Malware Analysis Report

2025-06-15 21:58

Sample ID 221115-ewtm9seh55
Target 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736
SHA256 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736
Tags
systembc bootkit evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736

Threat Level: Known bad

The file 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736 was found to be: Known bad.

Malicious Activity Summary

systembc bootkit evasion persistence trojan

SystemBC

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

Checks BIOS information in registry

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Runs ping.exe

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-15 04:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-15 04:17

Reported

2022-11-15 04:23

Platform

win7-20220812-en

Max time kernel

180s

Max time network

310s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe"

Signatures

SystemBC

trojan systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | N/A
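The indicator behind this signature is a write-capable handle on \??\PhysicalDrive0; the report records no offset or length, so it shows raw-disk write access rather than the boot sector's new contents. On a live host the question is whether sector 0 actually changed. The following is an added example (not code from the sandbox or from the sample) of how an analyst verifies that: it parses one 512-byte MBR, checks the 0x55AA signature, decodes the partition table, and hashes the boot-code bytes against a baseline. The "clean" sector and the tamper routine are constructed for the example, and the baseline hash is just the clean sector's own hash, standing in for a hash captured from a known-good disk before the incident. Pass a device or dump path as the first argument to check a real sector instead.

```python
"""MBR integrity check (added example).

Reads one 512-byte sector, validates the 0x55AA signature, parses the four
partition entries and compares the boot-code bytes against a baseline hash.
The 'clean' sector here is constructed; the baseline is its own hash, standing
in for a hash captured from a known-good disk before the incident.
"""
import hashlib
import struct
import sys
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_END = 440      # bytes 0..439; 440..443 hold the Windows disk signature, 444..445 are reserved
PART_TABLE_OFF = 446     # four 16-byte entries
SIGNATURE = b"\x55\xAA"  # bytes 510..511
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


@dataclass(frozen=True)
class Partition:
    index: int
    active: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes):
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                       # type 0 = empty slot
            parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def boot_code_sha256(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest()


def check_mbr(mbr: bytes, baseline_sha256: str) -> dict:
    if len(mbr) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    digest = boot_code_sha256(mbr)
    parts = parse_partitions(mbr)
    return {
        "signature_ok": mbr[510:512] == SIGNATURE,
        "boot_code_sha256": digest,
        "boot_code_matches_baseline": digest == baseline_sha256,
        "partitions": parts,
        "active_count": sum(1 for p in parts if p.active),
    }


def build_clean_mbr() -> bytes:
    """Constructed sample: 'jmp $' boot code, one active NTFS partition at LBA 2048."""
    code = b"\xEB\xFE" + b"\x90" * (BOOT_CODE_END - 2)        # jmp short $ ; nop padding
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"                # disk signature + reserved bytes
    entry = struct.pack(ENTRY_FMT, 0x80, 0x07, 2048, 204800)   # active, NTFS, 100 MiB
    return code + disk_sig + entry + b"\x00" * 48 + SIGNATURE


def simulate_bootkit(mbr: bytes) -> bytes:
    """Constructed tamper: patch the first instruction to jump elsewhere while leaving the
    partition table and 0x55AA signature intact, which is why a signature check alone misses it."""
    patched = bytearray(mbr)
    patched[0:3] = b"\xE9\x00\x01"   # jmp rel16
    return bytes(patched)


if __name__ == "__main__":
    clean = build_clean_mbr()
    baseline = boot_code_sha256(clean)
    # With an argument, read the first sector of a raw device or image file instead
    # (on Windows, r"\\.\PhysicalDrive0" needs administrator rights).
    mbr = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else simulate_bootkit(clean)
    for key, value in check_mbr(mbr, baseline).items():
        print(f"{key}: {value}")
```

The hash deliberately stops at byte 440 so the Windows disk signature, which legitimately differs between machines, does not mask a boot-code comparison across a fleet.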

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Identical rows collapsed; Count is the number of events recorded.

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | N/A | 6
N/A | N/A | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | N/A | 6

Suspicious use of WriteProcessMemory

Identical rows collapsed; Count is the number of events recorded.

Description | Indicator | Process | Target | Count
PID 1972 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 1972 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | 4
PID 1972 wrote to memory of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 852 wrote to memory of 1296 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com | 4
PID 852 wrote to memory of 1224 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE | 4
PID 268 wrote to memory of 1968 | N/A | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | 9

Processes

C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe

"C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe"

C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe

"C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe"

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
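The process list above carries the three behaviours worth a detection rule: a scheduled task named COMSurrogate (the name of the legitimate COM Surrogate host, dllhost.exe) that runs the dropped executable at every logon with the highest run level; a cmd.exe chain that uses ping 127.0.0.1 as a delay before deleting the original sample; and InstallUtil.exe, a legitimate .NET tool, started with an empty command line by the dropped executable, which then writes into it nine times. Together with the SetThreadContext signature in the summary, that last pattern has the shape of process hollowing, although the report does not show the injected bytes. The script below is an added example (not code from the sandbox, the sample, or the report's vendor) that runs these three rules over the behavioral1 process tree. The events are constructed from the Processes and WriteProcessMemory tables, with parent PIDs taken from the "PID X wrote to memory of Y" rows; the rule names, the lookalike task-name list and the user-writable path list are this example's own assumptions.

```python
"""Detection logic for the process tree recorded above (added example).

Input is constructed from the behavioral1 "Processes" and WriteProcessMemory
tables: one Proc per process, parent PIDs taken from the "PID X wrote to
memory of Y" rows. The rule names, the lookalike-task list and the
user-writable path list are this example's own assumptions.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe"
DROPPED = (r"C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh "
           r"vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe")
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

# Constructed from the report; PIDs are the ones in the behavioral1 run.
EVENTS = [
    Proc(1972, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(1408, 1972, r"C:\Windows\SysWOW64\schtasks.exe",
         f'"C:\\Windows\\system32\\schtasks.exe" /create /tn COMSurrogate /f '
         f'/sc onlogon /rl highest /tr "{DROPPED}"'),
    Proc(268, 1972, DROPPED, f'"{DROPPED}"'),
    Proc(852, 1972, r"C:\Windows\SysWOW64\cmd.exe",
         f'"C:\\Windows\\System32\\cmd.exe" /c chcp 65001 && ping 127.0.0.1 '
         f'&& DEL /F /S /Q /A "{SAMPLE}"'),
    Proc(1296, 852, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    Proc(1224, 852, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    Proc(1968, 268, INSTALLUTIL, f'"{INSTALLUTIL}"'),
]

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")   # assumption
SYSTEM_DIRS = ("c:\\windows\\",)                                              # assumption
LOOKALIKE_TASKS = {"comsurrogate", "dllhost", "svchost", "conhost", "rundll32"}  # assumption
SELF_DELETE = re.compile(r"ping\s+127\.0\.0\.1.*&&\s*del\s", re.IGNORECASE)


def _grab(pattern, text):
    m = re.search(pattern, text, re.IGNORECASE)
    return m.group(1) if m else ""


def check_schtasks(p):
    """Scheduled task that runs at logon, elevated, from a user-writable path, under a lookalike name."""
    if not p.image.lower().endswith("schtasks.exe") or "/create" not in p.cmdline.lower():
        return None
    name = _grab(r'/tn\s+"?([^"\s]+)', p.cmdline)
    trigger = _grab(r"/sc\s+(\w+)", p.cmdline)
    level = _grab(r"/rl\s+(\w+)", p.cmdline)
    action = _grab(r'/tr\s+"([^"]+)"', p.cmdline) or _grab(r"/tr\s+(\S+)", p.cmdline)
    reasons = []
    if trigger.lower() == "onlogon":
        reasons.append("runs at every logon")
    if level.lower() == "highest":
        reasons.append("asks for the highest run level")
    if action.lower().startswith(USER_WRITABLE):
        reasons.append("action lives under a user-writable path")
    if name.lower() in LOOKALIKE_TASKS:
        reasons.append(f"task name {name!r} mimics a Windows component")
    return ("persistence.schtasks", p.pid, "; ".join(reasons)) if len(reasons) >= 2 else None


def check_self_delete(p, by_pid):
    """cmd.exe that waits on 'ping 127.0.0.1' and then deletes its parent's own image."""
    if not p.image.lower().endswith("cmd.exe") or not SELF_DELETE.search(p.cmdline):
        return None
    target = _grab(r'del\s+(?:/\w\s+)*"([^"]+)"', p.cmdline)
    parent = by_pid.get(p.ppid)
    if parent and parent.image.lower() == target.lower():
        return ("evasion.self_delete", p.pid, f"pid {parent.pid} deletes its own image after a ping delay")
    return ("evasion.delete_after_delay", p.pid, f"deletes {target!r} after a ping delay")


def check_hollow_target(p, by_pid):
    """InstallUtil.exe started with an empty command line by a parent outside the Windows directory."""
    parent = by_pid.get(p.ppid)
    if parent is None:
        return None
    bare = p.cmdline.strip().strip('"').lower() == p.image.lower()
    if (bare and ntpath.basename(p.image).lower() == "installutil.exe"
            and not parent.image.lower().startswith(SYSTEM_DIRS)):
        return ("injection.hollow_target", p.pid,
                f"{ntpath.basename(p.image)} launched with no arguments by {ntpath.basename(parent.image)}")
    return None


def scan(events):
    by_pid = {p.pid: p for p in events}
    findings = []
    for p in events:
        for f in (check_schtasks(p), check_self_delete(p, by_pid), check_hollow_target(p, by_pid)):
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for rule, pid, why in scan(EVENTS):
        print(f"{rule:26} pid={pid:<5} {why}")
```

Run against the constructed tree it returns one finding per rule (PIDs 1408, 852 and 1968). The schtasks rule requires two of its four conditions so that an ordinary logon task under C:\Users does not fire on its own; the hollowing rule keys on the empty command line plus a non-Windows parent, which is what distinguishes this launch from a developer invoking InstallUtil on an assembly.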

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | bing.aksaradata.web.id | udp
N/A | 89.22.225.242:4193 | | tcp

Files

memory/1972-54-0x0000000075981000-0x0000000075983000-memory.dmp

memory/1972-55-0x0000000001160000-0x0000000001990000-memory.dmp

memory/1972-56-0x0000000077170000-0x00000000772F0000-memory.dmp

memory/1972-57-0x0000000001160000-0x0000000001990000-memory.dmp

memory/1972-58-0x0000000002D90000-0x0000000003260000-memory.dmp

memory/1972-59-0x0000000002D90000-0x0000000003260000-memory.dmp

memory/1972-60-0x0000000000B70000-0x0000000000C60000-memory.dmp

memory/1972-61-0x0000000000B70000-0x0000000000C60000-memory.dmp

memory/1972-62-0x0000000001160000-0x0000000001990000-memory.dmp

memory/1972-63-0x0000000077170000-0x00000000772F0000-memory.dmp

memory/1972-64-0x0000000002D90000-0x0000000003260000-memory.dmp

memory/1972-65-0x0000000000B70000-0x0000000000C60000-memory.dmp

memory/1408-66-0x0000000000000000-mapping.dmp

\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe

MD5 6752f9e74ce8c10ea46352228228d788
SHA1 e236cdbf55c547e5df9461f1724d5fa586ae1333
SHA256 df8079b096dcc5fda083029446356ca46ee8fd5ccc44e9128bbec26ec417f03e
SHA512 222e76486e9ed8f8a616b7511b4a69f6ec9fd38f0056a11a473dec0c0aeb042f416c3c093a97986633dbe15b3d441195e46b90e3b29cbbe68aa92f9c1b9a67f9

memory/268-69-0x0000000000000000-mapping.dmp

\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe

MD5 6752f9e74ce8c10ea46352228228d788
SHA1 e236cdbf55c547e5df9461f1724d5fa586ae1333
SHA256 df8079b096dcc5fda083029446356ca46ee8fd5ccc44e9128bbec26ec417f03e
SHA512 222e76486e9ed8f8a616b7511b4a69f6ec9fd38f0056a11a473dec0c0aeb042f416c3c093a97986633dbe15b3d441195e46b90e3b29cbbe68aa92f9c1b9a67f9

C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe

MD5 6752f9e74ce8c10ea46352228228d788
SHA1 e236cdbf55c547e5df9461f1724d5fa586ae1333
SHA256 df8079b096dcc5fda083029446356ca46ee8fd5ccc44e9128bbec26ec417f03e
SHA512 222e76486e9ed8f8a616b7511b4a69f6ec9fd38f0056a11a473dec0c0aeb042f416c3c093a97986633dbe15b3d441195e46b90e3b29cbbe68aa92f9c1b9a67f9

memory/1972-71-0x00000000100D0000-0x0000000010900000-memory.dmp

memory/1972-72-0x00000000100D0000-0x0000000010900000-memory.dmp

memory/268-73-0x0000000000AD0000-0x0000000001300000-memory.dmp

memory/852-74-0x0000000000000000-mapping.dmp

memory/1972-76-0x0000000001160000-0x0000000001990000-memory.dmp

memory/1296-77-0x0000000000000000-mapping.dmp

memory/1224-78-0x0000000000000000-mapping.dmp

memory/1972-79-0x0000000077170000-0x00000000772F0000-memory.dmp

memory/1972-80-0x0000000000B70000-0x0000000000C60000-memory.dmp

memory/268-81-0x0000000077170000-0x00000000772F0000-memory.dmp

memory/268-82-0x0000000000AD0000-0x0000000001300000-memory.dmp

C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe

MD5 e87eb1d4291c6b6b65298d92a9427cd6
SHA1 aa2a61ec619b8f7212324785397d22b9094fcd8b
SHA256 b43a9fcd2cfa60b0141837cbe09249050df7c899e76f476beea993ee842abf04
SHA512 bd7b0c566cb35472511361dfb48db7bf9e6282e93bfd2f3c5715a844ba2833cdb408b652dde985457020c8a75e915fea0b739bd64ee0930b5c2449a651cd2412

Same path as the entries above, different content: the earlier entries record SHA256 df8079b096dcc5fda083029446356ca46ee8fd5ccc44e9128bbec26ec417f03e, so the dropped executable was rewritten after its first write in this run.

C:\ProgramData\mntemp

MD5 74b67ffc2d06bbc77a8ab989ed932c04
SHA1 60230f37be50ed8c592aedb0cdd7e344ceca2689
SHA256 76e755d18897a0991b938706181ac99cf4e7b16d7364214072de155189a38215
SHA512 a66f7ae45c15cc3a54d1212ec331f575d8589895f6e4a8626a8dfeffe8be66d62b3c26ab781bc6d3e61f738b1aa64259d60651456c4d3bf3afeed8bf17fd9e56

memory/268-85-0x0000000000AD0000-0x0000000001300000-memory.dmp

memory/268-86-0x0000000002F20000-0x00000000033F0000-memory.dmp

memory/268-87-0x0000000002F20000-0x00000000033F0000-memory.dmp

memory/268-88-0x0000000000150000-0x0000000000240000-memory.dmp

memory/268-89-0x0000000000150000-0x0000000000240000-memory.dmp

memory/268-90-0x0000000077170000-0x00000000772F0000-memory.dmp

memory/268-91-0x0000000000150000-0x0000000000240000-memory.dmp

memory/268-92-0x0000000000A20000-0x0000000000A82000-memory.dmp

memory/1968-93-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1968-95-0x0000000000400000-0x0000000000407000-memory.dmp

memory/1968-98-0x0000000000400000-0x0000000000407000-memory.dmp

memory/268-99-0x0000000000AD0000-0x0000000001300000-memory.dmp

memory/268-100-0x0000000077170000-0x00000000772F0000-memory.dmp

memory/268-101-0x0000000000150000-0x0000000000240000-memory.dmp
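The Files sections of the two runs show the dropped executable under three different SHA256 values: two within behavioral1 (the file was rewritten during the run) and a third in behavioral2, while C:\ProgramData\mntemp hashes identically in both. Chasing a single file hash for this dropper is therefore unreliable; the path and the task name are the stable indicators. The script below is an added example (not code from the sandbox or the report's vendor) that parses a Files listing in this report's format, flags paths recorded with more than one SHA256 within a run, and diffs the hash sets across runs. The text is a constructed excerpt of the listings above (paths plus MD5/SHA256 lines, with memory-dump lines kept to show they are skipped); treating the drive-less "\Users\..." form as the same file as "C:\Users\..." is this example's assumption about how the sandbox reports paths.

```python
r"""Hash-consistency check over a sandbox Files listing (added example).

FILES_TEXT is a constructed excerpt of the Files sections of the two runs
above. Mapping the drive-less '\Users\...' form onto 'C:\Users\...' is an
assumption about the sandbox's path reporting.
"""
import re
from collections import defaultdict

FILES_TEXT = {
    "behavioral1": r"""
memory/1408-66-0x0000000000000000-mapping.dmp

\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe

MD5 6752f9e74ce8c10ea46352228228d788
SHA256 df8079b096dcc5fda083029446356ca46ee8fd5ccc44e9128bbec26ec417f03e

memory/268-69-0x0000000000000000-mapping.dmp

C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe

MD5 6752f9e74ce8c10ea46352228228d788
SHA256 df8079b096dcc5fda083029446356ca46ee8fd5ccc44e9128bbec26ec417f03e

C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe

MD5 e87eb1d4291c6b6b65298d92a9427cd6
SHA256 b43a9fcd2cfa60b0141837cbe09249050df7c899e76f476beea993ee842abf04

C:\ProgramData\mntemp

MD5 74b67ffc2d06bbc77a8ab989ed932c04
SHA256 76e755d18897a0991b938706181ac99cf4e7b16d7364214072de155189a38215
""",
    "behavioral2": r"""
C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe

MD5 f6496055561efaea4cd6e57b7035a207
SHA256 da069bc72528472bd28ad1b2c7dee95af3ff651267888a46e275642b6f02ae9d

C:\ProgramData\mntemp

MD5 74b67ffc2d06bbc77a8ab989ed932c04
SHA256 76e755d18897a0991b938706181ac99cf4e7b16d7364214072de155189a38215
""",
}

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def normalize(path: str) -> str:
    """Case-fold and (assumption) map the sandbox's drive-less form onto C:."""
    p = path.strip()
    if p.startswith("\\") and not p.startswith("\\\\"):
        p = "C:" + p
    return p.lower()


def parse_files(text: str):
    """Return (path, {algo: digest}) for each on-disk entry, in order of appearance."""
    entries, current, hashes = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            hashes[m.group(1)] = m.group(2).lower()
            continue
        if line.startswith("memory/"):
            continue                     # memory dump, not a file on disk
        if current is not None:
            entries.append((current, hashes))
        current, hashes = line, {}
    if current is not None:
        entries.append((current, hashes))
    return entries


def rewritten_paths(entries):
    """Paths written more than once with different content within one run."""
    seen = defaultdict(list)
    for path, hashes in entries:
        sha, key = hashes.get("SHA256"), normalize(path)
        if sha and sha not in seen[key]:
            seen[key].append(sha)
    return {p: shas for p, shas in seen.items() if len(shas) > 1}


def cross_run_diff(runs):
    """Paths whose SHA256 set differs between runs (content changes per execution)."""
    per_run = {}
    for name, text in runs.items():
        sets = defaultdict(set)
        for path, hashes in parse_files(text):
            if "SHA256" in hashes:
                sets[normalize(path)].add(hashes["SHA256"])
        per_run[name] = sets
    all_paths = set().union(*(s.keys() for s in per_run.values()))
    out = {}
    for p in all_paths:
        if len({frozenset(s.get(p, ())) for s in per_run.values()}) > 1:
            out[p] = {name: sorted(s.get(p, ())) for name, s in per_run.items()}
    return out


if __name__ == "__main__":
    for path, shas in rewritten_paths(parse_files(FILES_TEXT["behavioral1"])).items():
        print("rewritten in run:", path, "->", " then ".join(shas))
    for path, by_run in cross_run_diff(FILES_TEXT).items():
        print("differs across runs:", path, by_run)
```

Paths that come back from both functions are candidates for path- and name-based indicators; paths with a single stable hash (mntemp here) can still be hunted by hash.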

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-15 04:17

Reported

2022-11-15 04:23

Platform

win10v2004-20220812-en

Max time kernel

228s

Max time network

291s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe"

Signatures

SystemBC

trojan systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Identical rows collapsed; Count is the number of events recorded.

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | N/A | 12
N/A | N/A | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | N/A | 12

Suspicious use of WriteProcessMemory

Identical rows collapsed; Count is the number of events recorded.

Description | Indicator | Process | Target | Count
PID 4344 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 4344 wrote to memory of 3504 | N/A | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | 3
PID 4344 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 2520 wrote to memory of 4428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com | 3
PID 2520 wrote to memory of 2844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE | 3
PID 3504 wrote to memory of 4856 | N/A | C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | 5

Processes

C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe

"C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe"

C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe

"C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736.exe"

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Network

Identical rows collapsed; Count is the number of connections recorded.

Country | Destination | Domain | Proto | Count
N/A | 104.110.191.133:80 | | tcp | 2
N/A | 8.8.8.8:53 | bing.aksaradata.web.id | udp | 1
N/A | 89.22.225.242:4193 | | tcp | 1

Files

memory/4344-132-0x00000000008A0000-0x00000000010D0000-memory.dmp

memory/4344-133-0x0000000076EF0000-0x0000000077093000-memory.dmp

memory/4344-134-0x00000000008A0000-0x00000000010D0000-memory.dmp

memory/4344-135-0x0000000003020000-0x00000000034F0000-memory.dmp

memory/4344-136-0x00000000008A0000-0x00000000010D0000-memory.dmp

memory/4344-137-0x0000000003506000-0x00000000035F6000-memory.dmp

memory/4344-138-0x0000000076EF0000-0x0000000077093000-memory.dmp

memory/4344-139-0x0000000003020000-0x00000000034F0000-memory.dmp

memory/4344-140-0x0000000003506000-0x00000000035F6000-memory.dmp

memory/5072-141-0x0000000000000000-mapping.dmp

memory/3504-142-0x0000000000000000-mapping.dmp

C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe

MD5 f6496055561efaea4cd6e57b7035a207
SHA1 8810a73467c8ea7c022be01c39161d73dc124629
SHA256 da069bc72528472bd28ad1b2c7dee95af3ff651267888a46e275642b6f02ae9d
SHA512 9c297ab117db052af08378b0da99007535b207dbc6263410494dd25ae2471137a0a0875509d679b2e31d58454c93392042106699d5c744124755360b3fe00280

C:\Users\Admin\hohowoha felite pabor yawexe winebi quejita poveh vakor vavajofe gaso kit\hiwolos febocisi moq kadi.exe

MD5 f6496055561efaea4cd6e57b7035a207
SHA1 8810a73467c8ea7c022be01c39161d73dc124629
SHA256 da069bc72528472bd28ad1b2c7dee95af3ff651267888a46e275642b6f02ae9d
SHA512 9c297ab117db052af08378b0da99007535b207dbc6263410494dd25ae2471137a0a0875509d679b2e31d58454c93392042106699d5c744124755360b3fe00280

memory/2520-145-0x0000000000000000-mapping.dmp

memory/4344-146-0x00000000008A0000-0x00000000010D0000-memory.dmp

memory/4344-147-0x0000000076EF0000-0x0000000077093000-memory.dmp

memory/4344-148-0x0000000003506000-0x00000000035F6000-memory.dmp

memory/4428-149-0x0000000000000000-mapping.dmp

memory/3504-150-0x0000000000C10000-0x0000000001440000-memory.dmp

memory/2844-151-0x0000000000000000-mapping.dmp

memory/3504-152-0x0000000000C10000-0x0000000001440000-memory.dmp

memory/3504-153-0x0000000076EF0000-0x0000000077093000-memory.dmp

C:\ProgramData\mntemp

MD5 74b67ffc2d06bbc77a8ab989ed932c04
SHA1 60230f37be50ed8c592aedb0cdd7e344ceca2689
SHA256 76e755d18897a0991b938706181ac99cf4e7b16d7364214072de155189a38215
SHA512 a66f7ae45c15cc3a54d1212ec331f575d8589895f6e4a8626a8dfeffe8be66d62b3c26ab781bc6d3e61f738b1aa64259d60651456c4d3bf3afeed8bf17fd9e56

memory/3504-155-0x0000000000C10000-0x0000000001440000-memory.dmp

memory/3504-156-0x0000000003971000-0x0000000003E41000-memory.dmp

memory/3504-157-0x0000000003E58000-0x0000000003F48000-memory.dmp

memory/3504-158-0x0000000003971000-0x0000000003E41000-memory.dmp

memory/3504-159-0x0000000003E58000-0x0000000003F48000-memory.dmp

memory/3504-160-0x0000000011870000-0x00000000118D2000-memory.dmp

memory/3504-161-0x0000000011870000-0x00000000118D2000-memory.dmp

memory/4856-162-0x0000000000000000-mapping.dmp

memory/4856-163-0x0000000000400000-0x0000000000407000-memory.dmp

memory/4856-165-0x0000000000400000-0x0000000000407000-memory.dmp

memory/4856-167-0x0000000000400000-0x0000000000407000-memory.dmp

memory/3504-168-0x0000000000C10000-0x0000000001440000-memory.dmp

memory/3504-170-0x0000000003E58000-0x0000000003F48000-memory.dmp

memory/3504-169-0x0000000076EF0000-0x0000000077093000-memory.dmp