Analysis
max time kernel: 42s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2022 13:26
Behavioral task
behavioral1
Sample: feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
Resource: win7-20220812-en (windows7-x64)
4 signatures
150 seconds
General
Target: feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
Size: 408KB
MD5: 08252eaf125435946783fcbc9874a064
SHA1: e47fe7b0c4dcaf172cfb785ae17f7963046a891d
SHA256: feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9
SHA512: a8329da82ec7e418f4aa108ae11d0d584a8884dd9e6f9ff6c97977000d5e437884b85782dff30fc871c3c4e4ffed64ffac5b4511f5c228df49d3feaf62c3a9c9
SSDEEP: 6144:qTzncPRf7XWpbpKSmJ2qL6WsVOKcQwm3LBlKC:gA5Mdhmo6H2cC
Malware Config
Signatures

Drops file in Drivers directory 64 IoCs
description: File opened for modification (every row)
Process: feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe, PID 1184 (every row)
ioc:
  C:\Windows\system32\drivers\rdprefmp.sys
  C:\Windows\system32\drivers\wmiacpi.sys
  C:\Windows\system32\drivers\megasas.sys
  C:\Windows\system32\drivers\serial.sys
  C:\Windows\system32\drivers\uliagpkx.sys
  C:\Windows\System32\drivers\ipnat.sys
  C:\Windows\system32\drivers\serenum.sys
  C:\Windows\system32\drivers\speeder.sys
  C:\Windows\system32\drivers\amdk8.sys
  C:\Windows\system32\drivers\nvraid.sys
  C:\Windows\system32\drivers\ohci1394.sys
  C:\Windows\system32\drivers\IPMIDrv.sys
  C:\Windows\system32\drivers\bthmodem.sys
  C:\Windows\system32\drivers\dmvsc.sys
  C:\Windows\system32\drivers\drmkaud.sys
  C:\Windows\system32\drivers\evbda.sys
  C:\Windows\system32\drivers\elxstor.sys
  C:\Windows\system32\drivers\VMBusHID.sys
  C:\Windows\system32\drivers\BrFiltLo.sys
  C:\Windows\system32\drivers\kbdhid.sys
  C:\Windows\system32\drivers\qwavedrv.sys
  C:\Windows\system32\drivers\sfloppy.sys
  C:\Windows\system32\drivers\compbatt.sys
  C:\Windows\System32\DRIVERS\scfilter.sys
  C:\Windows\system32\DRIVERS\smb.sys
  C:\Windows\system32\drivers\stexstor.sys
  C:\Windows\System32\DRIVERS\netbt.sys
  C:\Windows\system32\drivers\adpu320.sys
  C:\Windows\system32\drivers\MSPCLOCK.sys
  C:\Windows\System32\drivers\rdpdr.sys
  C:\Windows\system32\drivers\sisraid4.sys
  C:\Windows\system32\drivers\1394ohci.sys
  C:\Windows\system32\drivers\cmdide.sys
  C:\Windows\system32\drivers\lsi_fc.sys
  C:\Windows\System32\drivers\rdpvideominiport.sys
  C:\Windows\System32\Drivers\Beep.sys
  C:\Windows\system32\drivers\lsi_scsi.sys
  C:\Windows\system32\drivers\pcmcia.sys
  C:\Windows\System32\Drivers\RDPWD.sys
  C:\Windows\system32\drivers\tsusbhub.sys
  C:\Windows\System32\drivers\volmgrx.sys
  C:\Windows\system32\drivers\msiscsi.sys
  C:\Windows\system32\drivers\arc.sys
  C:\Windows\system32\DRIVERS\asyncmac.sys
  C:\Windows\system32\drivers\flpydisk.sys
  C:\Windows\system32\drivers\HpSAMD.sys
  C:\Windows\system32\drivers\intelide.sys
  C:\Windows\system32\DRIVERS\ndisuio.sys
  C:\Windows\system32\drivers\vms3cap.sys
  C:\Windows\system32\drivers\amdppm.sys
  C:\Windows\system32\drivers\vsmraid.sys
  C:\Windows\System32\drivers\mshidkmdf.sys
  C:\Windows\system32\drivers\usbprint.sys
  C:\Windows\system32\DRIVERS\lltdio.sys
  C:\Windows\system32\drivers\acpipmi.sys
  C:\Windows\System32\Drivers\BrUsbMdm.sys
  C:\Windows\system32\DRIVERS\nwifi.sys
  C:\Windows\system32\drivers\nvstor.sys
  C:\Windows\system32\drivers\sffp_mmc.sys
  C:\Windows\system32\drivers\amdide.sys
  C:\Windows\System32\Drivers\spldr.sys
  C:\Windows\system32\drivers\usbohci.sys
  C:\Windows\system32\drivers\vhdmp.sys
  C:\Windows\system32\drivers\SiSRaid2.sys
VMProtect packed file (yara rule: vmprotect) 3 IoCs
yara_rule: vmprotect (every row)
resource:
  behavioral1/memory/1184-54-0x0000000000400000-0x00000000004AE000-memory.dmp
  behavioral1/memory/1184-56-0x0000000000400000-0x00000000004AE000-memory.dmp
  behavioral1/memory/1184-58-0x0000000000400000-0x00000000004AE000-memory.dmp
Checks whether UAC is enabled 1 IoCs
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid 1184, Process feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
pid 1184, Process feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
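Three things about the signature tables above matter when turning them into a hunt. First, once extracted the tables are flat text, "description ioc Process" triples run together with spaces, so they need re-splitting before anything can search them. Second, the 64 driver rows spell the same directory as system32\drivers, System32\drivers, System32\DRIVERS, system32\DRIVERS and System32\Drivers; Windows resolves all of these to one directory, but a case-sensitive SIEM search will not, so paths should be case-folded before deduplication or matching. Third, "File opened for modification" records an open with write access, and the report does not show whether any bytes were actually written; every row is attributed to the single PID 1184 with no child processes, and Triage lists at most 64 IoCs per signature, so 64 is a lower bound rather than an exact count. The Python below is an added example, not part of the Triage report or of any tool it references: it re-splits the flattened rows, case-folds the paths, and runs two checks over them (a threshold on distinct driver files one process opens for modification, and the EnableLUA policy query). The input is a subset of the report's own rows embedded inline; the threshold value, the regex (which assumes the ioc column contains no spaces, true of every row here) and the flag wording are illustrative assumptions.

```python
import re
from collections import defaultdict

# Triage flattens each signature table into "description ioc Process" triples
# separated only by spaces. ROW_RE re-splits that text. Assumption: the ioc
# column contains no spaces (true of every row in this report) and the
# Process column is an .exe name.
ROW_RE = re.compile(
    r"(File opened for modification|Key value queried)\s+(\S+)\s+(\S+?\.exe)"
)

# Normalised (lower-case, backslash-separated) prefixes the checks key on.
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"
UAC_VALUE = ("\\registry\\machine\\software\\microsoft\\windows\\currentversion"
             "\\policies\\system\\enablelua")

SAMPLE_PROCESS = "feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe"

# Rows taken from the report above (12 of the 64 driver rows, chosen to cover
# every directory spelling that appears, plus the registry row), joined with
# single spaces exactly as the extracted page runs them together.
FLATTENED = " ".join(
    f"File opened for modification {path} {SAMPLE_PROCESS}"
    for path in [
        r"C:\Windows\system32\drivers\rdprefmp.sys",
        r"C:\Windows\system32\drivers\wmiacpi.sys",
        r"C:\Windows\system32\drivers\megasas.sys",
        r"C:\Windows\system32\drivers\serial.sys",
        r"C:\Windows\System32\drivers\ipnat.sys",
        r"C:\Windows\System32\DRIVERS\scfilter.sys",
        r"C:\Windows\system32\DRIVERS\smb.sys",
        r"C:\Windows\System32\DRIVERS\netbt.sys",
        r"C:\Windows\System32\Drivers\Beep.sys",
        r"C:\Windows\System32\Drivers\RDPWD.sys",
        r"C:\Windows\system32\drivers\nvstor.sys",
        r"C:\Windows\system32\drivers\SiSRaid2.sys",
    ]
) + (" Key value queried \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows"
     "\\CurrentVersion\\Policies\\System\\EnableLUA " + SAMPLE_PROCESS)


def parse_rows(text):
    """Split flattened signature text into (description, ioc, process) tuples."""
    return [m.groups() for m in ROW_RE.finditer(text)]


def normalize_path(path):
    """Case-fold and unify separators. Windows compares paths case-insensitively,
    so system32\\DRIVERS and System32\\drivers are one directory; folding keeps the
    dedup honest and yields a hunt list that also matches in case-sensitive tools."""
    return path.replace("/", "\\").lower()


def summarize(rows, driver_threshold=10):
    """Group rows per process and run two checks:
      * mass driver write-open: at least driver_threshold distinct .sys files
        under the drivers directory opened for modification by one process
        (the threshold is an illustrative assumption, not a Triage setting);
      * UAC probe: the EnableLUA policy value was queried.
    Returns {process: {"drivers": set, "queries_uac": bool, "flags": list}}."""
    per_proc = defaultdict(
        lambda: {"drivers": set(), "queries_uac": False, "flags": []}
    )
    for desc, ioc, proc in rows:
        entry = per_proc[proc]
        norm = normalize_path(ioc)
        if (desc == "File opened for modification"
                and norm.startswith(DRIVERS_DIR) and norm.endswith(".sys")):
            entry["drivers"].add(norm)
        elif desc == "Key value queried" and norm == UAC_VALUE:
            entry["queries_uac"] = True
    for entry in per_proc.values():
        if len(entry["drivers"]) >= driver_threshold:
            entry["flags"].append(
                f"mass driver write-open ({len(entry['drivers'])} distinct files)"
            )
        if entry["queries_uac"]:
            entry["flags"].append("queried EnableLUA (UAC status check)")
    return dict(per_proc)


def hunt_list(summary):
    """Sorted, de-duplicated, case-folded driver paths across all processes,
    ready to paste into a SIEM search."""
    paths = set()
    for entry in summary.values():
        paths |= entry["drivers"]
    return sorted(paths)


if __name__ == "__main__":
    result = summarize(parse_rows(FLATTENED))
    for proc, entry in result.items():
        print(proc, entry["flags"])
    print("\n".join(hunt_list(result)))
```

Run as-is it flags PID 1184's image on both checks for the embedded 12-row subset; feeding it the full 64-row table from the report gives the same two flags with a higher file count. Raise driver_threshold to suppress the mass-write flag on hosts where legitimate driver servicing (Windows Update, vendor installers) routinely opens many .sys files for write, and key the real rule on process identity as well as count.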
Processes
C:\Users\Admin\AppData\Local\Temp\feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\feb1a66ea77a6fdc4b1c690df5d2a851687768afffc060198aa77754e811aae9.exe"
  PID: 1184
  - Drops file in Drivers directory
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx