a9b919c46156302c6d580a884c600be2f0375590c4879996c980c2c597051f95

Analysis

max time kernel
291s
max time network
126s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ToolKit.Premium.v1.11.16/ToolKit.Premium.exe
Size

14.2MB
MD5

05d03c4f7bd1585b933b0bf128663f0d
SHA1

2fae7520866d17e0ca86980ea9642e9c0d743cbd
SHA256

34422e31140575d39f8596b13d2365a48e0ca4a7dc2412e2f0ac6bcbddf0fd70
SHA512

0bfa6191f7f85e46553d5459487061e2803edefd82dff17ff3c19a4c7a56ca4e6d1f95708fe0edbda1e6f6012cd9568fc9dc1d2c061260a433bdb8ca7d309253
SSDEEP

393216:HxqM4sF1iwSwdLLX+yYW6YLEJG/+VULDi1QcMgzf9NnW0:RGskwVLX+yCYLBdLDiycMgpRx

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ToolKit.Premium.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ToolKit.Premium.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ToolKit.Premium.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ToolKit.Premium.exe

Loads dropped DLL 1 IoCs

pid	Process
2552	ToolKit.Premium.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ToolKit.Premium.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ToolKit.Premium.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2552	ToolKit.Premium.exe

C:\Users\Admin\AppData\Local\Temp\ToolKit.Premium.v1.11.16\ToolKit.Premium.exe
"C:\Users\Admin\AppData\Local\Temp\ToolKit.Premium.v1.11.16\ToolKit.Premium.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Cracked_BY_ZeCoder\ToolKit.Premium.exe_Url_mk2jzc3h3ddthll2vr15hj3w2e51y0hf\1.11.16.0\jo0tqavg.newcfg

Filesize
1KB

MD5
28540c4b7418d9c8357bde5ec23f0cdd

SHA1
b89399bf2fcfae1c178a8ef7a9ee885b669644c8

SHA256
106ec916c128e31ea0e5635d182033aafa403564105d5ff03e77539d6d4d5a9d

SHA512
41870a0de0edda8e542be078bdcce25d53cdd32599a322e7aeb53a120c1716903e5ea6afe459d909f75a9348a8ae06efd686ebfd7986ffc8c836f18d1f73f378

Download Submit
C:\Users\Admin\AppData\Local\Cracked_BY_ZeCoder\ToolKit.Premium.exe_Url_mk2jzc3h3ddthll2vr15hj3w2e51y0hf\1.11.16.0\nbybvhb4.newcfg

Filesize
952B

MD5
489b167e962195e93181c7a7b3129bb8

SHA1
cc96805285e42c3742760ec90812df9b75d10349

SHA256
f010c9e3df0dd102f50b8030f140d8ddff0a4e187fc677e8890cd616825c3cdd

SHA512
d8ec3998732c402bcb5ae76338080d3f50bba7843bb9adf403a866ebe06d38c59ca6e217cfa2cbdc47341c50d57723a307a6f5974d7d4d1c57b83c1af2a2764e

Download Submit
C:\Users\Admin\AppData\Local\Cracked_BY_ZeCoder\ToolKit.Premium.exe_Url_mk2jzc3h3ddthll2vr15hj3w2e51y0hf\1.11.16.0\user.config

Filesize
815B

MD5
a3652ea70e4768c5aa844d37b8020ae9

SHA1
a879b6e9fc7b7d47a16bdd7b1e9dff2e2cc0b926

SHA256
875216c8d906c6dfd94fcfed699ae23a81f27d487928608f1d8e36e74fb7c91f

SHA512
c5c2ad0076c423b5c8be8a9978d6b0bbb84ffa70cad4685ed2a8273920b864ffec6e595e9dbab1a52ef2521ea5184ec9bfc69269492ef1055e3eaa823c48d178

Download Submit
\Users\Admin\AppData\Local\Temp\Protecta45d1cb7.dll

Filesize
824KB

MD5
a45d1cb73933fbb59e22835707e30186

SHA1
14987b17fea24f3b5d8eb383ce641eda13fb4efc

SHA256
81aae523307058bec820eb48fea171f208a2602fa72e614065877a48228989ad

SHA512
9010c402b8ca7eb13a486a7ec062c00333680a59048b9c925882e7f4aada718db5843b2bd8451e361f950d89c12eb7b2ba8c26c60e762919a5ff10a5f9ba9807

Download Submit
memory/2552-6-0x0000000001010000-0x00000000030B2000-memory.dmp

Filesize
32.6MB

Download
memory/2552-7-0x0000000001010000-0x00000000030B2000-memory.dmp

Filesize
32.6MB

Download
memory/2552-12-0x000007FEFD6C0000-0x000007FEFD72C000-memory.dmp

Filesize
432KB

Download
memory/2552-13-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/2552-14-0x000007FEFD6C0000-0x000007FEFD72C000-memory.dmp

Filesize
432KB

Download
memory/2552-0-0x0000000001010000-0x00000000030B2000-memory.dmp

Filesize
32.6MB

Download
memory/2552-2-0x000007FEFD6D3000-0x000007FEFD6D4000-memory.dmp

Filesize
4KB

Download
memory/2552-3-0x000007FEFD6C0000-0x000007FEFD72C000-memory.dmp

Filesize
432KB

Download
memory/2552-43-0x0000000001010000-0x00000000030B2000-memory.dmp

Filesize
32.6MB

Download
memory/2552-44-0x000007FEFD6C0000-0x000007FEFD72C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads