##############################BE AWARE#####################################
############################## BACKDOOR SPOTTED ##############################
TROJAN DROPPER FAMILY …
@Lost could you explain that my friend …
I don't say it was done on purpose, I am not accusing anybody, maybe it is a false positive, but launching from LocaleData/temp/ seems very odd to me …
biosromvar64.sys is related to the Insyde app/driver aka H2OUVE …
running at Windows startup, why?
https://imgur.com/Bqg688z
Google it:
https://www.herdprotect.com/biosromvar64…cccace478a.aspx
https://www.herdprotect.com/signer-insyd…ecd9f9e9e2.aspx
NOT KNOWN FALSE POSITIVES …
H2OUVE-W-Q2S.exe is a trojan H2OUVE app backdooring the firmware
Analysis of the malware:
https://www.hybrid-analysis.com/sample/1…vironmentId=120
1st sample on 17 June 2019 …
Here is a scan of H2OUVE:
Functions:
Privilege escalation, RDP backdoor via .sys file …
Remote Access
Reads terminal service related keys (often RDP related)
Spyware
Contains ability to open the clipboard
Fingerprint
Queries firmware table information (may be used to fingerprint/evade)
Queries sensitive IE security settings
Reads the active computer name
Evasive
Marks file for deletion
The input sample contains a known anti-VM trick
Listing all services running at boot-up: the file is erased on my computer, btw, and RDP is hardened
…
https://imgur.com/Bqg688z
EVERYBODY LOOK FOR THE PATH AND FOR THE FILE AT WINDOWS STARTUP! CLOSE ALL UNNECESSARY SERVICES AND USE SYSHARDENER TO HARDEN AT LEAST THE SMB 1/2/3.0 PROTOCOLS AND RDP, ERASE THE .SYS FILE, RUN "SFC.EXE /SCANNOW" IN CMD TO CHECK WINDOWS INTEGRITY, DO A FULL SCAN WITH YOUR AV AND CHECK WITH ZHP SUITE ALL THE SUSPICIOUS REGISTRY KEYS IN REGEDIT !!!
ZHP SUITE FOR MALWARE ANALYSIS:
https://nicolascoolman.eu/en/2020/02/11/zhpsuite/
SYSHARDENER: go to FIREWALL RULES, CHECK ALL, APPLY, BLOCK ALL …
THEN in the MAIN WINDOW go to LOAD CONFIG and look for the ALL_ON_WIN10 file, follow the instructions and look for the HELP button in case you need more intel on all the features of this beautiful app: ALWAYS USE SRP, DO YOUR OWN WHITELIST, DISABLE SMB, BLOCK ALL SCRIPTS, DISABLE RDC, BLOCK WINDOWS SCRIPT HOST, CMD, POWERSHELL, and BLOCK REMOTE ACCESS AND REGISTRY …
Download here, with more advice on this website: https://www.novirusthanks.org/products/syshardener/
BE ADVISED: I am downloading the malware for malware analysis; my file was deleted by AV a long time ago, so I am working on the 06/19/2019 file from here
https://www.hybrid-analysis.com/sample/1…46c0195fc335a2d
I will do a static analysis; meanwhile, here is some intel
Filename: H2OUVE-W-Q2S.exe
Size: 1014KiB (1038631 bytes)
Type: peexe executable
Description: PE32 executable (GUI) Intel 80386, for MS Windows
Architecture: WINDOWS
SHA256: 16bd6b966009775a4c454fcadf8c3cc02f3ef3966ece982de46c0195fc335a2d
Compiler/Packer: VC8 → Microsoft Corporation
PDB Timestamp:
PDB Pathway: :\haozip_3.0_Release\rczip\bin\Win32\release\pdb\HaoZip7zSetup_enu.pdb
Classification (TrID)
41.0% (.EXE) Win32 Executable MS Visual C++ (generic)
36.3% (.EXE) Win64 Executable (generic)
8.6% (.DLL) Win32 Dynamic Link Library (generic)
5.9% (.EXE) Win32 Executable (generic)
2.6% (.EXE) OS/2 Executable (generic)
File Sections
Name Entropy Virtual Address Virtual Size Raw Size MD5
.text 6.6269914217 0x1000 0x3fcc5 0x3fe00 6320b3585c84ba8470530211007929e0
.rdata 4.87201653812 0x41000 0xcbe2 0xcc00 9e7d086d4cde66ab3e0e0452f44bdce9
.data 4.8497175926 0x4e000 0xa420 0x4200 dd942e1819d595341effa82450f35448
.rsrc 4.86677707249 0x59000 0x215e4 0x21600 a88a82d5dab9cd3c9c79c244b982c22d
File Imports
H2OUVE-W-Q2S.exe (PID: 3788) 34/79
cmd.exe %WINDIR%\system32\cmd.exe /c ""%PROGRAMFILES%(x86)\RunQ2S.bat" " (PID: 3952)
H2OUVE-W.exe /flash:VarData.xml (PID: 4064)
Malicious Indicators (9)
Anti-Detection/Stealthyness
Queries firmware table information (may be used to fingerprint/evade)
Environment Awareness
The input sample contains a known anti-VM trick
details
Found VM detection artifact “CPUID trick” in “16bd6b966009775a4c454fcadf8c3cc02f3ef3966ece982de46c0195fc335a2d.bin” (Offset: 320120)
source
Extracted File
relevance
5/10
External Systems
Sample was identified as malicious by a large number of Antivirus engines
details
33/69 Antivirus vendors marked sample as malicious (47% detection rate)
source
External System
relevance
10/10
Sample was identified as malicious by at least one Antivirus engine
details
4/15 Antivirus vendors marked sample as malicious (26% detection rate)
33/69 Antivirus vendors marked sample as malicious (47% detection rate)
source
External System
relevance
8/10
General
Contains ability to start/interact with device drivers
details
[email protected] (6 call sites)
source
Hybrid Analysis Technology
relevance
8/10
Installation/Persistance
Allocates virtual memory in a remote process
details
"H2OUVE-W-Q2S.exe" allocated memory in “%WINDIR%\AppPatch\sysmain.sdb”
“cmd.exe” allocated memory in “\Device\MountPointManager"
source
API Call
relevance
7/10
ATT&CK ID
T1055
Drops system driver
details
"biosromvar64.sys" has type "PE32+ executable (native) x86-64 for MS Windows"
source
Extracted File
relevance
10/10
ATT&CK ID
T1215
Unusual Characteristics
References suspicious system modules
details
"ntoskrnl.exe"
source
String
relevance
5/10
ATT&CK ID
T1215
Suspicious Indicators (26)
Anti-Reverse Engineering
Looks up many procedures within the same disassembly stream (often used to hide usage)
details
Found 18 calls to [email protected] from H2OUVE-W.exe (PID: 4064)
Found 18 calls to [email protected]
source
Hybrid Analysis Technology
relevance
10/10
Cryptographic Related
Found a cryptographic related string
details
"DES” (Indicator: “des”; File: “smibiosrom.dll.1839381160”)
source
String
relevance
10/10
Environment Awareness
Contains ability to query CPU information
details
cpuid from H2OUVE-W-Q2S.exe (PID: 3788) (2 call sites)
cpuid from H2OUVE-W.exe (PID: 4064)
cpuid
source
Hybrid Analysis Technology
relevance
10/10
ATT&CK ID
T1082
Reads the active computer name
details
"H2OUVE-W-Q2S.exe" (Path: “HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME”; Key: “COMPUTERNAME”)
“H2OUVE-W.exe” (Path: “HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME”; Key: “COMPUTERNAME”)
source
Registry Access
relevance
5/10
ATT&CK ID
T1012
External Systems
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
details
1/66 reputation engines marked “http://www.haozip.com” as malicious (1% detection rate)
source
External System
relevance
10/10
General
Contains ability to find and load resources of a specific module
details
[email protected] from H2OUVE-W-Q2S.exe (PID: 3788)
[email protected] from H2OUVE-W.exe (PID: 4064) (10 call sites)
[email protected] (9 call sites)
source
Hybrid Analysis Technology
relevance
1/10
Reads configuration files
details
"H2OUVE-W-Q2S.exe" read file “%PROGRAMFILES%(x86)\desktop.ini”
“H2OUVE-W-Q2S.exe” read file “%USERPROFILE%\Desktop\desktop.ini"
source
API Call
relevance
4/10
Installation/Persistance
Drops executable files
details
"smibiosrom.dll” has type “PE32 executable (DLL) (GUI) Intel 80386 for MS Windows”
“H2OUVE-W.exe” has type “MS-DOS executable COFF for MS-DOS DJGPP go32 DOS extender UPX compressed”
“biosromvar64.sys” has type “PE32+ executable (native) x86-64 for MS Windows"
source
Extracted File
relevance
10/10
Writes data to a remote process
details
"cmd.exe” wrote 32 bytes to a remote process “%PROGRAMFILES%(x86)\H2OUVE-W.exe” (Handle: 124)
“cmd.exe” wrote 52 bytes to a remote process “%PROGRAMFILES%(x86)\H2OUVE-W.exe” (Handle: 124)
“cmd.exe” wrote 4 bytes to a remote process “%PROGRAMFILES%(x86)\H2OUVE-W.exe” (Handle: 124)
“cmd.exe” wrote 8 bytes to a remote process “%PROGRAMFILES%(x86)\H2OUVE-W.exe” (Handle: 124)
source
API Call
relevance
6/10
ATT&CK ID
T1055
Network Related
Found potential IP address in binary/memory
details
Heuristic match: "(del %0) else (ping 127.0.0.1 -n 2&del "
Heuristic match: "else (ping 127.0.0.1 -n 2&del "
Heuristic match: "1.0.0.11-beta4"
source
String
relevance
3/10
Remote Access Related
Reads terminal service related keys (often RDP related)
details
"H2OUVE-W-Q2S.exe” (Path: “HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER”; Key: “TSUSERENABLED”)
source
Registry Access
relevance
10/10
ATT&CK ID
T1076
Spyware/Information Retrieval
Contains ability to open the clipboard
details
[email protected] from H2OUVE-W.exe (PID: 4064)
[email protected]
source
Hybrid Analysis Technology
relevance
10/10
ATT&CK ID
T1115
System Destruction
Marks file for deletion
details
”%PROGRAMFILES%(x86)\H2OUVE-W.exe” marked “%PROGRAMFILES%(x86)\VarEditDebug.log” for deletion
source
API Call
relevance
10/10
ATT&CK ID
T1107
Opens file with deletion access rights
details
"H2OUVE-W.exe” opened “%TEMP%\smibiosrom.dll” with delete access
"H2OUVE-W.exe" opened “%TEMP%\biosromvar64.sys” with delete access
"H2OUVE-W.exe" opened “%PROGRAMFILES%(x86)\VarEditDebug.log” with delete access
source
API Call
relevance
7/10
System Security
Modifies proxy settings
details
"H2OUVE-W-Q2S.exe" (Access type: “DELETEVAL”; Path: “HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP”; Key: “PROXYBYPASS”)
“H2OUVE-W-Q2S.exe” (Access type: “DELETEVAL”; Path: “HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP”; Key: “PROXYBYPASS”)
source
Registry Access
relevance
10/10
ATT&CK ID
T1112
Queries sensitive IE security settings
details
"H2OUVE-W-Q2S.exe" (Path: “HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY”; Key: “DISABLESECURITYSETTINGSCHECK”)
source
Registry Access
relevance
8/10
ATT&CK ID
T1012
Unusual Characteristics
CRC value set in PE header does not match actual value
details
"16bd6b966009775a4c454fcadf8c3cc02f3ef3966ece982de46c0195fc335a2d.bin" claimed CRC 495180 while the actual is CRC 1078657
"H2OUVE-W.exe" claimed CRC 2580230 while the actual is CRC 458206
"biosromvar64.sys" claimed CRC 72556 while the actual is CRC 2580230
source
Static Parser
relevance
10/10
Imports suspicious APIs
details
GetFileAttributesW
GetTempPathW
GetModuleFileNameW
IsDebuggerPresent
GetModuleFileNameA
UnhandledExceptionFilter
CreateThread
ExitThread
TerminateProcess
LoadLibraryW
GetVersionExW
GetTickCount
GetVersionExA
LoadLibraryA
GetStartupInfoA
GetFileSize
GetStartupInfoW
CreateDirectoryW
DeleteFileW
GetProcAddress
GetTempFileNameW
WriteFile
FindNextFileW
FindFirstFileW
CreateFileW
CreateFileA
GetCommandLineW
GetCommandLineA
GetModuleHandleA
GetModuleHandleW
FindResourceW
CreateProcessW
Sleep
VirtualAlloc
ShellExecuteW
ShellExecuteExW
StartServiceW
CreateServiceW
DeviceIoControl
LockResource
GetWindowThreadProcessId
GetLastActivePopup
SetWindowsHookExW
RegCreateKeyExW
RegDeleteValueW
RegCloseKey
OpenProcessToken
RegEnumKeyW
RegCreateKeyW
RegOpenKeyExW
RegDeleteKeyW
RegOpenKeyExA
RegOpenKeyW
CopyFileW
GetFileSizeEx
GetFileAttributesExW
GetCursorPos
source
Static Parser
relevance
1/10
Installs hooks/patches the running process
details
"H2OUVE-W-Q2S.exe" wrote bytes “60129573” to virtual address “0x74E5E324” (part of module “WININET.DLL”)
“H2OUVE-W-Q2S.exe” wrote bytes “b830129573ffe0” to virtual address “0x752B1368” (part of module “WS2_32.DLL”)
“H2OUVE-W-Q2S.exe” wrote bytes “b8c0159573ffe0” to virtual address “0x74B036B4” (part of module “SSPICLI.DLL”)
“H2OUVE-W-Q2S.exe” wrote bytes “d83ab074” to virtual address “0x74B10274” (part of module “SSPICLI.DLL”)
“H2OUVE-W-Q2S.exe” wrote bytes “7111c9007a3bc800ab8b02007f950200fc8c0200729602006cc805001ecdc5007d26c500” to virtual address “0x766307E4” (part of module “USER32.DLL”)
“H2OUVE-W-Q2S.exe” wrote bytes “b840139573ffe0” to virtual address “0x74B03AD8” (part of module “SSPICLI.DLL”)
“H2OUVE-W-Q2S.exe” wrote bytes “d83a0200” to virtual address “0x74B04E38” (part of module “SSPICLI.DLL”)
“H2OUVE-W-Q2S.exe” wrote bytes “d83a0200” to virtual address “0x74B04D78” (part of module “SSPICLI.DLL”)
“H2OUVE-W-Q2S.exe” wrote bytes “d83ab074” to virtual address “0x74B10258” (part of module “SSPICLI.DLL”)
“H2OUVE-W-Q2S.exe” wrote bytes “b436b074” to virtual address “0x74B10278” (part of module “SSPICLI.DLL”)
“H2OUVE-W-Q2S.exe” wrote bytes “c0df26771cf92577ccf825770d64277700000000c011567500000000fc3e567500000000e0135675000000009457bb7425e02677c6e0267700000000bc6aba7400000000cf315675000000009319bb74000000002c32567500000000” to virtual address “0x74EA1000” (part of module “NSI.DLL”)
“H2OUVE-W-Q2S.exe” wrote bytes “68130000” to virtual address “0x752B1680” (part of module “WS2_32.DLL”)
“H2OUVE-W-Q2S.exe” wrote bytes “b436b074” to virtual address “0x74B1025C” (part of module “SSPICLI.DLL”)
“H2OUVE-W-Q2S.exe” wrote bytes “d83ab074” to virtual address “0x74B101FC” (part of module “SSPICLI.DLL”)
“H2OUVE-W-Q2S.exe” wrote bytes “d83ab074” to virtual address “0x74B101E0” (part of module “SSPICLI.DLL”)
“H2OUVE-W-Q2S.exe” wrote bytes “b436b074” to virtual address “0x74B10200” (part of module “SSPICLI.DLL”)
“H2OUVE-W-Q2S.exe” wrote bytes “b4360200” to virtual address “0x74B04EA4” (part of module “SSPICLI.DLL”)
“H2OUVE-W-Q2S.exe” wrote bytes “b436b074” to virtual address “0x74B101E4” (part of module “SSPICLI.DLL”)
“H2OUVE-W-Q2S.exe” wrote bytes “b4360200” to virtual address “0x74B04D68” (part of module “SSPICLI.DLL”)
“cmd.exe” wrote bytes “7111c9007a3bc800ab8b02007f950200fc8c0200729602006cc805001ecdc5007d26c500” to virtual address “0x766307E4” (part of module “USER32.DLL”)
source
Hook Detection
relevance
10/10
ATT&CK ID
T1179
Reads information about supported languages
details
"H2OUVE-W-Q2S.exe" (Path: “HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE”; Key: “00000409”)
“H2OUVE-W.exe” (Path: “HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE”; Key: “00000409”)
source
Registry Access
relevance
3/10
ATT&CK ID
T1012
Informative (24)
Anti-Detection/Stealthyness
Contains ability to lookup its own filename
details
[email protected] from H2OUVE-W.exe (PID: 4064)
source
Hybrid Analysis Technology
relevance
5/10
Anti-Reverse Engineering
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
details
[email protected] from H2OUVE-W-Q2S.exe (PID: 3788) (3 call sites)
[email protected] from H2OUVE-W.exe (PID: 4064) (3 call sites)
[email protected]
source
Hybrid Analysis Technology
relevance
1/10
Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
details
Found reference to API [email protected] from H2OUVE-W-Q2S.exe (PID: 3788) (2 call sites)
Found reference to API [email protected] from H2OUVE-W.exe (PID: 4064) (3 call sites)
source
Hybrid Analysis Technology
relevance
10/10
Environment Awareness
Contains ability to query machine time
details
[email protected] (2 call sites)
[email protected] from H2OUVE-W-Q2S.exe (PID: 3788) (2 call sites)
[email protected] from H2OUVE-W.exe (PID: 4064) (2 call sites)
source
Hybrid Analysis Technology
relevance
1/10
ATT&CK ID
T1124
Contains ability to query the machine timezone
details
[email protected] from H2OUVE-W.exe (PID: 4064)
[email protected]
source
Hybrid Analysis Technology
relevance
1/10
ATT&CK ID
T1124
Contains ability to query the machine version
details
[email protected] (6 call sites)
[email protected] from H2OUVE-W-Q2S.exe (PID: 3788) (2 call sites)
[email protected] from H2OUVE-W.exe (PID: 4064) (2 call sites)
source
Hybrid Analysis Technology
relevance
1/10
Makes a code branch decision directly after an API that is environment aware
details
Found API call [email protected] directly followed by "cmp eax, edi" and "je 0045E3D7h" from H2OUVE-W.exe (PID: 4064)
Found API call [email protected] directly followed by "cmp dword ptr [ebp-00000120h], 06h" and "jc 0043F80Fh" from H2OUVE-W.exe (PID: 4064)
Found API call [email protected] directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "xor ecx, ebp"
Found API call [email protected] directly followed by "cmp eax, edi" and "je 0045E3D7h"
Found API call [email protected] directly followed by "cmp dword ptr [ebp-00000120h], 06h" and "jc 0043F80Fh"
Found API call [email protected] directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "xor ecx, ebp"
source
Hybrid Analysis Technology
relevance
10/10
Possibly tries to detect the presence of a debugger
details
[email protected] from H2OUVE-W.exe (PID: 4064) (3 call sites)
[email protected] (3 call sites)
source
Hybrid Analysis Technology
relevance
1/10
Reads the registry for installed applications
details
"H2OUVE-W-Q2S.exe" (Path: “HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\RUNQ2S.BAT”)
“H2OUVE-W-Q2S.exe” (Path: “HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\RUNQ2S.BAT”)
source
Registry Access
relevance
10/10
ATT&CK ID
T1012
General
Contains PDB pathways
details
"e:\haozip_3.0_Release\rczip\bin\Win32\release\pdb\HaoZip7zSetup_enu.pdb"
“d:\working\insydeh2ouve\windows\driver\smibiosrom\flswdm\objfre_win7_x86\i386\biosromvar.pdb”
“d:\working\insydeh2ouve\windows\driver\smibiosrom\flswdm\objfre_win7_amd64\amd64\biosromvarx64.pdb"
source
String
relevance
1/10
Creates a writable file in a temporary directory
details
"H2OUVE-W.exe” created file “%TEMP%\smibiosrom.dll”
“H2OUVE-W.exe” created file “%TEMP%\biosromvar64.sys"
source
API Call
relevance
1/10
Creates mutants
details
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
source
Created Mutant
relevance
3/10
Drops files marked as clean
details
Antivirus vendors marked dropped file “smibiosrom.dll” as clean (type is “PE32 executable (DLL) (GUI) Intel 80386 for MS Windows”), Antivirus vendors marked dropped file “H2OUVE-W.exe” as clean (type is “MS-DOS executable COFF for MS-DOS DJGPP go32 DOS extender UPX compressed”), Antivirus vendors marked dropped file “RunQ2S.bat” as clean (type is “ASCII text with no line terminators”)
source
Extracted File
relevance
10/10
Overview of unique CLSIDs touched in registry
details
"H2OUVE-W-Q2S.exe" touched "Computer" (Path: "HKCU\WOW6432NODE\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"H2OUVE-W-Q2S.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\WOW6432NODE\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
"H2OUVE-W-Q2S.exe" touched "Security Manager" (Path: "HKCU\WOW6432NODE\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\TREATAS")
source
Registry Access
relevance
3/10
Runs shell commands
details
"%WINDIR%\system32\cmd.exe /c ""%PROGRAMFILES%(x86)\RunQ2S.bat" "" on 2019-7-17.15:35:57.593
source
Monitored Target
relevance
5/10
Spawns new processes
details
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c ""%PROGRAMFILES%(x86)\RunQ2S.bat" …", Spawned process "H2OUVE-W.exe" with commandline "/flash:VarData.xml"
source
Monitored Target
relevance
3/10
Spawns new processes that are not known child processes
details
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c ""%PROGRAMFILES%(x86)\RunQ2S.bat" …", Spawned process "H2OUVE-W.exe" with commandline "/flash:VarData.xml"
source
Monitored Target
relevance
3/10
Installation/Persistance
Connects to LPC ports
details
"H2OUVE-W-Q2S.exe" connecting to “\ThemeApiPort”
“H2OUVE-W.exe” connecting to “\ThemeApiPort"
source
API Call
relevance
1/10
Dropped files
details
"smibiosrom.dll” has type “PE32 executable (DLL) (GUI) Intel 80386 for MS Windows”
“H2OUVE-W.exe” has type “MS-DOS executable COFF for MS-DOS DJGPP go32 DOS extender UPX compressed”
“RunQ2S.bat” has type “ASCII text with no line terminators”
“biosromvar64.sys” has type “PE32+ executable (native) x86-64 for MS Windows”
“VarData.xml” has type “ASCII text with CRLF line terminators"
source
Extracted File
relevance
3/10
Opens the MountPointManager (often used to detect additional infection locations)
details
"cmd.exe” opened “\Device\MountPointManager"
source
API Call
relevance
5/10
Touches files in the Windows directory
details
"H2OUVE-W-Q2S.exe” touched file “C:\Windows\SysWOW64\en-US\user32.dll.mui”
“H2OUVE-W-Q2S.exe” touched file “C:\Windows\Globalization\Sorting\SortDefault.nls”
“H2OUVE-W-Q2S.exe” touched file “C:\Windows\SysWOW64\en-US\msctf.dll.mui”
“H2OUVE-W-Q2S.exe” touched file “%LOCALAPPDATA%\Microsoft\Windows\Caches”
"H2OUVE-W-Q2S.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"H2OUVE-W-Q2S.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001b.db"
“H2OUVE-W-Q2S.exe” touched file “C:\Windows\Fonts\StaticCache.dat”
“H2OUVE-W-Q2S.exe” touched file “C:\Windows\AppPatch\sysmain.sdb”
“H2OUVE-W-Q2S.exe” touched file “%LOCALAPPDATA%\Microsoft\Windows\Caches”
“H2OUVE-W-Q2S.exe” touched file “%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db”
"H2OUVE-W-Q2S.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001b.db"
“cmd.exe” touched file “C:\Windows\SysWOW64\en-US\cmd.exe.mui”
“cmd.exe” touched file “C:\Windows\Globalization\Sorting\SortDefault.nls”
“cmd.exe” touched file “C:\Windows\AppPatch\sysmain.sdb”
“H2OUVE-W.exe” touched file “C:\Windows\Fonts\StaticCache.dat”
“H2OUVE-W.exe” touched file “C:\Windows\Globalization\Sorting\SortDefault.nls”
“H2OUVE-W.exe” touched file “C:\Windows\SysWOW64\imageres.dll”
“H2OUVE-W.exe” touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
source
API Call
relevance
7/10
Network Related
Found potential URL in binary/memory
details
Pattern match: "http://www.haozip.com"
Pattern match: “www.insydesw.com"
source
String
relevance
10/10
System Security
Opens the Kernel Security Device Driver (KsecDD) of Windows
details
"H2OUVE-W-Q2S.exe” opened “\Device\KsecDD”
“H2OUVE-W.exe” opened “\Device\KsecDD"
source
API Call
relevance
10/10
ATT&CK ID
T1215
Unusual Characteristics
Matched Compiler/Packer signature
details
"16bd6b966009775a4c454fcadf8c3cc02f3ef3966ece982de46c0195fc335a2d.bin” was detected as “VC8 → Microsoft Corporation”
“smibiosrom.dll” was detected as “Visual C++ 2005 DLL → Microsoft”
“H2OUVE-W.exe” was detected as "VC8 → Microsoft Corporation"
source
Static Parser
relevance
10/10
ATT&CK ID
T1002
EDIT by Fernando: Put the details into a "spoiler" (to save space)
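Added example (not code from the post, from Insyde, or from Hybrid Analysis): a stand-alone Python script for the two static checks the pasted report leans on. The "CRC value set in PE header does not match actual value" indicator is the optional-header CheckSum: the report's "actual" figure for the 1,038,631-byte sample, 1,078,657, is the file length plus a 16-bit fold (40,026), which is exactly how CheckSumMappedFile builds the value, so the script recomputes it the same way. It also reports per-section Shannon entropy like the File Sections table and compares the file's SHA256 with the one hash the post quotes. The only dependency assumed is the Python standard library; the PE image it analyses is constructed inside the block (two sections, CheckSum left at zero) so that it runs offline, and to triage the real dropped files you would pass their bytes to analyze().

```python
"""Static triage for a dropped PE: CheckSum recomputation, section entropy,
IOC hash match.  Added example, not code from the post or from Insyde."""
import hashlib
import math
import struct

# The one SHA256 quoted in the post for H2OUVE-W-Q2S.exe.
IOC_SHA256 = {"16bd6b966009775a4c454fcadf8c3cc02f3ef3966ece982de46c0195fc335a2d"}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the PE CheckSum as CheckSumMappedFile does: add the file as
    32-bit words (skipping the CheckSum field itself), fold carries into 16
    bits, then add the file length.  Assumes checksum_offset is 4-aligned,
    which holds for any e_lfanew a real linker emits."""
    padded = data + b"\0" * (-len(data) % 4)
    skip = checksum_offset // 4
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def parse_pe(data: bytes) -> dict:
    """Minimal PE/COFF parser: locates the CheckSum field and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):                            # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_offset = opt_off + 0x40                           # same for PE32 and PE32+
    header_checksum = struct.unpack_from("<I", data, checksum_offset)[0]
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt_off + opt_size + i * 40)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw),
                         "md5": hashlib.md5(raw).hexdigest()})
    return {"machine": machine, "magic": magic, "checksum_offset": checksum_offset,
            "header_checksum": header_checksum, "sections": sections}


def analyze(data: bytes) -> dict:
    """IOC hash hit, CheckSum match, and sections whose entropy (>= 7.0 bits)
    suggests packed or encrypted content."""
    info = parse_pe(data)
    computed = pe_checksum(data, info["checksum_offset"])
    sha256 = hashlib.sha256(data).hexdigest()
    return {"sha256": sha256, "ioc_hit": sha256 in IOC_SHA256,
            "header_checksum": info["header_checksum"], "computed_checksum": computed,
            "checksum_matches": info["header_checksum"] == computed,
            "sections": info["sections"],
            "high_entropy_sections": [s["name"] for s in info["sections"] if s["entropy"] >= 7.0]}


def patch_checksum(data: bytes, value: int) -> bytes:
    """Write a CheckSum into the optional header (what a linker's /RELEASE does)."""
    off = parse_pe(data)["checksum_offset"]
    return data[:off] + struct.pack("<I", value) + data[off + 4:]


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image, not a real binary: .text holds every
    byte value twice (maximum entropy), .data is all zeros, CheckSum is 0."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)   # i386, 2 sections
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                     # PE32, CheckSum = 0
    sec = struct.pack("<8sIIIIIIHHI", b".text", 512, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".data", 512, 0x2000, 512, 1024, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + opt + sec
    headers += b"\0" * (512 - len(headers))                          # pad to file alignment
    return headers + bytes(range(256)) * 2 + b"\0" * 512


if __name__ == "__main__":
    report = analyze(build_sample_pe())
    for s in report["sections"]:
        print(f"{s['name']:<8} entropy={s['entropy']:.3f} md5={s['md5']}")
    print("CheckSum header=%d computed=%d match=%s" % (
        report["header_checksum"], report["computed_checksum"], report["checksum_matches"]))
```

A CheckSum mismatch on its own is weak evidence: Windows only enforces the field for kernel-mode drivers and a few boot-critical images, so user-mode executables commonly ship with a zero or stale value, and the report flags it on all three files alike. The entropy figure is the more useful packing hint: the .text value of 6.63 bits in the File Sections table is ordinary compiled code, whereas a section close to 8.0 usually means compressed or encrypted content (the report identifies the dropped H2OUVE-W.exe as UPX compressed, so that is where to look).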