TDL4 Rootkit | VTI by Score
Try VMRay Analyzer
VTI Score 100 / 100 | |
| VTI Database Version | 2.4 |
| VTI Rule Match Count | 31 |
| VTI Rule Type | Default (PE, ...) |
 | Device | Write master boot record (MBR) | |
Write 512 bytes to master boot record (MBR). | |||
| Browser | Change security related browser settings | |
Change settings for the Security Zone "internet". | |||
| Kernel | Execute code with kernel privileges | |
Execute code with kernel privileges. | |||
| Device | Access physical drive | |
Access physical drive "\device\harddisk0\dr0". | |||
| Process | Overwrite code | |
Overwrite 4 byte(s) at mswsock.dll (0x757441a7) | |||
Overwrite 1 byte(s) at mswsock.dll (0x757441ab) | |||
Overwrite 4 byte(s) at mswsock.dll (0x75742bf9) | |||
Overwrite 1 byte(s) at mswsock.dll (0x75742bfd) | |||
Overwrite 4 byte(s) at winmm.dll:waveOutOpen+0x0 (0x7581451e) | |||
Overwrite 1 byte(s) at winmm.dll:waveOutOpen+0x4 (0x75814522) | |||
Overwrite 4 byte(s) at ole32.dll:CoCreateInstance+0x0 (0x75da9d0b) | |||
Overwrite 1 byte(s) at ole32.dll:CoCreateInstance+0x4 (0x75da9d0f) | |||
Overwrite 4 byte(s) at user32.dll:GetCursorPos+0x0 (0x75aa1218) | |||
Overwrite 1 byte(s) at user32.dll:GetCursorPos+0x4 (0x75aa121c) | |||
Overwrite 4 byte(s) at user32.dll:WindowFromPoint+0x0 (0x75abed12) | |||
Overwrite 1 byte(s) at user32.dll:WindowFromPoint+0x4 (0x75abed16) | |||
Overwrite 4 byte(s) at user32.dll:GetForegroundWindow+0x0 (0x75aa2320) | |||
Overwrite 1 byte(s) at user32.dll:GetForegroundWindow+0x4 (0x75aa2324) | |||
| Process | Allocate a page with write and execute permissions | |
Change the protection of a page from writable ("PAGE_READWRITE") to executable ("PAGE_EXECUTE_READWRITE"). | |||
Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. | |||
| Anti Analysis | Dynamic API usage | |
Resolve more than 50 APIs. | |||
| Process | Create system object | |
Create mutex with name "Global\B10C62E4-234C-4BF6-A1D5-1C0309CED145". | |||
Create mutex with name "Global\C3819288-93FA-4E29-A254-BD9476B53C20". | |||
Create mutex with name "Global\6C29A0C8-62C6-415C-9538-B87690BC58D2". | |||
Create mutex with name "Global\D6E9C81C-3831-4873-96BA-7C98D2DEBEF9". | |||
| Anti Analysis | Delay execution | |
One thread sleeps more than 5 minutes. | |||
| Process | Create process with hidden window | |
The process "C:\Windows\SysWOW64\ping.exe 127.0.0.1 -t" starts with hidden window. | |||
| Network | Perform DNS request | |
Resolve "127.0.0.1". | |||
| Network | Connect to remote host | |
Outgoing TCP connection to host "6zrt3vuwf-39qwkam.com:80". | |||
| Network | Download data | |
Url "http://6zrt3vuwf-39qwkam.com/evh0yGtD7e5QO1U4Y2xrPTMuNyZiaWQ9bm9uYW1lJmFpZD02NjY3MSZzaWQ9MCZyZD0xNDgxMDE2OTc037x". | |||
| Network | Connect to HTTP server | |
Remote address "6zrt3vuwf-39qwkam.com". | |||
