General
-
Target
instalación_en_línea_de_avast_free_antivirus.exe
-
Size
243KB
-
Sample
241123-21zfmsxndq
-
MD5
0c10c0a464c5ee6ebfc85dd2e7c75aa8
-
SHA1
ba260285bdbe3c20affbe3560e1168d85e45270c
-
SHA256
af69c54745e98ce066d27e40e029db40f348fe5b0336b13e36eea85de91a94a4
-
SHA512
5edacd8cdffb906ec5b7a48bd23a61d708529f8c04ca0f218504e975ce7f52c89643f3b959ac4edd8a5482a7811ca08ac8e0a9d3679f785027394fa0a7ef9ad6
-
SSDEEP
3072:feJbDwLibLaZ/S91gxiJPU3qtmQv2cthYSdqMREwPLr6VsOWPGWyrVFpQMeJqeua:fkDOZargxSHmQv2+B9EwC/pQMeQtq17
Malware Config
Targets
-
-
Target
instalación_en_línea_de_avast_free_antivirus.exe
-
Size
243KB
-
MD5
0c10c0a464c5ee6ebfc85dd2e7c75aa8
-
SHA1
ba260285bdbe3c20affbe3560e1168d85e45270c
-
SHA256
af69c54745e98ce066d27e40e029db40f348fe5b0336b13e36eea85de91a94a4
-
SHA512
5edacd8cdffb906ec5b7a48bd23a61d708529f8c04ca0f218504e975ce7f52c89643f3b959ac4edd8a5482a7811ca08ac8e0a9d3679f785027394fa0a7ef9ad6
-
SSDEEP
3072:feJbDwLibLaZ/S91gxiJPU3qtmQv2cthYSdqMREwPLr6VsOWPGWyrVFpQMeJqeua:fkDOZargxSHmQv2+B9EwC/pQMeQtq17
Score8/10-
Drops file in Drivers directory
-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Sets service image path in registry
-
Impair Defenses: Safe Mode Boot
-
Adds Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks for any installed AV software in registry
-
Downloads MZ/PE file
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Event Triggered Execution
1Component Object Model Hijacking
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Impair Defenses
1Safe Mode Boot
1Modify Registry
5Pre-OS Boot
1Bootkit
1Subvert Trust Controls
2Install Root Certificate
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1