Analysis

  • max time kernel
    144s
  • max time network
    71s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 22:42

General

  • Target

    6ba062dc89fe70a8f2717139aea3affa399dd9a4b82403765288cd55c35043f1.exe

  • Size

    3.4MB

  • MD5

    503c4b386c163c80f324d5ac56a4ad53

  • SHA1

    a1b78ea1e0c3bcf105bd9c3e5cafd6c85cf64e9f

  • SHA256

    6ba062dc89fe70a8f2717139aea3affa399dd9a4b82403765288cd55c35043f1

  • SHA512

    d967081de978ceea4c08d9d016974a984d67253921d32b607fd06a858507722904ed93ed9bc67a7fc97e6b54e4fc7daffefccf6fbcaac9763062a3fa8d65f67b

  • SSDEEP

    98304:o3yobVyq03fv0oKATM6A/7zf8iEFb1OL6PVgNZzJ:iyey13EoXM68vHO5fPeNZd

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 13 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ba062dc89fe70a8f2717139aea3affa399dd9a4b82403765288cd55c35043f1.exe
    "C:\Users\Admin\AppData\Local\Temp\6ba062dc89fe70a8f2717139aea3affa399dd9a4b82403765288cd55c35043f1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
      C:\Users\Admin\AppData\Local\Temp\\drvprosetup.exe /VERYSILENT
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Users\Admin\AppData\Local\Temp\is-0H7GT.tmp\drvprosetup.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-0H7GT.tmp\drvprosetup.tmp" /SL5="$60124,2637513,85504,C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe" /VERYSILENT
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:996
        • C:\Program Files (x86)\Driver Pro\DPTray.exe
          "C:\Program Files (x86)\Driver Pro\DPTray.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1824
        • C:\Program Files (x86)\Driver Pro\DriverPro.exe
          "C:\Program Files (x86)\Driver Pro\DriverPro.exe" /INSTALL
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1240
        • C:\Program Files (x86)\Driver Pro\DPStartScan.exe
          "C:\Program Files (x86)\Driver Pro\DPStartScan.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1764
          • C:\Program Files (x86)\Driver Pro\DriverPro.exe
            "C:\Program Files (x86)\Driver Pro\DriverPro.exe" /START
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1532
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /TN "Driver Pro Schedule" /TR "\"C:\Program Files (x86)\Driver Pro\DPTray.exe\"" /SC ONLOGON /RL HIGHEST /F
              6⤵
              • Creates scheduled task(s)
              PID:928

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Driver Pro\DPStartScan.exe

    Filesize

    820KB

    MD5

    9fae434d3c8d6afebfd505bce63de58b

    SHA1

    a00c6a47e1cd4bce95a2399666deb3f2800642de

    SHA256

    fe4ec103e5b51521647251de95c27e86965d82278d4a68275b6fa215ae03c14e

    SHA512

    fc80ffa7a3381dd8c2f47be215394653ca6c8756d3d3813ce9760f6f0ca250ba26dd701f3694810c364712e541b5dc34ae51900312205d95765152d393c4c6e3

  • C:\Program Files (x86)\Driver Pro\DPTray.exe

    Filesize

    811KB

    MD5

    907a19ad8ed1f74c0d2933462ca6b902

    SHA1

    a3d349ab61b92226f3dff7061a4700408ac5b677

    SHA256

    587c95cce578d266ab78a736dfca0197d46bee23beff24336b874dec1fc9e33e

    SHA512

    66be1ef5c3e159f7b3d28eb2cb1a9629213aa53a35362811386f38fe72b6e9aa964e2e5c2fa65912207c75f121a593fd1d17ff2a44a6a4170077d8f460049245

  • C:\Program Files (x86)\Driver Pro\DriverPro.exe

    Filesize

    3.3MB

    MD5

    3a97298f26466e270baa115b9484bb5e

    SHA1

    fc75fcc15ea9c8eab68d39bde2b80d19490cfc40

    SHA256

    78eb02cf5d4cc9b614dfaa8110e67e3b0f7d2f3baa5ea8ccdfeee33a07779016

    SHA512

    7ac71d20450ec1cbdc3f73f4739e9799152dd327066cab9f4d405c80e9cd7c4140c9544751ec5e694fcf61f783cba0477f00e57a9d050262d7bc1355cfd0f47e

  • C:\Program Files (x86)\Driver Pro\DriverPro.exe

    Filesize

    3.3MB

    MD5

    3a97298f26466e270baa115b9484bb5e

    SHA1

    fc75fcc15ea9c8eab68d39bde2b80d19490cfc40

    SHA256

    78eb02cf5d4cc9b614dfaa8110e67e3b0f7d2f3baa5ea8ccdfeee33a07779016

    SHA512

    7ac71d20450ec1cbdc3f73f4739e9799152dd327066cab9f4d405c80e9cd7c4140c9544751ec5e694fcf61f783cba0477f00e57a9d050262d7bc1355cfd0f47e

  • C:\Program Files (x86)\Driver Pro\DriverPro.exe

    Filesize

    3.3MB

    MD5

    3a97298f26466e270baa115b9484bb5e

    SHA1

    fc75fcc15ea9c8eab68d39bde2b80d19490cfc40

    SHA256

    78eb02cf5d4cc9b614dfaa8110e67e3b0f7d2f3baa5ea8ccdfeee33a07779016

    SHA512

    7ac71d20450ec1cbdc3f73f4739e9799152dd327066cab9f4d405c80e9cd7c4140c9544751ec5e694fcf61f783cba0477f00e57a9d050262d7bc1355cfd0f47e

  • C:\Program Files (x86)\Driver Pro\English.ini

    Filesize

    12KB

    MD5

    8f88e83e8022bfacd1e11529fcbac372

    SHA1

    2827f7593329022d8a6672133b67d542363e5be9

    SHA256

    d4fa4405d07c959d8578d344d1fcb3bd834003682ea96ee49b048f7d1eba8679

    SHA512

    dc3d181f416633a90297a43a710c77193c4b5c387037ad4084d10372a90151cba176330d4b463f07bc1c18f09c0a84be493e16e38b84946deaf081a6567af371

  • C:\Program Files (x86)\Driver Pro\sqlite3.dll

    Filesize

    508KB

    MD5

    0f66e8e2340569fb17e774dac2010e31

    SHA1

    406bb6854e7384ff77c0b847bf2f24f3315874a3

    SHA256

    de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

    SHA512

    39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

  • C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe

    Filesize

    3.0MB

    MD5

    e2bc1e4dbb1b4a5342b8dea5ba2ec9da

    SHA1

    5325f6df57aa9d6cae42964aba0e035ab64edfd6

    SHA256

    c7cf53ed5ed00bce7d76401ce81ea293e3e7e773a58aace75719f489bc52dfcd

    SHA512

    5e8f0b900ac38539d77204bbc6e3aed42c3e7d39279b0d21fe2fe1f37fe27e63f96d70fa7dd175198a747be0e3e04133e66ba84943fe06bdc162a826ce8d78f1

  • C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe

    Filesize

    3.0MB

    MD5

    e2bc1e4dbb1b4a5342b8dea5ba2ec9da

    SHA1

    5325f6df57aa9d6cae42964aba0e035ab64edfd6

    SHA256

    c7cf53ed5ed00bce7d76401ce81ea293e3e7e773a58aace75719f489bc52dfcd

    SHA512

    5e8f0b900ac38539d77204bbc6e3aed42c3e7d39279b0d21fe2fe1f37fe27e63f96d70fa7dd175198a747be0e3e04133e66ba84943fe06bdc162a826ce8d78f1

  • C:\Users\Admin\AppData\Local\Temp\is-0H7GT.tmp\drvprosetup.tmp

    Filesize

    1.1MB

    MD5

    dcb39cc84c9294a56d2f2a01211377bf

    SHA1

    ea30b92f18668d34e421821f343a7061e8138086

    SHA256

    55ca4a2da5da485d1216ad825572165c23d1440204f0bbfac127f6cfe45a6108

    SHA512

    6579250d2ac658c860f40fd85fd525c0856fb7ad4faa75122e8685eac407c7c99ad7078450eaf106ecef60654693ddfa18a421dab4be7eee4ec20d097bc57cd7

  • C:\Users\Admin\AppData\Local\Temp\is-0H7GT.tmp\drvprosetup.tmp

    Filesize

    1.1MB

    MD5

    dcb39cc84c9294a56d2f2a01211377bf

    SHA1

    ea30b92f18668d34e421821f343a7061e8138086

    SHA256

    55ca4a2da5da485d1216ad825572165c23d1440204f0bbfac127f6cfe45a6108

    SHA512

    6579250d2ac658c860f40fd85fd525c0856fb7ad4faa75122e8685eac407c7c99ad7078450eaf106ecef60654693ddfa18a421dab4be7eee4ec20d097bc57cd7

  • C:\Users\Admin\AppData\Roaming\Driver Pro\program.log

    Filesize

    170B

    MD5

    a43ac703b47970b1c1e393cf72bbfb4e

    SHA1

    a39f1174cf62b56dc4ac2ec784e7aea0e85abfd8

    SHA256

    f4d08cd7ef2edfe3abd40583bb4ecef999eb2683f7e4bf2b446d611610404d78

    SHA512

    51b38d621dae9ec0d9c08b6ae98555af08868e6df5fd7d43e69369b133a89cdef274b8a418c0a52c5c3b36c53199c510ed74a92eede3a61f21cf56be23812e3b

  • \Program Files (x86)\Driver Pro\DPStartScan.exe

    Filesize

    820KB

    MD5

    9fae434d3c8d6afebfd505bce63de58b

    SHA1

    a00c6a47e1cd4bce95a2399666deb3f2800642de

    SHA256

    fe4ec103e5b51521647251de95c27e86965d82278d4a68275b6fa215ae03c14e

    SHA512

    fc80ffa7a3381dd8c2f47be215394653ca6c8756d3d3813ce9760f6f0ca250ba26dd701f3694810c364712e541b5dc34ae51900312205d95765152d393c4c6e3

  • \Program Files (x86)\Driver Pro\DPTray.exe

    Filesize

    811KB

    MD5

    907a19ad8ed1f74c0d2933462ca6b902

    SHA1

    a3d349ab61b92226f3dff7061a4700408ac5b677

    SHA256

    587c95cce578d266ab78a736dfca0197d46bee23beff24336b874dec1fc9e33e

    SHA512

    66be1ef5c3e159f7b3d28eb2cb1a9629213aa53a35362811386f38fe72b6e9aa964e2e5c2fa65912207c75f121a593fd1d17ff2a44a6a4170077d8f460049245

  • \Program Files (x86)\Driver Pro\DriverPro.exe

    Filesize

    3.3MB

    MD5

    3a97298f26466e270baa115b9484bb5e

    SHA1

    fc75fcc15ea9c8eab68d39bde2b80d19490cfc40

    SHA256

    78eb02cf5d4cc9b614dfaa8110e67e3b0f7d2f3baa5ea8ccdfeee33a07779016

    SHA512

    7ac71d20450ec1cbdc3f73f4739e9799152dd327066cab9f4d405c80e9cd7c4140c9544751ec5e694fcf61f783cba0477f00e57a9d050262d7bc1355cfd0f47e

  • \Program Files (x86)\Driver Pro\DriverPro.exe

    Filesize

    3.3MB

    MD5

    3a97298f26466e270baa115b9484bb5e

    SHA1

    fc75fcc15ea9c8eab68d39bde2b80d19490cfc40

    SHA256

    78eb02cf5d4cc9b614dfaa8110e67e3b0f7d2f3baa5ea8ccdfeee33a07779016

    SHA512

    7ac71d20450ec1cbdc3f73f4739e9799152dd327066cab9f4d405c80e9cd7c4140c9544751ec5e694fcf61f783cba0477f00e57a9d050262d7bc1355cfd0f47e

  • \Program Files (x86)\Driver Pro\DriverPro.exe

    Filesize

    3.3MB

    MD5

    3a97298f26466e270baa115b9484bb5e

    SHA1

    fc75fcc15ea9c8eab68d39bde2b80d19490cfc40

    SHA256

    78eb02cf5d4cc9b614dfaa8110e67e3b0f7d2f3baa5ea8ccdfeee33a07779016

    SHA512

    7ac71d20450ec1cbdc3f73f4739e9799152dd327066cab9f4d405c80e9cd7c4140c9544751ec5e694fcf61f783cba0477f00e57a9d050262d7bc1355cfd0f47e

  • \Program Files (x86)\Driver Pro\sqlite3.dll

    Filesize

    508KB

    MD5

    0f66e8e2340569fb17e774dac2010e31

    SHA1

    406bb6854e7384ff77c0b847bf2f24f3315874a3

    SHA256

    de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

    SHA512

    39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

  • \Program Files (x86)\Driver Pro\sqlite3.dll

    Filesize

    508KB

    MD5

    0f66e8e2340569fb17e774dac2010e31

    SHA1

    406bb6854e7384ff77c0b847bf2f24f3315874a3

    SHA256

    de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

    SHA512

    39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

  • \Program Files (x86)\Driver Pro\unins000.exe

    Filesize

    1.1MB

    MD5

    dcb39cc84c9294a56d2f2a01211377bf

    SHA1

    ea30b92f18668d34e421821f343a7061e8138086

    SHA256

    55ca4a2da5da485d1216ad825572165c23d1440204f0bbfac127f6cfe45a6108

    SHA512

    6579250d2ac658c860f40fd85fd525c0856fb7ad4faa75122e8685eac407c7c99ad7078450eaf106ecef60654693ddfa18a421dab4be7eee4ec20d097bc57cd7

  • \Users\Admin\AppData\Local\Temp\drvprosetup.exe

    Filesize

    3.0MB

    MD5

    e2bc1e4dbb1b4a5342b8dea5ba2ec9da

    SHA1

    5325f6df57aa9d6cae42964aba0e035ab64edfd6

    SHA256

    c7cf53ed5ed00bce7d76401ce81ea293e3e7e773a58aace75719f489bc52dfcd

    SHA512

    5e8f0b900ac38539d77204bbc6e3aed42c3e7d39279b0d21fe2fe1f37fe27e63f96d70fa7dd175198a747be0e3e04133e66ba84943fe06bdc162a826ce8d78f1

  • \Users\Admin\AppData\Local\Temp\is-0H7GT.tmp\drvprosetup.tmp

    Filesize

    1.1MB

    MD5

    dcb39cc84c9294a56d2f2a01211377bf

    SHA1

    ea30b92f18668d34e421821f343a7061e8138086

    SHA256

    55ca4a2da5da485d1216ad825572165c23d1440204f0bbfac127f6cfe45a6108

    SHA512

    6579250d2ac658c860f40fd85fd525c0856fb7ad4faa75122e8685eac407c7c99ad7078450eaf106ecef60654693ddfa18a421dab4be7eee4ec20d097bc57cd7

  • \Users\Admin\AppData\Local\Temp\is-9JE39.tmp\DrvProHelper.dll

    Filesize

    1.2MB

    MD5

    c5d6b7f4520e35daaaa9f8c1b0c3477c

    SHA1

    da3371df6b0dcdf0fd2ab812e2f62b4b6cfdc187

    SHA256

    4d1725cd717e0d907c2b24185a8993fba90ed98953093fed4954f985f685897f

    SHA512

    b4bb63e9be54f28df02d43aa8adbfb22ea4167eee40833963ae40b497471f8116af2521fcb929d02389177c31e9b3848cb9a4f8cf2faa73375b8d06af5b0c1bc

  • \Users\Admin\AppData\Local\Temp\is-9JE39.tmp\_isetup\_shfoldr.dll

    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • \Users\Admin\AppData\Local\Temp\is-9JE39.tmp\_isetup\_shfoldr.dll

    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • memory/928-96-0x0000000000000000-mapping.dmp

  • memory/996-62-0x0000000000000000-mapping.dmp

  • memory/996-69-0x0000000074B21000-0x0000000074B23000-memory.dmp

    Filesize

    8KB

  • memory/996-68-0x0000000002D11000-0x0000000002E1A000-memory.dmp

    Filesize

    1.0MB

  • memory/1148-84-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1148-60-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1148-94-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1148-58-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1148-57-0x0000000075F81000-0x0000000075F83000-memory.dmp

    Filesize

    8KB

  • memory/1148-55-0x0000000000000000-mapping.dmp

  • memory/1240-77-0x0000000000000000-mapping.dmp

  • memory/1532-90-0x0000000000000000-mapping.dmp

  • memory/1764-87-0x0000000000000000-mapping.dmp

  • memory/1824-75-0x0000000000000000-mapping.dmp