Extracted

• • Target

    Kaspersky.exe

  • Size

    93KB

  • MD5

    327274bc008bf3d8e260af2a4b70d059

  • SHA1

    d4058bac2970b6d2da5b77c3fb5dffeec236262c

  • SHA256

    a13ed5c6556e32a91cb9379fac3ccf5db98c42b157dfb89288f5a75ca326bc75

  • SHA512

    bae8fc052a696de14760336a896290f304182024cfdd5176f112d93f0d7e14b6a632b0e7e01f3744df1dc5f7b9e003d61088a900a7ed7b2ad2797250d725757b

  • SSDEEP

    1536:7V4FQWqkqqoLc2m+isjEwzGi1dDsDMgS:7V4mkqqoA2xiti1dal

  Score

  10^/10

  bootkitdefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationtrojan

  • Modifies Windows Defender DisableAntiSpyware settings

    evasiontrojan

  • UAC bypass

    defense_evasiontrojan

  • Windows security bypass

    defense_evasiontrojan

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Disables Task Manager via registry modification

    defense_evasion

  • Event Triggered Execution: Image File Execution Options Injection

    persistence

  • Modifies Windows Firewall

    defense_evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Windows security modification

    defense_evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    defense_evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Writes to the Master Boot Record (MBR)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  behavioral1