An In-Depth Look at Windows Kernel Threats
Common Information
Type                            Value
UUID                            30ca5775-9383-4fae-ac46-745851c6bc78
Fingerprint                     864c47bd54437b7ea5ec24782f5f890c5e592f0d26c418a68e197bcc43065d2a
Analysis status                 DONE
Considered CTI value            2
Text language
Published                       Jan. 5, 2023, 4:43 p.m.
Added to db                     April 14, 2024, 10:55 a.m.
Last updated                    Aug. 30, 2024, 10:52 p.m.
Headline                        An In-Depth Look at Windows Kernel Threats
Title                           An In-Depth Look at Windows Kernel Threats
Detected Hints/Tags/Attributes  305/4/190
Attributes
Type                           #Events  Value                                                                            CTI Value
CVE                            6        cve-2022-26522
CVE                            6        cve-2022-26523
CVE                            2        cve-2017-16238
File                           533      ntdll.dll
File                           76       gdi32.dll
File                           748      kernel32.dll
File                           14       hal.dll
File                           2        halacpi.dll
File                           3        halmacpi.dll
File                           2        bootvid.dll
File                           125      ntoskrnl.exe
File                           22       ntkrnlpa.exe
File                           291      user32.dll
File                           165      csrss.exe
File                           115      win32k.sys
File                           229      advapi32.dll
File                           30       ci.dll
File                           26       rtcore64.sys
File                           3        physmem.sys
File                           8        aswarpot.sys
File                           7        dlpumgr32.exe
File                           478      lsass.exe
File                           2        vc.db
File                           1        viraglt64.sys
File                           2        divergent.exe
File                           2        mdivergent.exe
File                           5        scesrv.dll
File                           306      services.exe
File                           12       ndis.sys
File                           1122     svchost.exe
File                           6        autochk.exe
File                           9        driver.sys
File                           2        calldriver.exe
File                           5        svchost.txt
File                           2        ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
File                           1        hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
File                           1        kill-antivirus.html
File                           3        netdooka-framework-distributed-via-privateloader-ppi.html
File                           1        log4shell.html
File                           1        doppelpaymer-ransomware.html
File                           1        tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html
File                           2        eset_invisimole.pdf
File                           1        divergent-analysis.html
File                           1        the-slingshot-apt_report_eng_final.pdf
File                           2        derusbi.pdf
File                           1        uses-new-arrival-vector-and-improves-malware-arsenal.html
File                           1        fivesys-creat5699-en-en.pdf
File                           2        moonbounce_technical-details_eng.pdf
File                           1        new-uefi-firmware-vulnerabilities.html
File                           1        sophoslabs-uncut-mykings-report.pdf
Microsoft Patch Numbers        4        KB3033929
MITRE ATT&CK Techniques        298      T1562.001
MITRE ATT&CK Techniques        208      T1068
MITRE ATT&CK Techniques        440      T1055
MITRE ATT&CK Techniques        70       T1562.004
MITRE ATT&CK Techniques        1        T0830
MITRE ATT&CK Techniques        107      T1564
MITRE ATT&CK Techniques        265      T1222
MITRE ATT&CK Techniques        207      T1547
MITRE ATT&CK Techniques        16       T1587.002
Threat Actor Identifier - APT  522      APT41