55ac28e0ee392e64e273b11e4b6ea2455cfe57395f2da35540b95f7c4d9e4046

General

Target

tmp.exe
Size

2.2MB
MD5

6c4aa8255e878893238d9d7c46594409
SHA1

3e7c7e3e6465de376c25faeb1193b09525385ead
SHA256

55ac28e0ee392e64e273b11e4b6ea2455cfe57395f2da35540b95f7c4d9e4046
SHA512

26e0b2174d00f7efa4e026eb027dd98327dd472547972ae5f02129aa87dd25b8c1d70bf17dc0cd5afc9986d662b748c33eef319b71799f906d984450e3dffc74
SSDEEP

24576:kdVpasknxaPeDJXXVr6fqkWj9FYnvHmerRW6RGieK8PEMoXsQnBXrP3I2IvrrP3v:Mx0J1HiHg6RUFEMusQn5r422rTm27

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 3 IoCs

Processes:

tmp.exe

description	ioc	process
File created	C:\Windows\SysWOW64\instdrv.exe	tmp.exe
File created	C:\Windows\SysWOW64\5T3J3KSC.sys	tmp.exe
File created	C:\Windows\SysWOW64\instdrv.bat	tmp.exe

Executes dropped EXE 1 IoCs

Processes:

instdrv.exe

pid process

980 instdrv.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

960 cmd.exe
960 cmd.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1156 taskkill.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
980	instdrv.exe

pid	process
960	cmd.exe
960	cmd.exe

pid	process
1156	taskkill.exe

pid	process
460

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

taskkill.exepowercfg.exeinstdrv.exe

description	pid	process
Token: SeDebugPrivilege	1156	taskkill.exe
Token: SeShutdownPrivilege	1320	powercfg.exe
Token: SeShutdownPrivilege	1320	powercfg.exe
Token: SeShutdownPrivilege	1320	powercfg.exe
Token: SeShutdownPrivilege	1320	powercfg.exe
Token: SeShutdownPrivilege	1320	powercfg.exe
Token: SeCreatePagefilePrivilege	1320	powercfg.exe
Token: SeDebugPrivilege	980	instdrv.exe
Token: SeIncBasePriorityPrivilege	980	instdrv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

tmp.exeinstdrv.exe

pid process

824 tmp.exe
980 instdrv.exe

pid	process
824	tmp.exe
980	instdrv.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

tmp.execmd.exe

description	pid	process	target process
PID 824 wrote to memory of 1156	824	tmp.exe	taskkill.exe
PID 824 wrote to memory of 1156	824	tmp.exe	taskkill.exe
PID 824 wrote to memory of 1156	824	tmp.exe	taskkill.exe
PID 824 wrote to memory of 1156	824	tmp.exe	taskkill.exe
PID 824 wrote to memory of 960	824	tmp.exe	cmd.exe
PID 824 wrote to memory of 960	824	tmp.exe	cmd.exe
PID 824 wrote to memory of 960	824	tmp.exe	cmd.exe
PID 824 wrote to memory of 960	824	tmp.exe	cmd.exe
PID 960 wrote to memory of 1320	960	cmd.exe	powercfg.exe
PID 960 wrote to memory of 1320	960	cmd.exe	powercfg.exe
PID 960 wrote to memory of 1320	960	cmd.exe	powercfg.exe
PID 960 wrote to memory of 1320	960	cmd.exe	powercfg.exe
PID 960 wrote to memory of 980	960	cmd.exe	instdrv.exe
PID 960 wrote to memory of 980	960	cmd.exe	instdrv.exe
PID 960 wrote to memory of 980	960	cmd.exe	instdrv.exe
PID 960 wrote to memory of 980	960	cmd.exe	instdrv.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im fix.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\SysWOW64\instdrv.bat
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\powercfg.exe
powercfg /h off
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\SysWOW64\instdrv.exe
instdrv /i /s C:\Windows\SysWOW64\5T3J3KSC.sys
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\instdrv.bat

Filesize
100B

MD5
4befdfd1fb6cddd4481fb5c30321407f

SHA1
e2e338575d0838ec9931dbe17666ba9a9b9e1aac

SHA256
2b22c30ff8cbeeebe462acd0766ca521a19e21e5d704c54a7707629fcf387502

SHA512
b6b50f9a591849c45a965d307c4c9ab1751d9c694c6c61c28c662253af13ed061ce3cb2ce473a9f8ccfa3469d6de4aad8f68fc01bbf172b26bb5b4c8ed5d9ed4

Download Submit
C:\Windows\SysWOW64\instdrv.bat

Filesize
100B

MD5
4befdfd1fb6cddd4481fb5c30321407f

SHA1
e2e338575d0838ec9931dbe17666ba9a9b9e1aac

SHA256
2b22c30ff8cbeeebe462acd0766ca521a19e21e5d704c54a7707629fcf387502

SHA512
b6b50f9a591849c45a965d307c4c9ab1751d9c694c6c61c28c662253af13ed061ce3cb2ce473a9f8ccfa3469d6de4aad8f68fc01bbf172b26bb5b4c8ed5d9ed4

Download Submit
C:\Windows\SysWOW64\instdrv.exe

Filesize
32KB

MD5
6f356e16020902a77d57fa44ff21c387

SHA1
ee9e2816170e9441690ebee28324f43046056712

SHA256
e0ba184fcf57a48769036984aff2c9700600bfb1a202d58d5a0464b97c66c03a

SHA512
37a48963d4f2696b8e2c79300cac097e302affa47668b3c64c7a91a7253bc1e84bb491c547ac45a3c18974266b1fa219ae1247b7f78ba36f3493f9f0aefad425

Download Submit
C:\Windows\SysWOW64\instdrv.exe

Filesize
32KB

MD5
6f356e16020902a77d57fa44ff21c387

SHA1
ee9e2816170e9441690ebee28324f43046056712

SHA256
e0ba184fcf57a48769036984aff2c9700600bfb1a202d58d5a0464b97c66c03a

SHA512
37a48963d4f2696b8e2c79300cac097e302affa47668b3c64c7a91a7253bc1e84bb491c547ac45a3c18974266b1fa219ae1247b7f78ba36f3493f9f0aefad425

Download Submit
\Windows\SysWOW64\instdrv.exe

Filesize
32KB

MD5
6f356e16020902a77d57fa44ff21c387

SHA1
ee9e2816170e9441690ebee28324f43046056712

SHA256
e0ba184fcf57a48769036984aff2c9700600bfb1a202d58d5a0464b97c66c03a

SHA512
37a48963d4f2696b8e2c79300cac097e302affa47668b3c64c7a91a7253bc1e84bb491c547ac45a3c18974266b1fa219ae1247b7f78ba36f3493f9f0aefad425

Download Submit
\Windows\SysWOW64\instdrv.exe

Filesize
32KB

MD5
6f356e16020902a77d57fa44ff21c387

SHA1
ee9e2816170e9441690ebee28324f43046056712

SHA256
e0ba184fcf57a48769036984aff2c9700600bfb1a202d58d5a0464b97c66c03a

SHA512
37a48963d4f2696b8e2c79300cac097e302affa47668b3c64c7a91a7253bc1e84bb491c547ac45a3c18974266b1fa219ae1247b7f78ba36f3493f9f0aefad425

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads