4c5b025fa80c437f82cf0f3de7b2c6552fcff579c412a869d0192c3f83bf1ddb

General

Target

4c5b025fa80c437f82cf0f3de7b2c6552fcff579c412a869d0192c3f83bf1ddb.exe
Size

3.4MB
MD5

e7e86bb56c73976d17606946d1ae7399
SHA1

3df59e2654583268370a9406e1c7b20fd06be983
SHA256

4c5b025fa80c437f82cf0f3de7b2c6552fcff579c412a869d0192c3f83bf1ddb
SHA512

a886ae4bdcc5921036f82b9244878b03382e4a6c4a4c8d8058f573e0d83600bd960b34db65b4de4490667077995d2e6be8ad6031874f371a98440454d7c6df1a
SSDEEP

98304:o3yobVyq03fv0oKATM6A/7zf8iEFb1OL6PVgNZzt:iyey13EoXM68vHO5fPeNZx

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

drvprosetup.exedrvprosetup.tmp

pid process

4240 drvprosetup.exe
4880 drvprosetup.tmp
Loads dropped DLL 2 IoCs

Processes:

drvprosetup.tmp

pid process

4880 drvprosetup.tmp
4880 drvprosetup.tmp

pid	process
4240	drvprosetup.exe
4880	drvprosetup.tmp

pid	process
4880	drvprosetup.tmp
4880	drvprosetup.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

drvprosetup.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	drvprosetup.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	drvprosetup.tmp

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4c5b025fa80c437f82cf0f3de7b2c6552fcff579c412a869d0192c3f83bf1ddb.exedrvprosetup.exe

description	pid	process	target process
PID 1648 wrote to memory of 4240	1648	4c5b025fa80c437f82cf0f3de7b2c6552fcff579c412a869d0192c3f83bf1ddb.exe	drvprosetup.exe
PID 1648 wrote to memory of 4240	1648	4c5b025fa80c437f82cf0f3de7b2c6552fcff579c412a869d0192c3f83bf1ddb.exe	drvprosetup.exe
PID 1648 wrote to memory of 4240	1648	4c5b025fa80c437f82cf0f3de7b2c6552fcff579c412a869d0192c3f83bf1ddb.exe	drvprosetup.exe
PID 4240 wrote to memory of 4880	4240	drvprosetup.exe	drvprosetup.tmp
PID 4240 wrote to memory of 4880	4240	drvprosetup.exe	drvprosetup.tmp
PID 4240 wrote to memory of 4880	4240	drvprosetup.exe	drvprosetup.tmp

C:\Users\Admin\AppData\Local\Temp\4c5b025fa80c437f82cf0f3de7b2c6552fcff579c412a869d0192c3f83bf1ddb.exe
"C:\Users\Admin\AppData\Local\Temp\4c5b025fa80c437f82cf0f3de7b2c6552fcff579c412a869d0192c3f83bf1ddb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
C:\Users\Admin\AppData\Local\Temp\\drvprosetup.exe /VERYSILENT
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240

C:\Users\Admin\AppData\Local\Temp\is-CESQ0.tmp\drvprosetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CESQ0.tmp\drvprosetup.tmp" /SL5="$90064,2637513,85504,C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe" /VERYSILENT
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
Filesize
3.0MB

MD5
e2bc1e4dbb1b4a5342b8dea5ba2ec9da

SHA1
5325f6df57aa9d6cae42964aba0e035ab64edfd6

SHA256
c7cf53ed5ed00bce7d76401ce81ea293e3e7e773a58aace75719f489bc52dfcd

SHA512
5e8f0b900ac38539d77204bbc6e3aed42c3e7d39279b0d21fe2fe1f37fe27e63f96d70fa7dd175198a747be0e3e04133e66ba84943fe06bdc162a826ce8d78f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
Filesize
3.0MB

MD5
e2bc1e4dbb1b4a5342b8dea5ba2ec9da

SHA1
5325f6df57aa9d6cae42964aba0e035ab64edfd6

SHA256
c7cf53ed5ed00bce7d76401ce81ea293e3e7e773a58aace75719f489bc52dfcd

SHA512
5e8f0b900ac38539d77204bbc6e3aed42c3e7d39279b0d21fe2fe1f37fe27e63f96d70fa7dd175198a747be0e3e04133e66ba84943fe06bdc162a826ce8d78f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7HF75.tmp\DrvProHelper.dll
Filesize
1.2MB

MD5
c5d6b7f4520e35daaaa9f8c1b0c3477c

SHA1
da3371df6b0dcdf0fd2ab812e2f62b4b6cfdc187

SHA256
4d1725cd717e0d907c2b24185a8993fba90ed98953093fed4954f985f685897f

SHA512
b4bb63e9be54f28df02d43aa8adbfb22ea4167eee40833963ae40b497471f8116af2521fcb929d02389177c31e9b3848cb9a4f8cf2faa73375b8d06af5b0c1bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7HF75.tmp\DrvProHelper.dll
Filesize
1.2MB

MD5
c5d6b7f4520e35daaaa9f8c1b0c3477c

SHA1
da3371df6b0dcdf0fd2ab812e2f62b4b6cfdc187

SHA256
4d1725cd717e0d907c2b24185a8993fba90ed98953093fed4954f985f685897f

SHA512
b4bb63e9be54f28df02d43aa8adbfb22ea4167eee40833963ae40b497471f8116af2521fcb929d02389177c31e9b3848cb9a4f8cf2faa73375b8d06af5b0c1bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CESQ0.tmp\drvprosetup.tmp
Filesize
1.1MB

MD5
dcb39cc84c9294a56d2f2a01211377bf

SHA1
ea30b92f18668d34e421821f343a7061e8138086

SHA256
55ca4a2da5da485d1216ad825572165c23d1440204f0bbfac127f6cfe45a6108

SHA512
6579250d2ac658c860f40fd85fd525c0856fb7ad4faa75122e8685eac407c7c99ad7078450eaf106ecef60654693ddfa18a421dab4be7eee4ec20d097bc57cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CESQ0.tmp\drvprosetup.tmp
Filesize
1.1MB

MD5
dcb39cc84c9294a56d2f2a01211377bf

SHA1
ea30b92f18668d34e421821f343a7061e8138086

SHA256
55ca4a2da5da485d1216ad825572165c23d1440204f0bbfac127f6cfe45a6108

SHA512
6579250d2ac658c860f40fd85fd525c0856fb7ad4faa75122e8685eac407c7c99ad7078450eaf106ecef60654693ddfa18a421dab4be7eee4ec20d097bc57cd7

Download Submit
memory/4240-139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4240-135-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4240-132-0x0000000000000000-mapping.dmp

Download
memory/4240-143-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4240-144-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4880-136-0x0000000000000000-mapping.dmp

Download
memory/4880-142-0x0000000003310000-0x0000000003456000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing