8bf19cc3b82146405600c66c581356b580f4a5bba6b9b97c11579b3c17321ce9

Virtualization/Sandbox Evasion

Processes:

dupdater.exedupdater.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dupdater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dupdater.exe

Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Program Files (x86)\Driver Updater\HTMLayout.dll	acprotect
\Program Files (x86)\Driver Updater\htmlayout.dll	acprotect
C:\Program Files (x86)\Driver Updater\HTMLayout.dll	acprotect
\Program Files (x86)\Driver Updater\htmlayout.dll	acprotect

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

dupdater.exedupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dupdater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dupdater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dupdater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dupdater.exe

Executes dropped EXE 6 IoCs

Processes:

DriverUpdaterSetup-2.7.0.1436.exedupdater.exeInstaller.exeDriverUpdaterSetup-2.7.0.1436.exedupdater.exeInstaller.exe

pid	process
4260	DriverUpdaterSetup-2.7.0.1436.exe
4476	dupdater.exe
3832	Installer.exe
4260	DriverUpdaterSetup-2.7.0.1436.exe
4476	dupdater.exe
3832	Installer.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

dupdater.exedupdater.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Wine	dupdater.exe
Key opened	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Wine	dupdater.exe

Loads dropped DLL 20 IoCs

Processes:

dupdater.exedupdater.exe

pid	process
4476	dupdater.exe
4476	dupdater.exe
4476	dupdater.exe
4476	dupdater.exe
4476	dupdater.exe
4476	dupdater.exe
4476	dupdater.exe
4476	dupdater.exe
4476	dupdater.exe
4476	dupdater.exe
4476	dupdater.exe
4476	dupdater.exe
4476	dupdater.exe
4476	dupdater.exe
4476	dupdater.exe
4476	dupdater.exe
4476	dupdater.exe
4476	dupdater.exe
4476	dupdater.exe
4476	dupdater.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3848-117-0x0000000000B40000-0x0000000000EC3000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\DriverUpdaterSetup-2.7.0.1436.exe	upx
C:\Users\Admin\AppData\Local\Temp\DriverUpdaterSetup-2.7.0.1436.exe	upx
behavioral1/memory/3848-123-0x0000000000B40000-0x0000000000EC3000-memory.dmp	upx
behavioral1/memory/3848-124-0x0000000000B40000-0x0000000000EC3000-memory.dmp	upx
behavioral1/memory/4260-125-0x0000000000400000-0x0000000002A55000-memory.dmp	upx
behavioral1/memory/4260-127-0x0000000000400000-0x0000000002A55000-memory.dmp	upx
behavioral1/memory/4260-133-0x0000000000400000-0x0000000002A55000-memory.dmp	upx
behavioral1/memory/4260-167-0x0000000000400000-0x0000000002A55000-memory.dmp	upx
behavioral1/memory/4260-173-0x0000000000400000-0x0000000002A55000-memory.dmp	upx
C:\Program Files (x86)\Driver Updater\HTMLayout.dll	upx
\Program Files (x86)\Driver Updater\htmlayout.dll	upx
behavioral1/memory/4476-194-0x0000000010000000-0x0000000010261000-memory.dmp	upx
behavioral1/memory/4476-214-0x0000000010000000-0x0000000010261000-memory.dmp	upx
behavioral1/memory/4476-217-0x0000000010000000-0x0000000010261000-memory.dmp	upx
behavioral1/memory/4476-219-0x0000000010000000-0x0000000010261000-memory.dmp	upx
behavioral1/memory/4476-299-0x0000000010000000-0x0000000010261000-memory.dmp	upx
behavioral1/memory/4476-338-0x0000000010000000-0x0000000010261000-memory.dmp	upx
behavioral1/memory/4476-349-0x0000000010000000-0x0000000010261000-memory.dmp	upx
behavioral1/memory/3848-117-0x0000000000B40000-0x0000000000EC3000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\DriverUpdaterSetup-2.7.0.1436.exe	upx
C:\Users\Admin\AppData\Local\Temp\DriverUpdaterSetup-2.7.0.1436.exe	upx
behavioral1/memory/3848-123-0x0000000000B40000-0x0000000000EC3000-memory.dmp	upx
behavioral1/memory/3848-124-0x0000000000B40000-0x0000000000EC3000-memory.dmp	upx
behavioral1/memory/4260-125-0x0000000000400000-0x0000000002A55000-memory.dmp	upx
behavioral1/memory/4260-127-0x0000000000400000-0x0000000002A55000-memory.dmp	upx
behavioral1/memory/4260-133-0x0000000000400000-0x0000000002A55000-memory.dmp	upx
behavioral1/memory/4260-167-0x0000000000400000-0x0000000002A55000-memory.dmp	upx
behavioral1/memory/4260-173-0x0000000000400000-0x0000000002A55000-memory.dmp	upx
C:\Program Files (x86)\Driver Updater\HTMLayout.dll	upx
\Program Files (x86)\Driver Updater\htmlayout.dll	upx
behavioral1/memory/4476-194-0x0000000010000000-0x0000000010261000-memory.dmp	upx
behavioral1/memory/4476-214-0x0000000010000000-0x0000000010261000-memory.dmp	upx
behavioral1/memory/4476-217-0x0000000010000000-0x0000000010261000-memory.dmp	upx
behavioral1/memory/4476-219-0x0000000010000000-0x0000000010261000-memory.dmp	upx
behavioral1/memory/4476-299-0x0000000010000000-0x0000000010261000-memory.dmp	upx
behavioral1/memory/4476-338-0x0000000010000000-0x0000000010261000-memory.dmp	upx
behavioral1/memory/4476-349-0x0000000010000000-0x0000000010261000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

Processes:

DriverUpdaterSetup-2.7.0.1436.exedupdater.exeDriverUpdaterSetup-2.7.0.1436.exedupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DriverUpdaterSetup-2.7.0.1436.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DriverUpdaterSetup-2.7.0.1436.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dupdater.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

dupdater.exedupdater.exe

description ioc process

File opened for modification \??\PhysicalDrive0 dupdater.exe
File opened for modification \??\PhysicalDrive0 dupdater.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	dupdater.exe
File opened for modification	\??\PhysicalDrive0	dupdater.exe

Drops file in System32 directory 64 IoCs

Processes:

dupdater.exeDrvInst.exedupdater.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_e22da3cb2d7a1ed6\hdaudbus.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\Temp\{9ff03c77-f378-d645-b2e5-6dd6799c6157}\SETA50C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\disk.inf_amd64_4411de1bdd5382d9\disk.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\kdnic.inf_amd64_1496862836cc181d\kdnic.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\volmgr.inf_amd64_84149a6ef7112aa8\volmgr.PNF	dupdater.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ff03c77-f378-d645-b2e5-6dd6799c6157}\SETA50D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\compositebus.inf_amd64_de4c68ea4fb1be53\compositebus.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vhdmp.inf_amd64_91108ad24fd52958\vhdmp.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\audioendpoint.inf_amd64_b8966bfe6600218e\audioendpoint.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\volmgr.inf_amd64_84149a6ef7112aa8\volmgr.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cpu.inf_amd64_06bb16552d790e06\cpu.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\volume.inf_amd64_58a93fc6c89329f3\volume.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_e22da3cb2d7a1ed6\hdaudbus.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\pci.inf_amd64_4cf9a878972c8fa1\pci.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\audioendpoint.inf_amd64_b8966bfe6600218e\audioendpoint.PNF	dupdater.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ff03c77-f378-d645-b2e5-6dd6799c6157}\netrtl64.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{9ff03c77-f378-d645-b2e5-6dd6799c6157}\SETA50D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_74965e869fab271a\mshdc.PNF	dupdater.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ff03c77-f378-d645-b2e5-6dd6799c6157}\RtNicProp64.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\basicdisplay.inf_amd64_85cec69e2fcef504\basicdisplay.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mssmbios.inf_amd64_98bded6d6f406ee7\mssmbios.PNF	dupdater.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ff03c77-f378-d645-b2e5-6dd6799c6157}\SETA50C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_e6c89cc58804e205\machine.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vdrvroot.inf_amd64_bf07d1948babd2cd\vdrvroot.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndisvirtualbus.inf_amd64_311b5482b2fc4ccc\ndisvirtualbus.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\basicdisplay.inf_amd64_85cec69e2fcef504\basicdisplay.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mssmbios.inf_amd64_98bded6d6f406ee7\mssmbios.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\volume.inf_amd64_58a93fc6c89329f3\volume.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\Temp\{9ff03c77-f378-d645-b2e5-6dd6799c6157}\SETA50D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_b0ca8be2ac09ed24\msmouse.PNF	dupdater.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ff03c77-f378-d645-b2e5-6dd6799c6157}\SETA50D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\swenum.inf_amd64_2272ffce58da1b4a\swenum.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\Temp\{9ff03c77-f378-d645-b2e5-6dd6799c6157}\SETA50B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\disk.inf_amd64_4411de1bdd5382d9\disk.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_74965e869fab271a\mshdc.PNF	dupdater.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ff03c77-f378-d645-b2e5-6dd6799c6157}\netrtl64.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hal.inf_amd64_46273d75d66bd849\hal.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_amd64_17acd95043918fe1\volsnap.PNF	dupdater.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ff03c77-f378-d645-b2e5-6dd6799c6157}\SETA50B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\printqueue.inf_amd64_eb83bfa648f15d52\printqueue.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\monitor.inf_amd64_72dbcbbbb0666b3f\monitor.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\umbus.inf_amd64_b2036a5d6cbf5691\umbus.PNF	dupdater.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ff03c77-f378-d645-b2e5-6dd6799c6157}\Rtnic64.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\printqueue.inf_amd64_eb83bfa648f15d52\printqueue.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_8e5f608c0111283d\usbport.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\pci.inf_amd64_4cf9a878972c8fa1\pci.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acpi.inf_amd64_2b4e9b8ed43ceb06\acpi.PNF	dupdater.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ff03c77-f378-d645-b2e5-6dd6799c6157}\Rtnic64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ff03c77-f378-d645-b2e5-6dd6799c6157}\RtNicProp64.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ff03c77-f378-d645-b2e5-6dd6799c6157}\SETA4FA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cdrom.inf_amd64_8343533b38a2a0da\cdrom.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\acpi.inf_amd64_2b4e9b8ed43ceb06\acpi.PNF	dupdater.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ff03c77-f378-d645-b2e5-6dd6799c6157}\SETA4FA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{9ff03c77-f378-d645-b2e5-6dd6799c6157}\SETA50B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_e15abe7d25aa2071\input.PNF	dupdater.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ff03c77-f378-d645-b2e5-6dd6799c6157}\netrtl64.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_82738beb7b514250\keyboard.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\swenum.inf_amd64_2272ffce58da1b4a\swenum.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rdpbus.inf_amd64_9e4fd69bbfb40126\rdpbus.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_b0ca8be2ac09ed24\msmouse.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\compositebus.inf_amd64_de4c68ea4fb1be53\compositebus.PNF	dupdater.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rdpbus.inf_amd64_9e4fd69bbfb40126\rdpbus.PNF	dupdater.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9ff03c77-f378-d645-b2e5-6dd6799c6157}\netrtl64.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\basicrender.inf_amd64_f1f1af29566626b0\basicrender.PNF	dupdater.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

dupdater.exedupdater.exe

pid process

4476 dupdater.exe
4476 dupdater.exe

Drops file in Program Files directory 34 IoCs

Processes:

DriverUpdaterSetup-2.7.0.1436.exeDriverUpdaterSetup-2.7.0.1436.exe

description	ioc	process
File created	C:\Program Files (x86)\Driver Updater\Qt5Gui.dll	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\Qt5Network.dll	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\DriverUpdaterUninstaller.exe	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\platforms\qwindows.dll	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\x64\	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\htmlayout.dll	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\DriverUpdaterUninstaller.exe	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\imageformats\	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\Qt5Core.dll	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\libcurl.dll	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\Qt5Xml.dll	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\libcurl.dll	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\Qt5Widgets.dll	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\Win32\	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\x64\Installer.exe	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\dupdater.exe	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\imageformats\qico.dll	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\platforms\	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\Qt5Network.dll	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\htmlayout.dll	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\imageformats\qico.dll	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\Qt5Xml.dll	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\Win32\Installer.exe	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\dupdater.exe	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\Qt5Core.dll	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\Qt5Widgets.dll	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\x64\Installer.exe	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\Qt5Gui.dll	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\Win32\	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\x64\	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\platforms\	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\platforms\qwindows.dll	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\imageformats\	DriverUpdaterSetup-2.7.0.1436.exe
File created	C:\Program Files (x86)\Driver Updater\Win32\Installer.exe	DriverUpdaterSetup-2.7.0.1436.exe

Drops file in Windows directory 4 IoCs

Processes:

DrvInst.exeInstaller.exeDrvInst.exeInstaller.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	Installer.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4284 3848 WerFault.exe InstallerDU__a591.exe
4284 3848 WerFault.exe InstallerDU__a591.exe

pid	pid_target	process	target process
4284	3848	WerFault.exe	InstallerDU__a591.exe
4284	3848	WerFault.exe	InstallerDU__a591.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

dupdater.exedupdater.exesvchost.exeInstaller.exesvchost.exeInstaller.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003\	dupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	dupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	dupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003\	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Class	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Class	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ContainerID	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	dupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Driver	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LocationInformation	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	dupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ContainerID	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver	dupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	dupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LocationInformation	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	Installer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceType	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Installer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	dupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	dupdater.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ClassGUID	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0003	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	dupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	dupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	dupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	Installer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ClassGUID	dupdater.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceCharacteristics	dupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	dupdater.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	dupdater.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exeDrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

dupdater.exedupdater.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	dupdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	dupdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c137e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	dupdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	dupdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	dupdater.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c137e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	dupdater.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

dupdater.exedupdater.exe

pid process

4476 dupdater.exe
4476 dupdater.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

DriverUpdaterSetup-2.7.0.1436.exedupdater.exeDriverUpdaterSetup-2.7.0.1436.exedupdater.exe

pid	process
4260	DriverUpdaterSetup-2.7.0.1436.exe
4260	DriverUpdaterSetup-2.7.0.1436.exe
4476	dupdater.exe
4476	dupdater.exe
4260	DriverUpdaterSetup-2.7.0.1436.exe
4260	DriverUpdaterSetup-2.7.0.1436.exe
4476	dupdater.exe
4476	dupdater.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

dupdater.exedupdater.exe

pid process

4476 dupdater.exe
4476 dupdater.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

svchost.exesvchost.exe

description	pid	process
Token: SeAuditPrivilege	4988	svchost.exe
Token: SeSecurityPrivilege	4988	svchost.exe
Token: SeAuditPrivilege	4988	svchost.exe
Token: SeSecurityPrivilege	4988	svchost.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

InstallerDU__a591.exeDriverUpdaterSetup-2.7.0.1436.exedupdater.exeInstaller.exeInstallerDU__a591.exeDriverUpdaterSetup-2.7.0.1436.exedupdater.exeInstaller.exe

pid	process
3848	InstallerDU__a591.exe
3848	InstallerDU__a591.exe
4260	DriverUpdaterSetup-2.7.0.1436.exe
4260	DriverUpdaterSetup-2.7.0.1436.exe
4260	DriverUpdaterSetup-2.7.0.1436.exe
4260	DriverUpdaterSetup-2.7.0.1436.exe
4476	dupdater.exe
4476	dupdater.exe
3832	Installer.exe
3848	InstallerDU__a591.exe
3848	InstallerDU__a591.exe
4260	DriverUpdaterSetup-2.7.0.1436.exe
4260	DriverUpdaterSetup-2.7.0.1436.exe
4260	DriverUpdaterSetup-2.7.0.1436.exe
4260	DriverUpdaterSetup-2.7.0.1436.exe
4476	dupdater.exe
4476	dupdater.exe
3832	Installer.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

InstallerDU__a591.exeDriverUpdaterSetup-2.7.0.1436.exedupdater.exesvchost.exeInstallerDU__a591.exeDriverUpdaterSetup-2.7.0.1436.exedupdater.exesvchost.exe

description	pid	process	target process
PID 3848 wrote to memory of 4260	3848	InstallerDU__a591.exe	DriverUpdaterSetup-2.7.0.1436.exe
PID 3848 wrote to memory of 4260	3848	InstallerDU__a591.exe	DriverUpdaterSetup-2.7.0.1436.exe
PID 3848 wrote to memory of 4260	3848	InstallerDU__a591.exe	DriverUpdaterSetup-2.7.0.1436.exe
PID 4260 wrote to memory of 4476	4260	DriverUpdaterSetup-2.7.0.1436.exe	dupdater.exe
PID 4260 wrote to memory of 4476	4260	DriverUpdaterSetup-2.7.0.1436.exe	dupdater.exe
PID 4260 wrote to memory of 4476	4260	DriverUpdaterSetup-2.7.0.1436.exe	dupdater.exe
PID 4476 wrote to memory of 3832	4476	dupdater.exe	Installer.exe
PID 4476 wrote to memory of 3832	4476	dupdater.exe	Installer.exe
PID 4988 wrote to memory of 4972	4988	svchost.exe	DrvInst.exe
PID 4988 wrote to memory of 4972	4988	svchost.exe	DrvInst.exe
PID 3848 wrote to memory of 4260	3848	InstallerDU__a591.exe	DriverUpdaterSetup-2.7.0.1436.exe
PID 3848 wrote to memory of 4260	3848	InstallerDU__a591.exe	DriverUpdaterSetup-2.7.0.1436.exe
PID 3848 wrote to memory of 4260	3848	InstallerDU__a591.exe	DriverUpdaterSetup-2.7.0.1436.exe
PID 4260 wrote to memory of 4476	4260	DriverUpdaterSetup-2.7.0.1436.exe	dupdater.exe
PID 4260 wrote to memory of 4476	4260	DriverUpdaterSetup-2.7.0.1436.exe	dupdater.exe
PID 4260 wrote to memory of 4476	4260	DriverUpdaterSetup-2.7.0.1436.exe	dupdater.exe
PID 4476 wrote to memory of 3832	4476	dupdater.exe	Installer.exe
PID 4476 wrote to memory of 3832	4476	dupdater.exe	Installer.exe
PID 4988 wrote to memory of 4972	4988	svchost.exe	DrvInst.exe
PID 4988 wrote to memory of 4972	4988	svchost.exe	DrvInst.exe

C:\Users\Admin\AppData\Local\Temp\InstallerDU__a591.exe
"C:\Users\Admin\AppData\Local\Temp\InstallerDU__a591.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3848

C:\Users\Admin\AppData\Local\Temp\DriverUpdaterSetup-2.7.0.1436.exe
"C:\Users\Admin\AppData\Local\Temp\DriverUpdaterSetup-2.7.0.1436.exe" /partnerId=a591 /vid=591
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4260

C:\Program Files (x86)\Driver Updater\dupdater.exe
"C:\Program Files (x86)\Driver Updater\dupdater.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4476

C:\Program Files (x86)\Driver Updater\x64\Installer.exe
"C:/Program Files (x86)/Driver Updater/x64/Installer.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 852
2⤵
- Program crash
PID:4284

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{eee047bf-7557-d942-8339-be5b2820633e}\netrtl64.inf" "9" "63f9b9907" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\users\admin\appdata\roaming\carambis\driver updater\unpack-temp"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4972

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "11" "PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18" "C:\Windows\INF\oem3.inf" "netrtl64.inf:a9e8526ee4bf707c:RTL8139a.ndi:6.111.723.2009:pci\ven_10ec&dev_8139&rev_20," "63f9b9907" "0000000000000174"
2⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\InstallerDU__a591.exe
"C:\Users\Admin\AppData\Local\Temp\InstallerDU__a591.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3848

C:\Users\Admin\AppData\Local\Temp\DriverUpdaterSetup-2.7.0.1436.exe
"C:\Users\Admin\AppData\Local\Temp\DriverUpdaterSetup-2.7.0.1436.exe" /partnerId=a591 /vid=591
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4260

C:\Program Files (x86)\Driver Updater\dupdater.exe
"C:\Program Files (x86)\Driver Updater\dupdater.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4476

C:\Program Files (x86)\Driver Updater\x64\Installer.exe
"C:/Program Files (x86)/Driver Updater/x64/Installer.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 852
2⤵
- Program crash
PID:4284

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{eee047bf-7557-d942-8339-be5b2820633e}\netrtl64.inf" "9" "63f9b9907" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\users\admin\appdata\roaming\carambis\driver updater\unpack-temp"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4972

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "11" "PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18" "C:\Windows\INF\oem3.inf" "netrtl64.inf:a9e8526ee4bf707c:RTL8139a.ndi:6.111.723.2009:pci\ven_10ec&dev_8139&rev_20," "63f9b9907" "0000000000000174"
2⤵
PID:3452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion