450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
14-11-2023 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe
Size

2.0MB
MD5

9a8acb498a1f1672e18481ccf6db6cc0
SHA1

6640c8ab4abbfe48fb2f67af919120fdb952a3b5
SHA256

450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7
SHA512

2059b3482171f93bce8ae3243b178ce36517aa7804e5161e57aeb5dc7fe3764ed311b9e5e51a10edaf5c3c643db98ee97cced324a9fd9cabf08c1d1566e31860
SSDEEP

24576:nUf5sknxaPeDJXXVr6fqkWj9FYnvHmerRW6RGieK8PEMoXsQnBXrP3I2IvrrP3b9:nUA0J1HiHg6RUFEMusQn5r422rTm2l

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2276	instdrv.exe
2596	instdrv.exe
1088	instdrv.exe

Loads dropped DLL 4 IoCs

pid	Process
2792	cmd.exe
2792	cmd.exe
2560	cmd.exe
2560	cmd.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\instdrv.exe	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe
File created	C:\Windows\SysWOW64\Fixzr.sys	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe
File created	C:\Windows\SysWOW64\instdrv.bat	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe
File opened for modification	C:\Windows\SysWOW64\Fixzr.sys	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe
File created	C:\Windows\SysWOW64\instdrvu.bat	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1600	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2752	powercfg.exe
Token: SeShutdownPrivilege	2752	powercfg.exe
Token: SeShutdownPrivilege	2752	powercfg.exe
Token: SeShutdownPrivilege	2752	powercfg.exe
Token: SeShutdownPrivilege	2752	powercfg.exe
Token: SeCreatePagefilePrivilege	2752	powercfg.exe
Token: SeDebugPrivilege	2276	instdrv.exe
Token: SeIncBasePriorityPrivilege	2276	instdrv.exe
Token: SeShutdownPrivilege	2584	powercfg.exe
Token: SeShutdownPrivilege	2584	powercfg.exe
Token: SeShutdownPrivilege	2584	powercfg.exe
Token: SeShutdownPrivilege	2584	powercfg.exe
Token: SeShutdownPrivilege	2584	powercfg.exe
Token: SeCreatePagefilePrivilege	2584	powercfg.exe
Token: SeDebugPrivilege	2596	instdrv.exe
Token: SeIncBasePriorityPrivilege	2596	instdrv.exe
Token: SeDebugPrivilege	1088	instdrv.exe
Token: SeIncBasePriorityPrivilege	1088	instdrv.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2276	instdrv.exe
2596	instdrv.exe
1088	instdrv.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2792	1600	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe	30
PID 1600 wrote to memory of 2792	1600	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe	30
PID 1600 wrote to memory of 2792	1600	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe	30
PID 1600 wrote to memory of 2792	1600	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe	30
PID 2792 wrote to memory of 2752	2792	cmd.exe	31
PID 2792 wrote to memory of 2752	2792	cmd.exe	31
PID 2792 wrote to memory of 2752	2792	cmd.exe	31
PID 2792 wrote to memory of 2752	2792	cmd.exe	31
PID 2792 wrote to memory of 2276	2792	cmd.exe	32
PID 2792 wrote to memory of 2276	2792	cmd.exe	32
PID 2792 wrote to memory of 2276	2792	cmd.exe	32
PID 2792 wrote to memory of 2276	2792	cmd.exe	32
PID 1600 wrote to memory of 2560	1600	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe	33
PID 1600 wrote to memory of 2560	1600	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe	33
PID 1600 wrote to memory of 2560	1600	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe	33
PID 1600 wrote to memory of 2560	1600	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe	33
PID 2560 wrote to memory of 2584	2560	cmd.exe	34
PID 2560 wrote to memory of 2584	2560	cmd.exe	34
PID 2560 wrote to memory of 2584	2560	cmd.exe	34
PID 2560 wrote to memory of 2584	2560	cmd.exe	34
PID 2560 wrote to memory of 2596	2560	cmd.exe	35
PID 2560 wrote to memory of 2596	2560	cmd.exe	35
PID 2560 wrote to memory of 2596	2560	cmd.exe	35
PID 2560 wrote to memory of 2596	2560	cmd.exe	35
PID 2560 wrote to memory of 1088	2560	cmd.exe	36
PID 2560 wrote to memory of 1088	2560	cmd.exe	36
PID 2560 wrote to memory of 1088	2560	cmd.exe	36
PID 2560 wrote to memory of 1088	2560	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe
"C:\Users\Admin\AppData\Local\Temp\450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\instdrv.bat
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /h off
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\SysWOW64\instdrv.exe
    instdrv /i /s C:\Windows\SysWOW64\Fixzr.sys
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\SysWOW64\instdrvu.bat
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /h off
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- - C:\Windows\SysWOW64\instdrv.exe
    instdrv /i /s C:\Windows\SysWOW64\Fixzr.sys
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2596
- - C:\Windows\SysWOW64\instdrv.exe
    instdrv /u /s C:\Windows\SysWOW64\Fixzr.sys
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\instdrv.bat

Filesize
97B

MD5
89223060e1b20a55e2e2988ed8658bc6

SHA1
29577e1b75720d95f1c0efe64add4860dcb7ca93

SHA256
db85e58bde73a2e354c257fc197e1d1111482001365def78eef2fca37957f2cf

SHA512
51d0e0cf4ec221449a6bb6d53984d76bbaf60e803d51844140d4d9e016277efddcfce37965e3c09f7e3e984d8b922ab6c633202ef6b91883501877e05bf73589

Download Submit
C:\Windows\SysWOW64\instdrv.bat

Filesize
97B

MD5
89223060e1b20a55e2e2988ed8658bc6

SHA1
29577e1b75720d95f1c0efe64add4860dcb7ca93

SHA256
db85e58bde73a2e354c257fc197e1d1111482001365def78eef2fca37957f2cf

SHA512
51d0e0cf4ec221449a6bb6d53984d76bbaf60e803d51844140d4d9e016277efddcfce37965e3c09f7e3e984d8b922ab6c633202ef6b91883501877e05bf73589

Download Submit
C:\Windows\SysWOW64\instdrv.exe

Filesize
32KB

MD5
6f356e16020902a77d57fa44ff21c387

SHA1
ee9e2816170e9441690ebee28324f43046056712

SHA256
e0ba184fcf57a48769036984aff2c9700600bfb1a202d58d5a0464b97c66c03a

SHA512
37a48963d4f2696b8e2c79300cac097e302affa47668b3c64c7a91a7253bc1e84bb491c547ac45a3c18974266b1fa219ae1247b7f78ba36f3493f9f0aefad425

Download Submit
C:\Windows\SysWOW64\instdrv.exe

Filesize
32KB

MD5
6f356e16020902a77d57fa44ff21c387

SHA1
ee9e2816170e9441690ebee28324f43046056712

SHA256
e0ba184fcf57a48769036984aff2c9700600bfb1a202d58d5a0464b97c66c03a

SHA512
37a48963d4f2696b8e2c79300cac097e302affa47668b3c64c7a91a7253bc1e84bb491c547ac45a3c18974266b1fa219ae1247b7f78ba36f3493f9f0aefad425

Download Submit
C:\Windows\SysWOW64\instdrv.exe

Filesize
32KB

MD5
6f356e16020902a77d57fa44ff21c387

SHA1
ee9e2816170e9441690ebee28324f43046056712

SHA256
e0ba184fcf57a48769036984aff2c9700600bfb1a202d58d5a0464b97c66c03a

SHA512
37a48963d4f2696b8e2c79300cac097e302affa47668b3c64c7a91a7253bc1e84bb491c547ac45a3c18974266b1fa219ae1247b7f78ba36f3493f9f0aefad425

Download Submit
C:\Windows\SysWOW64\instdrv.exe

Filesize
32KB

MD5
6f356e16020902a77d57fa44ff21c387

SHA1
ee9e2816170e9441690ebee28324f43046056712

SHA256
e0ba184fcf57a48769036984aff2c9700600bfb1a202d58d5a0464b97c66c03a

SHA512
37a48963d4f2696b8e2c79300cac097e302affa47668b3c64c7a91a7253bc1e84bb491c547ac45a3c18974266b1fa219ae1247b7f78ba36f3493f9f0aefad425

Download Submit
C:\Windows\SysWOW64\instdrvu.bat

Filesize
142B

MD5
f694d0e23614578947d809432f72eaec

SHA1
b0b30734d46b38678d4155e8da15292d5b41b144

SHA256
49ac26b271bb4009267b04db826896b09f8000d725f85751ed5ed40f20d4b8ee

SHA512
a24cee8daf95147cb18629d8bdc0a52d13b762d166ccd14e598d76d8259184cd5ecb11570d0ba1dd90699f1f1d11de6d44de213c3e5b8969684514e6e8121bed

Download Submit
C:\Windows\SysWOW64\instdrvu.bat

Filesize
142B

MD5
f694d0e23614578947d809432f72eaec

SHA1
b0b30734d46b38678d4155e8da15292d5b41b144

SHA256
49ac26b271bb4009267b04db826896b09f8000d725f85751ed5ed40f20d4b8ee

SHA512
a24cee8daf95147cb18629d8bdc0a52d13b762d166ccd14e598d76d8259184cd5ecb11570d0ba1dd90699f1f1d11de6d44de213c3e5b8969684514e6e8121bed

Download Submit
\Windows\SysWOW64\instdrv.exe

Filesize
32KB

MD5
6f356e16020902a77d57fa44ff21c387

SHA1
ee9e2816170e9441690ebee28324f43046056712

SHA256
e0ba184fcf57a48769036984aff2c9700600bfb1a202d58d5a0464b97c66c03a

SHA512
37a48963d4f2696b8e2c79300cac097e302affa47668b3c64c7a91a7253bc1e84bb491c547ac45a3c18974266b1fa219ae1247b7f78ba36f3493f9f0aefad425

Download Submit
\Windows\SysWOW64\instdrv.exe

Filesize
32KB

MD5
6f356e16020902a77d57fa44ff21c387

SHA1
ee9e2816170e9441690ebee28324f43046056712

SHA256
e0ba184fcf57a48769036984aff2c9700600bfb1a202d58d5a0464b97c66c03a

SHA512
37a48963d4f2696b8e2c79300cac097e302affa47668b3c64c7a91a7253bc1e84bb491c547ac45a3c18974266b1fa219ae1247b7f78ba36f3493f9f0aefad425

Download Submit
\Windows\SysWOW64\instdrv.exe

Filesize
32KB

MD5
6f356e16020902a77d57fa44ff21c387

SHA1
ee9e2816170e9441690ebee28324f43046056712

SHA256
e0ba184fcf57a48769036984aff2c9700600bfb1a202d58d5a0464b97c66c03a

SHA512
37a48963d4f2696b8e2c79300cac097e302affa47668b3c64c7a91a7253bc1e84bb491c547ac45a3c18974266b1fa219ae1247b7f78ba36f3493f9f0aefad425

Download Submit
\Windows\SysWOW64\instdrv.exe

Filesize
32KB

MD5
6f356e16020902a77d57fa44ff21c387

SHA1
ee9e2816170e9441690ebee28324f43046056712

SHA256
e0ba184fcf57a48769036984aff2c9700600bfb1a202d58d5a0464b97c66c03a

SHA512
37a48963d4f2696b8e2c79300cac097e302affa47668b3c64c7a91a7253bc1e84bb491c547ac45a3c18974266b1fa219ae1247b7f78ba36f3493f9f0aefad425

Download Submit
memory/1600-20-0x00000000023B0000-0x00000000023B7000-memory.dmp

Filesize
28KB

Download
memory/1600-2-0x00000000009F0000-0x00000000009F7000-memory.dmp

Filesize
28KB

Download