8fc521653d7167d4339a6a158def934c8fa46d7f3c75eb1d3420f53069128561

Analysis

max time kernel
91s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2023 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Driver Booster/IObit Driver Booster Pro 9.0.1.104/driver_booster_setup.exe
Size

25.6MB
MD5

2239050b84ccb221ee934b3f70e95a37
SHA1

18ebfc24a9078646d915aafba7f3b741dcee9540
SHA256

ce7419d681ced5a78e17a8e0253a495268e1b226e89663e094b5cea462380731
SHA512

556924369e2f3e8e78c56d9d4f5372be021a2edd2484daa2882663564bc90516ce1539ce6e5e3db0b493d5fc50875e5a5c667468857ab5bb0084eb81332caa60
SSDEEP

786432:jwly9Z49ItYMHxLuuA/BCPSaMNeC+SogJEEb7X9bM:jwlykL2uuKBC6aMN22EEC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3504	driver_booster_setup.tmp
1136	setup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	driver_booster_setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3504	driver_booster_setup.tmp
3504	driver_booster_setup.tmp
3504	driver_booster_setup.tmp
3504	driver_booster_setup.tmp
1136	setup.exe
1136	setup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3504	driver_booster_setup.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1136	setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 3504	1284	driver_booster_setup.exe	81
PID 1284 wrote to memory of 3504	1284	driver_booster_setup.exe	81
PID 1284 wrote to memory of 3504	1284	driver_booster_setup.exe	81
PID 3504 wrote to memory of 1136	3504	driver_booster_setup.tmp	86
PID 3504 wrote to memory of 1136	3504	driver_booster_setup.tmp	86
PID 3504 wrote to memory of 1136	3504	driver_booster_setup.tmp	86

C:\Users\Admin\AppData\Local\Temp\Driver Booster\IObit Driver Booster Pro 9.0.1.104\driver_booster_setup.exe
"C:\Users\Admin\AppData\Local\Temp\Driver Booster\IObit Driver Booster Pro 9.0.1.104\driver_booster_setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\is-V035K.tmp\driver_booster_setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-V035K.tmp\driver_booster_setup.tmp" /SL5="$80064,26073627,139264,C:\Users\Admin\AppData\Local\Temp\Driver Booster\IObit Driver Booster Pro 9.0.1.104\driver_booster_setup.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Users\Admin\AppData\Local\Temp\is-K42IR.tmp-dbinst\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-K42IR.tmp-dbinst\setup.exe" "C:\Users\Admin\AppData\Local\Temp\Driver Booster\IObit Driver Booster Pro 9.0.1.104\driver_booster_setup.exe" /title="Driver Booster 9" /dbver=9.0.1.104 /eula="C:\Users\Admin\AppData\Local\Temp\is-K42IR.tmp-dbinst\EULA.rtf" /showlearnmore /pmtproduct /nochromepmt
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-K42IR.tmp-dbinst\setup.exe

Filesize
8.0MB

MD5
21529fbac4ff8cbd6c7bfbed738688a3

SHA1
7c34b3ffa84b9db355777c2ad0f2c4fb706ce01b

SHA256
bd1aa026c9309700a831a4052673c59651a082fc5a7bf7fcae515d4e2a6556fd

SHA512
45a2b7f5fe96b1e47977d01dd62ec9027207d5cfe455247ae17f0bd550a374df77aa99fd7ed3919754883312fb18f656f920e35715bce51797a3c4f8015b68b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K42IR.tmp-dbinst\setup.exe

Filesize
8.0MB

MD5
21529fbac4ff8cbd6c7bfbed738688a3

SHA1
7c34b3ffa84b9db355777c2ad0f2c4fb706ce01b

SHA256
bd1aa026c9309700a831a4052673c59651a082fc5a7bf7fcae515d4e2a6556fd

SHA512
45a2b7f5fe96b1e47977d01dd62ec9027207d5cfe455247ae17f0bd550a374df77aa99fd7ed3919754883312fb18f656f920e35715bce51797a3c4f8015b68b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V035K.tmp\driver_booster_setup.tmp

Filesize
1.2MB

MD5
68b52a0b8e3d45bf3b520a0e7f16dad1

SHA1
e50408326eafb5ca8adc70db29c33b64e25bbbbd

SHA256
b409d6d6f8896dc2afd1774479c741ca253c0e9b4732daaa08af84aa9c96888b

SHA512
b8e0b486e2b9652831eb8efe48cf9575eef49204e827a64d69ae7c9c30304b2d98a66c28f1072fe8596847c15f13bbf7ec39d7708684ff64051bbae7ed063faf

Download Submit
memory/1284-132-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1284-136-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1284-140-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1284-141-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download