67001c8f5a37c1ccd2d1750f21e28d372a8639c330aafbae111a5956c942b71a

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

driver/vista64/install.bat
Size

16B
MD5

903b157dca56861c845179d4d1c5e930
SHA1

e6b5ed1511f1f14f0436ca474ff457cb340e7c60
SHA256

8402e0c9189fa6ef6ef8e955606c5a20f880f1106ea5f81304e42a0864f078f8
SHA512

53f5be22fd9b12ff9d084a65be63bfa7a9b5489a5d95263343ee0db3ce749b1b6d0999ac3cc34b23a4a970f3f02dd7ed1199269c12c8b59313ff58b225774006

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0e697184-bd57-4669-df61-9a079fa8a629}\SET1EA8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0e697184-bd57-4669-df61-9a079fa8a629}\mv2.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0e697184-bd57-4669-df61-9a079fa8a629}\SET1EA9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0e697184-bd57-4669-df61-9a079fa8a629}\mv2.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0e697184-bd57-4669-df61-9a079fa8a629}\SET1EBA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0e697184-bd57-4669-df61-9a079fa8a629}\SET1EBA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0e697184-bd57-4669-df61-9a079fa8a629}\mv2.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0e697184-bd57-4669-df61-9a079fa8a629}\SET1EA8.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0e697184-bd57-4669-df61-9a079fa8a629}\SET1EA9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0e697184-bd57-4669-df61-9a079fa8a629}\SET1EB9.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{0e697184-bd57-4669-df61-9a079fa8a629}\SET1EB9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{0e697184-bd57-4669-df61-9a079fa8a629}\mv2.inf	DrvInst.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	setupdrv.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	setupdrv.exe
File opened for modification	C:\Windows\setupact.log	setupdrv.exe
File opened for modification	C:\Windows\setuperr.log	setupdrv.exe

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1848	rundll32.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeRestorePrivilege	2620	setupdrv.exe
Token: SeRestorePrivilege	2620	setupdrv.exe
Token: SeRestorePrivilege	2620	setupdrv.exe
Token: SeRestorePrivilege	2620	setupdrv.exe
Token: SeRestorePrivilege	2620	setupdrv.exe
Token: SeRestorePrivilege	2620	setupdrv.exe
Token: SeRestorePrivilege	2620	setupdrv.exe
Token: SeRestorePrivilege	2620	setupdrv.exe
Token: SeRestorePrivilege	2620	setupdrv.exe
Token: SeRestorePrivilege	2620	setupdrv.exe
Token: SeRestorePrivilege	2620	setupdrv.exe
Token: SeRestorePrivilege	2620	setupdrv.exe
Token: SeRestorePrivilege	2620	setupdrv.exe
Token: SeRestorePrivilege	2620	setupdrv.exe
Token: SeRestorePrivilege	2916	DrvInst.exe
Token: SeRestorePrivilege	2916	DrvInst.exe
Token: SeRestorePrivilege	2916	DrvInst.exe
Token: SeRestorePrivilege	2916	DrvInst.exe
Token: SeRestorePrivilege	2916	DrvInst.exe
Token: SeRestorePrivilege	2916	DrvInst.exe
Token: SeRestorePrivilege	2916	DrvInst.exe
Token: SeRestorePrivilege	2916	DrvInst.exe
Token: SeRestorePrivilege	2916	DrvInst.exe
Token: SeRestorePrivilege	2916	DrvInst.exe
Token: SeRestorePrivilege	2916	DrvInst.exe
Token: SeRestorePrivilege	2916	DrvInst.exe
Token: SeRestorePrivilege	2916	DrvInst.exe
Token: SeRestorePrivilege	2916	DrvInst.exe
Token: SeRestorePrivilege	1848	rundll32.exe
Token: SeRestorePrivilege	1848	rundll32.exe
Token: SeRestorePrivilege	1848	rundll32.exe
Token: SeRestorePrivilege	1848	rundll32.exe
Token: SeRestorePrivilege	1848	rundll32.exe
Token: SeRestorePrivilege	1848	rundll32.exe
Token: SeRestorePrivilege	1848	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2620	2960	cmd.exe	29
PID 2960 wrote to memory of 2620	2960	cmd.exe	29
PID 2960 wrote to memory of 2620	2960	cmd.exe	29
PID 2916 wrote to memory of 1848	2916	DrvInst.exe	31
PID 2916 wrote to memory of 1848	2916	DrvInst.exe	31
PID 2916 wrote to memory of 1848	2916	DrvInst.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\driver\vista64\install.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\driver\vista64\setupdrv.exe
  setupdrv install
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2620

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{55a4164a-0d63-332e-1466-a342c6683c21}\mv2.inf" "9" "634737feb" "000000000000031C" "WinSta0\Default" "00000000000003F0" "208" "c:\users\admin\appdata\local\temp\driver\vista64\driver"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{1c12a637-7d17-6dcf-d82c-015a5824fa70} Global\{1db75dbc-f088-6125-884d-0c31a906d552} C:\Windows\System32\DriverStore\Temp\{0e697184-bd57-4669-df61-9a079fa8a629}\mv2.inf C:\Windows\System32\DriverStore\Temp\{0e697184-bd57-4669-df61-9a079fa8a629}\mv2.cat
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{55A41~1\mv2.dll

Filesize
26KB

MD5
f895283a62f0456f91094fe43d45f531

SHA1
325422ed844669d0af155d68a801e1c513a95e79

SHA256
60dbf8caf518ac5bc5c4881368bcbc2f80f34fa0dac02a0c39ad04156e622737

SHA512
af619973b793ee1c169cc212389f77d8e42cf162ea95b2bdd8603b3484894c8c762f55e7d54b9bb89770896ce0ec6dedbf7876c309bf6d1789643d536f60b33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{55A41~1\mv2.sys

Filesize
12KB

MD5
a906b08944ef1bec17ae306e9fdb35d0

SHA1
e22adb1a14254165099af8940fbf6cc14bf2c276

SHA256
898b7d602a2b422c97d8773d72f978c828f9b7ba7582f3236601b0ef4c9834e5

SHA512
22d9368c144e130d7b647293bb95a4ef5ada01c169e60f2fbd84e0d576cf85b50aa4f06a62e74313d2a58cf0cb0c92d43812c7072d33c9525c6c3245ec1ad1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{55a4164a-0d63-332e-1466-a342c6683c21}\mv2.cat

Filesize
9KB

MD5
84972e8fa5a2363e42d90f92f1ab3f26

SHA1
eed45042eff0459391053879ffa458493fdbfdd3

SHA256
a70a4575a97fb62cfef3bc36329dbd0cf9be72e09eb997df1f565fc792727dc2

SHA512
3fcc839aa3b3254f794e88ad3254b45d5238cb287d86613669fa80bfbb9de11a8a851ad3bc08c9e3d752b67e38c29896aa0450510328159ef3fd10c76dbd6e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\{55a4164a-0d63-332e-1466-a342c6683c21}\mv2.inf

Filesize
2KB

MD5
1b4f828fc21aa28c3ce863a31c1f9d48

SHA1
96b8e2ed63f54beb4e087712ada7520c2379c5c4

SHA256
e7f85212d7708402910830576b0bd84873c24a1339cfd3ebbe5a2939127438d4

SHA512
9cf0e701adcbbe05652f623a34849910c657fa9536513835d18fd184faad47b62c28437237a78494b8e31f5e27c0bddcd9d4cb5c5b4bedc56ef0842553ab3064

Download Submit
C:\Windows\Temp\Cab1ED8.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar1EEB.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
memory/1848-93-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1848-94-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download