HackTool.Win64.EDRSandBlast.D
Trojan.Win64.Hacktool (IKARUS)
Windows
Threat Type: Hacking Tool
Destructiveness: No
Encrypted: No
In the wild: Yes
TECHNICAL DETAILS
443,904 bytes
EXE
No
16 Apr 2024
Drops files, Connects to URLs/IPs, Displays windows
Installation
This Hacking Tool adds the following processes:
- {Grayware File Path}\{Grayware File Name}.exe
Dropping Routine
This Hacking Tool drops the following files:
- {Grayware File Path}\Ntoskrnl.pdb → deleted afterwards
- {Grayware File Path}\fltMgr.pdb → deleted afterwards
- {Grayware File Path}\wdigest.pdb → deleted afterwards
- {Grayware File Path}\WNBIOS.sys → vulnerable driver
Other Details
This Hacking Tool does the following:
- It employs techniques utilized to bypass EDR detections both in user and kernel mode.
- It performs the following actions to bypass EDR detections:
- Kernel Notify Routines Callbacks Removal → by exploiting an arbitrary kernel memory read/write primitive through exploiting a vulnerable driver
- Object Callbacks Removal → by disabling the Enabled flag in the OB_CALLBACK_ENTRY structure, unlinking the CallbackList of threads and process, or disabling object callbacks through disabling the SupportsObjectCallbacks bit in the ObjectTypeFlags field
- Minifilters' Callbacks Unlinking → by scanning structures used by the Windows Filter Manager to detect callback nodes containing monitoring functions and unlink them from their lists, making them temporarily invisible from the filter manager
- Disable ETW Microsoft-Windows-Threat-Intelligence Provider → by patching in kernel memory during runtime the ETW TI provider
- Userland Hooking Bypass → by either removing the hooks, using a custom or the existing EDR's trampoline to jump over and execute the rest of the function as is, using a duplicate DLL, or using direct syscall methods
- It detects EDR drivers and processes.
- It bypasses RunAsPPL by elevating its protection level higher than the LSASS process.
- It bypasses Credential Guard by enabling Wdigest to store cleartext credentials in LSASS memory.
- It downloads symbols from the Microsoft Symbol Server for the ntoskrnl.exe, fltmgr.sys, and wdigest.dll. If a corresponding *Offsets.csv file exists, it appends the acquired offsets from the symbols to the file.
- It connects to the following URL(s) to download symbols from the Microsoft Symbol Server:
- https://{BLOCKED}icrosoft.com/download/symbols/ntkrnlmp.pdb/2E37F962D699492CAAF3F9F4E9770B1D2/ntkrnlmp.pdb
- https://{BLOCKED}crosoft.com/download/symbols/fltMgr.pdb/BDB830D5AD37A0994727A90DE1D97BA41/fltMgr.pdb
- https://{BLOCKED}crosoft.com/download/symbols/wdigest.pdb/D0FEB1356A4987BF32419D0533E05AED1/wdigest.pdb
- It checks for the presence of the following files:
- {Grayware File Path}\NtoskrnlOffsets.csv → contains offsets used to perform Offsets Retrieval
- {Grayware File Path}\FltmgrOffsets.csv → contains offsets used to perform Offsets Retrieval
- {Grayware File Path}\WdigestOffsets.csv → contains offsets used to perform Offsets Retrieval
- It conducts offset retrieval to perform kernel monitoring bypass operations.
- It checks for the existence of the following service:
- Service Name: {8 Random Characters}
- If the service above is not found, it is then created with the following details and started subsequently:
- Name: {8 Random Characters}
- Display Name: {8 Random Characters}
- Type: Driver service
- Start Type: Auto start
- Binary Path: {Grayware File Path}\WNBIOS.sys
- It reverses its routines and deletes the installed service when the command "exit" is entered on its console.
- It displays its logs on a console:
SOLUTION
9.800
2.747.00
25 Jul 2024
Step 1
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Restart in Safe Mode
Step 4
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry. Before you could do this, you must restart in Safe Mode. For instructions on how to do this, you may refer to this page If the preceding step requires you to restart in safe mode, you may proceed to edit the system registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\{8 Random Characters}
Step 5
Restart in normal mode and scan your computer with your Trend Micro product for files detected as HackTool.Win64.EDRSandBlast.D. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 6
Search and delete these files
- {Grayware File Path}\ntoskrnl.pdb
- {Grayware File Path}\fltMgr.pdb
- {Grayware File Path}\wdigest.pdb
- {Grayware File Path}\WNBIOS.sys
- {Grayware File Path}\NtoskrnlOffsets.csv
- {Grayware File Path}\FltmgrOffsets.csv
- {Grayware File Path}\WdigestOffsets.csv
Step 7
Scan your computer with your Trend Micro product to delete files detected as HackTool.Win64.EDRSandBlast.D. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
Did this description help? Tell us how we did.