e02061a4626f950b41d89c21e9a780f8aee5c5ddda7880b753d660db09117910

Analysis

max time kernel
242s
max time network
247s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01/05/2023, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

driver_booster_setup.exe
Size

27.6MB
MD5

ccc48304afa2e7c58492babc297db8a4
SHA1

decd98730cf34e1567965f6fb7085569fc1053e8
SHA256

e02061a4626f950b41d89c21e9a780f8aee5c5ddda7880b753d660db09117910
SHA512

79bd4dda233b714ecd6746c5f78f9d441852e333202fc74da6430d23d7dc1deadebb5a5608da63ac63ee0891a99ee259d3498d58ac59621226d8bf7862de4b04
SSDEEP

786432:e9ThknZ2E7r7s8OoqHeTfy3UjKt1tdypqVEB8YFj:e9ThknZ2+9OFHe7qO0dhEh

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 2 IoCs

pid	Process
1156	driver_booster_setup.tmp
1356	setup.exe

Loads dropped DLL 4 IoCs

pid	Process
2012	driver_booster_setup.exe
1156	driver_booster_setup.tmp
1156	driver_booster_setup.tmp
1156	driver_booster_setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1156	driver_booster_setup.tmp
1156	driver_booster_setup.tmp
1356	setup.exe
1356	setup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1156	driver_booster_setup.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1356	setup.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1156	2012	driver_booster_setup.exe	28
PID 2012 wrote to memory of 1156	2012	driver_booster_setup.exe	28
PID 2012 wrote to memory of 1156	2012	driver_booster_setup.exe	28
PID 2012 wrote to memory of 1156	2012	driver_booster_setup.exe	28
PID 2012 wrote to memory of 1156	2012	driver_booster_setup.exe	28
PID 2012 wrote to memory of 1156	2012	driver_booster_setup.exe	28
PID 2012 wrote to memory of 1156	2012	driver_booster_setup.exe	28
PID 1156 wrote to memory of 1356	1156	driver_booster_setup.tmp	29
PID 1156 wrote to memory of 1356	1156	driver_booster_setup.tmp	29
PID 1156 wrote to memory of 1356	1156	driver_booster_setup.tmp	29
PID 1156 wrote to memory of 1356	1156	driver_booster_setup.tmp	29
PID 1156 wrote to memory of 1356	1156	driver_booster_setup.tmp	29
PID 1156 wrote to memory of 1356	1156	driver_booster_setup.tmp	29
PID 1156 wrote to memory of 1356	1156	driver_booster_setup.tmp	29

C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe
"C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\is-2MF9P.tmp\driver_booster_setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-2MF9P.tmp\driver_booster_setup.tmp" /SL5="$C0122,28225140,139264,C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Users\Admin\AppData\Local\Temp\is-6MTIB.tmp-dbinst\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-6MTIB.tmp-dbinst\setup.exe" "C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe" /title="Driver Booster 10" /dbver=10.4.0.128 /eula="C:\Users\Admin\AppData\Local\Temp\is-6MTIB.tmp-dbinst\EULA.rtf" /showlearnmore /pmtproduct /nochromepmt
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IObit\iobitpromotion.ini

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\1682974120\ENGLISH.lng

Filesize
24KB

MD5
8e7f2723f0e72bc6abefca738c9c1ca4

SHA1
969a4a6f31e146040a101d526886ede9a7c5c432

SHA256
f3c690feab9ab2b7dea8ea6334b484768f19caaf85dfa14be2bce5e4fdbffd4b

SHA512
9a3efa9dd002394050cbd457adb67121fcae7a31b66b42e3d612725b9166bd76c4f8c73ed039226c16248461c7f4f1fb6cac91960b7bb57a3273fbd022b1e232

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2MF9P.tmp\driver_booster_setup.tmp

Filesize
1.2MB

MD5
68b52a0b8e3d45bf3b520a0e7f16dad1

SHA1
e50408326eafb5ca8adc70db29c33b64e25bbbbd

SHA256
b409d6d6f8896dc2afd1774479c741ca253c0e9b4732daaa08af84aa9c96888b

SHA512
b8e0b486e2b9652831eb8efe48cf9575eef49204e827a64d69ae7c9c30304b2d98a66c28f1072fe8596847c15f13bbf7ec39d7708684ff64051bbae7ed063faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6MTIB.tmp-dbinst\setup.exe

Filesize
5.8MB

MD5
3d403676517f6a99de035a04dc3f3f82

SHA1
ed69d8f485374dfb58a5b651b1f3f1bab8ee9541

SHA256
668f4f4ef277783cc66408d6631b63e9a24ffcd978834835fdb8fb2aa345a56e

SHA512
4ba6f75e9b518474bf9b846cda386bde0ca65233dd489b357b967e842af71ebca6e325b9fc9b8a0d1d775b16198ff31a6c2d2223797d2a3c490d5da001e8887e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6MTIB.tmp-dbinst\setup.exe

Filesize
5.8MB

MD5
3d403676517f6a99de035a04dc3f3f82

SHA1
ed69d8f485374dfb58a5b651b1f3f1bab8ee9541

SHA256
668f4f4ef277783cc66408d6631b63e9a24ffcd978834835fdb8fb2aa345a56e

SHA512
4ba6f75e9b518474bf9b846cda386bde0ca65233dd489b357b967e842af71ebca6e325b9fc9b8a0d1d775b16198ff31a6c2d2223797d2a3c490d5da001e8887e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6MTIB.tmp-dbinst\setup.exe

Filesize
5.8MB

MD5
3d403676517f6a99de035a04dc3f3f82

SHA1
ed69d8f485374dfb58a5b651b1f3f1bab8ee9541

SHA256
668f4f4ef277783cc66408d6631b63e9a24ffcd978834835fdb8fb2aa345a56e

SHA512
4ba6f75e9b518474bf9b846cda386bde0ca65233dd489b357b967e842af71ebca6e325b9fc9b8a0d1d775b16198ff31a6c2d2223797d2a3c490d5da001e8887e

Download Submit
\Users\Admin\AppData\Local\Temp\is-2MF9P.tmp\driver_booster_setup.tmp

Filesize
1.2MB

MD5
68b52a0b8e3d45bf3b520a0e7f16dad1

SHA1
e50408326eafb5ca8adc70db29c33b64e25bbbbd

SHA256
b409d6d6f8896dc2afd1774479c741ca253c0e9b4732daaa08af84aa9c96888b

SHA512
b8e0b486e2b9652831eb8efe48cf9575eef49204e827a64d69ae7c9c30304b2d98a66c28f1072fe8596847c15f13bbf7ec39d7708684ff64051bbae7ed063faf

Download Submit
\Users\Admin\AppData\Local\Temp\is-6MTIB.tmp-dbinst\setup.exe

Filesize
5.8MB

MD5
3d403676517f6a99de035a04dc3f3f82

SHA1
ed69d8f485374dfb58a5b651b1f3f1bab8ee9541

SHA256
668f4f4ef277783cc66408d6631b63e9a24ffcd978834835fdb8fb2aa345a56e

SHA512
4ba6f75e9b518474bf9b846cda386bde0ca65233dd489b357b967e842af71ebca6e325b9fc9b8a0d1d775b16198ff31a6c2d2223797d2a3c490d5da001e8887e

Download Submit
\Users\Admin\AppData\Local\Temp\is-6MTIB.tmp\DriverBooster.exe

Filesize
8.6MB

MD5
5ff2b8b8bf24896093f7e44374fabf95

SHA1
69bc407fe124e7e475a90cb9702f768a4b412da3

SHA256
77b5f3864c9ded87ccdc2c550d1ac107c918c224ee9aeada6f3fd8834f935d91

SHA512
391ea2b19131d73f194afc2ddd594f8648e6acd9c0a7fabffcff1fb27d83ddbd91367bfbf32f7b354d31ae931dea04b73045236eb98848d65fe4de8ee02fb50e

Download Submit
\Users\Admin\AppData\Local\Temp\is-6MTIB.tmp\DriverBooster.exe

Filesize
8.6MB

MD5
5ff2b8b8bf24896093f7e44374fabf95

SHA1
69bc407fe124e7e475a90cb9702f768a4b412da3

SHA256
77b5f3864c9ded87ccdc2c550d1ac107c918c224ee9aeada6f3fd8834f935d91

SHA512
391ea2b19131d73f194afc2ddd594f8648e6acd9c0a7fabffcff1fb27d83ddbd91367bfbf32f7b354d31ae931dea04b73045236eb98848d65fe4de8ee02fb50e

Download Submit
memory/1156-110-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1156-81-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1156-74-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1156-72-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1156-62-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1156-69-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1356-191-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/1356-117-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1356-121-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/1356-194-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/1356-195-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/1356-196-0x0000000002B40000-0x0000000002B80000-memory.dmp

Filesize
256KB

Download
memory/1356-213-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/1356-215-0x0000000002B40000-0x0000000002B80000-memory.dmp

Filesize
256KB

Download
memory/1356-216-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/1356-222-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/2012-113-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2012-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2012-54-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download