0397591fa7b81d79e9071a0b37a5facd4d83ce4c6722fed1a6842cf03ec0e827

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09/03/2023, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

driver_booster_setup.exe
Size

27.6MB
MD5

3fca4bff9ed758c69c3d50066b09a66e
SHA1

211d519fb9431abe68f567a3c9066e0ccf376fe6
SHA256

0397591fa7b81d79e9071a0b37a5facd4d83ce4c6722fed1a6842cf03ec0e827
SHA512

f7ff1bee5ccb507d1699dd822335685a3bc86ecacf4d2529641697766e9fd20a7b466db3b495be3289dc9826317a5568251d7424df7f752c4bcd54d0ade28382
SSDEEP

786432:I45GZ1mR8trLRqeGWlPr5r050V7CRV3XcgdWOq7D:hO1mR8tn+4PNrS6CRV3XcgdWOqX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1588	driver_booster_setup.tmp
1708	setup.exe

Loads dropped DLL 4 IoCs

pid	Process
1940	driver_booster_setup.exe
1588	driver_booster_setup.tmp
1588	driver_booster_setup.tmp
1588	driver_booster_setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1588	driver_booster_setup.tmp
1588	driver_booster_setup.tmp
1708	setup.exe
1708	setup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	driver_booster_setup.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1708	setup.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1588	1940	driver_booster_setup.exe	27
PID 1940 wrote to memory of 1588	1940	driver_booster_setup.exe	27
PID 1940 wrote to memory of 1588	1940	driver_booster_setup.exe	27
PID 1940 wrote to memory of 1588	1940	driver_booster_setup.exe	27
PID 1940 wrote to memory of 1588	1940	driver_booster_setup.exe	27
PID 1940 wrote to memory of 1588	1940	driver_booster_setup.exe	27
PID 1940 wrote to memory of 1588	1940	driver_booster_setup.exe	27
PID 1588 wrote to memory of 1708	1588	driver_booster_setup.tmp	28
PID 1588 wrote to memory of 1708	1588	driver_booster_setup.tmp	28
PID 1588 wrote to memory of 1708	1588	driver_booster_setup.tmp	28
PID 1588 wrote to memory of 1708	1588	driver_booster_setup.tmp	28
PID 1588 wrote to memory of 1708	1588	driver_booster_setup.tmp	28
PID 1588 wrote to memory of 1708	1588	driver_booster_setup.tmp	28
PID 1588 wrote to memory of 1708	1588	driver_booster_setup.tmp	28

C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe
"C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\is-DAMPK.tmp\driver_booster_setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DAMPK.tmp\driver_booster_setup.tmp" /SL5="$70124,28190529,139264,C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\is-3K04U.tmp-dbinst\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-3K04U.tmp-dbinst\setup.exe" "C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe" /title="Driver Booster 10" /dbver=10.3.0.124 /eula="C:\Users\Admin\AppData\Local\Temp\is-3K04U.tmp-dbinst\EULA.rtf" /showlearnmore /pmtproduct /nochromepmt
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IObit\iobitpromotion.ini

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\1678396975\ENGLISH.lng

Filesize
24KB

MD5
8e7f2723f0e72bc6abefca738c9c1ca4

SHA1
969a4a6f31e146040a101d526886ede9a7c5c432

SHA256
f3c690feab9ab2b7dea8ea6334b484768f19caaf85dfa14be2bce5e4fdbffd4b

SHA512
9a3efa9dd002394050cbd457adb67121fcae7a31b66b42e3d612725b9166bd76c4f8c73ed039226c16248461c7f4f1fb6cac91960b7bb57a3273fbd022b1e232

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3K04U.tmp-dbinst\setup.exe

Filesize
5.8MB

MD5
9b91178de5fa5fe77fa6f41eabf8bda2

SHA1
7daadf0183720c7fc2425cf1110bf864a2919b95

SHA256
a7f09f96ae7a680d5fd9308b4d6826ec9d45c438c47f557d4671c9cf808a944a

SHA512
8262cb79022021b313df37de2666ab0e7d5e972ad784ee10a79ae8ca033ec3d5ddc2d0f530a017f89eb0da4d6e74debca08a305c7b8b3e4cef8431b8e5fab153

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3K04U.tmp-dbinst\setup.exe

Filesize
5.8MB

MD5
9b91178de5fa5fe77fa6f41eabf8bda2

SHA1
7daadf0183720c7fc2425cf1110bf864a2919b95

SHA256
a7f09f96ae7a680d5fd9308b4d6826ec9d45c438c47f557d4671c9cf808a944a

SHA512
8262cb79022021b313df37de2666ab0e7d5e972ad784ee10a79ae8ca033ec3d5ddc2d0f530a017f89eb0da4d6e74debca08a305c7b8b3e4cef8431b8e5fab153

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3K04U.tmp-dbinst\setup.exe

Filesize
5.8MB

MD5
9b91178de5fa5fe77fa6f41eabf8bda2

SHA1
7daadf0183720c7fc2425cf1110bf864a2919b95

SHA256
a7f09f96ae7a680d5fd9308b4d6826ec9d45c438c47f557d4671c9cf808a944a

SHA512
8262cb79022021b313df37de2666ab0e7d5e972ad784ee10a79ae8ca033ec3d5ddc2d0f530a017f89eb0da4d6e74debca08a305c7b8b3e4cef8431b8e5fab153

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DAMPK.tmp\driver_booster_setup.tmp

Filesize
1.2MB

MD5
68b52a0b8e3d45bf3b520a0e7f16dad1

SHA1
e50408326eafb5ca8adc70db29c33b64e25bbbbd

SHA256
b409d6d6f8896dc2afd1774479c741ca253c0e9b4732daaa08af84aa9c96888b

SHA512
b8e0b486e2b9652831eb8efe48cf9575eef49204e827a64d69ae7c9c30304b2d98a66c28f1072fe8596847c15f13bbf7ec39d7708684ff64051bbae7ed063faf

Download Submit
\Users\Admin\AppData\Local\Temp\is-3K04U.tmp-dbinst\setup.exe

Filesize
5.8MB

MD5
9b91178de5fa5fe77fa6f41eabf8bda2

SHA1
7daadf0183720c7fc2425cf1110bf864a2919b95

SHA256
a7f09f96ae7a680d5fd9308b4d6826ec9d45c438c47f557d4671c9cf808a944a

SHA512
8262cb79022021b313df37de2666ab0e7d5e972ad784ee10a79ae8ca033ec3d5ddc2d0f530a017f89eb0da4d6e74debca08a305c7b8b3e4cef8431b8e5fab153

Download Submit
\Users\Admin\AppData\Local\Temp\is-3K04U.tmp\DriverBooster.exe

Filesize
8.6MB

MD5
c30015d70bed519d1fd68ff7a50600c2

SHA1
650b40b1274b3167d46d891305891179aac016aa

SHA256
5ab040f5aec997470a0e61a032f32eeda3ef67c887b5a85f4e2bf96b99567c2a

SHA512
7dc8c4a9b01ff395d8cd7a9ed6f70dced223cac841aa239df83d197913b56d6ba6809be68b108464841cec34987645d4b408af1b61e38072bccfd8749b0a0723

Download Submit
\Users\Admin\AppData\Local\Temp\is-3K04U.tmp\DriverBooster.exe

Filesize
8.6MB

MD5
c30015d70bed519d1fd68ff7a50600c2

SHA1
650b40b1274b3167d46d891305891179aac016aa

SHA256
5ab040f5aec997470a0e61a032f32eeda3ef67c887b5a85f4e2bf96b99567c2a

SHA512
7dc8c4a9b01ff395d8cd7a9ed6f70dced223cac841aa239df83d197913b56d6ba6809be68b108464841cec34987645d4b408af1b61e38072bccfd8749b0a0723

Download Submit
\Users\Admin\AppData\Local\Temp\is-DAMPK.tmp\driver_booster_setup.tmp

Filesize
1.2MB

MD5
68b52a0b8e3d45bf3b520a0e7f16dad1

SHA1
e50408326eafb5ca8adc70db29c33b64e25bbbbd

SHA256
b409d6d6f8896dc2afd1774479c741ca253c0e9b4732daaa08af84aa9c96888b

SHA512
b8e0b486e2b9652831eb8efe48cf9575eef49204e827a64d69ae7c9c30304b2d98a66c28f1072fe8596847c15f13bbf7ec39d7708684ff64051bbae7ed063faf

Download Submit
memory/1588-103-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1588-61-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1708-108-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1708-185-0x0000000002AE0000-0x0000000002B20000-memory.dmp

Filesize
256KB

Download
memory/1708-208-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/1708-209-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1708-210-0x0000000002AE0000-0x0000000002B20000-memory.dmp

Filesize
256KB

Download
memory/1940-54-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1940-105-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download