996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1

General

Target

996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe
Size

12.3MB
MD5

294e8b28cb6d1ff9e57d4f82d696b800
SHA1

b205734e67213dc440f47786e51029dfb0ddf6bc
SHA256

996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1
SHA512

7d21a1715f16ed290149c13d89e553e47e11e54a57b474091cf9b8858383649511f2f3fece8014f1322c7982b3c0b2166bcd767644b913490c525954faeeecc5
SSDEEP

393216:ymtxYM6QuPQDYhB3lijQyhAY/TxhsMf2Ky4OAvIp:fOM6pYDWDaQyhAY7Ic2KKT

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

Loads dropped DLL 3 IoCs

Processes:

996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

pid	process
2480	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe
2480	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe
2480	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

description ioc process

File opened for modification \??\PhysicalDrive0 996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

Drops file in Windows directory 2 IoCs

Processes:

996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

description	ioc	process
File created	C:\Windows\setupD.log	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe
File opened for modification	C:\Windows\setupD.log	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

pid	process
2480	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe
2480	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe
2480	996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe

C:\Users\Admin\AppData\Local\Temp\996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe
"C:\Users\Admin\AppData\Local\Temp\996e186ba608ba27f653d3aed739409ef63975305762582d64b8d5b0a1de95a1.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\794413c6.dll
Filesize
8KB

MD5
e1db733e43aa8d065fb7e8669db76524

SHA1
3f9c62ee28959959271632fdc7f5387d539a1d23

SHA256
9e65d9e8ebb895f3b03c95ce64f044c70251fff444a4bcbee83f558b599a614d

SHA512
3f6106f32932e72d197865f7b796eba072c8ab20c22b4d205f27de9b9fc6c139be8450ae25541fbdac37a06bc3ec2d1fab3f9b3216201a9231b70fcde6fb8eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRwin.dll
Filesize
3.8MB

MD5
a1398812c07ad391c76b8f54e42c9e94

SHA1
5a226485386e087104e2133b9ef8fce89fae0c7f

SHA256
1c7d596364ce5132a2277f30e92aa8af76f054101d89346f133c2f9857663608

SHA512
36c82ccff5f8216d7028c814a3d4d35bbba8b987bea29b92c1ca68ce5f4f54fb3dc1aa351bebcf505365d6e0393ef75b726367ba0af1daae45b107015dd0d42a

Download Submit
memory/2480-45-0x0000000000530000-0x0000000002269000-memory.dmp

Filesize
29.2MB

Download
memory/2480-13-0x0000000000530000-0x0000000002269000-memory.dmp

Filesize
29.2MB

Download
memory/2480-4-0x0000000076840000-0x0000000076930000-memory.dmp

Filesize
960KB

Download
memory/2480-53-0x0000000007FA0000-0x0000000008B20000-memory.dmp

Filesize
11.5MB

Download
memory/2480-6-0x0000000076840000-0x0000000076930000-memory.dmp

Filesize
960KB

Download
memory/2480-56-0x0000000007FA0000-0x0000000008B20000-memory.dmp

Filesize
11.5MB

Download
memory/2480-11-0x0000000000530000-0x0000000002269000-memory.dmp

Filesize
29.2MB

Download
memory/2480-55-0x0000000007FA0000-0x0000000008B20000-memory.dmp

Filesize
11.5MB

Download
memory/2480-14-0x0000000000530000-0x0000000002269000-memory.dmp

Filesize
29.2MB

Download
memory/2480-16-0x0000000006A50000-0x0000000006B3C000-memory.dmp

Filesize
944KB

Download
memory/2480-12-0x0000000000530000-0x0000000002269000-memory.dmp

Filesize
29.2MB

Download
memory/2480-18-0x0000000006DF0000-0x00000000070A3000-memory.dmp

Filesize
2.7MB

Download
memory/2480-25-0x0000000006A50000-0x0000000006B3C000-memory.dmp

Filesize
944KB

Download
memory/2480-32-0x0000000010000000-0x0000000010184000-memory.dmp

Filesize
1.5MB

Download
memory/2480-2-0x0000000076840000-0x0000000076930000-memory.dmp

Filesize
960KB

Download
memory/2480-42-0x0000000000530000-0x0000000002269000-memory.dmp

Filesize
29.2MB

Download
memory/2480-43-0x0000000000530000-0x0000000002269000-memory.dmp

Filesize
29.2MB

Download
memory/2480-44-0x0000000000530000-0x0000000002269000-memory.dmp

Filesize
29.2MB

Download
memory/2480-0-0x0000000000530000-0x0000000002269000-memory.dmp

Filesize
29.2MB

Download
memory/2480-3-0x0000000076840000-0x0000000076930000-memory.dmp

Filesize
960KB

Download
memory/2480-7-0x0000000076840000-0x0000000076930000-memory.dmp

Filesize
960KB

Download
memory/2480-1-0x0000000076860000-0x0000000076861000-memory.dmp

Filesize
4KB

Download
memory/2480-5-0x0000000076840000-0x0000000076930000-memory.dmp

Filesize
960KB

Download
memory/2480-57-0x0000000007FA0000-0x0000000008B20000-memory.dmp

Filesize
11.5MB

Download
memory/2480-54-0x0000000007FA0000-0x0000000008B20000-memory.dmp

Filesize
11.5MB

Download
memory/2480-58-0x0000000007FA0000-0x0000000008B20000-memory.dmp

Filesize
11.5MB

Download
memory/2480-60-0x0000000007FA0000-0x0000000008B20000-memory.dmp

Filesize
11.5MB

Download
memory/2480-59-0x0000000007FA0000-0x0000000008B20000-memory.dmp

Filesize
11.5MB

Download
memory/2480-61-0x0000000007FA0000-0x0000000008B20000-memory.dmp

Filesize
11.5MB

Download
memory/2480-62-0x0000000007FA0000-0x0000000008B20000-memory.dmp

Filesize
11.5MB

Download
memory/2480-63-0x0000000000530000-0x0000000002269000-memory.dmp

Filesize
29.2MB

Download
memory/2480-65-0x0000000007FA0000-0x0000000008B20000-memory.dmp

Filesize
11.5MB

Download
memory/2480-67-0x0000000076840000-0x0000000076930000-memory.dmp

Filesize
960KB

Download
memory/2480-66-0x0000000076860000-0x0000000076861000-memory.dmp

Filesize
4KB

Download
memory/2480-68-0x0000000076840000-0x0000000076930000-memory.dmp

Filesize
960KB

Download
memory/2480-71-0x0000000076840000-0x0000000076930000-memory.dmp

Filesize
960KB

Download
memory/2480-72-0x0000000076840000-0x0000000076930000-memory.dmp

Filesize
960KB

Download
memory/2480-73-0x0000000007FA0000-0x0000000008B20000-memory.dmp

Filesize
11.5MB

Download
memory/2480-86-0x0000000007FA0000-0x0000000008B20000-memory.dmp

Filesize
11.5MB

Download
memory/2480-83-0x0000000000530000-0x0000000002269000-memory.dmp

Filesize
29.2MB

Download
memory/2480-85-0x0000000076840000-0x0000000076930000-memory.dmp

Filesize
960KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads