996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1

General

Target

996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe
Size

12.3MB
MD5

294e8b28cb6d1ff9e57d4f82d696b800
SHA1

b205734e67213dc440f47786e51029dfb0ddf6bc
SHA256

996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1
SHA512

7d21a1715f16ed290149c13d89e553e47e11e54a57b474091cf9b8858383649511f2f3fece8014f1322c7982b3c0b2166bcd767644b913490c525954faeeecc5
SSDEEP

393216:ymtxYM6QuPQDYhB3lijQyhAY/TxhsMf2Ky4OAvIp:fOM6pYDWDaQyhAY7Ic2KKT

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

Loads dropped DLL 2 IoCs

Processes:

996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

pid	process
2236	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe
2236	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

description ioc process

File opened for modification \??\PhysicalDrive0 996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

Drops file in Windows directory 2 IoCs

Processes:

996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

description	ioc	process
File created	C:\Windows\setupD.log	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe
File opened for modification	C:\Windows\setupD.log	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

pid	process
2236	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe
2236	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe
2236	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

C:\Users\Admin\AppData\Local\Temp\996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe
"C:\Users\Admin\AppData\Local\Temp\996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC910.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\794413c6.dll
Filesize
8KB

MD5
e1db733e43aa8d065fb7e8669db76524

SHA1
3f9c62ee28959959271632fdc7f5387d539a1d23

SHA256
9e65d9e8ebb895f3b03c95ce64f044c70251fff444a4bcbee83f558b599a614d

SHA512
3f6106f32932e72d197865f7b796eba072c8ab20c22b4d205f27de9b9fc6c139be8450ae25541fbdac37a06bc3ec2d1fab3f9b3216201a9231b70fcde6fb8eb3

Download Submit
\Users\Admin\AppData\Local\Temp\KRwin.dll
Filesize
3.8MB

MD5
a1398812c07ad391c76b8f54e42c9e94

SHA1
5a226485386e087104e2133b9ef8fce89fae0c7f

SHA256
1c7d596364ce5132a2277f30e92aa8af76f054101d89346f133c2f9857663608

SHA512
36c82ccff5f8216d7028c814a3d4d35bbba8b987bea29b92c1ca68ce5f4f54fb3dc1aa351bebcf505365d6e0393ef75b726367ba0af1daae45b107015dd0d42a

Download Submit
memory/2236-14-0x00000000008D0000-0x0000000002609000-memory.dmp

Filesize
29.2MB

Download
memory/2236-133-0x0000000075E70000-0x0000000075F80000-memory.dmp

Filesize
1.1MB

Download
memory/2236-13-0x0000000075E70000-0x0000000075F80000-memory.dmp

Filesize
1.1MB

Download
memory/2236-46-0x00000000008D0000-0x0000000002609000-memory.dmp

Filesize
29.2MB

Download
memory/2236-12-0x0000000075E70000-0x0000000075F80000-memory.dmp

Filesize
1.1MB

Download
memory/2236-9-0x0000000075E70000-0x0000000075F80000-memory.dmp

Filesize
1.1MB

Download
memory/2236-11-0x00000000008D0000-0x0000000002609000-memory.dmp

Filesize
29.2MB

Download
memory/2236-17-0x0000000010000000-0x0000000010184000-memory.dmp

Filesize
1.5MB

Download
memory/2236-0-0x00000000008D0000-0x0000000002609000-memory.dmp

Filesize
29.2MB

Download
memory/2236-19-0x0000000004F10000-0x00000000051C3000-memory.dmp

Filesize
2.7MB

Download
memory/2236-15-0x00000000008D0000-0x0000000002609000-memory.dmp

Filesize
29.2MB

Download
memory/2236-16-0x00000000008D0000-0x0000000002609000-memory.dmp

Filesize
29.2MB

Download
memory/2236-20-0x0000000004F10000-0x00000000051C3000-memory.dmp

Filesize
2.7MB

Download
memory/2236-27-0x0000000004B70000-0x0000000004C5C000-memory.dmp

Filesize
944KB

Download
memory/2236-7-0x0000000075E70000-0x0000000075F80000-memory.dmp

Filesize
1.1MB

Download
memory/2236-34-0x0000000010000000-0x0000000010184000-memory.dmp

Filesize
1.5MB

Download
memory/2236-43-0x00000000008D0000-0x0000000002609000-memory.dmp

Filesize
29.2MB

Download
memory/2236-54-0x0000000005C10000-0x0000000006790000-memory.dmp

Filesize
11.5MB

Download
memory/2236-47-0x00000000008D0000-0x0000000002609000-memory.dmp

Filesize
29.2MB

Download
memory/2236-45-0x00000000008D0000-0x0000000002609000-memory.dmp

Filesize
29.2MB

Download
memory/2236-3-0x0000000075E70000-0x0000000075F80000-memory.dmp

Filesize
1.1MB

Download
memory/2236-50-0x0000000005C10000-0x0000000006790000-memory.dmp

Filesize
11.5MB

Download
memory/2236-10-0x0000000075E70000-0x0000000075F80000-memory.dmp

Filesize
1.1MB

Download
memory/2236-8-0x0000000075E70000-0x0000000075F80000-memory.dmp

Filesize
1.1MB

Download
memory/2236-44-0x00000000008D0000-0x0000000002609000-memory.dmp

Filesize
29.2MB

Download
memory/2236-56-0x0000000005C10000-0x0000000006790000-memory.dmp

Filesize
11.5MB

Download
memory/2236-55-0x0000000005C10000-0x0000000006790000-memory.dmp

Filesize
11.5MB

Download
memory/2236-58-0x0000000005C10000-0x0000000006790000-memory.dmp

Filesize
11.5MB

Download
memory/2236-60-0x0000000005C10000-0x0000000006790000-memory.dmp

Filesize
11.5MB

Download
memory/2236-59-0x0000000005C10000-0x0000000006790000-memory.dmp

Filesize
11.5MB

Download
memory/2236-61-0x0000000005C10000-0x0000000006790000-memory.dmp

Filesize
11.5MB

Download
memory/2236-57-0x0000000005C10000-0x0000000006790000-memory.dmp

Filesize
11.5MB

Download
memory/2236-62-0x00000000008D0000-0x0000000002609000-memory.dmp

Filesize
29.2MB

Download
memory/2236-63-0x0000000075E84000-0x0000000075E85000-memory.dmp

Filesize
4KB

Download
memory/2236-64-0x0000000075E70000-0x0000000075F80000-memory.dmp

Filesize
1.1MB

Download
memory/2236-65-0x0000000075E70000-0x0000000075F80000-memory.dmp

Filesize
1.1MB

Download
memory/2236-68-0x0000000005C10000-0x0000000006790000-memory.dmp

Filesize
11.5MB

Download
memory/2236-70-0x0000000005C10000-0x0000000006790000-memory.dmp

Filesize
11.5MB

Download
memory/2236-72-0x0000000005C10000-0x0000000006790000-memory.dmp

Filesize
11.5MB

Download
memory/2236-2-0x0000000075E70000-0x0000000075F80000-memory.dmp

Filesize
1.1MB

Download
memory/2236-1-0x0000000075E84000-0x0000000075E85000-memory.dmp

Filesize
4KB

Download
memory/2236-132-0x0000000075E70000-0x0000000075F80000-memory.dmp

Filesize
1.1MB

Download
memory/2236-127-0x00000000008D0000-0x0000000002609000-memory.dmp

Filesize
29.2MB

Download
memory/2236-53-0x0000000005C10000-0x0000000006790000-memory.dmp

Filesize
11.5MB

Download
memory/2236-131-0x0000000005C10000-0x0000000006790000-memory.dmp

Filesize
11.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads