General

  • Target

    instalación_en_línea_de_avast_free_antivirus.exe

  • Size

    243KB

  • Sample

    241109-rfgpzsymel

  • MD5

    56575c48116327ea7f39e78699b40d19

  • SHA1

    05dafb74325ef76891e0a9837f1a68bc3bd35446

  • SHA256

    53de9ceb5af370130c9d25ab15a992b527fc45f4dd97f3833db080c14b7a33d1

  • SHA512

    be2714c3428491fe15a1943ed55fa69b65e3515d7aa81dab76a53d8e0e41f2157c5dda3f91897943cbbe48d584b3a9d527fa585fbe820f5b832e91fe02097c2f

  • SSDEEP

    3072:heJbDwLibLaZ/S91gxiJPU3qtmQv2cthYSdqMREwPLr6VsOWPGWyrVFpQMeJqeu2:hkDOZargxSHmQv2+B9EwC/pQMeQtqv7

Malware Config

Targets

    • Target

      instalación_en_línea_de_avast_free_antivirus.exe

    • Size

      243KB

    • MD5

      56575c48116327ea7f39e78699b40d19

    • SHA1

      05dafb74325ef76891e0a9837f1a68bc3bd35446

    • SHA256

      53de9ceb5af370130c9d25ab15a992b527fc45f4dd97f3833db080c14b7a33d1

    • SHA512

      be2714c3428491fe15a1943ed55fa69b65e3515d7aa81dab76a53d8e0e41f2157c5dda3f91897943cbbe48d584b3a9d527fa585fbe820f5b832e91fe02097c2f

    • SSDEEP

      3072:heJbDwLibLaZ/S91gxiJPU3qtmQv2cthYSdqMREwPLr6VsOWPGWyrVFpQMeJqeu2:hkDOZargxSHmQv2+B9EwC/pQMeQtqv7

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Drops file in Drivers directory

    • Sets service image path in registry

    • Uses Session Manager for persistence

      Creates Session Manager registry key to run executable early in system boot.

    • Impair Defenses: Safe Mode Boot

    • Windows security modification

    • Adds Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks for any installed AV software in registry

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

MITRE ATT&CK Enterprise v15

Tasks