Resubmissions: 1
Analysis 230307-qpnn8aab39 (score 7), submitted 07/03/2023, 13:26
- max time kernel: 77s
- max time network: 110s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/03/2023, 13:26
Static task: static1
Behavioral tasks (sample on resource):
- behavioral1: HVLink PRO 11.8.exe on win7-20230220-en
- behavioral2: HVLink PRO 11.8.exe on win10v2004-20230220-en
- behavioral3: ISSetupPrerequisites/FTDI VCP Driver.exe on win7-20230220-en
- behavioral4: ISSetupPrerequisites/FTDI VCP Driver.exe on win10v2004-20230220-en
- behavioral5: ISSetupPrerequisites/PnPutil.exe on win7-20230220-en
- behavioral6: ISSetupPrerequisites/PnPutil.exe on win10v2004-20230220-en
- behavioral7: ISSetupPrerequisites/USBWin8.bat on win7-20230220-en
- behavioral8: ISSetupPrerequisites/USBWin8.bat on win10v2004-20230221-en
- behavioral9: ISSetupPrerequisites/certutil.exe on win7-20230220-en
- behavioral10: ISSetupPrerequisites/certutil.exe on win10v2004-20230220-en
General
- Target: ISSetupPrerequisites/USBWin8.bat
- Size: 72B
- MD5: 306d0c087795c34e27308a787947d130
- SHA1: 9399a7fec392844973ef5ed3c2b7dda46c4f0578
- SHA256: f661626802bc4cf3394cee22c991a272fb083dd8f856279798b7b097c2336b53
- SHA512: d333ae68c2127191fb3e9a6186217360aab8afe7e2bf2b5df76db596440fabd32e50c315edf33593a4964bb6d323d56d3ed5fbf9324e172555e8e672e3a0c997
Malware Config

Signatures

Drops file in System32 directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\DriverStore\Temp\{926b30ec-31ef-9c46-95d8-a2a64d5026b3}\SET6AF4.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{926b30ec-31ef-9c46-95d8-a2a64d5026b3}\SET6AF4.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{926b30ec-31ef-9c46-95d8-a2a64d5026b3}\usbser.cat | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{926b30ec-31ef-9c46-95d8-a2a64d5026b3}\SET6B04.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{926b30ec-31ef-9c46-95d8-a2a64d5026b3}\SET6B04.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{926b30ec-31ef-9c46-95d8-a2a64d5026b3}\usbser.inf | DrvInst.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\INF\setupapi.dev.log | PnPutil.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | svchost.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe

Checks SCSI registry key(s) (3 TTPs, 10 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | svchost.exe

Modifies data under HKEY_USERS (41 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeAuditPrivilege | 336 | svchost.exe
Token: SeSecurityPrivilege | 336 | svchost.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | Process | procid_target
PID 3300 wrote to memory of 2104 | 3300 | cmd.exe | 85
PID 3300 wrote to memory of 2104 | 3300 | cmd.exe | 85
PID 3300 wrote to memory of 2104 | 3300 | cmd.exe | 85
PID 3300 wrote to memory of 2948 | 3300 | cmd.exe | 86
PID 3300 wrote to memory of 2948 | 3300 | cmd.exe | 86
PID 3300 wrote to memory of 2948 | 3300 | cmd.exe | 86
PID 336 wrote to memory of 3924 | 336 | svchost.exe | 88
PID 336 wrote to memory of 3924 | 336 | svchost.exe | 88
PID 3924 wrote to memory of 3416 | 3924 | DrvInst.exe | 89
PID 3924 wrote to memory of 3416 | 3924 | DrvInst.exe | 89
Processes
- C:\Windows\system32\cmd.exe (PID 3300)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ISSetupPrerequisites\USBWin8.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ISSetupPrerequisites\certutil.exe (PID 2104)
    Command line: certutil.exe -p 1354 -importPFX cdcseries.pfx
  - C:\Users\Admin\AppData\Local\Temp\ISSetupPrerequisites\PnPutil.exe (PID 2948)
    Command line: pnputil.exe -a usbser.inf
    Signatures: Drops file in Windows directory
- C:\Windows\system32\svchost.exe (PID 336)
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
  Signatures: Drops file in Windows directory; Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\DrvInst.exe (PID 3924)
    Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{616a9b3d-6862-1045-9316-16edd4b1ea03}\usbser.inf" "9" "4d994a78b" "0000000000000160" "WinSta0\Default" "0000000000000170" "208" "C:\Users\Admin\AppData\Local\Temp\ISSetupPrerequisites"
    Signatures: Drops file in System32 directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe (PID 3416)
      Command line: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{f79dd26e-ea86-3144-a8e8-d04d1aa09358} Global\{5cd69b88-39a5-cc4e-b19b-be59f5f66090} C:\Windows\System32\DriverStore\Temp\{926b30ec-31ef-9c46-95d8-a2a64d5026b3}\usbser.inf C:\Windows\System32\DriverStore\Temp\{926b30ec-31ef-9c46-95d8-a2a64d5026b3}\usbser.cat
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 4KB (3 identical entries)
  MD5: 74f5266295df09d62df4702d25f2b721
  SHA1: 4c9ea23d35c75367aba4e15fab51ee7c724fdf09
  SHA256: 750254c1f2ced29119a83b71e91e9acca0c6b9082839fafc4eb8cc82f840bd93
  SHA512: bd67d2eee5d516b0b48d1ba4bb908ae2e16d374e59915d598068329317126c4a4af1d1d652af00a596f93b6e406545c89d1b4923c388cc68eb62e30dde884947
- Filesize: 891B (3 identical entries)
  MD5: 67d6edf78385537e7ddbaafc25e651c6
  SHA1: 0a844f64786ea9f292efbb8ae7706feaba0eeccf
  SHA256: 8af2489e6c855907fa31344468fecfd432b73c84fe58ca657633423ba9af78a4
  SHA512: c074417af7cc1bad995b4f9fb501cf70efc4af111065d81ebba2117f08e9e5a427bf93678b165249f92ddb711ab09a3c0ef5d270006d340f37128d0f13b19d3c