3845ebbb8a0af759606ccf0533166fccdab3b842274cabcb292719da9cb5694a

Analysis

max time kernel
122s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 00:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

startup.exe
Size

2.6MB
MD5

ecafde6855179b29d166bc3396f4fc12
SHA1

5a882dde362d7690fb6a3533cefa03663abd09f2
SHA256

3845ebbb8a0af759606ccf0533166fccdab3b842274cabcb292719da9cb5694a
SHA512

8110e43384d7c09a59499cd153eb4311ee96d941f793d7c7f853a94b50d5efba5fe87c94150c1d68f8d80d25657e1d33e47a6644d932de8b3da661024809e7e0
SSDEEP

49152:S47Nlau3ZvJvDr4sGszFPpxoJswX8aVGx0Cng4BKNJ8Srga6pxX:SeNlau39JNGyzxEsk5ozJSrn63

Score

7^/10

bootkit discovery evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2220	startup.exe

Loads dropped DLL 3 IoCs

pid	Process
2128	startup.exe
2128	startup.exe
2220	startup.exe

Checks for any installed AV software in registry 1 TTPs 64 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Display Inline Images	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Styles	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\MenuExt	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Play_Animations	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\XMLHTTP	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\International\Scripts\3	startup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\SmoothScroll	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Move System Caret	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\DOMStorage	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\SmoothScroll	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Viewport	startup.exe
Key queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Display Inline Images	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Text Scaling	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\RtfConverterFlags	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\AdvancedOptions\DISAMBIGUATION	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\CSS_Compat	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\JScriptProfileCacheEventDelay	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Enable AutoImageResize	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Larger Hit Test	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Use_DlgBox_Colors	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Expand Alt Text	startup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main	startup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Enable Browser Extensions = "no"	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Q300829	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\XDomainRequest	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Settings	startup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Move System Caret	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\International\Scripts\4	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Anchor Underline	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Disable Script Debugger	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\International\Scripts\4	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\RtfConverterFlags	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\XDomainRequest	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Cleanup HTCs	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Settings	startup.exe
Key queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab	startup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride	startup.exe
Key queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Display Inline Videos	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Disable Diagnostics Mode	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\CSS_Compat	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Play_Background_Sounds	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Use_DlgBox_Colors	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Play_Background_Sounds	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Print_Background	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Show image placeholders	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\International	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\International\Scripts	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Disable Diagnostics Mode	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\MenuExt	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\DOMStorage	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\JScriptProfileCacheEventDelay	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\UseHR	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Cleanup HTCs	startup.exe
Key queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main	startup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Enable Browser Extensions = "no"	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\Show image placeholders	startup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Main\UseHR	startup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\KasperskyLab\IEOverride\Styles	startup.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	startup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	startup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	startup.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	startup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	startup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	startup.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	startup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	startup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	startup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	startup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	startup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	startup.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	startup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	startup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	startup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	startup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	startup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	startup.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2128	startup.exe
2128	startup.exe
2128	startup.exe
2220	startup.exe
2220	startup.exe
2220	startup.exe
2220	startup.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2128	startup.exe
2220	startup.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2128	startup.exe
2128	startup.exe
2128	startup.exe
2128	startup.exe
2128	startup.exe
2128	startup.exe
2128	startup.exe
2128	startup.exe
2128	startup.exe
2220	startup.exe
2220	startup.exe
2220	startup.exe
2220	startup.exe
2220	startup.exe
2220	startup.exe
2220	startup.exe
2220	startup.exe
2220	startup.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2220	2128	startup.exe	32
PID 2128 wrote to memory of 2220	2128	startup.exe	32
PID 2128 wrote to memory of 2220	2128	startup.exe	32
PID 2128 wrote to memory of 2220	2128	startup.exe	32
PID 2128 wrote to memory of 2220	2128	startup.exe	32
PID 2128 wrote to memory of 2220	2128	startup.exe	32
PID 2128 wrote to memory of 2220	2128	startup.exe	32
PID 2128 wrote to memory of 1316	2128	startup.exe	33
PID 2128 wrote to memory of 1316	2128	startup.exe	33
PID 2128 wrote to memory of 1316	2128	startup.exe	33
PID 2128 wrote to memory of 1316	2128	startup.exe	33
PID 2128 wrote to memory of 1316	2128	startup.exe	33
PID 2128 wrote to memory of 1316	2128	startup.exe	33
PID 2128 wrote to memory of 1316	2128	startup.exe	33

C:\Users\Admin\AppData\Local\Temp\startup.exe
"C:\Users\Admin\AppData\Local\Temp\startup.exe"
1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks for VirtualBox DLLs, possible anti-VM trick
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128
- C:\ProgramData\Kaspersky Lab Setup Files\PURE21.3.10.391.0.2477.0\au_setup_F05D02D0-72F8-11EF-8C6C-D686196AC2C0\startup.exe
  "C:\ProgramData\Kaspersky Lab Setup Files\PURE21.3.10.391.0.2477.0\au_setup_F05D02D0-72F8-11EF-8C6C-D686196AC2C0\startup.exe" -auto_update_mode="C:\Users\Admin\AppData\Local\Temp\startup.exe" /-self_remove -l=en-GB -xpos=346 -ypos=71 -prevsetupver=21.3.10.391.0.106.0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2220
- C:\Users\Admin\AppData\Local\Temp\startup.exe
  "C:\Users\Admin\AppData\Local\Temp\startup.exe" -cleanup="C:\Users\Admin\AppData\Local\Temp\0667B59E8F27FE11C8C66D6891A62C0C;2128"
  2⤵
  PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Kaspersky Lab Setup Files\PURE21.3.10.391.0.2477.0\au_setup_F05D02D0-72F8-11EF-8C6C-D686196AC2C0\dynamic.ini

Filesize
698B

MD5
e2e54e1c3cf07ae42c73c6af94c31e7b

SHA1
465b4186aec0b6aa82582fa885af4025faf8f081

SHA256
959192e30fa00f278126073789fa129e0b82b57dd9add370b8908cdc352bdcdb

SHA512
4edfe3c24b232f7659be4724435ed14447c06883edda3a63f3850522bbfda4b999837082d82581ade6b2f309f06e7bf69645475d322dafef043577f4d8e78870

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\PURE21.3.10.391.0.2477.0\au_setup_F05D02D0-72F8-11EF-8C6C-D686196AC2C0\startup.exe

Filesize
2.6MB

MD5
119c2b402e40421153f8be1c3f5e1a14

SHA1
9c80aaf7c4bac7a3aa7b56d8f3177062ee2d158d

SHA256
b9bbee11cba3b710a7aa654dabc173d884cd06d604e64e99ff883e9eb2a48fd9

SHA512
bcf8867c4a45a0fa4cba7cf4e2f9dd2c4a2581f229e90f413631049721cb619ba8068b87b4acf20872720d886291f80cc79e0a6e7a608d11bd0fd728997195d9

Download Submit
C:\ProgramData\Kaspersky Lab Setup Files\PURE21.3.10.391.0.2477.0\kdscrl.rdb.z

Filesize
4KB

MD5
2b5c1681b4483043e315c98c05d21a49

SHA1
29c635e017e0f1b7ad64360a0543a95da2e40b08

SHA256
511b7e2f022f5320e8063437a9d986fef0e161419698cc0c16e64bca5399eff5

SHA512
6fc1259dd495112fd60e1d824ff5200666960c6cd08396e1ac66ec45c05ff6df00a5e99bce2278725da512a1fbb42369f6d4e929d8472fe86b4bfeb17c364ed2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
73cced6609da1921afd5e8b1e39481cb

SHA1
503bf4669c2559102190514973768287478c71b0

SHA256
6fb525ce7e64ddafb2daa8b7f7b5efecd7b5c42f7a462a2be673fca91dba4d1c

SHA512
0bd58e160276d24fe05f8f37670749c5850970af6c11532822465b8a14e2084eaf84b6f583985587fa8c878125fe5ff920178a646c3d35dcb93554ed78d3e6f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b0125cd7621caccd223eaeaed25ffb5

SHA1
97b957f0d41274ff0a128da49a01ef295e4c0ab5

SHA256
063d1b5b85c7e8308bf7bd0e7ebd703ed46d5e06c409593d49deb998be5ced74

SHA512
908f45344f0926b662dab2f138cce48382d88c7023d658c2b7992599297a6f9eca3f83ef7a47007d6174e1ae104ec93446d4e0114a9c384a9c1a7faf50069474

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
2e80d18d9750958ee5bc8726671a2a9c

SHA1
cd5b1fd2240f008a5283889bdf25729939b14736

SHA256
25cd1334b0e7886416989476aac22658a4b194780543f67e43a8cab01b830413

SHA512
85c5498ca11cc3daeaf0efa7d8df4f852bf9755cdbc1e9328b6c0574fdafd6c9825ba3889e199f6c983ccdfefe4c8685986374b77a3a67b8864d22819254cf65

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA4F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E95B7661-72F8-11EF-8C6C-D686196AC2C0\check_new_version.html

Filesize
1KB

MD5
51dc1945e2d325f9451a1b6898282bc2

SHA1
bac3c11dc11dff02035080e6f67eb2298db989dc

SHA256
1ad0e2ac0603724a2335dd6c2044465ebfdc5b5b350d370eb4e5e0a02959a0f5

SHA512
2f48b53d10151414104fe68bae3647fc2d021dcb5562b212e185f93cc2cd0430f56d68fb2e9ac8a2356551c4f703f8da3228573d32b2ef80c698eac3b5fc9262

Download Submit
C:\Users\Admin\AppData\Local\Temp\E95B7661-72F8-11EF-8C6C-D686196AC2C0\kis-loading.gif

Filesize
10KB

MD5
69d4b9b309bfa6a87f7620647bafd2d0

SHA1
c9f6bb4d6494bbd7a47d52874da43501afb97c6d

SHA256
f056164cf99799234c90e2318e90ab5d83d0fd855118224286ff0680ee455734

SHA512
2aa95fa187d24b4310af4e72a49c8fe665b84aa15ed33ca5b78a88da861554948d5fdb2f0b59ba8560b8c9dc1d4ff8cf5b37bdc1cbdb4fdf7a6e6fbe7e4f4b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E95B7661-72F8-11EF-8C6C-D686196AC2C0\kis-logo.png

Filesize
4KB

MD5
18f81892daa926fec1d30324b4cd9367

SHA1
0f0753271f09aecd6731c9dd998d15df5f967b7e

SHA256
681a96b96b5e0425fc74be929d29164528bf0bc0a84ac97952c011e407e23d9b

SHA512
5e07a3f44f6135291909680abb62e21d0c6bca899905aafa66cc3b436e77430a3ea96a95b54f2705e1f9dd49b60a855d986c4d76ea65dc9a9a5edf3d2748550d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5D70CB1-72F8-11EF-8C6C-D686196AC2C0\jquery-1.12.4.min.js

Filesize
94KB

MD5
4f252523d4af0b478c810c2547a63e19

SHA1
5a9dcfbef655a2668e78baebeaa8dc6f41d8dabb

SHA256
668b046d12db350ccba6728890476b3efee53b2f42dbb84743e5e9f1ae0cc404

SHA512
8c6b0c1fcde829ef5ab02a643959019d4ac30d3a7cc25f9a7640760fefff26d9713b84ab2e825d85b3b2b08150265a10143f82e05975accb10645efa26357479

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5D70CB1-72F8-11EF-8C6C-D686196AC2C0\jquery.custom_select.min.js

Filesize
5KB

MD5
d2c620c462b75696eea1fb22fb23602a

SHA1
900f78eb8e1103be1535af5e76d1bed686cdcce3

SHA256
dd678d32073078552e0e2c35eed78f16cc8d6e8662d4734518561a1b183f775c

SHA512
40e1180b63b328c22cfacc40529cbda2409a54fbbbd5813fcc5f8dcdf95ad7fcd74ea96382e3a2d0bcfed9e68c208f7733b7c630edee7e2013c9a5459091c02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5D70CB1-72F8-11EF-8C6C-D686196AC2C0\kis-print.css

Filesize
306B

MD5
1304724dd5001b2600fc5bd80c098f1e

SHA1
87ec458c25a35e3a45c2a6ede9ec16ec4d4c7093

SHA256
2481b34b48fd96b194405da621e8e5f19142dcb55744f9c9a93591705cb697fd

SHA512
4371fbd6ba7e84ae827ec73bec4c903275e4373c16063b6fe63ca157a4db346df5617a9db5c9e1fdcb661f220f6dcbc1f7e4003805dba9fa7a279fc882aebeeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5D70CB1-72F8-11EF-8C6C-D686196AC2C0\kis-script-lte-ie8.js

Filesize
1KB

MD5
5134186180074c51639d7a514919ed23

SHA1
23bddb16b3b6c3a687dfcfed5c1a6c23c0ed1f0a

SHA256
33e84b33ff911257e3a6a303c08a2cc178827dadb7dfd7c951e096866e02ad5e

SHA512
8ad216cee9192533801b0f10f3bc149506f75dfd2cd554e801e1732b474629435ada4549473176b5440c57c112986dd198dcf508fb0e55ed3a050a75b0fa3d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5D70CB1-72F8-11EF-8C6C-D686196AC2C0\kis-script.js

Filesize
306B

MD5
026425ccbf4417eefa444285707132ef

SHA1
a953b9f6781d4b6daa2eedc0c45d358f2a472370

SHA256
97e5f342227ea23c27c1b660f111847fcdd9d7b23c1d248c733a36f983fd7f04

SHA512
a266e2f9f10620347f0d05d081362086e81c67fb7c5f4a74c26cca54686f6afb2f2933b1f7afb6d9c96382ff4e4e3cf2f0f38cdd162175cdefccb5909b1aa6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5D70CB1-72F8-11EF-8C6C-D686196AC2C0\kis-style.css

Filesize
29KB

MD5
2b4bd0afd0e9dd5c90fb8c3bb4a5d619

SHA1
a4a1a61d43e8f897d36fef9e1927848de2d312cc

SHA256
f9963b403e053f6bfa7c87cad3c10dd55cf1f94fefe00c6380921440e28b48d2

SHA512
c0b284552502304f05dd10606e01b0d35210a27f982bba8a605f2939a2ac43890636175431eab99edc45cfc2825fe1b1cffabd8067d9eaa7ad59af466a052974

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5D70CB1-72F8-11EF-8C6C-D686196AC2C0\welcome_page_kavkis.html

Filesize
1KB

MD5
5cf2b3e188d345af82b3bec75272955d

SHA1
54292fea9194e740d317109bf7a23b1cf958c43e

SHA256
c240efa2336e2899a710825b9f0b96c174fa73a545c5dc63eebebee75021730a

SHA512
a448d285e232f70bec1b4cee1ca146a31013f97122ccc8e66b0386cd8652e979a38c0304512c054e4128b04a9aedf3f1e73569953514074f8effe1d6b2067978

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA62.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3P4PF75P.txt

Filesize
104B

MD5
8647d75fbd7fc042ff31d0c0d693c9eb

SHA1
283415970b9144c6c2ead2cbeb4c822e9714cd7e

SHA256
65c3f03d0bcce9cfd9c984f8a80be5ee5a2f85e038ed19ee1e52737142f1655e

SHA512
dc8e295d907b2b99377e5e47d3447979a627ff5e576a4b9082d8f7ec22bfb39a88bf59d0cd6eecd592ef56fb1eb20496c1f2571b29f1520300d76ea693b852b1

Download Submit
\Users\Admin\AppData\Local\Temp\0667B59E8F27FE11C8C66D6891A62C0C\setup.dll

Filesize
5.1MB

MD5
6b439a6b87e6f6e30241cb64466087ef

SHA1
63799d31bde76653677d5dd647d98488136177c6

SHA256
0a4406ae8ca4c397e63a686b5be680b7dec0d7006b9ab65dce22372955ed9644

SHA512
70c1e61c30881ed22529ef25e61b3958185982a0b569f070a58b2614bb1ec2958cab5e47a46afaa86ef9d8140791dda59507fa5a5a34b0092b03726e77b88187

Download Submit
\Users\Admin\AppData\Local\Temp\0BC07D5F8F27FE11C8C66D6891A62C0C\setup.dll

Filesize
5.1MB

MD5
248ffb3729931025172e6c70b0ab3ff1

SHA1
27d2308d8a46377e45ae4d474b77b83f76dfdb7d

SHA256
b4b494d9f1b247ea3e07f42c6ee79fe3d02e61ddbf560a41ad349467e955efc3

SHA512
93da7f092238ce624803a2cd7d6a4ebdb5cb4e1e8f83caa432c060a1543df490b84ce5e81a073be281e5dad40a4bdebb2195efa3a351128e14de4042cad0cc48

Download Submit
memory/1316-325-0x00000000771E0000-0x00000000771F0000-memory.dmp

Filesize
64KB

Download
memory/1316-324-0x00000000771E0000-0x00000000771F0000-memory.dmp

Filesize
64KB

Download
memory/1316-323-0x00000000771E0000-0x00000000771F0000-memory.dmp

Filesize
64KB

Download
memory/2128-0-0x0000000077200000-0x0000000077210000-memory.dmp

Filesize
64KB

Download
memory/2128-1-0x0000000077200000-0x0000000077210000-memory.dmp

Filesize
64KB

Download
memory/2128-2-0x0000000077200000-0x0000000077210000-memory.dmp

Filesize
64KB

Download
memory/2220-157-0x00000000771F0000-0x0000000077200000-memory.dmp

Filesize
64KB

Download
memory/2220-158-0x00000000771F0000-0x0000000077200000-memory.dmp

Filesize
64KB

Download
memory/2220-159-0x00000000771F0000-0x0000000077200000-memory.dmp

Filesize
64KB

Download