b5b23f72ca2b97b42bc66040ffcfcddb8e5cf0e164464a5631ef2dd8f017985b

Resubmissions

12-02-2024 20:06

240212-yvjapabd8w 7

Analysis

max time kernel
38s
max time network
19s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

driver-magician-6-0.exe
Size

5.9MB
MD5

17fc5c203f4e8b3e3b7a463fd939f57a
SHA1

12ec48b63e89cb78fb47571e9c27b0a4e562bc82
SHA256

b5b23f72ca2b97b42bc66040ffcfcddb8e5cf0e164464a5631ef2dd8f017985b
SHA512

3ebfd9444dac6becfafcdf060bf543e2ab6765c2f9e6b78b7877fc21afea3e2e8ca6f21045baaa8f66ae0571ab688b4efcb177fb0dbc6c5839ceb4c9452a3de3
SSDEEP

98304:FkLyusBFthivcrmEtw2r9mfuNy/wSuoAcu3lumwIICdSvOFg4XYq:GyusBnUvcyEO2hmf2K/AGmwIIESvOFgm

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

driver-magician-6-0.tmpDriver Magician.exe

pid process

2880 driver-magician-6-0.tmp
2024 Driver Magician.exe

pid	process
2880	driver-magician-6-0.tmp
2024	Driver Magician.exe

Loads dropped DLL 14 IoCs

Processes:

driver-magician-6-0.exedriver-magician-6-0.tmpregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeDriver Magician.exe

pid	process
2096	driver-magician-6-0.exe
2880	driver-magician-6-0.tmp
2880	driver-magician-6-0.tmp
2880	driver-magician-6-0.tmp
1608	regsvr32.exe
560	regsvr32.exe
2896	regsvr32.exe
1740	regsvr32.exe
1956	regsvr32.exe
2880	driver-magician-6-0.tmp
2024	Driver Magician.exe
2024	Driver Magician.exe
2024	Driver Magician.exe
2024	Driver Magician.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 8 IoCs

Processes:

driver-magician-6-0.tmp

description	ioc	process
File created	C:\Windows\SysWOW64\is-O9GQ3.tmp	driver-magician-6-0.tmp
File created	C:\Windows\SysWOW64\is-1JLHD.tmp	driver-magician-6-0.tmp
File created	C:\Windows\SysWOW64\is-I5NA6.tmp	driver-magician-6-0.tmp
File created	C:\Windows\SysWOW64\is-18QRD.tmp	driver-magician-6-0.tmp
File created	C:\Windows\SysWOW64\is-U1PRP.tmp	driver-magician-6-0.tmp
File opened for modification	C:\Windows\SysWOW64\XCEEDZIP.DLL	driver-magician-6-0.tmp
File opened for modification	C:\Windows\SysWOW64\XceedCry.dll	driver-magician-6-0.tmp
File created	C:\Windows\SysWOW64\is-FOOT9.tmp	driver-magician-6-0.tmp

Drops file in Program Files directory 33 IoCs

Processes:

driver-magician-6-0.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Driver Magician\Help.chm	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\is-V0VST.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\Language\is-QRSVH.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\Language\is-VCSQ7.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\Language\is-FM1MU.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\Language\is-D8FDF.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\Language\is-79FH6.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\Language\is-0V9G4.tmp	driver-magician-6-0.tmp
File opened for modification	C:\Program Files (x86)\Driver Magician\Driver Magician.exe	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\is-VM14B.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\Language\is-HP41R.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\Language\is-CD10P.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\Language\is-754GJ.tmp	driver-magician-6-0.tmp
File opened for modification	C:\Program Files (x86)\Driver Magician\AutoIntall.dll	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\is-L9O5P.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\is-VNOD3.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\is-SLVAR.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\Language\is-EE6S4.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\unins000.dat	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\is-33E63.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\is-92GH6.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\Language\is-EOMKL.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\Language\is-JRBE9.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\Language\is-582OB.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\is-9HRF1.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\is-OS0ER.tmp	driver-magician-6-0.tmp
File opened for modification	C:\Program Files (x86)\Driver Magician\unins000.dat	driver-magician-6-0.tmp
File opened for modification	C:\Program Files (x86)\Driver Magician\DutchHelp.chm	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\is-7D857.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\is-ST9FR.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\is-R7F46.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\Language\is-9FRFJ.tmp	driver-magician-6-0.tmp
File created	C:\Program Files (x86)\Driver Magician\is-8GTE6.tmp	driver-magician-6-0.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\AlternateCLSID = "{24B224E0-9545-4A2F-ABD5-86AA8A849385}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\AlternateCLSID = "{627C8B79-918A-4C5C-9E19-20F66BF30B86}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\AlternateCLSID = "{F91CAF91-225B-43A7-BB9E-472F991FC402}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\AlternateCLSID = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\AlternateCLSID = "{7DC6F291-BF55-4E50-B619-EF672D9DCC58}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{A0E7BF67-8D30-4620-8825-7111714C7CAB}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\AlternateCLSID = "{996BF5E0-8044-4650-ADEB-0B013914E99C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\AlternateCLSID = "{0B314611-2C19-4AB4-8513-A6EEA569D3C4}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}"	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{676B9842-AE6D-46A8-BC77-CEE7D5CE9ED7}\TypeLib\Version = "f.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E5012C11-D6F7-4A60-BC80-6B4D58112A97}\TypeLib\Version = "f.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{501C18D1-5C4B-40AD-916B-5F7D03A172FC}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{452D1A71-D746-4642-A385-16F249BB6A62}\ProgID\ = "Codejock.ColorPicker.15.0.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63C40CBE-DE43-4B56-BCEB-E14B825CF245}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FFA1CBE6-4B44-4BEE-A7A8-8F5954390D95}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{472644B1-DFF0-4E26-AA07-8E6A8A2FBC68}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XceedSoftware.XceedCompression\CLSID\ = "{4C836512-BB70-11D2-A5A7-00105A9C91C6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{262438B0-034B-4EFA-A7D8-94E409B7F8F1}\TypeLib\ = "{A8E5842E-102B-4289-9D57-3B3F5B5E15D3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD23520C-D0DC-4E43-8B92-55946D1A8DFE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2807140-9E73-4596-8EBC-431BDAD8378F}\ = "ListViewSubItems"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5EB30058-7F70-434B-9679-BEAB0B8EC24A}\TypeLib\ = "{A8E5842E-102B-4289-9D57-3B3F5B5E15D3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Codejock.SuiteControlsGlobalSettings.15.0.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{719F2456-91BE-41E3-99D4-9F8779E0CC96}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE41-8596-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\ = "Microsoft StatusBar Control 6.0 (SP6)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C3271080-C57A-4520-8066-337AD212D7E0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B169540-E640-4DC4-AB7A-F9A8653DCCA1}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FFA1CBE6-4B44-4BEE-A7A8-8F5954390D95}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F91CAF91-225B-43A7-BB9E-472F991FC402}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7EC04D5B-19A8-45EE-BCB0-6FE0067F9468}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A20-8589-11D1-B16A-00C0F0283628}\ = "IProgressBar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD460BB5-0812-4ABB-A880-0ACA321C45AA}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C6B66937-CF42-4D20-AA31-4A441110286D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{252313A9-ADC2-4EB4-A900-8EDD4ED3A5EE}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F0597324-1EAC-41B0-B805-DB4D12DF9E39}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A56F6C0F-BCC7-48A0-B69E-6DD726B9B309}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F87BE9B-8784-4B18-976D-F889C1F8B1E9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A850265F-5F2E-46DB-ACF2-A9D4CF071D8A}\TypeLib\Version = "f.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{394723D1-9A8A-4D0C-8B12-14861055B0E0}\ProgID\ = "Codejock.PushButton.15.0.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F22-8591-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F066CCAD-163A-4617-BA3C-BA4A4F80320C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B169540-E640-4DC4-AB7A-F9A8653DCCA1}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE36-8596-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Windows\\SysWow64\\Mscomctl.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EC716DE-9CE6-4D40-B6C5-3B9425FBB55A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{14AD72F3-2797-45D9-B88D-A14E501CDB71}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C8A3DC00-8593-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CC6FD600-EE1D-11D4-801A-0060082AE372}\TypeLib\Version = "5.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A02A65C1-50E4-4E5D-B9D0-625D5DEBC671}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00E032CB-FBBC-40DB-846D-05B2CE330888}\ = "_DScrollBarEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{981E24C0-DF46-446A-974B-9351D7BA750A}\MiscStatus\1\ = "132241"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XceedSoftware.XceedCompression\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBA63CAC-9913-4A13-9212-E97BB70C05C9}\VersionIndependentProgID\ = "Xceed.RijndaelEncryptionMethod"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B1DF796D-D274-417F-9252-4A5836D0A0C9}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Xceed.RijndaelEncryptionMethod.1\CLSID\ = "{BBA63CAC-9913-4A13-9212-E97BB70C05C9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0379F6F-AB5E-4C8E-97A7-E02F99ACDA71}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5557BE9B-8784-4B18-976D-F889C1F8B1E9}\TypeLib\Version = "f.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Codejock.ComboBox.15.0.1\CLSID\ = "{4048817E-E033-4F20-B5FE-E5D901D6F575}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA6B5922-F0DE-4460-B40A-108EDBB5BE37}\TypeLib\Version = "f.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6CF5F10-5E4F-4944-A197-404F68CEE0F8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC796ACC-5FFB-4A6C-8A0B-80CBF7820D53}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

driver-magician-6-0.tmp

pid process

2880 driver-magician-6-0.tmp
2880 driver-magician-6-0.tmp
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Driver Magician.exe

pid process

2024 Driver Magician.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Driver Magician.exe

description pid process

Token: SeRestorePrivilege 2024 Driver Magician.exe
Token: SeBackupPrivilege 2024 Driver Magician.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

driver-magician-6-0.tmp

pid process

2880 driver-magician-6-0.tmp
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Driver Magician.exe

pid process

2024 Driver Magician.exe
2024 Driver Magician.exe

pid	process
2880	driver-magician-6-0.tmp
2880	driver-magician-6-0.tmp

pid	process
2024	Driver Magician.exe

description	pid	process
Token: SeRestorePrivilege	2024	Driver Magician.exe
Token: SeBackupPrivilege	2024	Driver Magician.exe

pid	process
2880	driver-magician-6-0.tmp

pid	process
2024	Driver Magician.exe
2024	Driver Magician.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

driver-magician-6-0.exedriver-magician-6-0.tmp

description	pid	process	target process
PID 2096 wrote to memory of 2880	2096	driver-magician-6-0.exe	driver-magician-6-0.tmp
PID 2096 wrote to memory of 2880	2096	driver-magician-6-0.exe	driver-magician-6-0.tmp
PID 2096 wrote to memory of 2880	2096	driver-magician-6-0.exe	driver-magician-6-0.tmp
PID 2096 wrote to memory of 2880	2096	driver-magician-6-0.exe	driver-magician-6-0.tmp
PID 2096 wrote to memory of 2880	2096	driver-magician-6-0.exe	driver-magician-6-0.tmp
PID 2096 wrote to memory of 2880	2096	driver-magician-6-0.exe	driver-magician-6-0.tmp
PID 2096 wrote to memory of 2880	2096	driver-magician-6-0.exe	driver-magician-6-0.tmp
PID 2880 wrote to memory of 1608	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1608	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1608	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1608	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1608	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1608	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1608	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 560	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 560	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 560	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 560	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 560	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 560	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 560	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1992	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1992	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1992	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1992	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1992	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1992	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1992	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 2896	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 2896	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 2896	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 2896	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 2896	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 2896	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 2896	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1740	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1740	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1740	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1740	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1740	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1740	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1740	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1956	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1956	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1956	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1956	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1956	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1956	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 1956	2880	driver-magician-6-0.tmp	regsvr32.exe
PID 2880 wrote to memory of 2024	2880	driver-magician-6-0.tmp	Driver Magician.exe
PID 2880 wrote to memory of 2024	2880	driver-magician-6-0.tmp	Driver Magician.exe
PID 2880 wrote to memory of 2024	2880	driver-magician-6-0.tmp	Driver Magician.exe
PID 2880 wrote to memory of 2024	2880	driver-magician-6-0.tmp	Driver Magician.exe
PID 2880 wrote to memory of 2024	2880	driver-magician-6-0.tmp	Driver Magician.exe
PID 2880 wrote to memory of 2024	2880	driver-magician-6-0.tmp	Driver Magician.exe
PID 2880 wrote to memory of 2024	2880	driver-magician-6-0.tmp	Driver Magician.exe

C:\Users\Admin\AppData\Local\Temp\driver-magician-6-0.exe
"C:\Users\Admin\AppData\Local\Temp\driver-magician-6-0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096

C:\Users\Admin\AppData\Local\Temp\is-KDV7N.tmp\driver-magician-6-0.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KDV7N.tmp\driver-magician-6-0.tmp" /SL5="$40150,5248154,781312,C:\Users\Admin\AppData\Local\Temp\driver-magician-6-0.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\Comdlg32.ocx"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:1608

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\Msinet.ocx"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:560

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\Mscomctl.ocx"
3⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1992

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\XCEEDZIP.DLL"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:2896

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\XceedCry.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:1740

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\Codejock.Controls.v15.0.1.ocx"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:1956

C:\Program Files (x86)\Driver Magician\Driver Magician.exe
"C:\Program Files (x86)\Driver Magician\Driver Magician.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2024

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Driver Magician\Driver Magician.exe
Filesize
448KB

MD5
89ac36ebd6b726bb9698ccc3202aba52

SHA1
2f7bab61ababbd7b497a61d26b55a7b5a214dd57

SHA256
52600238201d3186934d4d0a054bf91fe11da85364d77969ea0f06236f1dd57e

SHA512
5c8d0d014c041149d963395773e6ad5e6b5fd4477e4f4e8c2e1ca7386b930e094dd652a2eabc0f9a5e54c50cd846b7daceddbbe59ab57d00a5ad666035fdd8b4

Download Submit
C:\Program Files (x86)\Driver Magician\Language\Spanish.ini
Filesize
17KB

MD5
00912856c5d29b59ffb6c01d00a4b3c5

SHA1
ad8b10b1538112ffb0c628b3b4637ccaa3d9939a

SHA256
a40f5b66a10ead481d95441505af8b62fe525cf31a1504abeb39cfbd7ea689e1

SHA512
0634609451525843c9587ae940d6df17f755a759e770886315384616451c858002b2c6acad890e005aed413a72f3b9e64dd1177f46f791d76f69ad4adb887178

Download Submit
C:\Windows\SysWOW64\Codejock.Controls.v15.0.1.ocx
Filesize
1.8MB

MD5
6a021b290d913525f2f7225462172690

SHA1
501aeabe86439825fb99e9560bc2d00ac7442dcf

SHA256
7dd57f8763664a593c8bf2a0a86d9d70e8efe427e1474223642b5d541b51642e

SHA512
260d4f63b7a1a45aa49868ce12b2bd8464dc285e99413eafe559cd51995b421c5af22399b7a1987e172bcbc9f32d29fa3e3df3843bc587f8f2a3b1e5809c7a98

Download Submit
C:\Windows\SysWOW64\Comdlg32.ocx
Filesize
149KB

MD5
ab412429f1e5fb9708a8cdea07479099

SHA1
eb49323be4384a0e7e36053f186b305636e82887

SHA256
e32d8bbe8e6985726742b496520fa47827f3b428648fa1bc34ecffdd9bdac240

SHA512
f3348dbc3b05d14482250d7c399c00533598973f8e9168b4082ee5cbb81089dfaefcfda5a6a3c9f05b4445d655051b7a5170c57ee32d7a783dc35a75fee41aa9

Download Submit
C:\Windows\SysWOW64\Msinet.ocx
Filesize
129KB

MD5
90a39346e9b67f132ef133725c487ff6

SHA1
9cd22933f628465c863bed7895d99395acaa5d2a

SHA256
e55627932120be87c7950383a75a5712b0ff2c00b8d18169195ad35bc2502fc2

SHA512
0337817b9194a10b946d7381a84a2aeefd21445986afef1b9ae5a52921e598cdb0d1a576bdf8391f1ebf8be74950883a6f50ad1f61ff08678782c6b05a18adbf

Download Submit
C:\Windows\SysWOW64\XCEEDZIP.DLL
Filesize
445KB

MD5
044beba65ba31e1ca1ffc8cbbef78f3e

SHA1
55731a6c5043ad4e43735ee8434767953e562f71

SHA256
ccfd6be91993d92e95ed4552b9a0d62660eb675248175621286cf4133d5140f2

SHA512
802f7aef54e7965b83a12baf343bc8a4a84021aab918bb3bfa02d1f7447da7360e52313036559203620affdb30bc2f05582d04eabf796777aff1100f8d5f427c

Download Submit
C:\Windows\SysWOW64\XceedCry.dll
Filesize
513KB

MD5
47086109df33378a73e15e25ee6a2d20

SHA1
731bcf4fcd068444289acb8ddcbb714bc2dbe606

SHA256
879bfa7d940e97363410ff148b40386cf961abe612d3ac197019f4d53513f243

SHA512
8ccb39dcca7de589a61f27fcb8727115919f75882b1e43ac3be5f7d9b0eb5ea211eeb74dd27bf91ac31a3a2c46599ca9bc9f5e515c0b7065674ed61b42dfd35d

Download Submit
\Program Files (x86)\Driver Magician\Driver Magician.exe
Filesize
1.7MB

MD5
d01facc1ded1238c84dd4caaa377367c

SHA1
3c2b2001722c35bec4d8fdbb470ec6492bdba90a

SHA256
d4bfebc784e6519e1a05b4b36f90c2cf0f0ff7963206ef29a48baea4579878d1

SHA512
e7515603a584b5a4f6543de6173f34639c0e01c3486e1288af54cc83dfea0e2065801d07350d508a45578c703c9940436ee5b59977ead7782e029d5a8d807359

Download Submit
\Program Files (x86)\Driver Magician\unins000.exe
Filesize
2.8MB

MD5
0bfe8125ff9363724a9389bea5fdb97a

SHA1
74f6666445b0057058ce258a9db63219013e8f05

SHA256
6e74281021e5b08e24ee766ae27fc29744688ec3ff0abba9c015d99f1e4fedfd

SHA512
544959cdaaac4a94fc85e75a548081c11208bcb88d94b1520e2f02033132e8456d740021dece6f84b0f02384b6b77001fb9f8d23749a3b02398acb021e1076a2

Download Submit
\Users\Admin\AppData\Local\Temp\is-KDV7N.tmp\driver-magician-6-0.tmp
Filesize
3.0MB

MD5
0e02525d17fac66dbcc6a0015193cddc

SHA1
ef45af9e44ebd24f045a6c0dfcab237d597e8b98

SHA256
7807003ff76c839400f8c386d1f9b00b236534a5cb376a4cdf0b0316e3ef5e20

SHA512
988236d11b3685ae36f2f68d47df25c8d8aa1f02fd15042a0832b03741e8a9564062b77d7ab46441d3ac856791fc038457f504b2c2134a9e263e220ed50db1b0

Download Submit
memory/2096-10-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2096-1-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2096-125-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2880-8-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2880-111-0x0000000000400000-0x0000000000708000-memory.dmp

Filesize
3.0MB

Download
memory/2880-11-0x0000000000400000-0x0000000000708000-memory.dmp

Filesize
3.0MB

Download
memory/2880-124-0x0000000000400000-0x0000000000708000-memory.dmp

Filesize
3.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads