General

Target: avg_antivirus_free_setup.exe
Size: 229KB
Sample: 240909-y495rsyajk
MD5: 5ed12c69e3181185aab83b93908cca56
SHA1: 330589831a892e3c6ddcf8b0ac73c738915d632d
SHA256: 96443962884990d60e73c19eb3317858c395da8a09887bf6c48d09d2ba52df5e
SHA512: 4ee36b34aefa30344b7776424cfce8841fc2425bfd37d27f19083aaa33bea470849f16ac7f23cdcf2dbcdbbeafcccf0b078df6fd677dc934f45ba9bbc07458c1
SSDEEP: 3072:x2RaiKg4xmUh1WXHqw/l+qmOELhakVsm3mxB32tLEv8zfdn5f2dZLCoKOhhXK0K3:x0KgGwHqwOOELha+sm2D2+UhngN9K4r

Static task: static1
Behavioral task: behavioral1
Sample: avg_antivirus_free_setup.exe
Resource: win10v2004-20240802-en
Malware Config

Targets

Target: avg_antivirus_free_setup.exe
Size: 229KB
MD5: 5ed12c69e3181185aab83b93908cca56
SHA1: 330589831a892e3c6ddcf8b0ac73c738915d632d
SHA256: 96443962884990d60e73c19eb3317858c395da8a09887bf6c48d09d2ba52df5e
SHA512: 4ee36b34aefa30344b7776424cfce8841fc2425bfd37d27f19083aaa33bea470849f16ac7f23cdcf2dbcdbbeafcccf0b078df6fd677dc934f45ba9bbc07458c1
SSDEEP: 3072:x2RaiKg4xmUh1WXHqw/l+qmOELhakVsm3mxB32tLEv8zfdn5f2dZLCoKOhhXK0K3:x0KgGwHqwOOELha+sm2D2+UhngN9K4r
Signatures

- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in Drivers directory
- Sets service image path in registry
- Uses Session Manager for persistence
  Creates a Session Manager registry key to run an executable early in system boot.
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks for any installed AV software in registry
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Event Triggered Execution: Image File Execution Options Injection
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- YARA rule for Mozi IoT Botnet
  Mozi IoT Botnet detection.
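Six of the signatures above (Session Manager key, service image path, Run key, IFEO injection, COM hijacking, Safe Mode Boot) are all registry value writes, so they surface in the same telemetry on a monitored host: Sysmon Event ID 13 (RegistryEvent, SetValue). The script below is an added triage example, not code from the sandbox or from the sample's vendor, that maps such records to the report's indicator names and flags non-stock BootExecute entries. The event records, SIDs, file names and the CLSID in it are constructed placeholders, not data taken from this sample. MBR writes, drive enumeration and the country-code lookup are reads or disk-level operations and are outside what this event type shows.

```python
"""Registry-persistence triage for Sysmon Event ID 13 (RegistryEvent SetValue)
style records.  Added example for this report, not the sandbox's or the sample
vendor's code; every event record below is constructed test data."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicator name (worded as in the sandbox report) -> pattern on TargetObject.
# Sysmon renders a key's default value as "(Default)" at the end of TargetObject.
RULES: list[tuple[str, re.Pattern[str]]] = [
    ("Adds Run key to start application",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)),
    ("Uses Session Manager for persistence",
     re.compile(r"\\Control\\Session Manager\\BootExecute$", re.I)),
    ("Event Triggered Execution: Image File Execution Options Injection",
     re.compile(r"\\Image File Execution Options\\[^\\]+\\Debugger$", re.I)),
    ("Event Triggered Execution: Component Object Model Hijacking",
     re.compile(r"\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\(InprocServer32|LocalServer32)\\\(Default\)$", re.I)),
    ("Sets service image path in registry",
     re.compile(r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)),
    ("Impair Defenses: Safe Mode Boot",
     re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.I)),
]

# Stock BootExecute on Windows 10: anything beyond this is an extra native
# image that smss.exe runs before the service control manager starts.
DEFAULT_BOOTEXECUTE = ("autocheck autochk *",)


@dataclass(frozen=True)
class RegEvent:
    image: str    # Image: the process that performed the write
    target: str   # TargetObject: full key\value path
    details: str  # Details: new data (REG_MULTI_SZ entries joined with '\n' here; assumption)


def match_rules(event: RegEvent) -> list[str]:
    """Return the names of every indicator whose pattern matches the written value path."""
    return [name for name, rx in RULES if rx.search(event.target)]


def unexpected_bootexecute(details: str) -> list[str]:
    """Return BootExecute entries that are not the stock autochk entry."""
    entries = [e.strip() for e in details.split("\n") if e.strip()]
    return [e for e in entries if e not in DEFAULT_BOOTEXECUTE]


def triage(events: list[RegEvent]) -> dict[str, list[tuple[str, str, str]]]:
    """Group matching events by indicator: {indicator: [(image, target, details), ...]}."""
    hits: dict[str, list[tuple[str, str, str]]] = {}
    for ev in events:
        for name in match_rules(ev):
            hits.setdefault(name, []).append((ev.image, ev.target, ev.details))
    return hits


# Constructed records: a hypothetical second-stage process writing the six
# persistence locations, plus one benign Explorer setting as negative control.
_IMG = r"C:\Users\user\AppData\Local\Temp\stage2.exe"
_HKU = r"HKU\S-1-5-21-0-0-0-1001"
SAMPLE_EVENTS = [
    RegEvent(_IMG, _HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
             r"C:\Users\user\AppData\Roaming\upd.exe"),
    RegEvent(_IMG, r"HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute",
             "autocheck autochk *\nsvcboot.exe"),
    RegEvent(_IMG, r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                   r"\Image File Execution Options\notepad.exe\Debugger",
             r"C:\Windows\Temp\hook.exe"),
    RegEvent(_IMG, _HKU + r"\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}"
                   r"\InprocServer32\(Default)",
             r"C:\Users\user\AppData\Roaming\com.dll"),
    RegEvent(_IMG, r"HKLM\System\CurrentControlSet\Services\svcboot\ImagePath",
             r"\SystemRoot\System32\drivers\svcboot.sys"),
    RegEvent(_IMG, r"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\svcboot\(Default)",
             "Driver"),
    RegEvent(r"C:\Windows\explorer.exe",
             _HKU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "1"),
]

if __name__ == "__main__":
    for indicator, rows in triage(SAMPLE_EVENTS).items():
        print(indicator)
        for image, target, details in rows:
            print(f"  {image} -> {target} = {details!r}")
            if target.endswith("BootExecute"):
                print(f"  non-stock BootExecute entries: {unexpected_bootexecute(details)}")
```

A legitimate AV installer also writes service ImagePath values and SafeBoot entries, so these are triage leads to correlate with the writing image and its code signature, not verdicts on their own; the Run key, IFEO Debugger and per-user CLSID InprocServer32 writes from a temp-directory process are the ones that rarely have a benign explanation.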
MITRE ATT&CK Enterprise v15

Counts in parentheses are the number of signature hits mapped to each technique or sub-technique.

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (3)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
  Pre-OS Boot (1)
    Bootkit (1)

Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (3)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)

Defense Evasion
  Impair Defenses (1)
    Safe Mode Boot (1)
  Modify Registry (4)
  Pre-OS Boot (1)
    Bootkit (1)

Discovery
  Browser Information Discovery (1)
  Peripheral Device Discovery (2)
  Query Registry (7)
  Software Discovery (1)
    Security Software Discovery (1)
  System Information Discovery (6)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (1)
    Internet Connection Discovery (1)