450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7

General

Target

450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe
Size

2.0MB
MD5

9a8acb498a1f1672e18481ccf6db6cc0
SHA1

6640c8ab4abbfe48fb2f67af919120fdb952a3b5
SHA256

450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7
SHA512

2059b3482171f93bce8ae3243b178ce36517aa7804e5161e57aeb5dc7fe3764ed311b9e5e51a10edaf5c3c643db98ee97cced324a9fd9cabf08c1d1566e31860
SSDEEP

24576:nUf5sknxaPeDJXXVr6fqkWj9FYnvHmerRW6RGieK8PEMoXsQnBXrP3I2IvrrP3b9:nUA0J1HiHg6RUFEMusQn5r422rTm2l

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4344	instdrv.exe
4320	instdrv.exe
2040	instdrv.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\instdrv.bat	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe
File opened for modification	C:\Windows\SysWOW64\Fixzr.sys	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe
File created	C:\Windows\SysWOW64\instdrvu.bat	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe
File created	C:\Windows\SysWOW64\instdrv.exe	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe
File created	C:\Windows\SysWOW64\Fixzr.sys	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3528	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe
3528	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
676	Process not Found
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1136	powercfg.exe
Token: SeCreatePagefilePrivilege	1136	powercfg.exe
Token: SeShutdownPrivilege	1136	powercfg.exe
Token: SeCreatePagefilePrivilege	1136	powercfg.exe
Token: SeDebugPrivilege	4344	instdrv.exe
Token: SeIncBasePriorityPrivilege	4344	instdrv.exe
Token: SeShutdownPrivilege	4108	powercfg.exe
Token: SeCreatePagefilePrivilege	4108	powercfg.exe
Token: SeShutdownPrivilege	4108	powercfg.exe
Token: SeCreatePagefilePrivilege	4108	powercfg.exe
Token: SeDebugPrivilege	4320	instdrv.exe
Token: SeIncBasePriorityPrivilege	4320	instdrv.exe
Token: SeDebugPrivilege	2040	instdrv.exe
Token: SeIncBasePriorityPrivilege	2040	instdrv.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4344	instdrv.exe
4320	instdrv.exe
2040	instdrv.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 3404	3528	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe	90
PID 3528 wrote to memory of 3404	3528	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe	90
PID 3528 wrote to memory of 3404	3528	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe	90
PID 3404 wrote to memory of 1136	3404	cmd.exe	91
PID 3404 wrote to memory of 1136	3404	cmd.exe	91
PID 3404 wrote to memory of 1136	3404	cmd.exe	91
PID 3404 wrote to memory of 4344	3404	cmd.exe	92
PID 3404 wrote to memory of 4344	3404	cmd.exe	92
PID 3404 wrote to memory of 4344	3404	cmd.exe	92
PID 3528 wrote to memory of 4196	3528	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe	99
PID 3528 wrote to memory of 4196	3528	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe	99
PID 3528 wrote to memory of 4196	3528	450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe	99
PID 4196 wrote to memory of 4108	4196	cmd.exe	100
PID 4196 wrote to memory of 4108	4196	cmd.exe	100
PID 4196 wrote to memory of 4108	4196	cmd.exe	100
PID 4196 wrote to memory of 4320	4196	cmd.exe	101
PID 4196 wrote to memory of 4320	4196	cmd.exe	101
PID 4196 wrote to memory of 4320	4196	cmd.exe	101
PID 4196 wrote to memory of 2040	4196	cmd.exe	102
PID 4196 wrote to memory of 2040	4196	cmd.exe	102
PID 4196 wrote to memory of 2040	4196	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe
"C:\Users\Admin\AppData\Local\Temp\450e875131486a694c9872649b1de6a0fea4304547e8c2238fafea7b2af86fb7.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\instdrv.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /h off
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- - C:\Windows\SysWOW64\instdrv.exe
    instdrv /i /s C:\Windows\SysWOW64\Fixzr.sys
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\instdrvu.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\SysWOW64\powercfg.exe
    powercfg /h off
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4108
- - C:\Windows\SysWOW64\instdrv.exe
    instdrv /i /s C:\Windows\SysWOW64\Fixzr.sys
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4320
- - C:\Windows\SysWOW64\instdrv.exe
    instdrv /u /s C:\Windows\SysWOW64\Fixzr.sys
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\instdrv.bat

Filesize
97B

MD5
89223060e1b20a55e2e2988ed8658bc6

SHA1
29577e1b75720d95f1c0efe64add4860dcb7ca93

SHA256
db85e58bde73a2e354c257fc197e1d1111482001365def78eef2fca37957f2cf

SHA512
51d0e0cf4ec221449a6bb6d53984d76bbaf60e803d51844140d4d9e016277efddcfce37965e3c09f7e3e984d8b922ab6c633202ef6b91883501877e05bf73589

Download Submit
C:\Windows\SysWOW64\instdrv.exe

Filesize
32KB

MD5
6f356e16020902a77d57fa44ff21c387

SHA1
ee9e2816170e9441690ebee28324f43046056712

SHA256
e0ba184fcf57a48769036984aff2c9700600bfb1a202d58d5a0464b97c66c03a

SHA512
37a48963d4f2696b8e2c79300cac097e302affa47668b3c64c7a91a7253bc1e84bb491c547ac45a3c18974266b1fa219ae1247b7f78ba36f3493f9f0aefad425

Download Submit
C:\Windows\SysWOW64\instdrv.exe

Filesize
32KB

MD5
6f356e16020902a77d57fa44ff21c387

SHA1
ee9e2816170e9441690ebee28324f43046056712

SHA256
e0ba184fcf57a48769036984aff2c9700600bfb1a202d58d5a0464b97c66c03a

SHA512
37a48963d4f2696b8e2c79300cac097e302affa47668b3c64c7a91a7253bc1e84bb491c547ac45a3c18974266b1fa219ae1247b7f78ba36f3493f9f0aefad425

Download Submit
C:\Windows\SysWOW64\instdrv.exe

Filesize
32KB

MD5
6f356e16020902a77d57fa44ff21c387

SHA1
ee9e2816170e9441690ebee28324f43046056712

SHA256
e0ba184fcf57a48769036984aff2c9700600bfb1a202d58d5a0464b97c66c03a

SHA512
37a48963d4f2696b8e2c79300cac097e302affa47668b3c64c7a91a7253bc1e84bb491c547ac45a3c18974266b1fa219ae1247b7f78ba36f3493f9f0aefad425

Download Submit
C:\Windows\SysWOW64\instdrv.exe

Filesize
32KB

MD5
6f356e16020902a77d57fa44ff21c387

SHA1
ee9e2816170e9441690ebee28324f43046056712

SHA256
e0ba184fcf57a48769036984aff2c9700600bfb1a202d58d5a0464b97c66c03a

SHA512
37a48963d4f2696b8e2c79300cac097e302affa47668b3c64c7a91a7253bc1e84bb491c547ac45a3c18974266b1fa219ae1247b7f78ba36f3493f9f0aefad425

Download Submit
C:\Windows\SysWOW64\instdrvu.bat

Filesize
142B

MD5
f694d0e23614578947d809432f72eaec

SHA1
b0b30734d46b38678d4155e8da15292d5b41b144

SHA256
49ac26b271bb4009267b04db826896b09f8000d725f85751ed5ed40f20d4b8ee

SHA512
a24cee8daf95147cb18629d8bdc0a52d13b762d166ccd14e598d76d8259184cd5ecb11570d0ba1dd90699f1f1d11de6d44de213c3e5b8969684514e6e8121bed

Download Submit
memory/3528-2-0x0000000003070000-0x0000000003077000-memory.dmp

Filesize
28KB

Download
memory/3528-14-0x0000000003080000-0x0000000003087000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing