e7237a81090e5450f744b938ea8130b719fb735a5ecdd1c7dc8ddd56e1440abb

General

Target

e7237a81090e5450f744b938ea8130b719fb735a5ecdd1c7dc8ddd56e1440abb.exe
Size

3.4MB
MD5

b94ce19e4246833352a43055d5393cfc
SHA1

ad6ae98fd61fe4a9ea0a1f9aa23212b383e313ba
SHA256

e7237a81090e5450f744b938ea8130b719fb735a5ecdd1c7dc8ddd56e1440abb
SHA512

a4e5e6c6679d58ff7f5b9eba833daf8265c59a259b7153fa48844656278301b3fb7f5bad69cf618a5d235e79e1902b160473bdc8645cba4865997651bb63b96d
SSDEEP

98304:K3yobVyq03fv0oKATM6A/7zf8iEFb1OL6PVgNZzb:Iyey13EoXM68vHO5fPeNZP

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1740	drvprosetup.exe
956	drvprosetup.tmp

Loads dropped DLL 5 IoCs

pid	Process
1608	e7237a81090e5450f744b938ea8130b719fb735a5ecdd1c7dc8ddd56e1440abb.exe
1740	drvprosetup.exe
956	drvprosetup.tmp
956	drvprosetup.tmp
956	drvprosetup.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	drvprosetup.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	drvprosetup.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1740	1608	e7237a81090e5450f744b938ea8130b719fb735a5ecdd1c7dc8ddd56e1440abb.exe	28
PID 1608 wrote to memory of 1740	1608	e7237a81090e5450f744b938ea8130b719fb735a5ecdd1c7dc8ddd56e1440abb.exe	28
PID 1608 wrote to memory of 1740	1608	e7237a81090e5450f744b938ea8130b719fb735a5ecdd1c7dc8ddd56e1440abb.exe	28
PID 1608 wrote to memory of 1740	1608	e7237a81090e5450f744b938ea8130b719fb735a5ecdd1c7dc8ddd56e1440abb.exe	28
PID 1608 wrote to memory of 1740	1608	e7237a81090e5450f744b938ea8130b719fb735a5ecdd1c7dc8ddd56e1440abb.exe	28
PID 1608 wrote to memory of 1740	1608	e7237a81090e5450f744b938ea8130b719fb735a5ecdd1c7dc8ddd56e1440abb.exe	28
PID 1608 wrote to memory of 1740	1608	e7237a81090e5450f744b938ea8130b719fb735a5ecdd1c7dc8ddd56e1440abb.exe	28
PID 1740 wrote to memory of 956	1740	drvprosetup.exe	29
PID 1740 wrote to memory of 956	1740	drvprosetup.exe	29
PID 1740 wrote to memory of 956	1740	drvprosetup.exe	29
PID 1740 wrote to memory of 956	1740	drvprosetup.exe	29
PID 1740 wrote to memory of 956	1740	drvprosetup.exe	29
PID 1740 wrote to memory of 956	1740	drvprosetup.exe	29
PID 1740 wrote to memory of 956	1740	drvprosetup.exe	29

C:\Users\Admin\AppData\Local\Temp\e7237a81090e5450f744b938ea8130b719fb735a5ecdd1c7dc8ddd56e1440abb.exe
"C:\Users\Admin\AppData\Local\Temp\e7237a81090e5450f744b938ea8130b719fb735a5ecdd1c7dc8ddd56e1440abb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
  C:\Users\Admin\AppData\Local\Temp\\drvprosetup.exe /VERYSILENT
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\is-A1ME7.tmp\drvprosetup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-A1ME7.tmp\drvprosetup.tmp" /SL5="$60120,2637513,85504,C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe

Filesize
3.0MB

MD5
e2bc1e4dbb1b4a5342b8dea5ba2ec9da

SHA1
5325f6df57aa9d6cae42964aba0e035ab64edfd6

SHA256
c7cf53ed5ed00bce7d76401ce81ea293e3e7e773a58aace75719f489bc52dfcd

SHA512
5e8f0b900ac38539d77204bbc6e3aed42c3e7d39279b0d21fe2fe1f37fe27e63f96d70fa7dd175198a747be0e3e04133e66ba84943fe06bdc162a826ce8d78f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe

Filesize
3.0MB

MD5
e2bc1e4dbb1b4a5342b8dea5ba2ec9da

SHA1
5325f6df57aa9d6cae42964aba0e035ab64edfd6

SHA256
c7cf53ed5ed00bce7d76401ce81ea293e3e7e773a58aace75719f489bc52dfcd

SHA512
5e8f0b900ac38539d77204bbc6e3aed42c3e7d39279b0d21fe2fe1f37fe27e63f96d70fa7dd175198a747be0e3e04133e66ba84943fe06bdc162a826ce8d78f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A1ME7.tmp\drvprosetup.tmp

Filesize
1.1MB

MD5
dcb39cc84c9294a56d2f2a01211377bf

SHA1
ea30b92f18668d34e421821f343a7061e8138086

SHA256
55ca4a2da5da485d1216ad825572165c23d1440204f0bbfac127f6cfe45a6108

SHA512
6579250d2ac658c860f40fd85fd525c0856fb7ad4faa75122e8685eac407c7c99ad7078450eaf106ecef60654693ddfa18a421dab4be7eee4ec20d097bc57cd7

Download Submit
\Users\Admin\AppData\Local\Temp\drvprosetup.exe

Filesize
3.0MB

MD5
e2bc1e4dbb1b4a5342b8dea5ba2ec9da

SHA1
5325f6df57aa9d6cae42964aba0e035ab64edfd6

SHA256
c7cf53ed5ed00bce7d76401ce81ea293e3e7e773a58aace75719f489bc52dfcd

SHA512
5e8f0b900ac38539d77204bbc6e3aed42c3e7d39279b0d21fe2fe1f37fe27e63f96d70fa7dd175198a747be0e3e04133e66ba84943fe06bdc162a826ce8d78f1

Download Submit
\Users\Admin\AppData\Local\Temp\is-A1ME7.tmp\drvprosetup.tmp

Filesize
1.1MB

MD5
dcb39cc84c9294a56d2f2a01211377bf

SHA1
ea30b92f18668d34e421821f343a7061e8138086

SHA256
55ca4a2da5da485d1216ad825572165c23d1440204f0bbfac127f6cfe45a6108

SHA512
6579250d2ac658c860f40fd85fd525c0856fb7ad4faa75122e8685eac407c7c99ad7078450eaf106ecef60654693ddfa18a421dab4be7eee4ec20d097bc57cd7

Download Submit
\Users\Admin\AppData\Local\Temp\is-A4GTL.tmp\DrvProHelper.dll

Filesize
1.2MB

MD5
c5d6b7f4520e35daaaa9f8c1b0c3477c

SHA1
da3371df6b0dcdf0fd2ab812e2f62b4b6cfdc187

SHA256
4d1725cd717e0d907c2b24185a8993fba90ed98953093fed4954f985f685897f

SHA512
b4bb63e9be54f28df02d43aa8adbfb22ea4167eee40833963ae40b497471f8116af2521fcb929d02389177c31e9b3848cb9a4f8cf2faa73375b8d06af5b0c1bc

Download Submit
\Users\Admin\AppData\Local\Temp\is-A4GTL.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-A4GTL.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/956-68-0x0000000002CF1000-0x0000000002DFA000-memory.dmp

Filesize
1.0MB

Download
memory/1740-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1740-57-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1740-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1740-69-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1740-70-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing