dca710d1a0ba14a54229b5d88b46def4a7db4bf55ec0c898d600099a569b8552

Analysis

max time kernel
120s
max time network
144s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x64/tap-driver/install.bat
Size

124B
MD5

8c131f20776352ecab095e66d122f6aa
SHA1

d8c25830df67b0b704ae753ee4e2d8d219f7f618
SHA256

c76be0a1160d03700c2dce2a67a4485c54d007819f596f5c12064da4c47123bc
SHA512

1745248472cf92dd1d1d80bc0e3549ad5686f287b18b612b68091173bce6b7b54f22ebd43c7bf53743602df8e5b34250e82554ec11656475735f59abe52202bb

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{41d08f1a-6ed7-18c5-8cc8-f84abb7e2575}\SET9CDC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{41d08f1a-6ed7-18c5-8cc8-f84abb7e2575}\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{41d08f1a-6ed7-18c5-8cc8-f84abb7e2575}\SET9CDD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{41d08f1a-6ed7-18c5-8cc8-f84abb7e2575}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{41d08f1a-6ed7-18c5-8cc8-f84abb7e2575}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{41d08f1a-6ed7-18c5-8cc8-f84abb7e2575}\SET9CDC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{41d08f1a-6ed7-18c5-8cc8-f84abb7e2575}\SET9CDD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{41d08f1a-6ed7-18c5-8cc8-f84abb7e2575}\SET9CDB.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{41d08f1a-6ed7-18c5-8cc8-f84abb7e2575}\SET9CDB.tmp	DrvInst.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	tapinstall.exe

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2808	rundll32.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeRestorePrivilege	2080	tapinstall.exe
Token: SeRestorePrivilege	2080	tapinstall.exe
Token: SeRestorePrivilege	2080	tapinstall.exe
Token: SeRestorePrivilege	2080	tapinstall.exe
Token: SeRestorePrivilege	2080	tapinstall.exe
Token: SeRestorePrivilege	2080	tapinstall.exe
Token: SeRestorePrivilege	2080	tapinstall.exe
Token: SeRestorePrivilege	2080	tapinstall.exe
Token: SeRestorePrivilege	2080	tapinstall.exe
Token: SeRestorePrivilege	2080	tapinstall.exe
Token: SeRestorePrivilege	2080	tapinstall.exe
Token: SeRestorePrivilege	2080	tapinstall.exe
Token: SeRestorePrivilege	2080	tapinstall.exe
Token: SeRestorePrivilege	2080	tapinstall.exe
Token: SeRestorePrivilege	1976	DrvInst.exe
Token: SeRestorePrivilege	1976	DrvInst.exe
Token: SeRestorePrivilege	1976	DrvInst.exe
Token: SeRestorePrivilege	1976	DrvInst.exe
Token: SeRestorePrivilege	1976	DrvInst.exe
Token: SeRestorePrivilege	1976	DrvInst.exe
Token: SeRestorePrivilege	1976	DrvInst.exe
Token: SeRestorePrivilege	1976	DrvInst.exe
Token: SeRestorePrivilege	1976	DrvInst.exe
Token: SeRestorePrivilege	1976	DrvInst.exe
Token: SeRestorePrivilege	1976	DrvInst.exe
Token: SeRestorePrivilege	1976	DrvInst.exe
Token: SeRestorePrivilege	1976	DrvInst.exe
Token: SeRestorePrivilege	1976	DrvInst.exe
Token: SeRestorePrivilege	2808	rundll32.exe
Token: SeRestorePrivilege	2808	rundll32.exe
Token: SeRestorePrivilege	2808	rundll32.exe
Token: SeRestorePrivilege	2808	rundll32.exe
Token: SeRestorePrivilege	2808	rundll32.exe
Token: SeRestorePrivilege	2808	rundll32.exe
Token: SeRestorePrivilege	2808	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2080	2672	cmd.exe	29
PID 2672 wrote to memory of 2080	2672	cmd.exe	29
PID 2672 wrote to memory of 2080	2672	cmd.exe	29
PID 1976 wrote to memory of 2808	1976	DrvInst.exe	31
PID 1976 wrote to memory of 2808	1976	DrvInst.exe	31
PID 1976 wrote to memory of 2808	1976	DrvInst.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\x64\tap-driver\install.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\x64\tap-driver\tapinstall.exe
  tapinstall.exe install OemVista.inf tap0901
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2080

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{445d3a66-4af7-63d9-abb0-bf426dd07262}\oemvista.inf" "9" "6d14a44ff" "0000000000000328" "WinSta0\Default" "0000000000000560" "208" "c:\users\admin\appdata\local\temp\x64\tap-driver"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{63ec5193-a622-48d1-2a23-ea14745ce07e} Global\{284370a8-a4e7-34c9-5376-1e12bb65ba39} C:\Windows\System32\DriverStore\Temp\{41d08f1a-6ed7-18c5-8cc8-f84abb7e2575}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{41d08f1a-6ed7-18c5-8cc8-f84abb7e2575}\tap0901.cat
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab9907.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9948.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{445D3~1\tap0901.sys

Filesize
26KB

MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{445d3a66-4af7-63d9-abb0-bf426dd07262}\oemvista.inf

Filesize
7KB

MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Users\Admin\AppData\Local\Temp\{445d3a66-4af7-63d9-abb0-bf426dd07262}\tap0901.cat

Filesize
19KB

MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
C:\Windows\System32\DriverStore\Temp\{41d08f1a-6ed7-18c5-8cc8-f84abb7e2575}\SET9CDB.tmp

Filesize
7KB

MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Windows\System32\DriverStore\Temp\{41d08f1a-6ed7-18c5-8cc8-f84abb7e2575}\SET9CDC.tmp

Filesize
19KB

MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
C:\Windows\System32\DriverStore\Temp\{41d08f1a-6ed7-18c5-8cc8-f84abb7e2575}\SET9CDD.tmp

Filesize
26KB

MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
C:\Windows\System32\DriverStore\Temp\{41d08f1a-6ed7-18c5-8cc8-f84abb7e2575}\oemvista.inf

Filesize
7KB

MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Windows\System32\DriverStore\Temp\{41d08f1a-6ed7-18c5-8cc8-f84abb7e2575}\tap0901.cat

Filesize
19KB

MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
C:\Windows\Temp\Cab9D3B.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar9D7C.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
memory/2808-175-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2808-176-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download