Overview
overview
8Static
static
AsusSetup.exe
windows7-x64
1AsusSetup.exe
windows10-2004-x64
5AsusSetup.ini
windows7-x64
1AsusSetup.ini
windows10-2004-x64
1English.ini
windows7-x64
1English.ini
windows10-2004-x64
1French.ini
windows7-x64
1French.ini
windows10-2004-x64
1German.ini
windows7-x64
1German.ini
windows10-2004-x64
1Install.bat
windows7-x64
1Install.bat
windows10-2004-x64
5Japanese.ini
windows7-x64
1Japanese.ini
windows10-2004-x64
1Korean.ini
windows7-x64
1Korean.ini
windows10-2004-x64
1Russian.ini
windows7-x64
1Russian.ini
windows10-2004-x64
1SChinese.ini
windows7-x64
1SChinese.ini
windows10-2004-x64
1Spanish.ini
windows7-x64
1Spanish.ini
windows10-2004-x64
1TChinese.ini
windows7-x64
1TChinese.ini
windows10-2004-x64
1Ukrainian.ini
windows7-x64
1Ukrainian.ini
windows10-2004-x64
1ibtusb.cat
windows7-x64
8ibtusb.cat
windows10-2004-x64
1ibtusb.inf
windows7-x64
1ibtusb.inf
windows10-2004-x64
1ibtusb.exe
windows7-x64
ibtusb.exe
windows10-2004-x64
Analysis
-
max time kernel
135s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
08/01/2023, 05:11
Static task
static1
Behavioral task
behavioral1
Sample
AsusSetup.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
AsusSetup.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
AsusSetup.ini
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
AsusSetup.ini
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
English.ini
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral6
Sample
English.ini
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
French.ini
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral8
Sample
French.ini
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
German.ini
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral10
Sample
German.ini
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Install.bat
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral12
Sample
Install.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Japanese.ini
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral14
Sample
Japanese.ini
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Korean.ini
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral16
Sample
Korean.ini
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Russian.ini
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral18
Sample
Russian.ini
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
SChinese.ini
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral20
Sample
SChinese.ini
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Spanish.ini
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral22
Sample
Spanish.ini
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
TChinese.ini
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral24
Sample
TChinese.ini
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Ukrainian.ini
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral26
Sample
Ukrainian.ini
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
ibtusb.cat
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral28
Sample
ibtusb.cat
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
ibtusb.inf
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral30
Sample
ibtusb.inf
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
ibtusb.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral32
Sample
ibtusb.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
General
-
Target
Install.bat
-
Size
308B
-
MD5
05ea96804213722f35f7ca76e1e3e350
-
SHA1
a873c5dc79a671ea5c33bc1a21f853b60a794f3e
-
SHA256
fa439350a1259088825dd533111de0b43b8d851f68daa3eeb49b0d498834010e
-
SHA512
08ee3f84b198fe1fbccca17260d6185ba37e87ffc5acf8eda1ecf9e4b670900b51d9917a2ef8ddd30308ea603ddac35789abb4ded8e05ada6a996fb5c14bcec7
Malware Config
Signatures
-
Drops file in System32 directory 15 IoCs
description ioc Process File opened for modification C:\Windows\System32\DriverStore\FileRepository\ibtusb.inf_amd64_615ca03970ce1e94\ibtusb.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\ibtusb.inf_amd64_615ca03970ce1e94\ibtusb.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{f8f701de-2d97-f14b-b69e-e18a76160cb6}\SET81D9.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{f8f701de-2d97-f14b-b69e-e18a76160cb6}\SET81D9.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\ibtusb.inf_amd64_615ca03970ce1e94\ibtusb.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{f8f701de-2d97-f14b-b69e-e18a76160cb6}\SET81D8.tmp DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{f8f701de-2d97-f14b-b69e-e18a76160cb6}\SET81D8.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{f8f701de-2d97-f14b-b69e-e18a76160cb6}\ibtusb.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{f8f701de-2d97-f14b-b69e-e18a76160cb6} DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{f8f701de-2d97-f14b-b69e-e18a76160cb6}\SET81C7.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{f8f701de-2d97-f14b-b69e-e18a76160cb6}\SET81C7.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{f8f701de-2d97-f14b-b69e-e18a76160cb6}\ibtusb.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{f8f701de-2d97-f14b-b69e-e18a76160cb6}\ibtusb.cat DrvInst.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.dev.log pnputil.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\inf\oem2.inf DrvInst.exe File created C:\Windows\inf\oem2.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log pnputil.exe -
Checks SCSI registry key(s) 3 TTPs 58 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID pnputil.exe -
Modifies data under HKEY_USERS 41 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeAuditPrivilege 4484 svchost.exe Token: SeSecurityPrivilege 4484 svchost.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2248 wrote to memory of 4404 2248 cmd.exe 80 PID 2248 wrote to memory of 4404 2248 cmd.exe 80 PID 4484 wrote to memory of 1432 4484 svchost.exe 82 PID 4484 wrote to memory of 1432 4484 svchost.exe 82 PID 2248 wrote to memory of 5012 2248 cmd.exe 83 PID 2248 wrote to memory of 5012 2248 cmd.exe 83
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Install.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\System32\pnputil.exe.\pnputil /add-driver "C:\Users\Admin\AppData\Local\Temp\ibtusb.inf" /install2⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:4404
-
-
C:\Windows\system32\pnputil.exeC:\Windows/system32/pnputil /add-driver ibtusb.inf /install2⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:5012
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{f56256e9-a680-9f43-b841-5493656b6620}\ibtusb.inf" "9" "4873f9b9b" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Users\Admin\AppData\Local\Temp"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1432
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD50db4de032357484ccb341e63508d0550
SHA143560859a2cd9d42c847da98f7aa8690bfd1ff77
SHA2561adfe363507187084bf4eff10c77c2ee8a5cf6c2761ee4f65762bfef224bb0b0
SHA5123ace2fe93f241f7f6a7700019c45ef23c964b81d300467085ae57710f3c8a37110a42b944680ed67626e77117dfc074ac6d6ee6292c6fdc4050d95781bad7b3b
-
Filesize
6.3MB
MD5b5d96421a2bb00864c5865782ab76566
SHA1572c5a2f03c60d58cd4eb2eafa9af648590a76e5
SHA25615c52142638e99828fe4dc537fca15425c97a33262faf3fbc43d4eee44f45259
SHA51225ae4f539e808c78b62f270eb4cc668ce97635577300f0844950d26249f7808b61ad6a0e9aed7f84a09911582cca14f17b112831f4d20911d670b6ca1e22a839
-
Filesize
35KB
MD57be782b39efc950f66bfacf722649f63
SHA1eb313722e8fde13b7bdac599213736ae6450676d
SHA256b05b1f42c4fc01079bf1ab334bf281247b65b7c54c568fc9388d3ab7c6a657b0
SHA512e93bde2e05ba9737b5ecaa523b225cd1e8c9052414aea0d95b2acebdbcd8b6f9a1b90812770f2524c0977e16e711f49c72d23f3211aae13fb0d97e795d7c1cba
-
Filesize
35KB
MD57be782b39efc950f66bfacf722649f63
SHA1eb313722e8fde13b7bdac599213736ae6450676d
SHA256b05b1f42c4fc01079bf1ab334bf281247b65b7c54c568fc9388d3ab7c6a657b0
SHA512e93bde2e05ba9737b5ecaa523b225cd1e8c9052414aea0d95b2acebdbcd8b6f9a1b90812770f2524c0977e16e711f49c72d23f3211aae13fb0d97e795d7c1cba
-
Filesize
35KB
MD57be782b39efc950f66bfacf722649f63
SHA1eb313722e8fde13b7bdac599213736ae6450676d
SHA256b05b1f42c4fc01079bf1ab334bf281247b65b7c54c568fc9388d3ab7c6a657b0
SHA512e93bde2e05ba9737b5ecaa523b225cd1e8c9052414aea0d95b2acebdbcd8b6f9a1b90812770f2524c0977e16e711f49c72d23f3211aae13fb0d97e795d7c1cba