b47cba80a43f6f817aac64184597d953e86f8000460b2185ae0751509ab335eb

General

Target

Boleto-10-2011.exe
Size

353KB
MD5

681abf81004f57b2930a7fade361c160
SHA1

43707fceb0fda0045e2ad1522375f66a25a9a5ad
SHA256

7e07c36e47c45f16faf8f41e4805396dc99445a3c563258d9a6ed65b638e073a
SHA512

15ad726644ffb33279afe2beef362de6f077247e6487b589bcffebb45ab00608286448d0d02c16ef4c3c486dee374e9fc95988641f3c4702be7e442494178585
SSDEEP

6144:uAkg2vhVMaJTXPiap/ZMUxgdUCxlZn+aC1meyUGimMxSkOZbX:u02ZVvx6aTMLX/5W1meyUGp8POt

Score

10^/10

bootkit evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RDSound = "C:\\Users\\Admin\\AppData\\Roaming\\Huawei3g.exe"	reg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Boleto-10-2011.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A6AC1351-3DA2-11EF-9112-4E15D54E5731} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Boleto-10-2011.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Boleto-10-2011.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Boleto-10-2011.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2664	reg.exe
1692	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Boleto-10-2011.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Boleto-10-2011.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2468	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2468	iexplore.exe
2468	iexplore.exe
380	IEXPLORE.EXE
380	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2940	2696	Boleto-10-2011.exe	30
PID 2696 wrote to memory of 2940	2696	Boleto-10-2011.exe	30
PID 2696 wrote to memory of 2940	2696	Boleto-10-2011.exe	30
PID 2696 wrote to memory of 2940	2696	Boleto-10-2011.exe	30
PID 2696 wrote to memory of 2644	2696	Boleto-10-2011.exe	32
PID 2696 wrote to memory of 2644	2696	Boleto-10-2011.exe	32
PID 2696 wrote to memory of 2644	2696	Boleto-10-2011.exe	32
PID 2696 wrote to memory of 2644	2696	Boleto-10-2011.exe	32
PID 2644 wrote to memory of 2652	2644	cmd.exe	34
PID 2644 wrote to memory of 2652	2644	cmd.exe	34
PID 2644 wrote to memory of 2652	2644	cmd.exe	34
PID 2644 wrote to memory of 2652	2644	cmd.exe	34
PID 2940 wrote to memory of 2664	2940	cmd.exe	35
PID 2940 wrote to memory of 2664	2940	cmd.exe	35
PID 2940 wrote to memory of 2664	2940	cmd.exe	35
PID 2940 wrote to memory of 2664	2940	cmd.exe	35
PID 2652 wrote to memory of 1692	2652	cmd.exe	36
PID 2652 wrote to memory of 1692	2652	cmd.exe	36
PID 2652 wrote to memory of 1692	2652	cmd.exe	36
PID 2652 wrote to memory of 1692	2652	cmd.exe	36
PID 2468 wrote to memory of 380	2468	iexplore.exe	40
PID 2468 wrote to memory of 380	2468	iexplore.exe	40
PID 2468 wrote to memory of 380	2468	iexplore.exe	40
PID 2468 wrote to memory of 380	2468	iexplore.exe	40

C:\Users\Admin\AppData\Local\Temp\Boleto-10-2011.exe
"C:\Users\Admin\AppData\Local\Temp\Boleto-10-2011.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\Nreg.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v RDSound /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Huawei3g.exe" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\NUac.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:1692

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2468 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Pre-OS Boot

T1542

Bootkit

1

T1542.003

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NUac.bat

Filesize
164B

MD5
c80c14c9b9ffd63a2ed8037940d75103

SHA1
3f24e10b213bd483067709c8c4f7b75c29464eff

SHA256
236f2acb03d56106f0e6b693108f25ed2eb9b7d0503a84e6948e797f8c15dd6b

SHA512
f51619a769fc86bc091bd1a534c6cac5d8c426ddd9784fd98bb23b7f0c699fcc473722dffa1196391c3e92f4647ce96de4b3326c25f49014552b0346a6f4e2c9

Download Submit
C:\Users\Admin\AppData\Roaming\Nreg.bat

Filesize
118B

MD5
c515911f3c9c95c71397ec270d03dc09

SHA1
5ed1e95629a721abeb30666d699798fe8d3399a3

SHA256
07589b5e7fa05ac15a19128dab9bbedcd485492f7e41b3bbcc97a6430610265c

SHA512
055617212f73e2b32ba13ea6d5c114c38c9a9d633d797f16fa7aacf121b68b44e93700a632f21f37ad805df4157b93aab9dc4dbe9662863444aece3449c0d367

Download Submit
C:\Users\Admin\AppData\Roaming\sunjunSan.dll

Filesize
129KB

MD5
073bea567f124dc7454897430b79a865

SHA1
88b02e94559e907c824ef8c208095652220aef01

SHA256
871edddb9774bb7a7f247418e75f3692f9297207df6d94bc749a0b2b745f2402

SHA512
5f038bae6bcb5c8e504d1d26ada43920ca83d0a9fd1fa1d1c428fceb09783946c48f07d0b11c00cfc9d2764e26a0cc9b91738a1f3de586a861a403ce171acd1a

Download Submit
memory/2696-6-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2696-13-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2696-9-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2696-8-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2696-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2696-0-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2696-5-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2696-4-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2696-3-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2696-2-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2696-1-0x00000000003C0000-0x00000000003C2000-memory.dmp

Filesize
8KB

Download
memory/2696-11-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2696-21-0x0000000003940000-0x0000000003950000-memory.dmp

Filesize
64KB

Download
memory/2696-12-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2696-10-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2696-34-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2696-72-0x0000000003940000-0x0000000003950000-memory.dmp

Filesize
64KB

Download
memory/2696-62-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2696-55-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2696-73-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2696-74-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2696-75-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2696-76-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2696-77-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2696-78-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2696-79-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2696-80-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2696-81-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2696-82-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2696-83-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/2696-84-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads