a146cf8b84d5e38a583fa9a69b922d2b6c78f55a995a0447b34a88c6f2449af3

General

Target

driver_booster_setup.exe
Size

29.1MB
MD5

176d5e834d6e8588b77b4f9f039297e8
SHA1

ede5a8e6ea191eb41f38b7c3609a8b9e3d71c3f3
SHA256

a146cf8b84d5e38a583fa9a69b922d2b6c78f55a995a0447b34a88c6f2449af3
SHA512

1a6d2e44ec18e701370e62fb70096ada429bb89897ef93d611c7b550517d2285079f6b9dd0969ff445d23a1fa63ffb1c3b3777e0a1e11e86acd5d8cd8d90e57c
SSDEEP

786432:UNuGPNGtIg+Wmt5f5oC7qz09Logz14lbgZw:UNusGCFWmLf5oAZzalx

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	driver_booster_setup.tmp

Executes dropped EXE 2 IoCs

pid	Process
4368	driver_booster_setup.tmp
3352	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4368	driver_booster_setup.tmp
4368	driver_booster_setup.tmp
4368	driver_booster_setup.tmp
4368	driver_booster_setup.tmp
3352	setup.exe
3352	setup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4368	driver_booster_setup.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3352	setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 4368	4312	driver_booster_setup.exe	82
PID 4312 wrote to memory of 4368	4312	driver_booster_setup.exe	82
PID 4312 wrote to memory of 4368	4312	driver_booster_setup.exe	82
PID 4368 wrote to memory of 3352	4368	driver_booster_setup.tmp	83
PID 4368 wrote to memory of 3352	4368	driver_booster_setup.tmp	83
PID 4368 wrote to memory of 3352	4368	driver_booster_setup.tmp	83

C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe
"C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Users\Admin\AppData\Local\Temp\is-3O6ML.tmp\driver_booster_setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3O6ML.tmp\driver_booster_setup.tmp" /SL5="$50090,29778900,139264,C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Users\Admin\AppData\Local\Temp\is-A6IMB.tmp-dbinst\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-A6IMB.tmp-dbinst\setup.exe" "C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe" /title="Driver Booster 11" /dbver=11.0.0.21 /eula="C:\Users\Admin\AppData\Local\Temp\is-A6IMB.tmp-dbinst\EULA.rtf" /showlearnmore /pmtproduct /nochromepmt
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IObit\iobitpromotion.ini

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\1695047436\ENGLISH.lng

Filesize
24KB

MD5
6265a3d8b6ea027b596c0c6e9afd5c38

SHA1
4502ff9bccfcbee6d6fc5d65e5381288f2d9f3a0

SHA256
193facd48ea0e183c7825c5efa2638c594cb73d9b40a1505a5ce14b478c6fb2e

SHA512
54b3492a3f4bfaf9f6b02b6d95710a5f7b0b8ef1078623ea77303f253bd0e1d44dad3e725afe0afa12a433b21b8d0cfea55c0214bf09213de7a3cebbf78fd8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\appver-ac.ini

Filesize
852B

MD5
d9ce701424b850ef8ae544e661868110

SHA1
a78819b10dafb4fc4334b5401c1d55b6f1c75aeb

SHA256
900670772ad4957ec82d45eea253fde657452ad709eb3f477559e1cd0f76995f

SHA512
95572ca0bbf91c39b6c2bdd1d9f5bf0e42da6fd83e06ded16c1b823e87b6664ed71ea026f3decd402b89f5a94f1af4760fd38548a8d6e2ec2d72141bbfe09af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3O6ML.tmp\driver_booster_setup.tmp

Filesize
1.2MB

MD5
68b52a0b8e3d45bf3b520a0e7f16dad1

SHA1
e50408326eafb5ca8adc70db29c33b64e25bbbbd

SHA256
b409d6d6f8896dc2afd1774479c741ca253c0e9b4732daaa08af84aa9c96888b

SHA512
b8e0b486e2b9652831eb8efe48cf9575eef49204e827a64d69ae7c9c30304b2d98a66c28f1072fe8596847c15f13bbf7ec39d7708684ff64051bbae7ed063faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A6IMB.tmp-dbinst\setup.exe

Filesize
5.8MB

MD5
e17fcb38300501b2285179b0b1ace9b1

SHA1
584e0db0709cc6e0239f15f9ca145b2954af8a7d

SHA256
8cc6c79137b3f203ebf70f485d581fcc39d677f978b7dd821eca5194b85f6480

SHA512
d1a3849d397a50ce5862b62d9eb8115434933a79eb88dee64a1f4f03bd9eb9091ff3d25b592b04b42ef1354bc115470563d9a013f85407da91d1f511bc687921

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A6IMB.tmp-dbinst\setup.exe

Filesize
5.8MB

MD5
e17fcb38300501b2285179b0b1ace9b1

SHA1
584e0db0709cc6e0239f15f9ca145b2954af8a7d

SHA256
8cc6c79137b3f203ebf70f485d581fcc39d677f978b7dd821eca5194b85f6480

SHA512
d1a3849d397a50ce5862b62d9eb8115434933a79eb88dee64a1f4f03bd9eb9091ff3d25b592b04b42ef1354bc115470563d9a013f85407da91d1f511bc687921

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A6IMB.tmp-dbinst\setup.exe

Filesize
5.8MB

MD5
e17fcb38300501b2285179b0b1ace9b1

SHA1
584e0db0709cc6e0239f15f9ca145b2954af8a7d

SHA256
8cc6c79137b3f203ebf70f485d581fcc39d677f978b7dd821eca5194b85f6480

SHA512
d1a3849d397a50ce5862b62d9eb8115434933a79eb88dee64a1f4f03bd9eb9091ff3d25b592b04b42ef1354bc115470563d9a013f85407da91d1f511bc687921

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A6IMB.tmp\EULA.rtf

Filesize
28KB

MD5
b0381f0ba7ead83ea3bd882c1de4cd48

SHA1
c740f811623061595d76fce2ebb4e69d34316f3b

SHA256
44bc9472169403484a0d384f1ca81989ef7e4b07441758e8a0110078933cbcb5

SHA512
6cfb8bc562d22843d043411720db97d0b4cbac96a20983d83d19e59b8428ec202f2532cc5af254438dc34fca4161abbd3f6bac8d397590e41b6d41e60700e78a

Download Submit
memory/3352-61-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/3352-165-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/3352-164-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/3352-138-0x0000000003100000-0x0000000003110000-memory.dmp

Filesize
64KB

Download
memory/3352-166-0x0000000003100000-0x0000000003110000-memory.dmp

Filesize
64KB

Download
memory/4312-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4312-1-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4312-23-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4368-32-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/4368-58-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/4368-33-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/4368-6-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing