General
-
Target
avg_antivirus_free_setup.exe
-
Size
247KB
-
Sample
241023-ws2cdatbnh
-
MD5
ca7b000cb77cd3dd06e51a1a468fb707
-
SHA1
8513b00560fb0b5e5c4fbbc61e51e125436ffb08
-
SHA256
8d2d49b1772be84d62a805dc6280d5d4a5d43a4e9c20a5e7e567a2c384d70793
-
SHA512
9e201984632460817dfb77771381da06510962ac5eec96b7f0a8a449a677d239dd72b53731e4b03872a8382b86130e02fffe8dac746f2531ab317739b520c68b
-
SSDEEP
6144:utgJcB7RG80fGwvDBn9Egw7Qj3EVdQY7:utgJORaGiDB9y1dT7
Malware Config
Targets
-
-
Target
avg_antivirus_free_setup.exe
-
Size
247KB
-
MD5
ca7b000cb77cd3dd06e51a1a468fb707
-
SHA1
8513b00560fb0b5e5c4fbbc61e51e125436ffb08
-
SHA256
8d2d49b1772be84d62a805dc6280d5d4a5d43a4e9c20a5e7e567a2c384d70793
-
SHA512
9e201984632460817dfb77771381da06510962ac5eec96b7f0a8a449a677d239dd72b53731e4b03872a8382b86130e02fffe8dac746f2531ab317739b520c68b
-
SSDEEP
6144:utgJcB7RG80fGwvDBn9Egw7Qj3EVdQY7:utgJORaGiDB9y1dT7
Score10/10-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Drops file in Drivers directory
-
Sets service image path in registry
-
Uses Session Manager for persistence
Creates Session Manager registry key to run executable early in system boot.
-
Impair Defenses: Safe Mode Boot
-
Adds Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks for any installed AV software in registry
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
4Active Setup
1Registry Run Keys / Startup Folder
3Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
4Active Setup
1Registry Run Keys / Startup Folder
3Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Defense Evasion
Impair Defenses
1Safe Mode Boot
1Modify Registry
6Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Query Registry
6Software Discovery
1Security Software Discovery
1System Information Discovery
6System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1