915ceba5edafdf1ffc45792ede4269ada50809960c2d0e74fe554010f25b9afc

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kav21.3.10.391en_26074.exe
Size

2.6MB
MD5

d0e47e632ba9144605d7bec32e126737
SHA1

9c02c04bed4cc77baab6ad8f22a9e780fedb61e3
SHA256

915ceba5edafdf1ffc45792ede4269ada50809960c2d0e74fe554010f25b9afc
SHA512

62b87616b11ec3299288f6015ad693e869f3dc795dfce7e3186d31e7e24e4490537ef68d739ed6aec1cd306c33057eff8827e8f1022503d0be3b42544b8e04a0
SSDEEP

49152:847Nlau3ZiJvDrOV9Gcwb/alTe/iXMNLdcE/EBSDre/2jX8oL:8eNlau3UJOV9GvZbRDe/2zl

Score

7^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1384	kav21.3.10.391en_26074.exe
1052	kav21.3.10.391en_26074.exe

Checks for any installed AV software in registry 1 TTPs 64 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab	kav21.3.10.391en_26074.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\UseSWRender = "1"	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\CSS_Compat	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Expand Alt Text	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Enable AutoImageResize	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Play_Animations	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\XMLHTTP	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\DisableScriptDebuggerIE	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Q300829	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Settings	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Text Scaling	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts\3	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Use_DlgBox_Colors	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Anchor Underline	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Larger Hit Test	kav21.3.10.391en_26074.exe
Key queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main	kav21.3.10.391en_26074.exe
Key queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\International	kav21.3.10.391en_26074.exe
Key created	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Software\KasperskyLab\IEOverride\Main	kav21.3.10.391en_26074.exe
Key queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Display Inline Videos	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts\3	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Disable Diagnostics Mode	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Display Inline Videos	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Disable Script Debugger	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Move System Caret	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\RtfConverterFlags	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\XMLHTTP	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts\4	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Display Inline Images	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\JScriptProfileCacheEventDelay	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Expand Alt Text	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Styles	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Print_Background	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Show image placeholders	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Show image placeholders	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Disable Script Debugger	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Software\KasperskyLab\IEOverride	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\MenuExt	kav21.3.10.391en_26074.exe
Key queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Software\KasperskyLab\IEOverride	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Play_Background_Sounds	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\UseHR	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Viewport	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Larger Hit Test	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Move System Caret	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Cleanup HTCs	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Styles	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Viewport	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Use_DlgBox_Colors	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\DOMStorage	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Play_Animations	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Disable Diagnostics Mode	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\XDomainRequest	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\DOMStorage	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Settings	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Play_Background_Sounds	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Enable AutoImageResize	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\UseHR	kav21.3.10.391en_26074.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\Main\JScriptProfileCacheEventDelay	kav21.3.10.391en_26074.exe
Key opened	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts	kav21.3.10.391en_26074.exe
Key queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\KasperskyLab\IEOverride	kav21.3.10.391en_26074.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kav21.3.10.391en_26074.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	kav21.3.10.391en_26074.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	kav21.3.10.391en_26074.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1384	kav21.3.10.391en_26074.exe
1384	kav21.3.10.391en_26074.exe
1384	kav21.3.10.391en_26074.exe
1384	kav21.3.10.391en_26074.exe
1384	kav21.3.10.391en_26074.exe
1384	kav21.3.10.391en_26074.exe
1052	kav21.3.10.391en_26074.exe
1052	kav21.3.10.391en_26074.exe
1052	kav21.3.10.391en_26074.exe
1052	kav21.3.10.391en_26074.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
1384	kav21.3.10.391en_26074.exe
1384	kav21.3.10.391en_26074.exe
1384	kav21.3.10.391en_26074.exe
1384	kav21.3.10.391en_26074.exe
1384	kav21.3.10.391en_26074.exe
1384	kav21.3.10.391en_26074.exe
1384	kav21.3.10.391en_26074.exe
1384	kav21.3.10.391en_26074.exe
1384	kav21.3.10.391en_26074.exe
1052	kav21.3.10.391en_26074.exe
1052	kav21.3.10.391en_26074.exe
1052	kav21.3.10.391en_26074.exe
1052	kav21.3.10.391en_26074.exe
1052	kav21.3.10.391en_26074.exe
1052	kav21.3.10.391en_26074.exe
1052	kav21.3.10.391en_26074.exe
1052	kav21.3.10.391en_26074.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 1052	1384	kav21.3.10.391en_26074.exe	88
PID 1384 wrote to memory of 1052	1384	kav21.3.10.391en_26074.exe	88
PID 1384 wrote to memory of 1052	1384	kav21.3.10.391en_26074.exe	88

C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
"C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe"
1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe
  C:\Users\Admin\AppData\Local\Temp\kav21.3.10.391en_26074.exe -sendDump="C:\Users\Admin\AppData\Local\Temp/KAVINST.21.3.10.391_04.18_21.38_1384.SETUP.full.dmp"
  2⤵
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6B2B47CEBCDFEE1188B8E5EFEACF9D88\setup.dll

Filesize
5.1MB

MD5
7c0418acfb24086ede591a7e1d3df7ac

SHA1
9bee27188d04bf44fa2e95a8fcb575497396f2b0

SHA256
d7b6905661d364be51bdb7e8e2ef9832ed0c33f056c4f40368f9ae6c1b4e608a

SHA512
e2c45aad07d5db230c9758fde258ab5589160d81a8723a5d246fe3287fca1a192b162c33f35144a44d16dd655e4a86694acd55c9279a15b795777ede2b14f71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC74B2B7-FDCB-11EE-888B-5EFEAEFCD988\check_new_version.html

Filesize
1KB

MD5
b79ab8145423e4714f4d3623a7913eef

SHA1
0f17053bd76724cb244866c537de47ea6124331a

SHA256
59a439debcea1f039382e258a337031f9878450afbce19a2a52a37783009fafe

SHA512
239663617d89722d8c4187804901436c456444b92655ade83c1fbf04231467693869efdc689123724dcc58d63665efb5dbb2a835fe49144facbea361c8ae9151

Download Submit
C:\Users\Admin\AppData\Local\Temp\F0142414-FDCB-11EE-888B-5EFEAEFCD988\install_error_send_logs_page.html

Filesize
2KB

MD5
cb59c7593555ec7511f0ce6049c95cfa

SHA1
09044dd6baf785ce6484b4a861b741990629db45

SHA256
9da9c7cea5cc920c9bd110fd4e2ec0b02d91e7bebcc71a95f5efd3bac3d99468

SHA512
835b945b061188d95e8cddf91ea06109da2caffb79abca742cfa5aa5b84a83e5f82b2a624f7067caf026f56cd997c0c9ab9d1ac09c016ebd5301ace36f080ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\F0142414-FDCB-11EE-888B-5EFEAEFCD988\jquery-1.12.4.min.js

Filesize
94KB

MD5
618538b4ab9639d444e962729a927f15

SHA1
dacc1f76630a9708add066819b1aabf8dce01056

SHA256
27d92130c0321dad5a03760fd5ac98a3d04ed4c94d88418fe6d50da1f7fc5cbe

SHA512
bcb6754ea246939a19a917cc0b810e1753c1b0f1a8b1b7e652128ef15dee4fc79111e4d88fe12f9188449a307e82240d0261af402d783428edfe5785c860372d

Download Submit
memory/1052-32-0x0000000077D20000-0x0000000077D30000-memory.dmp

Filesize
64KB

Download
memory/1052-33-0x0000000077D20000-0x0000000077D30000-memory.dmp

Filesize
64KB

Download
memory/1052-34-0x0000000077D20000-0x0000000077D30000-memory.dmp

Filesize
64KB

Download
memory/1384-1-0x0000000077D40000-0x0000000077D50000-memory.dmp

Filesize
64KB

Download
memory/1384-0-0x0000000077D40000-0x0000000077D50000-memory.dmp

Filesize
64KB

Download
memory/1384-2-0x0000000077D40000-0x0000000077D50000-memory.dmp

Filesize
64KB

Download
memory/1384-3-0x0000000077BD2000-0x0000000077BD3000-memory.dmp

Filesize
4KB

Download