de96ed1e44c63ab6597e98d314fe01d9b2e9a711aefaf688d6e5238e602fbe28

Analysis

max time kernel
114s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2023, 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

intel网卡驱动prowinx64legacy.exe
Size

49.1MB
MD5

13ea4a941de2b3e70cc82c800d46fa8e
SHA1

c82c5e12225b45359a6fac59f6b20790a92a9614
SHA256

de96ed1e44c63ab6597e98d314fe01d9b2e9a711aefaf688d6e5238e602fbe28
SHA512

8ccde83c3fd6f9447b424c85e16852eba5184e9004605b6c857b2a1965eca242048d41ff79c58eea4ff0096bc1fbd10642b0d3022f96c90fbb1a76414a52df3c
SSDEEP

1572864:W2xqpzQ5VJD3LQ025f+K6v5f6u4YWN7aWFBuSYoB/tHd:5oA/QD+KE5sYquSRB/tHd

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	intel网卡驱动prowinx64legacy.exe

Executes dropped EXE 1 IoCs

pid	Process
5088	DxSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5088	DxSetup.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 5088	1536	intel网卡驱动prowinx64legacy.exe	84
PID 1536 wrote to memory of 5088	1536	intel网卡驱动prowinx64legacy.exe	84

C:\Users\Admin\AppData\Local\Temp\intel网卡驱动prowinx64legacy.exe
"C:\Users\Admin\AppData\Local\Temp\intel网卡驱动prowinx64legacy.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\apps\prosetdx\winx64Legacy\DxSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\apps\prosetdx\winx64Legacy\DxSetup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\APPS\PROSETDX\Winx64Legacy\DxSetup.exe

Filesize
365KB

MD5
43e5336bd4411d6a09d15e47a23d6aee

SHA1
b0d01433231d5427bd841849610c9f461632c59d

SHA256
2c6bde2f88b5530d1937ab40064e14381ff3b27100abf48c8f25c68ee6dff716

SHA512
41e86182615aba42ba9c39d611246480d0be03706517b8f2b36145474d3d22830137598814b0b84238c63f049e0008a9ae47060ca55b17c1dd8d3ba2a0485500

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\APPS\PROSETDX\Winx64Legacy\DxSetup.exe

Filesize
365KB

MD5
43e5336bd4411d6a09d15e47a23d6aee

SHA1
b0d01433231d5427bd841849610c9f461632c59d

SHA256
2c6bde2f88b5530d1937ab40064e14381ff3b27100abf48c8f25c68ee6dff716

SHA512
41e86182615aba42ba9c39d611246480d0be03706517b8f2b36145474d3d22830137598814b0b84238c63f049e0008a9ae47060ca55b17c1dd8d3ba2a0485500

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\APPS\TOOLS\DIAGS.EXE

Filesize
634KB

MD5
77b5121eff5d47599ea35dde713bae7a

SHA1
6f7cca2a37f3f231a4eeae6155f3b011398a1834

SHA256
58bd84773e92d61a4afab7a73232907a109daa8c7f983a80d0ba2861e92feac8

SHA512
e6826f481c71e3b483d9743784fbcb5d57675a0e986a288a5421824b5c7dca01b58c2fccf334d6a333718ab58a6b1d1f1d2f1753160bdd3684116b557063591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\APPS\TOOLS\DOCS\note.gif

Filesize
474B

MD5
cd682003d8db84eb0f4a4506f8cbc6eb

SHA1
7f7f79b456e5247b8225368f029fecc746c8e808

SHA256
37a9ccf06fbed727d2adce074dd365a6ed1eadcd9a747b70047ad00d1b508b62

SHA512
2bf8912578f4b1cf05f12e8ebb90310bb6242b256b4ecd6d3a1b5d86ed952349b2efa1745f70a89badc99cbec46b23dcdb6ee8175a66a203fe5083e233a98223

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DOCS\QUICK\DEU\note.gif

Filesize
1008B

MD5
d87f9b5d0ff89a7a668ba405c376063d

SHA1
7f481f93ae98b7d4431c130b4a6a4318e6f7a7eb

SHA256
1f9c3f6e8b8a9e624a265dcb993a6c43f74d06d6666959e8361638fa5fce0dd3

SHA512
1309b0816a00a76b478e78310939a134ae81d65fa7eb4e505536b2a065fbc97ae0fb523787d6122877001954f0234c04c38813cad7fd4172ff69cf01cf4bffac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DOCS\QUICK\DEU\style.css

Filesize
2KB

MD5
d924bce7907fae6e41f56fc10abd5e04

SHA1
5f9db74079f8f2ef5e1228fc2909f0cb74cf07e5

SHA256
3c3d292ea1e44c6ad190b264ed192115a2c3ae56126885ea605d466d7e5e2360

SHA512
ded7f874b1f7f9f8994b04aa1475c02a80ee112918836132556cbe601c31e7b1af4de79341f0536e12df62b1f1737ddae52dcc2c5c08f3ddb6f54abe2d77d149

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DOCS\QUICK\chs.gif

Filesize
263B

MD5
730c1bd040995f09f18bb9a67510a4c1

SHA1
332484dcdf386674387db9eb03e2e2c409438ce1

SHA256
0a5ab8798bf0b47c994e62f5318ac0efd29f0be6e7c13cff43504d1443013f79

SHA512
e2278219d524e82d8e3a811f4fcb8461f8ec618ea37de1830fb54b689a951fbc90b3c097f01f0739ef55eb80fcd63cf76ae325013a99356ebefaf487c48e0ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DOCS\QUICK\cht.gif

Filesize
279B

MD5
23acbde2b19d3c866c97ea7a0169d76a

SHA1
8ea13910f199293d91fea726bc4aee46ca1a4b55

SHA256
f452f6fb71d41dc8371fa3ec6a4f8ff569c54d7bb6a41615018d5032acb9768b

SHA512
c140ee7f1119df5f7353818e161e3f8906e57c18d5706cfd707b0480b728af94cc401d3aff1dc8dd58cef0f38f2b4d706ab3e7f676926487e73357ffabc1ff50

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DOCS\QUICK\deu.png

Filesize
640B

MD5
db29153ee815586c891ab13c4e28fda9

SHA1
6de02a86ffbb92aacb572b108f379839e117d471

SHA256
8b4b48acef596db5015be869c7bc3c2d83c6ba8fec8fdce5f54e73655b0a687d

SHA512
4a35e558e96eb35f6f07f0a839594fa8aedf8223734f108a0f8c80df508529421b07448fe56b954d47639c178924e07f0505a6c0808101fa50a85846d66c8021

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DOCS\QUICK\enu.png

Filesize
560B

MD5
ee8a5905aff472ae666defa7f435b02e

SHA1
735dd0c73eca08282035d1f3a2b051dc7329b1fe

SHA256
c2f3e641eaa3ff2c3ff745ecd4c2e5c6cc32b531f2f4cdb243be2c6cfc0df65f

SHA512
0a6dfb59ee49831169d56724c708ae91b876364819ecd4d16ac8280140f338fc8142ad2088c8e56f63ca880e8939ec39e515b2932d958f367359358c83f60f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DOCS\QUICK\esn.png

Filesize
651B

MD5
347661ce8ef86f1f381d8f932d4fd267

SHA1
4651b684fd5a1e5712e2ea022cf1a2d18e0c0e3e

SHA256
7c0b17f837007fa01d2c3e1cdb4c3b5aff092c1c76aebfda223248e312dc5792

SHA512
68566c84abcade819c77d9e85568b5d56159c3d3088a97da052eab30e95dd3af9d40a6c00ab184e2970fec270bc5be12e629ad118aca9aaff6757237f1e1c5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DOCS\QUICK\fra.png

Filesize
621B

MD5
f683583c07072e474f8f0ea21c811a6b

SHA1
6633794a62df9b27840e0871426ae2f7155f74ba

SHA256
6b8e58a8f8684a677306591cccb021b042e0b4bf271206bbc37753d6f6132536

SHA512
97285e9d1661cb27905108c5d1e0e91f16c74253c191f3c3e5b7cd4e66d6a1d17ceff6da35a3aba6f6cbb07feddb413b22d8604f49c20f5f470652ba2bd86445

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DOCS\QUICK\ita.png

Filesize
583B

MD5
632ec284f510be9023c0f0944c3352f0

SHA1
a944ded941a4d3f7babe6930d1a98f700a4e490b

SHA256
8866b82e11e5a42ba92335c7e37bb4f10abce0013e419a096b77a0ed50480969

SHA512
1f90fd5b77c50eee1bffdea63ab8a1d494036f8a590dbf59e52fef3730d77060071e211a194f1cef316c7eede8195131613ad56cf5dcf47df85622c24d82f4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DOCS\QUICK\jpn.gif

Filesize
242B

MD5
2896760a9644bdefca6094cc527e7a4d

SHA1
f254577b3c01fa8157a0206d9e38e605a7352e1f

SHA256
3266d106a81afbbde12116a698a9ef2472d420191262454d3f1d0e04898cce0d

SHA512
90fa1c19390e1c8f40254fe97e2ded10bdbb27e224d03e97879cda3297c99f4bf25b8e0a1f3e4c3b94c6c95403a7a1ac4a89cea6742cbc1eb610bb436103ad48

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DOCS\QUICK\kor.gif

Filesize
217B

MD5
d08b982c870318c45789d4003c921f5b

SHA1
cc270e5922b2db258ed7765cbbaafbf9d0373c08

SHA256
274f8b2682bcaeb747edb670ff8754939d2ffc6cf63411c9d06539814517ed27

SHA512
b6ed0eb4deae7c06ffa3799fd6b9b0b03f8616df689cc4308ddcde584092fc812fdea34a1b61e36f96c9c2e58b8416447f63528ce728af6603cec7960887468a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DOCS\QUICK\ptb.png

Filesize
763B

MD5
6b12466d81ec435548133c0e6af96ee0

SHA1
1d73398d806915c5162a2865413540625c91f764

SHA256
bbbfcdb71146c7d5d04beaa7e8488fd1813aaa0e6a26d9f07197f3a7e3421100

SHA512
e6a5dcd595b095f1789c7f1fd187d734e8ce9a2002960fc54a971be85c07a8dd7ac74989ed2a1bedf1a3b6acc603e5e64694add003b1b44324ea84e37978fc73

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PRO1000\Winx64\NDIS62\NicCo36.dll

Filesize
35KB

MD5
4aa441f4ad7491bdb2162f87a1da6a3a

SHA1
e48e237e886738de29d03a754cbee9bbfebc91dd

SHA256
56954c185a7d8ccd391c08fa998b59b13765688cd53bbcfc56e4fe2079b5e4bb

SHA512
0853115d14ab683c7e0c49cf3ac2e57ac64a36c7387c6dc777c17f8cfd03186244f0b8ee4a71afaf6f514f696096e0a6c5f413c0fc079f44829cd46adb78b23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PROXGB\Winx64\NDIS62\PROUnstl.exe

Filesize
421KB

MD5
c151c0044cd5f75105e728829c4185bf

SHA1
be8c22f742843e389fb816a983b5790610b3bde7

SHA256
f0a556986b0fd6032362e6ebd904a5bff9b32c051a11326f73022869f82d457e

SHA512
03efd950428599ee49a712cf7136cb9e85cbcca4f447582c15f62983f11ed17e03aa3303b9f90f641c65cfb7a81f2f36f61f5cba60821d5c5c58ce510420280c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\apps\prosetdx\winx64Legacy\DxSetup.exe

Filesize
365KB

MD5
43e5336bd4411d6a09d15e47a23d6aee

SHA1
b0d01433231d5427bd841849610c9f461632c59d

SHA256
2c6bde2f88b5530d1937ab40064e14381ff3b27100abf48c8f25c68ee6dff716

SHA512
41e86182615aba42ba9c39d611246480d0be03706517b8f2b36145474d3d22830137598814b0b84238c63f049e0008a9ae47060ca55b17c1dd8d3ba2a0485500

Download Submit