Basic Information:
------------------------------------------
Target OS: Windows
Target Arch: Intel 32-bit (x86)
File Type: PE32 Executable
Lang: C
Size: 7.7M
MD5SUM: 93079febb3eed5e2ba3dbbcd27c12112
Test Environment:
- Any Run
 \
  |--> Windows 7 pro 32-bit

- Hybrid Analysis
 \
  |--> CrowdStrike Falcon
  |--> MetaDefender
  |--> VirusTotal
------------------------------------------
 
Functions:
------------------------------------
- Registry
 \
  |--> RegQueryInfoKeyW
  |--> RegQueryValueExW
  |--> RegCloseKey
  |--> RegCreateKeyExW
  |--> RegSetValueExW
  |--> RegDeleteValueW

- System information / exception handling (ntdll exports, not registry calls)
 \
  |--> RtlGetVersion
  |--> RtlUnwind

- File
 \
  |--> CreateFileW
  |--> ReadFile
  |--> WriteFile
  |--> DeleteFileW
  |--> FindResourceW
  |--> FindFirstFileExW
  |--> NtQueryDirectoryFile
  |--> MapViewOfFile
  |--> SetFileTime
  |--> SetFilePointer
  |--> SetFilePointerEx
  |--> GetSystemTimeAsFileTime
  |--> GetFileType
  |--> GetModuleFileNameW
  |--> SystemTimeToFileTime
  |--> FileTimeToSystemTime
  |--> MoveFileExW
  |--> FlushFileBuffers
  |--> SetEndOfFile
  |--> GetFileInformationByHandle
  |--> SetFileAttributesW
  |--> GetFileAttributesW
  |--> GetFileSize
  |--> GetFileSizeEx
  |--> FindFirstFileW

- Process
 \
  |--> VirtualAlloc
  |--> GlobalAlloc
  |--> HeapAlloc
  |--> VirtualProtect
  |--> WriteProcessMemory
  |--> AdjustTokenPrivileges
  |--> IsWow64Process
  |--> GetProcAddress
  |--> ExitProcess
  |--> GetExitCodeProcess
  |--> TerminateProcess
  |--> GetProcessHeap
  |--> OpenProcessToken
  |--> CreateProcessW

- Handling modules/resources
 \
  |--> LoadLibraryExA
  |--> LoadResource
  |--> LoadLibraryW
  |--> LoadLibraryExW
  |--> SetDllDirectoryW

- Evasion/Bypassing
 \
  |--> IsDebuggerPresent
  |--> GetTickCount
  |--> NtQueryInformationProcess
  |--> OutputDebugStringA

- Service control (the tool files ControlService under persistence; on its own it only sends a control code to an already-installed service and does not create one)
 \
  |--> ControlService

- Cryptography
 \
  |--> CryptReleaseContext
------------------------------------

Abilities:
--------------------------------------------
- Drops files flagged by the tooling as probably malicious
 \
  |--> instup.exe
  |--> HTMLayout.dll
  |--> Instup.dll
  |--> uat_772.dll
  Caveat: these file names, the /prod:ais switch, the Asw_ mutex, the aswSP/aswFsBlk services and the avast.com hosts in this report are all consistent with the Avast antivirus installer, which fits the 3/71 VirusTotal result; treat the "malicious" label as the tool's heuristic, not a verdict.

- It opens, writes, copies and drops files
- It creates processes and mutexes
 \
  |--> C:\Windows\Temp\asw.f4bab7c92f2d794d\instup.exe /sfx:lite /sfxstorage:C:\Windows\Temp\asw.f4bab7c92f2d794d /edition:1 /prod:ais /guid:3815c448-86e3-4a36-b8b4-d619568d1d61 /ga_clientid:b1dad50c-e748-4af5-b126-b822bf7dcc36
  |--> Global\Asw_691b03d0f47d62b1a66bf385ae14be7a <- Mutex
  Note: the /guid: value on the command line reappears as the cid= parameter of the google-analytics.com URL under Connections, which ties that beacon to this process.

- It opens and sets Windows Registry keys
- It opens services
 \
  |--> aswSP
  |--> aswFsBlk
  |--> avast! Antivirus

- It loads its own certificates
--------------------------------------------
 
Connections:
------------------------------------
- URL:
 \
  |--> http://www.google-analytics.com/collect?an=Free&av=20.2.5130&cd=stub-extended&cd3=Online&cid=3815c448-86e3-4a36-b8b4-d619568d1d61&dt=Installation&t=screenview&tid=UA-58120669-3&v=1
  |--> http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi
  |--> http://b1477563.iavs9x.u.avast.com/iavs9x/servers.def.vpx
  |--> http://d4479313.iavs9x.u.avast.com/iavs9x/prod-pgm.vpx

- Domains:
 \
  |--> iavs9x4.u.avcdn.net.edgesuite.net
  |--> l2350042.iavs9x.u.avast.com
  |--> shepherd.ff.avast.com
  |--> a117.d.akamai.net
  |--> s-iavs9x.avcdn.net
  |--> d4479313.iavs9x.u.avast.com
  |--> k8528219.iavs9x.u.avast.com
  |--> fallbackupdates.avcdn.net.edgekey.net
  |--> analytics.ns1.ff.avast.com
  |--> p3357684.iavs9x.u.avast.com
  |--> shepherd.ns1.ff.avast.com
  |--> e9229.dscd.akamaiedge.net
  |--> b1477563.iavs9x.u.avast.com
  |--> www-google-analytics.l.google.com
  |--> v7event.stats.avast.com
  |--> analytics.ff.avast.com
  |--> www.google-analytics.com

- Reverse DNS (PTR) lookups seen in the same capture (these are not hosts the sample connects to; the IP each name maps back to is given after it):
 \
  |--> 142.22.217.172.in-addr.arpa (172.217.22.142, the Google address listed below)
  |--> 244.209.58.216.in-addr.arpa (216.58.209.244, not among the contacted IPs below)
  |--> 96.34.21.2.in-addr.arpa (2.21.34.96, an Akamai address listed below)
  |--> 8.8.8.8.in-addr.arpa (8.8.8.8, the Google DNS resolver listed below)
  |--> 168.34.21.2.in-addr.arpa (2.21.34.168, an Akamai address listed below)

IP Addresses (one entry per address; the original listing repeated 69.94.77.201 and 5.62.53.160 once per port):
- 69.94.77.201
 \
  |--> Whitelisted
  |--> Alive host
  |--> Location => Czechia, Prague
  |--> Connects with 80(http), 137(UDP)
  |--> ASN => AVAST-AS-DC

- 172.217.22.142
 \
  |--> Whitelisted
  |--> Alive host
  |--> Location => France, Paris
  |--> Connects with 80(http)
  |--> ASN => GOOGLE

- 5.62.53.160
 \
  |--> Whitelisted
  |--> Alive host
  |--> Location => Czechia, Prague
  |--> Connects with 443(https), 137(UDP)
  |--> ASN => AVAST-AS-DC

- 2.21.34.168
 \
  |--> Probably whitelisted
  |--> Alive host
  |--> Location => France, Castres
  |--> Connects with 80(http)
  |--> ASN => AKAMAI-ASN1

- 2.21.34.96
 \
  |--> Probably whitelisted
  |--> Alive host
  |--> Location => France, Castres
  |--> Connects with 80(http)
  |--> ASN => AKAMAI-ASN1

- 8.8.8.8
 \
  |--> Whitelisted
  |--> Alive host
  |--> Location => US, New Jersey
  |--> Connects with 53(UDP)
  |--> ASN => GOOGLE

Note on 137(UDP): this is the NetBIOS name service port. On Windows, a node-status query on UDP 137 to a remote address is most likely the OS's own name-resolution fallback that accompanies the reverse DNS lookups listed above, not a channel the sample opens itself; confirm from the pcap before treating it as sample behaviour.
------------------------------------
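The Abilities and Connections sections above contain identifiers that should be cross-checked rather than read in isolation: the /guid: switch on the instup.exe command line, the cid= parameter of the google-analytics.com hit, the hex suffix of the Asw_ mutex, and the in-addr.arpa names that are reverse lookups of the contacted IPs. The following script is an added example (not part of the original report and not Qu1cksc0pe or sandbox code) that takes those artifacts, copied from this page as constructed input, and performs the correlation an analyst would do by hand: it parses the installer switches, decodes the Measurement Protocol hit, turns each PTR name back into an IP and matches it against the contacted-IP list, and checks whether the mutex suffix is simply the sample's MD5. The domain list is a subset of the one above, which is enough to show every PTR case.

```python
import re
from urllib.parse import urlparse, parse_qs

# Artifacts copied from the report above; these strings are constructed input
# for this example, not output of the tooling.
SAMPLE_MD5 = "93079febb3eed5e2ba3dbbcd27c12112"
MUTEX = r"Global\Asw_691b03d0f47d62b1a66bf385ae14be7a"
CMDLINE = (r"C:\Windows\Temp\asw.f4bab7c92f2d794d\instup.exe /sfx:lite"
           r" /sfxstorage:C:\Windows\Temp\asw.f4bab7c92f2d794d /edition:1 /prod:ais"
           r" /guid:3815c448-86e3-4a36-b8b4-d619568d1d61"
           r" /ga_clientid:b1dad50c-e748-4af5-b126-b822bf7dcc36")
GA_URL = ("http://www.google-analytics.com/collect?an=Free&av=20.2.5130"
          "&cd=stub-extended&cd3=Online&cid=3815c448-86e3-4a36-b8b4-d619568d1d61"
          "&dt=Installation&t=screenview&tid=UA-58120669-3&v=1")
DOMAINS = [  # subset of the Domains list in the report
    "iavs9x4.u.avcdn.net.edgesuite.net", "l2350042.iavs9x.u.avast.com",
    "142.22.217.172.in-addr.arpa", "shepherd.ff.avast.com",
    "244.209.58.216.in-addr.arpa", "a117.d.akamai.net", "s-iavs9x.avcdn.net",
    "96.34.21.2.in-addr.arpa", "8.8.8.8.in-addr.arpa",
    "www-google-analytics.l.google.com", "v7event.stats.avast.com",
    "168.34.21.2.in-addr.arpa", "www.google-analytics.com",
]
CONTACTED_IPS = ["69.94.77.201", "172.217.22.142", "5.62.53.160",
                 "2.21.34.168", "2.21.34.96", "8.8.8.8"]


def parse_switches(cmdline):
    """Map the installer's /name:value switches to a dict (a value runs to the next space)."""
    return dict(re.findall(r"/([A-Za-z_]+):(\S+)", cmdline))


def ga_hit_params(url):
    """Decode a Google Analytics Measurement Protocol hit into its query parameters."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def ptr_to_ip(name):
    """Turn a reverse-DNS name such as 142.22.217.172.in-addr.arpa back into 172.217.22.142."""
    m = re.fullmatch(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa", name)
    return ".".join(reversed(m.groups())) if m else None


def mutex_hex_suffix(mutex):
    """Return the trailing 32-hex-digit token of a mutex name (MD5-shaped), or None."""
    m = re.search(r"([0-9a-fA-F]{32})$", mutex)
    return m.group(1).lower() if m else None


def correlate(cmdline, ga_url, domains, ips, mutex, sample_md5):
    """Cross-check the process, beacon, DNS and mutex artifacts against each other."""
    sw = parse_switches(cmdline)
    ga = ga_hit_params(ga_url)
    ptr = {d: ptr_to_ip(d) for d in domains if d.endswith(".in-addr.arpa")}
    return {
        "switches": sw,
        # the /guid: switch is what the beacon sends as its client id
        "guid_matches_ga_cid": sw.get("guid") == ga.get("cid"),
        # the /ga_clientid: switch, despite its name, does not appear in the hit
        "ga_clientid_seen_in_hit": sw.get("ga_clientid") in ga.values(),
        "ptr_lookups": ptr,
        "ptr_with_contacted_ip": sorted(ip for ip in ptr.values() if ip in ips),
        "ptr_without_contacted_ip": sorted(ip for ip in ptr.values() if ip not in ips),
        # a hash-shaped mutex suffix is worth comparing with the sample hash
        "mutex_suffix_is_sample_md5": mutex_hex_suffix(mutex) == sample_md5.lower(),
    }


if __name__ == "__main__":
    result = correlate(CMDLINE, GA_URL, DOMAINS, CONTACTED_IPS, MUTEX, SAMPLE_MD5)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run as-is it reports that the /guid: value is the beacon's cid, that four of the five PTR names map to addresses in the contacted-IP list (216.58.209.244 does not, so it was resolved but never reached on a captured port), and that the mutex suffix is not the sample's MD5, so it was derived from something other than the file itself.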
 
Detected by:
------------------------------------
- VirusTotal
 \
  |--> 3/71

- Hybrid Analysis
 \
  |--> CrowdStrike Falcon
   \-> Not Detected
   /
  |--> MetaDefender
   \-> 4%
   /
  |--> VirusTotal
   \-> 4% (3/71)

- Scan reports
 \
  |--> Any Run
   \-> https://app.any.run/tasks/3a2286be-ae7f-4581-a447-20dd83a512d1
   /
  |--> Hybrid Analysis
   \-> https://www.hybrid-analysis.com/sample/38d34ea4d47df5c2ff52c103488dc5a15384a1f5cf26c5d786ebe7c312b63117
   /
  |--> VirusTotal
   \-> https://www.virustotal.com/gui/file/38d34ea4d47df5c2ff52c103488dc5a15384a1f5cf26c5d786ebe7c312b63117/detection
------------------------------------
 
Linked DLL Files:
------------------------------------
- WINHTTP.dll
- VERSION.dll
- USER32.dll
- GDI32.dll
- ADVAPI32.dll
- SHELL32.dll
- ole32.dll
- gdiplus.dll
- SHLWAPI.dll
- kernel32.dll (imported under two spellings, kernel32.dll and KERNEL32.dll, i.e. two import descriptors for the same module)
- ntdll.dll
- RPCRT4.dll
------------------------------------
 
Used Tools During Tests:
----------------------------------------------
- Qu1cksc0pe
 \
  |--> https://github.com/CYB3RMX/Qu1cksc0pe

- Sandbox Environments
 \
  |--> https://www.virustotal.com
  |--> https://www.hybrid-analysis.com
  |--> https://app.any.run

- strings
- rabin2 (radare2)
----------------------------------------------
