288A395F68090B81F | |||
| 4988 | avastclear.exe | C:\WINDOWS\Temp\asw.09d88a8094f43751\config.def | ini | |
MD5:12774C43E92F60CC72545917CA226AA1 | SHA256:DDD77710A67F3B37298429B1A4A0D9B952084AF42FF96454DF364F42F9B7DA60 | |||
| 4988 | avastclear.exe | C:\WINDOWS\Temp\asw.09d88a8094f43751\uat.vpx | binary | |
MD5:C408FB4BC7CE0E9C9E7DD18BF09619E8 | SHA256:FAB3B2329B602F9F443567CB75B2BDD57E91C50123390F4B3E36752E18997903 | |||
| 4988 | avastclear.exe | C:\WINDOWS\Temp\asw.09d88a8094f43751\prod-pgm.vpx | binary | |
MD5:48CADB7D59DAF8E3B51175F48554E58D | SHA256:FA9CDCDDE4F1FB32E7F7BFF8CD5DF48EF4B3ECC29CEC6803E7DD3F7BB63A35A3 | |||
| 4988 | avastclear.exe | C:\WINDOWS\Temp\asw.09d88a8094f43751\prod-vps.vpx | binary | |
MD5:7366BD32AA01DC9CA58F78F895D87EB4 | SHA256:CD07142FB15B5537BA82395C1420089D1A844D8F62F199FEE1D4FEBFA45270DC | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
34
DNS requests
17
Threats
2
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2384 | RUXIMICS.exe | GET | 200 | 2.17.147.64:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
5952 | svchost.exe | GET | 200 | 2.17.147.64:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
5140 | MoUsoCoreWorker.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
— | — | POST | 204 | 2.19.173.42:443 | https://www.bing.com/threshold/xls.aspx | unknown | — | — | unknown |
— | — | POST | 204 | 34.117.223.223:443 | https://v7event.stats.avast.com/cgi-bin/iavsevents.cgi | unknown | — | — | unknown |
— | — | POST | 204 | 2.19.173.75:443 | https://www.bing.com/threshold/xls.aspx | unknown | — | — | unknown |
— | — | GET | 200 | 2.19.173.35:443 | https://r.bing.com/rb/17/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DygxdoIBhQGIAX95fLsBvgExrgExwQE&or=w | unknown | s | 21.3 Kb | unknown |
— | — | POST | 200 | 34.160.176.28:443 | https://shepherd.ff.avast.com/ | unknown | ini | 29.0 Kb | unknown |
— | — | POST | 200 | 34.117.223.223:443 | https://analytics.avcdn.net/v4/receive/json/70 | unknown | binary | 19 b | unknown |
— | — | POST | 200 | 34.160.176.28:443 | https://shepherd.ff.avast.com/ | unknown | ini | 29.4 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
— | — | 239.255.255.250:1900 | — | — | — | unknown |
2384 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5140 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2384 | RUXIMICS.exe | 2.17.147.64:80 | crl.microsoft.com | Akamai International B.V. | CZ | unknown |
5952 | svchost.exe | 2.17.147.64:80 | crl.microsoft.com | Akamai International B.V. | CZ | unknown |
5140 | MoUsoCoreWorker.exe | 2.17.147.64:80 | crl.microsoft.com | Akamai International B.V. | CZ | unknown |
5140 | MoUsoCoreWorker.exe | 2.19.217.218:80 | www.microsoft.com | Akamai International B.V. | NL | unknown |
2384 | RUXIMICS.exe | 2.19.217.218:80 | www.microsoft.com | Akamai International B.V. | NL | unknown |
5952 | svchost.exe | 2.19.217.218:80 | www.microsoft.com | Akamai International B.V. | NL | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
analytics.avcdn.net |
| unknown |
v7event.stats.avast.com |
| whitelisted |
shepherd.ff.avast.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
r.bing.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Generic Protocol Command Decode | SURICATA HTTP Request abnormal Content-Encoding header |
— | — | Generic Protocol Command Decode | SURICATA HTTP Request abnormal Content-Encoding header |
Process | Message |
|---|---|
avastclear.exe | [2024-06-08 20:29:56.682] [info ] [sfxinst ] [ 4988: 3916] [7361C5: 370] Running SFX 'C:\Users\admin\Desktop\avastclear.exe'
|
avastclear.exe | [2024-06-08 20:30:01.104] [info ] [sfxstats ] [ 4988: 1112] [03AC9E: 149] Statistics sent successfully.
|
avastclear.exe | [2024-06-08 20:30:12.276] [notice ] [burger_rep ] [ 4988: 4108] [64A1D8: 66] The event '70.1' was successfully sent to burger: https://analytics.avcdn.net/v4/receive/json/70.
|
avastclear.exe | [2024-06-08 20:30:13.276] [info ] [sfxinst ] [ 4988: 3916] [7361C5: 881] Starting installer/updater executable 'C:\WINDOWS\Temp\asw.09d88a8094f43751\instup.exe'
|
Instup.exe | [2024-06-08 20:30:13.588] [info ] [instup ] [ 3656: 4128] [87A008:2686] Memory: 34% load. Phys:2725436/4188620K free, Page:3686208/4194303K free, Virt:3987972/4194176K free
|
Instup.exe | [2024-06-08 20:30:13.588] [info ] [instup ] [ 3656: 4128] [87A008:2672] setup: x86
|
Instup.exe | [2024-06-08 20:30:13.588] [info ] [instup ] [ 3656: 4128] [87A008:2734] Running module version: Instup.dll - '24.1.8821.0'
|
Instup.exe | [2024-06-08 20:30:13.588] [info ] [instup ] [ 3656: 4128] [87A008:2719] Running module version: instup.exe - '24.1.8821.0'
|
Instup.exe | [2024-06-08 20:30:13.588] [debug ] [repsup ] [ 3656: 4128] [B909FF: 58] PfroMutant: \PendingRenameMutex mutant has been successfully opened.
|
Instup.exe | [2024-06-08 20:30:13.588] [info ] [instup ] [ 3656: 4128] [87A008:2658] Command: '"C:\WINDOWS\Temp\asw.09d88a8094f43751\instup.exe" /sfx:clear /sfxstorage:C:\WINDOWS\Temp\asw.09d88a8094f43751 /prod:ais /wait /stub_mapping_guid:6013a6b9-6469-4a51-8b32-dc11f0663ed5:14160480'
|