Overview

overview

10

Static

static

3

Installer_RedAV.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    Installer_RedAV.exe

  • Size

    314.4MB

  • Sample

    240507-d5yg5sbc58

  • MD5

    2fe1c37140d50809f72733a5849e394a

  • SHA1

    b1699b730dfb19afb3c500ccb2c449a7559f4c1c

  • SHA256

    044156a9512adae0778149ef31a26ebcc28bcb3d352eb52daf9abd019de3194a

  • SHA512

    231d0b158ff61bc9a8595647a4d29922827634a16bcaa8d08e91a15a03db49e4d4f8cbf893ba64a775a091e93ccb16054e1a2ac248a41dd424e489d291181398

  • SSDEEP

    6291456:Odzj20Usw7QASDCMBZSgbDmp+lmHZ/Ancg3oA0SdH7FgQdvtFb8jg:OhjKsw7ymMOgfmMkHZYnc8F0Sd7FNdvz

Score
10/10
discoveryevasionexecutionpersistencetrojan

Malware Config

Targets

    • Target

      Installer_RedAV.exe

    • Size

      314.4MB

    • MD5

      2fe1c37140d50809f72733a5849e394a

    • SHA1

      b1699b730dfb19afb3c500ccb2c449a7559f4c1c

    • SHA256

      044156a9512adae0778149ef31a26ebcc28bcb3d352eb52daf9abd019de3194a

    • SHA512

      231d0b158ff61bc9a8595647a4d29922827634a16bcaa8d08e91a15a03db49e4d4f8cbf893ba64a775a091e93ccb16054e1a2ac248a41dd424e489d291181398

    • SSDEEP

      6291456:Odzj20Usw7QASDCMBZSgbDmp+lmHZ/Ancg3oA0SdH7FgQdvtFb8jg:OhjKsw7ymMOgfmMkHZYnc8F0Sd7FNdvz

    Score
    10/10
    discoveryevasionexecutionpersistencetrojan

    • Modifies WinLogon for persistence

      persistence

    • UAC bypass

      evasiontrojan

    • Disables Task Manager via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks