Analysis
max time kernel: 82s
max time network: 77s
platform: windows7_x64
resource: win7-20220812-es
resource tags: arch:x64, arch:x86, image:win7-20220812-es, locale:es-es, os:windows7-x64, system:windows
submitted: 29/12/2022, 13:25
Static task: static1
Behavioral task: behavioral1
Sample: setup_1.0.5.1360.exe
Resource: win7-20220812-es
General
Target: setup_1.0.5.1360.exe
Size: 2.7MB
MD5: c49799b39f9d1b23eead1de5f0cb3e68
SHA1: 89f7472d739c3e7b0329ff0bff6fdb6bec6a147d
SHA256: 36c32f7087f36a4666ec1ad90ccda265fedc2951663eb35829ac7a50371274ac
SHA512: b3afe66254e8d3bc34e2de0d7989231a6ae00d83e2019ebfaa32b7ee6e679ceaac791d5baecd1880f00c2674c527ea03bd79cddeae8fd1d57f3a1a41853dcccc
SSDEEP: 49152:srv57iY7MK34hRDeSMylD6igxbjcNfAG5lIR52JEMl5nyNSVQ8HHde8KNYw:WB7f7MK34hRDUylD6Bxbjs33ImiqyQVN
Malware Config
Signatures
Executes dropped EXE 1 IoCs
pid    Process
108    setup_1.0.5.1360.exe
Loads dropped DLL 2 IoCs
pid    Process
1680   setup_1.0.5.1360.exe
108    setup_1.0.5.1360.exe
Checks for any installed AV software in registry 1 TTPs 47 IoCs
Checks whether UAC is enabled 1 IoCs
description         ioc                                                                                    Process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   setup_1.0.5.1360.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                    ioc                  Process
File opened for modification   \??\PhysicalDrive0   setup_1.0.5.1360.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken 4 IoCs
description                         pid    Process
Token: 33                           1500   AUDIODG.EXE
Token: SeIncBasePriorityPrivilege   1500   AUDIODG.EXE
Token: 33                           1500   AUDIODG.EXE
Token: SeIncBasePriorityPrivilege   1500   AUDIODG.EXE
Suspicious use of FindShellTrayWindow 1 IoCs
pid    Process
1872   iexplore.exe
Suspicious use of SetWindowsHookEx 13 IoCs
pid    Process                count
108    setup_1.0.5.1360.exe   7
1872   iexplore.exe           2
1300   IEXPLORE.EXE           4
Suspicious use of WriteProcessMemory 15 IoCs
description                    pid    Process                procid_target   count
PID 1680 wrote to memory of 108    1680   setup_1.0.5.1360.exe   27              7
PID 108 wrote to memory of 1872    108    setup_1.0.5.1360.exe   30              4
PID 1872 wrote to memory of 1300   1872   iexplore.exe           31              4
Processes
C:\Users\Admin\AppData\Local\Temp\setup_1.0.5.1360.exe
  command: "C:\Users\Admin\AppData\Local\Temp\setup_1.0.5.1360.exe"
  PID: 1680
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\{ccca3470-8784-11ed-9243-66c13449fa90}\setup_1.0.5.1360.exe
    command: "C:\Users\Admin\AppData\Local\Temp\{ccca3470-8784-11ed-9243-66c13449fa90}\setup_1.0.5.1360.exe" /-nodrop /-"install=C:\Users\Admin\AppData\Local\Temp"
    PID: 108
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Internet Explorer\iexplore.exe
      command: "C:\Program Files\Internet Explorer\iexplore.exe" https://click.kaspersky.com/?hl=es&version=1.0.5.12254&pid=SAFEKIDSWin&syst=Microsoft Windows 7 x64 Edition Service Pack 1 (build 7601)&link=unsupportedOsPatch
      PID: 1872
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        command: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1872 CREDAT:275457 /prefetch:2
        PID: 1300
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
C:\Windows\system32\AUDIODG.EXE
  command: C:\Windows\system32\AUDIODG.EXE 0x468
  PID: 1500
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 2.7MB
MD5: c49799b39f9d1b23eead1de5f0cb3e68
SHA1: 89f7472d739c3e7b0329ff0bff6fdb6bec6a147d
SHA256: 36c32f7087f36a4666ec1ad90ccda265fedc2951663eb35829ac7a50371274ac
SHA512: b3afe66254e8d3bc34e2de0d7989231a6ae00d83e2019ebfaa32b7ee6e679ceaac791d5baecd1880f00c2674c527ea03bd79cddeae8fd1d57f3a1a41853dcccc
Filesize: 7.3MB
MD5: 9b6a7579bb7424d33b979935f2cfd5e1
SHA1: 87e01b1bacb79cac20de84d6b78b965c35989db8
SHA256: da5ace80de0fff24881b085bd9076ecb7763283bc367dd256cb64db6b0c39446
SHA512: 7f45e79adff0b4471b7cc922362190b55103a3e7784ceb02d19365a0c11687854ea03e3e56d204dcc087ee985d755b40b12bba74e49b628712af5b4c39d872f1