TDL4 Rootkit | VMRay Analyzer Report
Try VMRay Analyzer
Analysis Information
Creation Time 2016-12-06 10:36 (UTC+1)
VM Analysis Duration Time 00:02:13
Execution Successful True
Sample Filename cb91b8695d3990b5b5eae8a714bd357e
Command Line Parameters False
Prescript False
Number of Processes 36
Termination Reason Timeout
Download Function Logfile Generic Logfile PCAP STIX/CybOX
Remarks Boot sector was modified
VM rebooted
Code overwrite detected
Kernel code was executed
Truncate overall sleep time from 2 weeks, 3 days, 6 hours, 26 minutes to 2 minutes, 10 seconds
VTI Information
VTI Score
100 / 100
VTI Database Version 2.4
VTI Rule Match Count 31
VTI Rule Type Default (PE, ...)
Tags
The tags feature is only available in the fully licensed version of VMRay Analyzer.
Screenshots
Screenshot Screenshot Screenshot Screenshot Screenshot Screenshot Screenshot
Monitored Processes
Process Graph


ID PID Monitor Reason Image Name Command Line Origin ID
#1 0x7d4 Analysis Target cb91b8695d3990b5b5eae8a714bd357e.exe "C:\Users\hJrD1KOKY DS8lUjv\Desktop\cb91b8695d3990b5b5eae8a714bd357e.exe"
#2 0x4 Kernel Analysis System
#3 0xfc Child Process smss.exe \SystemRoot\System32\smss.exe #2
#4 0x10c Child Process autochk.exe \??\C:\Windows\system32\autochk.exe * #3
#5 0x13c Child Process smss.exe \SystemRoot\System32\smss.exe 00000000 0000003c #3
#6 0x144 Child Process csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 #5
#7 0x16c Child Process smss.exe \SystemRoot\System32\smss.exe 00000001 0000003c #3
#8 0x174 Child Process wininit.exe wininit.exe #5
#9 0x180 Child Process csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 #7
#10 0x19c Child Process winlogon.exe winlogon.exe #7
#11 0x1d4 Child Process services.exe C:\Windows\system32\services.exe #8
#12 0x1e4 Child Process lsass.exe C:\Windows\system32\lsass.exe #8
#13 0x1ec Child Process lsm.exe C:\Windows\system32\lsm.exe #8
#14 0x250 Child Process svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch #11
#15 0x294 Child Process svchost.exe C:\Windows\system32\svchost.exe -k RPCSS #11
#16 0x2c4 Child Process svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted #11
#17 0x308 Child Process logonui.exe "LogonUI.exe" /flags:0x0 #10
#18 0x33c Child Process svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted #11
#19 0x374 Child Process svchost.exe C:\Windows\system32\svchost.exe -k netsvcs #11
#20 0x3c4 Child Process audiodg.exe C:\Windows\system32\AUDIODG.EXE 0x2b0 #16
#21 0x128 Child Process svchost.exe C:\Windows\system32\svchost.exe -k LocalService #11
#22 0x21c Child Process dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} #14
#23 0x3bc Child Process userinit.exe C:\Windows\system32\userinit.exe #10
#24 0x140 Child Process explorer.exe C:\Windows\Explorer.EXE #23
#25 0x424 Child Process dwm.exe "C:\Windows\system32\Dwm.exe" #18
#26 0x458 Child Process svchost.exe C:\Windows\system32\svchost.exe -k NetworkService #11
#27 0x4d0 Child Process runonce.exe C:\Windows\SysWOW64\runonce.exe /Run6432 #24
#28 0x50c Child Process ping.exe C:\Windows\SysWOW64\ping.exe 127.0.0.1 -t #19
#29 0x514 Child Process spoolsv.exe C:\Windows\System32\spoolsv.exe #11
#30 0x524 Child Process conhost.exe \??\C:\Windows\system32\conhost.exe #6
#31 0x534 Child Process dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} #14
#32 0x578 Child Process taskhost.exe "taskhost.exe" #11
#33 0x5b0 Child Process svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork #11
#34 0x5f8 Child Process jusched.exe "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" #27
#35 0x788 Child Process taskhost.exe taskhost.exe SYSTEM #11
#36 0x348 Child Process dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} #14
Sample Information
ID #268671
MD5 Hash Value cb91b8695d3990b5b5eae8a714bd357e
SHA1 Hash Value 3cd6ef10dd6cbe6f158a360cf5b112cef2e18304
SHA256 Hash Value eec6bfe112155ab94029f0f8f27a484edf35b5d743503e0199637084d9520ebc
Filename cb91b8695d3990b5b5eae8a714bd357e
File Size 225.50 KB (230912 bytes)
File Type Windows Exe (x86-32)
Analyzer and Virtual Machine Information
Analyzer Version 1.11.0
Analyzer Build Date 2016-11-28 11:21 (UTC+2)
VM Name win7_64_sp1
VM Description Windows 7 (SP1, 64-bit)
VM Architecture x86 64-bit
VM OS Windows 7
VM Kernel Version 6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with deactivated setting "security.fileuri.strict_origin_policy". 



    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image