2f6abee23ee3204c3a5282d93d56a52ed0fb020671160c448c0c52ced25f9d8b

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10-10-2022 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HUAWEI3G/DriverUninstall.exe
Size

325KB
MD5

329c83407b52f6a1beda0af5b2525a30
SHA1

8ad483ed219f76890af8bb045314eff28aba08e5
SHA256

76346e98edf15518d02247998c10b206d3e1137b7f55428118d335f58821e751
SHA512

e484c3e2ac434ce28395e31d8bc8a671989eda6077e4a23fb42d0a88534382afbd43c524a42781146fa347fa555ada0a751ccd91a0091e1226e1b1f0b7acbd48
SSDEEP

6144:1ilWRc7sUnxXKhd7qsp7Hc96WUU1w7nCknjA0OEPP:1LGxXKhd7qCjGy7neEPP

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\ewdcsc.sys	devsetup64.exe
File opened for modification	C:\Windows\system32\drivers\ew_jucdcacm.sys	devsetup64.exe
File opened for modification	C:\Windows\system32\drivers\ew_jucdcecm.sys	devsetup64.exe
File opened for modification	C:\Windows\system32\drivers\ew_juwwanecm.sys	devsetup64.exe
File opened for modification	C:\Windows\system32\drivers\ew_busfilter.sys	devsetup64.exe
File opened for modification	C:\Windows\system32\drivers\ew_usbenumfilter.sys	devsetup64.exe
File opened for modification	C:\Windows\system32\drivers\ewusbwwan.sys	devsetup64.exe
File opened for modification	C:\Windows\system32\drivers\ewsmartcard.sys	devsetup64.exe
File opened for modification	C:\Windows\system32\drivers\ew_hwupgrade.sys	devsetup64.exe
File opened for modification	C:\Windows\system32\drivers\ewusbdev.sys	devsetup64.exe
File opened for modification	C:\Windows\system32\drivers\ew_hwusbdev.sys	devsetup64.exe
File opened for modification	C:\Windows\system32\drivers\ewusbmdm.sys	devsetup64.exe
File opened for modification	C:\Windows\system32\drivers\ew_juextctrl.sys	devsetup64.exe
File opened for modification	C:\Windows\system32\drivers\ew_jubusenum.sys	devsetup64.exe
File opened for modification	C:\Windows\system32\drivers\ew_cdcacm.sys	devsetup64.exe
File opened for modification	C:\Windows\system32\drivers\ew_wwanecm.sys	devsetup64.exe
File opened for modification	C:\Windows\system32\drivers\ew_mbbusbdev.sys	devsetup64.exe
File opened for modification	C:\Windows\system32\drivers\ewusbfake.sys	devsetup64.exe
File opened for modification	C:\Windows\system32\drivers\ewusbnet.sys	devsetup64.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	devsetup64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	devsetup64.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2000	DriverUninstall.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1032	2000	DriverUninstall.exe	28
PID 2000 wrote to memory of 1032	2000	DriverUninstall.exe	28
PID 2000 wrote to memory of 1032	2000	DriverUninstall.exe	28
PID 2000 wrote to memory of 1032	2000	DriverUninstall.exe	28

C:\Users\Admin\AppData\Local\Temp\HUAWEI3G\DriverUninstall.exe
"C:\Users\Admin\AppData\Local\Temp\HUAWEI3G\DriverUninstall.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\HUAWEI3G\devsetup64.exe
  /uninstall /debug
  2⤵
  - Drops file in Drivers directory
  - Checks processor information in registry
  PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1032-55-0x0000000000000000-mapping.dmp

Download
memory/2000-54-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download