Overview
overview
8Static
static
AsusSetup.exe
windows7-x64
1AsusSetup.exe
windows10-2004-x64
5AsusSetup.ini
windows7-x64
1AsusSetup.ini
windows10-2004-x64
1English.ini
windows7-x64
1English.ini
windows10-2004-x64
1French.ini
windows7-x64
1French.ini
windows10-2004-x64
1German.ini
windows7-x64
1German.ini
windows10-2004-x64
1Install.bat
windows7-x64
1Install.bat
windows10-2004-x64
5Japanese.ini
windows7-x64
1Japanese.ini
windows10-2004-x64
1Korean.ini
windows7-x64
1Korean.ini
windows10-2004-x64
1Russian.ini
windows7-x64
1Russian.ini
windows10-2004-x64
1SChinese.ini
windows7-x64
1SChinese.ini
windows10-2004-x64
1Spanish.ini
windows7-x64
1Spanish.ini
windows10-2004-x64
1TChinese.ini
windows7-x64
1TChinese.ini
windows10-2004-x64
1Ukrainian.ini
windows7-x64
1Ukrainian.ini
windows10-2004-x64
1ibtusb.cat
windows7-x64
8ibtusb.cat
windows10-2004-x64
1ibtusb.inf
windows7-x64
1ibtusb.inf
windows10-2004-x64
1ibtusb.exe
windows7-x64
ibtusb.exe
windows10-2004-x64
Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
08/01/2023, 05:11
Static task
static1
Behavioral task
behavioral1
Sample
AsusSetup.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
AsusSetup.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
AsusSetup.ini
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
AsusSetup.ini
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
English.ini
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral6
Sample
English.ini
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
French.ini
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral8
Sample
French.ini
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
German.ini
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral10
Sample
German.ini
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Install.bat
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral12
Sample
Install.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Japanese.ini
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral14
Sample
Japanese.ini
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Korean.ini
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral16
Sample
Korean.ini
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Russian.ini
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral18
Sample
Russian.ini
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
SChinese.ini
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral20
Sample
SChinese.ini
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Spanish.ini
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral22
Sample
Spanish.ini
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
TChinese.ini
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral24
Sample
TChinese.ini
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Ukrainian.ini
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral26
Sample
Ukrainian.ini
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
ibtusb.cat
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral28
Sample
ibtusb.cat
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
ibtusb.inf
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral30
Sample
ibtusb.inf
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
ibtusb.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral32
Sample
ibtusb.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
General
-
Target
AsusSetup.exe
-
Size
4.5MB
-
MD5
f7fb56068b8070f3c68ddfbfd52983ad
-
SHA1
fb8395c271a8a7b14655d57d3270684515ca828d
-
SHA256
93fc1c1b990f8cabf405cf4910c9879eefd53ace9423e10434d59410c5bde5ab
-
SHA512
63a9a62f9e588f63e15a938b2f42663fb64d66b7ac2340f543c98f6727bf7dc621cc1b35b480c4edfe2788b265e14d5a17fa49846c57984ac0a8ef1307670baf
-
SSDEEP
98304:UmuSFdw5ujhIMdcbJFLOAkGkzdnEVomFHKnPM:Th6MdcNFLOyomFHKnPM
Malware Config
Signatures
-
Drops file in System32 directory 15 IoCs
description ioc Process File opened for modification C:\Windows\System32\DriverStore\FileRepository\ibtusb.inf_amd64_615ca03970ce1e94\ibtusb.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{f93f534f-2259-0840-bb5a-fe395bdc95c3}\SET7767.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{f93f534f-2259-0840-bb5a-fe395bdc95c3}\ibtusb.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{f93f534f-2259-0840-bb5a-fe395bdc95c3}\SET77E5.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{f93f534f-2259-0840-bb5a-fe395bdc95c3}\SET77E5.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\ibtusb.inf_amd64_615ca03970ce1e94\ibtusb.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{f93f534f-2259-0840-bb5a-fe395bdc95c3}\SET7805.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{f93f534f-2259-0840-bb5a-fe395bdc95c3}\SET7805.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{f93f534f-2259-0840-bb5a-fe395bdc95c3}\ibtusb.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\ibtusb.inf_amd64_615ca03970ce1e94\ibtusb.cat DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{f93f534f-2259-0840-bb5a-fe395bdc95c3}\SET7767.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{f93f534f-2259-0840-bb5a-fe395bdc95c3}\ibtusb.cat DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{f93f534f-2259-0840-bb5a-fe395bdc95c3} DrvInst.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\inf\oem2.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log pnputil.exe File opened for modification C:\Windows\INF\setupapi.dev.log pnputil.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\inf\oem2.inf DrvInst.exe -
Checks SCSI registry key(s) 3 TTPs 58 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom pnputil.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs pnputil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID pnputil.exe -
Modifies data under HKEY_USERS 41 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeAuditPrivilege 4920 svchost.exe Token: SeSecurityPrivilege 4920 svchost.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 4668 AsusSetup.exe 4668 AsusSetup.exe 4668 AsusSetup.exe 4668 AsusSetup.exe 4668 AsusSetup.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4668 wrote to memory of 2944 4668 AsusSetup.exe 79 PID 4668 wrote to memory of 2944 4668 AsusSetup.exe 79 PID 2944 wrote to memory of 2036 2944 cmd.exe 81 PID 2944 wrote to memory of 2036 2944 cmd.exe 81 PID 4920 wrote to memory of 376 4920 svchost.exe 83 PID 4920 wrote to memory of 376 4920 svchost.exe 83 PID 2944 wrote to memory of 2728 2944 cmd.exe 84 PID 2944 wrote to memory of 2728 2944 cmd.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\AsusSetup.exe"C:\Users\Admin\AppData\Local\Temp\AsusSetup.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Windows\system32\cmd.exe/C "C:\Users\Admin\AppData\Local\Temp\Install.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\System32\pnputil.exe.\pnputil /add-driver "C:\Users\Admin\AppData\Local\Temp\ibtusb.inf" /install3⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:2036
-
-
C:\Windows\system32\pnputil.exeC:\Windows/system32/pnputil /add-driver ibtusb.inf /install3⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:2728
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{ffeeece4-0e75-3143-b83b-83f82d18c260}\ibtusb.inf" "9" "4873f9b9b" "000000000000014C" "WinSta0\Default" "0000000000000164" "208" "C:\Users\Admin\AppData\Local\Temp"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:376
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD50db4de032357484ccb341e63508d0550
SHA143560859a2cd9d42c847da98f7aa8690bfd1ff77
SHA2561adfe363507187084bf4eff10c77c2ee8a5cf6c2761ee4f65762bfef224bb0b0
SHA5123ace2fe93f241f7f6a7700019c45ef23c964b81d300467085ae57710f3c8a37110a42b944680ed67626e77117dfc074ac6d6ee6292c6fdc4050d95781bad7b3b
-
Filesize
6.3MB
MD5b5d96421a2bb00864c5865782ab76566
SHA1572c5a2f03c60d58cd4eb2eafa9af648590a76e5
SHA25615c52142638e99828fe4dc537fca15425c97a33262faf3fbc43d4eee44f45259
SHA51225ae4f539e808c78b62f270eb4cc668ce97635577300f0844950d26249f7808b61ad6a0e9aed7f84a09911582cca14f17b112831f4d20911d670b6ca1e22a839
-
Filesize
35KB
MD57be782b39efc950f66bfacf722649f63
SHA1eb313722e8fde13b7bdac599213736ae6450676d
SHA256b05b1f42c4fc01079bf1ab334bf281247b65b7c54c568fc9388d3ab7c6a657b0
SHA512e93bde2e05ba9737b5ecaa523b225cd1e8c9052414aea0d95b2acebdbcd8b6f9a1b90812770f2524c0977e16e711f49c72d23f3211aae13fb0d97e795d7c1cba
-
Filesize
35KB
MD57be782b39efc950f66bfacf722649f63
SHA1eb313722e8fde13b7bdac599213736ae6450676d
SHA256b05b1f42c4fc01079bf1ab334bf281247b65b7c54c568fc9388d3ab7c6a657b0
SHA512e93bde2e05ba9737b5ecaa523b225cd1e8c9052414aea0d95b2acebdbcd8b6f9a1b90812770f2524c0977e16e711f49c72d23f3211aae13fb0d97e795d7c1cba
-
Filesize
35KB
MD57be782b39efc950f66bfacf722649f63
SHA1eb313722e8fde13b7bdac599213736ae6450676d
SHA256b05b1f42c4fc01079bf1ab334bf281247b65b7c54c568fc9388d3ab7c6a657b0
SHA512e93bde2e05ba9737b5ecaa523b225cd1e8c9052414aea0d95b2acebdbcd8b6f9a1b90812770f2524c0977e16e711f49c72d23f3211aae13fb0d97e795d7c1cba