Analysis

| Field | Value |
|---|---|
| max time kernel | 122s |
| max time network | 126s |
| platform | windows7_x64 |
| resource | win7-20231215-en |
| resource tags | arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system |
| submitted | 06/01/2024, 04:36 |
Tasks

Static task: static1

| Behavioral task | Sample | Resource |
|---|---|---|
| behavioral1 | Driver/2K_XP_COM/usbser.sys | win7-20231215-en |
| behavioral2 | Driver/2K_XP_COM/usbser.sys | win10v2004-20231215-en |
| behavioral3 | Driver/Vista/usbser.sys | win7-20231215-en |
| behavioral4 | Driver/Vista/usbser.sys | win10v2004-20231222-en |
| behavioral5 | Driver/Win7/usbser.sys | win7-20231215-en |
| behavioral6 | Driver/Win7/usbser.sys | win10v2004-20231222-en |
| behavioral7 | Driver/install_driver.exe | win7-20231215-en |
| behavioral8 | Driver/install_driver.exe | win10v2004-20231215-en |
| behavioral9 | Driver/installdrv64.exe | win7-20231129-en |
| behavioral10 | Driver/installdrv64.exe | win10v2004-20231222-en |
General

| Field | Value |
|---|---|
| Target | Driver/install_driver.exe |
| Size | 622KB |
| MD5 | 66519e67c90c3f2b86ee443e3b41415f |
| SHA1 | a09a2fbf06fefe6dfd85fc4c69008ade42b432c9 |
| SHA256 | 958d60178914ac74e36c4218279eec2b18760bab0ab97e7fed18005a691a4ba6 |
| SHA512 | 5dce8fc0404b539862d16db51c35b0bb70d6db0877046a6903ba83ae65e11c185eab100e73e1bf7972d420723710e5d76af94c3ad3de50452b8034e678c7cac4 |
| SSDEEP | 12288:byfUVjJQKXxXjjAZkU5UUXiy8Xtd9AsyG5/tAp3fLO6EwgbA6:byU82bU/Xiy8ZFAp3fLOH |
Malware Config
Signatures

Drops file in System32 directory (6 IoCs)

| Description | IoC | Process |
|---|---|---|
| File created | C:\Windows\System32\DriverStore\Temp\{1f259e9d-80b9-1566-d92f-014fa1eb0209}\SET344B.tmp | DrvInst.exe |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{1f259e9d-80b9-1566-d92f-014fa1eb0209}\usb2ser_Win764.inf | DrvInst.exe |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{1f259e9d-80b9-1566-d92f-014fa1eb0209}\SET344A.tmp | DrvInst.exe |
| File created | C:\Windows\System32\DriverStore\Temp\{1f259e9d-80b9-1566-d92f-014fa1eb0209}\SET344A.tmp | DrvInst.exe |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{1f259e9d-80b9-1566-d92f-014fa1eb0209}\usbser.sys | DrvInst.exe |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{1f259e9d-80b9-1566-d92f-014fa1eb0209}\SET344B.tmp | DrvInst.exe |

Drops file in Windows directory (3 IoCs)

| Description | IoC | Process |
|---|---|---|
| File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | installdrv64.exe |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | install_driver.exe |

Suspicious behavior: GetForegroundWindowSpam (1 IoC)

| PID | Process |
|---|---|
| 2736 | rundll32.exe |

Suspicious use of AdjustPrivilegeToken (28 IoCs; identical rows collapsed, with the number of occurrences in the last column)

| Description | PID | Process | Occurrences |
|---|---|---|---|
| Token: SeRestorePrivilege | 2436 | install_driver.exe | 14 |
| Token: SeRestorePrivilege | 2820 | DrvInst.exe | 7 |
| Token: SeRestorePrivilege | 2736 | rundll32.exe | 7 |

Suspicious use of SetWindowsHookEx (2 IoCs)

| PID | Process | Occurrences |
|---|---|---|
| 2436 | install_driver.exe | 2 |

Suspicious use of WriteProcessMemory (7 IoCs; identical rows collapsed, with the number of occurrences in the last column)

| Description | PID | Process | procid_target | Occurrences |
|---|---|---|---|---|
| PID 2436 wrote to memory of 3044 | 2436 | install_driver.exe | 29 | 4 |
| PID 2820 wrote to memory of 2736 | 2820 | DrvInst.exe | 31 | 3 |
Processes

1. C:\Users\Admin\AppData\Local\Temp\Driver\install_driver.exe (PID 2436)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Driver\install_driver.exe"
   Signatures:
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   1.1. C:\Users\Admin\AppData\Local\Temp\Driver\installdrv64.exe (PID 3044, child of PID 2436)
        Command line: installdrv64.exe UpdateDriverForPlugAndPlayDevices USB\Vid_0e8d&Pid_0003 "C:\Users\Admin\AppData\Local\Temp\Driver\Win7\usb2ser_Win764.inf"
        Signatures:
        - Drops file in Windows directory

2. C:\Windows\system32\DrvInst.exe (PID 2820)
   Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{21e238fa-7a52-103c-2bfe-27316af9c919}\usb2ser_Win764.inf" "9" "6fdf53997" "00000000000003C8" "WinSta0\Default" "000000000000058C" "208" "C:\Users\Admin\AppData\Local\Temp\Driver\Win7"
   Signatures:
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2.1. C:\Windows\system32\rundll32.exe (PID 2736, child of PID 2820)
        Command line: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{0e66504b-bc6f-19be-0bd3-483311f1a329} Global\{4422cd6b-e5bc-0e9d-bea8-fc6bf628e164} C:\Windows\System32\DriverStore\Temp\{1f259e9d-80b9-1566-d92f-014fa1eb0209}\usb2ser_Win764.inf
        Signatures:
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

| Filesize | MD5 | SHA1 | SHA256 | SHA512 |
|---|---|---|---|---|
| 25KB | 49106ee29074e6a3d3ac9e24c6d791d8 | 54b690cfd6b81b556239bc6409c408d26d9fafc6 | b96b19a92e720f284741f8a2dcb30a9423ad58ba8f795d4f2e30403ceef20099 | e6737b08ee1bdfcce4b59a02fa53507f894c8bc285e71e4fe8130e0046ff098847a245b1299f3f6120fa8ec54a53bb531f999eb6043aaaf4e499b97a8ac87a69 |
| 3KB | bccc7e837e3c0105830295b7a772d40f | 230e7173e5bd5631c78fd86d29602fe969805e9b | e3063428ed325a2c570677182ffb9df3c0821a706cd9f754ea5150aeaa98ac2e | eac0d13d56c83c9a1a492a79273a7952e00b2c631e77cd3a8895c496e8895d5f943521584aec10a8132ebb93f808539acf37ebf1da385ed336f8d3c9c7217122 |