436f62d38d0de6a0e2b4280cc3dc2264791757b47da6b86467f0cd682cad6701

Analysis

max time kernel
243s
max time network
343s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

436f62d38d0de6a0e2b4280cc3dc2264791757b47da6b86467f0cd682cad6701.exe
Size

3.4MB
MD5

8892eb7c0ba4e0c20816f5ce0f86a9dc
SHA1

15b8c189360dc509e5dde7666ea96964086b13ab
SHA256

436f62d38d0de6a0e2b4280cc3dc2264791757b47da6b86467f0cd682cad6701
SHA512

46c65d9e01da4d67e2b2e0306f571e13314edea07cf331dbb4f2f3d123154df156a3b9907525436465749bf7246ee01cfc4b6ca6bf05009c809d86b1ace76342
SSDEEP

98304:c3yobVyq03fv0oKATM6A/7zf8iEFb1OL6PVgNZzO:eyey13EoXM68vHO5fPeNZy

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

drvprosetup.exedrvprosetup.tmp

pid process

1740 drvprosetup.exe
960 drvprosetup.tmp

pid	process
1740	drvprosetup.exe
960	drvprosetup.tmp

Loads dropped DLL 8 IoCs

Processes:

436f62d38d0de6a0e2b4280cc3dc2264791757b47da6b86467f0cd682cad6701.exedrvprosetup.exedrvprosetup.tmp

pid	process
1488	436f62d38d0de6a0e2b4280cc3dc2264791757b47da6b86467f0cd682cad6701.exe
1740	drvprosetup.exe
960	drvprosetup.tmp
960	drvprosetup.tmp
960	drvprosetup.tmp
960	drvprosetup.tmp
960	drvprosetup.tmp
960	drvprosetup.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

drvprosetup.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	drvprosetup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver Pro = "C:\\Program Files (x86)\\Driver Pro\\DPLauncher.exe"	drvprosetup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 22 IoCs

Processes:

drvprosetup.tmp

description	ioc	process
File created	C:\Program Files (x86)\Driver Pro\is-579E5.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-JR37T.tmp	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\DriverPro.exe	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\DrvProHelper.dll	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-2HDLV.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-PL5DL.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-FB2DN.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-LVC77.tmp	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\DPTray.exe	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\7z.dll	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\DPStartScan.exe	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-0BFGV.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-VK2EP.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\unins000.msg	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\DriverPro.chm	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\sqlite3.dll	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-NCPML.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-5N75O.tmp	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\unins000.dat	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\unins000.dat	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-DN6O3.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-OR6CN.tmp	drvprosetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

drvprosetup.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	drvprosetup.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	drvprosetup.tmp

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

drvprosetup.tmp

pid process

960 drvprosetup.tmp
960 drvprosetup.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

drvprosetup.tmp

pid process

960 drvprosetup.tmp

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
960	drvprosetup.tmp
960	drvprosetup.tmp

pid	process
960	drvprosetup.tmp

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

436f62d38d0de6a0e2b4280cc3dc2264791757b47da6b86467f0cd682cad6701.exedrvprosetup.exe

description	pid	process	target process
PID 1488 wrote to memory of 1740	1488	436f62d38d0de6a0e2b4280cc3dc2264791757b47da6b86467f0cd682cad6701.exe	drvprosetup.exe
PID 1488 wrote to memory of 1740	1488	436f62d38d0de6a0e2b4280cc3dc2264791757b47da6b86467f0cd682cad6701.exe	drvprosetup.exe
PID 1488 wrote to memory of 1740	1488	436f62d38d0de6a0e2b4280cc3dc2264791757b47da6b86467f0cd682cad6701.exe	drvprosetup.exe
PID 1488 wrote to memory of 1740	1488	436f62d38d0de6a0e2b4280cc3dc2264791757b47da6b86467f0cd682cad6701.exe	drvprosetup.exe
PID 1488 wrote to memory of 1740	1488	436f62d38d0de6a0e2b4280cc3dc2264791757b47da6b86467f0cd682cad6701.exe	drvprosetup.exe
PID 1488 wrote to memory of 1740	1488	436f62d38d0de6a0e2b4280cc3dc2264791757b47da6b86467f0cd682cad6701.exe	drvprosetup.exe
PID 1488 wrote to memory of 1740	1488	436f62d38d0de6a0e2b4280cc3dc2264791757b47da6b86467f0cd682cad6701.exe	drvprosetup.exe
PID 1740 wrote to memory of 960	1740	drvprosetup.exe	drvprosetup.tmp
PID 1740 wrote to memory of 960	1740	drvprosetup.exe	drvprosetup.tmp
PID 1740 wrote to memory of 960	1740	drvprosetup.exe	drvprosetup.tmp
PID 1740 wrote to memory of 960	1740	drvprosetup.exe	drvprosetup.tmp
PID 1740 wrote to memory of 960	1740	drvprosetup.exe	drvprosetup.tmp
PID 1740 wrote to memory of 960	1740	drvprosetup.exe	drvprosetup.tmp
PID 1740 wrote to memory of 960	1740	drvprosetup.exe	drvprosetup.tmp

C:\Users\Admin\AppData\Local\Temp\436f62d38d0de6a0e2b4280cc3dc2264791757b47da6b86467f0cd682cad6701.exe
"C:\Users\Admin\AppData\Local\Temp\436f62d38d0de6a0e2b4280cc3dc2264791757b47da6b86467f0cd682cad6701.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
  C:\Users\Admin\AppData\Local\Temp\\drvprosetup.exe /VERYSILENT
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\is-AA3KC.tmp\drvprosetup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-AA3KC.tmp\drvprosetup.tmp" /SL5="$D0120,2637513,85504,C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe

Filesize
3.0MB

MD5
e2bc1e4dbb1b4a5342b8dea5ba2ec9da

SHA1
5325f6df57aa9d6cae42964aba0e035ab64edfd6

SHA256
c7cf53ed5ed00bce7d76401ce81ea293e3e7e773a58aace75719f489bc52dfcd

SHA512
5e8f0b900ac38539d77204bbc6e3aed42c3e7d39279b0d21fe2fe1f37fe27e63f96d70fa7dd175198a747be0e3e04133e66ba84943fe06bdc162a826ce8d78f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe

Filesize
3.0MB

MD5
e2bc1e4dbb1b4a5342b8dea5ba2ec9da

SHA1
5325f6df57aa9d6cae42964aba0e035ab64edfd6

SHA256
c7cf53ed5ed00bce7d76401ce81ea293e3e7e773a58aace75719f489bc52dfcd

SHA512
5e8f0b900ac38539d77204bbc6e3aed42c3e7d39279b0d21fe2fe1f37fe27e63f96d70fa7dd175198a747be0e3e04133e66ba84943fe06bdc162a826ce8d78f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AA3KC.tmp\drvprosetup.tmp

Filesize
1.1MB

MD5
dcb39cc84c9294a56d2f2a01211377bf

SHA1
ea30b92f18668d34e421821f343a7061e8138086

SHA256
55ca4a2da5da485d1216ad825572165c23d1440204f0bbfac127f6cfe45a6108

SHA512
6579250d2ac658c860f40fd85fd525c0856fb7ad4faa75122e8685eac407c7c99ad7078450eaf106ecef60654693ddfa18a421dab4be7eee4ec20d097bc57cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AA3KC.tmp\drvprosetup.tmp

Filesize
1.1MB

MD5
dcb39cc84c9294a56d2f2a01211377bf

SHA1
ea30b92f18668d34e421821f343a7061e8138086

SHA256
55ca4a2da5da485d1216ad825572165c23d1440204f0bbfac127f6cfe45a6108

SHA512
6579250d2ac658c860f40fd85fd525c0856fb7ad4faa75122e8685eac407c7c99ad7078450eaf106ecef60654693ddfa18a421dab4be7eee4ec20d097bc57cd7

Download Submit
\Program Files (x86)\Driver Pro\DriverPro.exe

Filesize
3.3MB

MD5
3a97298f26466e270baa115b9484bb5e

SHA1
fc75fcc15ea9c8eab68d39bde2b80d19490cfc40

SHA256
78eb02cf5d4cc9b614dfaa8110e67e3b0f7d2f3baa5ea8ccdfeee33a07779016

SHA512
7ac71d20450ec1cbdc3f73f4739e9799152dd327066cab9f4d405c80e9cd7c4140c9544751ec5e694fcf61f783cba0477f00e57a9d050262d7bc1355cfd0f47e

Download Submit
\Program Files (x86)\Driver Pro\DriverPro.exe

Filesize
3.3MB

MD5
3a97298f26466e270baa115b9484bb5e

SHA1
fc75fcc15ea9c8eab68d39bde2b80d19490cfc40

SHA256
78eb02cf5d4cc9b614dfaa8110e67e3b0f7d2f3baa5ea8ccdfeee33a07779016

SHA512
7ac71d20450ec1cbdc3f73f4739e9799152dd327066cab9f4d405c80e9cd7c4140c9544751ec5e694fcf61f783cba0477f00e57a9d050262d7bc1355cfd0f47e

Download Submit
\Program Files (x86)\Driver Pro\unins000.exe

Filesize
1.1MB

MD5
dcb39cc84c9294a56d2f2a01211377bf

SHA1
ea30b92f18668d34e421821f343a7061e8138086

SHA256
55ca4a2da5da485d1216ad825572165c23d1440204f0bbfac127f6cfe45a6108

SHA512
6579250d2ac658c860f40fd85fd525c0856fb7ad4faa75122e8685eac407c7c99ad7078450eaf106ecef60654693ddfa18a421dab4be7eee4ec20d097bc57cd7

Download Submit
\Users\Admin\AppData\Local\Temp\drvprosetup.exe

Filesize
3.0MB

MD5
e2bc1e4dbb1b4a5342b8dea5ba2ec9da

SHA1
5325f6df57aa9d6cae42964aba0e035ab64edfd6

SHA256
c7cf53ed5ed00bce7d76401ce81ea293e3e7e773a58aace75719f489bc52dfcd

SHA512
5e8f0b900ac38539d77204bbc6e3aed42c3e7d39279b0d21fe2fe1f37fe27e63f96d70fa7dd175198a747be0e3e04133e66ba84943fe06bdc162a826ce8d78f1

Download Submit
\Users\Admin\AppData\Local\Temp\is-AA3KC.tmp\drvprosetup.tmp

Filesize
1.1MB

MD5
dcb39cc84c9294a56d2f2a01211377bf

SHA1
ea30b92f18668d34e421821f343a7061e8138086

SHA256
55ca4a2da5da485d1216ad825572165c23d1440204f0bbfac127f6cfe45a6108

SHA512
6579250d2ac658c860f40fd85fd525c0856fb7ad4faa75122e8685eac407c7c99ad7078450eaf106ecef60654693ddfa18a421dab4be7eee4ec20d097bc57cd7

Download Submit
\Users\Admin\AppData\Local\Temp\is-NLJ9E.tmp\DrvProHelper.dll

Filesize
1.2MB

MD5
c5d6b7f4520e35daaaa9f8c1b0c3477c

SHA1
da3371df6b0dcdf0fd2ab812e2f62b4b6cfdc187

SHA256
4d1725cd717e0d907c2b24185a8993fba90ed98953093fed4954f985f685897f

SHA512
b4bb63e9be54f28df02d43aa8adbfb22ea4167eee40833963ae40b497471f8116af2521fcb929d02389177c31e9b3848cb9a4f8cf2faa73375b8d06af5b0c1bc

Download Submit
\Users\Admin\AppData\Local\Temp\is-NLJ9E.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-NLJ9E.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/960-61-0x0000000000000000-mapping.dmp

Download
memory/960-69-0x0000000074831000-0x0000000074833000-memory.dmp

Filesize
8KB

Download
memory/1740-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1740-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1740-57-0x0000000076771000-0x0000000076773000-memory.dmp

Filesize
8KB

Download
memory/1740-55-0x0000000000000000-mapping.dmp

Download