79c7b159ef873196fd54cada5cf812369bee2c6f694d7a474b5cba7969bb4276

Analysis

max time kernel
376s
max time network
441s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79c7b159ef873196fd54cada5cf812369bee2c6f694d7a474b5cba7969bb4276.exe
Size

3.3MB
MD5

487615775bd83d2f7eab1def54c4646c
SHA1

ae7c907113c1f1dc7cf92809d3b26e5aff4fe5c5
SHA256

79c7b159ef873196fd54cada5cf812369bee2c6f694d7a474b5cba7969bb4276
SHA512

1dc31770c6142778d2372582e7f3c48e9a165e7488f28ae7b3b69fd3003dd524e1eaadff14fe8fe64effe16ff444a001cc789fc79bc6afdc43ab7ae9f37134a4
SSDEEP

98304:O3YobVRxj94j/JpY6A7PFLiWg5RxjUZzV:UYeujnY6aIrYZh

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

drvprosetup.exedrvprosetup.tmp

pid process

1048 drvprosetup.exe
4596 drvprosetup.tmp

pid	process
1048	drvprosetup.exe
4596	drvprosetup.tmp

Drops file in Program Files directory 9 IoCs

Processes:

drvprosetup.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Driver Pro\DriverPro.exe	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\DrvProHelper.dll	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\unins000.dat	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\DriverPro.chm	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\7z.dll	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\sqlite3.dll	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-S4NE2.tmp	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\DPStartScan.exe	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\DPTray.exe	drvprosetup.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

drvprosetup.tmp

pid process

4596 drvprosetup.tmp
4596 drvprosetup.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

drvprosetup.tmp

pid process

4596 drvprosetup.tmp

pid	process
4596	drvprosetup.tmp
4596	drvprosetup.tmp

pid	process
4596	drvprosetup.tmp

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

79c7b159ef873196fd54cada5cf812369bee2c6f694d7a474b5cba7969bb4276.exedrvprosetup.exe

description	pid	process	target process
PID 3748 wrote to memory of 1048	3748	79c7b159ef873196fd54cada5cf812369bee2c6f694d7a474b5cba7969bb4276.exe	drvprosetup.exe
PID 3748 wrote to memory of 1048	3748	79c7b159ef873196fd54cada5cf812369bee2c6f694d7a474b5cba7969bb4276.exe	drvprosetup.exe
PID 3748 wrote to memory of 1048	3748	79c7b159ef873196fd54cada5cf812369bee2c6f694d7a474b5cba7969bb4276.exe	drvprosetup.exe
PID 1048 wrote to memory of 4596	1048	drvprosetup.exe	drvprosetup.tmp
PID 1048 wrote to memory of 4596	1048	drvprosetup.exe	drvprosetup.tmp
PID 1048 wrote to memory of 4596	1048	drvprosetup.exe	drvprosetup.tmp

C:\Users\Admin\AppData\Local\Temp\79c7b159ef873196fd54cada5cf812369bee2c6f694d7a474b5cba7969bb4276.exe
"C:\Users\Admin\AppData\Local\Temp\79c7b159ef873196fd54cada5cf812369bee2c6f694d7a474b5cba7969bb4276.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3748

C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
C:\Users\Admin\AppData\Local\Temp\\drvprosetup.exe /VERYSILENT
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\is-184EV.tmp\drvprosetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-184EV.tmp\drvprosetup.tmp" /SL5="$F0054,2543061,85504,C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe" /VERYSILENT
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
Filesize
2.9MB

MD5
20a1ff6efbfc6d83a0a6008f45914e9e

SHA1
c3bda8bb56403824402e825ec2c7e022e7d31c13

SHA256
508060dc54b63e210eb42a4f0519a7eb09ac8c1138084b078795ba9bb2bd0828

SHA512
4b3d5d159f5d660b29a6908cf23336272afe475b479a70ba2de5dc067106f2d026f13ccffd43318611e96f2dc4cd1f770474a288a26ebee59a31db891c461f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
Filesize
2.9MB

MD5
20a1ff6efbfc6d83a0a6008f45914e9e

SHA1
c3bda8bb56403824402e825ec2c7e022e7d31c13

SHA256
508060dc54b63e210eb42a4f0519a7eb09ac8c1138084b078795ba9bb2bd0828

SHA512
4b3d5d159f5d660b29a6908cf23336272afe475b479a70ba2de5dc067106f2d026f13ccffd43318611e96f2dc4cd1f770474a288a26ebee59a31db891c461f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-184EV.tmp\drvprosetup.tmp
Filesize
1.1MB

MD5
938604f6ac59637bac93477c279247b2

SHA1
7d463ead499fb69ee4d785429ba8783b5bbef43a

SHA256
38a41372c1ca922a7aa14c82fd09656c0d168acf9cbc481b8e3d05f2302bcce3

SHA512
2e22e8c7c4f0652bba62eec7e8103e530c0a6a5a61aedb13bf2501ffa158bc02a3efbdb36684fa80b282b50225e5e1385dd27b25c98a7b18eb97e55d445fd3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-184EV.tmp\drvprosetup.tmp
Filesize
1.1MB

MD5
938604f6ac59637bac93477c279247b2

SHA1
7d463ead499fb69ee4d785429ba8783b5bbef43a

SHA256
38a41372c1ca922a7aa14c82fd09656c0d168acf9cbc481b8e3d05f2302bcce3

SHA512
2e22e8c7c4f0652bba62eec7e8103e530c0a6a5a61aedb13bf2501ffa158bc02a3efbdb36684fa80b282b50225e5e1385dd27b25c98a7b18eb97e55d445fd3eb

Download Submit
memory/1048-132-0x0000000000000000-mapping.dmp

Download
memory/1048-135-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1048-136-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1048-137-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4596-138-0x0000000000000000-mapping.dmp

Download