Overview
overview
5Static
static
3driver/vis...v2.dll
windows7-x64
1driver/vis...v2.dll
windows10-2004-x64
1driver/vis...v2.sys
windows7-x64
1driver/vis...v2.sys
windows10-2004-x64
1driver/vis...ll.bat
windows7-x64
1driver/vis...ll.bat
windows10-2004-x64
1driver/vis...nt.bat
windows7-x64
1driver/vis...nt.bat
windows10-2004-x64
1driver/vis...rv.exe
windows7-x64
1driver/vis...rv.exe
windows10-2004-x64
1driver/vis...ll.bat
windows7-x64
1driver/vis...ll.bat
windows10-2004-x64
1driver/vis...nt.bat
windows7-x64
1driver/vis...nt.bat
windows10-2004-x64
1driver/vis...v2.dll
windows7-x64
1driver/vis...v2.dll
windows10-2004-x64
1driver/vis...v2.sys
windows7-x64
1driver/vis...v2.sys
windows10-2004-x64
1driver/vis...ll.bat
windows7-x64
5driver/vis...ll.bat
windows10-2004-x64
5driver/vis...nt.bat
windows7-x64
1driver/vis...nt.bat
windows10-2004-x64
1driver/vis...rv.exe
windows7-x64
1driver/vis...rv.exe
windows10-2004-x64
1driver/vis...ll.bat
windows7-x64
1driver/vis...ll.bat
windows10-2004-x64
1driver/vis...nt.bat
windows7-x64
1driver/vis...nt.bat
windows10-2004-x64
1driver/w2K...v2.dll
windows7-x64
1driver/w2K...v2.dll
windows10-2004-x64
1driver/w2K...v2.dll
windows7-x64
1driver/w2K...v2.dll
windows10-2004-x64
1Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
15/03/2024, 09:30
Static task
static1
Behavioral task
behavioral1
Sample
driver/vista/driver/mv2.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral2
Sample
driver/vista/driver/mv2.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
driver/vista/driver/mv2.sys
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
driver/vista/driver/mv2.sys
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
driver/vista/install.bat
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral6
Sample
driver/vista/install.bat
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
driver/vista/install_silent.bat
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
driver/vista/install_silent.bat
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
driver/vista/setupdrv.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
driver/vista/setupdrv.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
driver/vista/uninstall.bat
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
driver/vista/uninstall.bat
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
driver/vista/uninstall_silent.bat
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
driver/vista/uninstall_silent.bat
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
driver/vista64/driver/mv2.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral16
Sample
driver/vista64/driver/mv2.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
driver/vista64/driver/mv2.sys
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
driver/vista64/driver/mv2.sys
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
driver/vista64/install.bat
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral20
Sample
driver/vista64/install.bat
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
driver/vista64/install_silent.bat
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral22
Sample
driver/vista64/install_silent.bat
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
driver/vista64/setupdrv.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
driver/vista64/setupdrv.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
driver/vista64/uninstall.bat
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral26
Sample
driver/vista64/uninstall.bat
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
driver/vista64/uninstall_silent.bat
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral28
Sample
driver/vista64/uninstall_silent.bat
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
driver/w2K/driver/mv2.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral30
Sample
driver/w2K/driver/mv2.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
driver/w2K/driver/mv2.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral32
Sample
driver/w2K/driver/mv2.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
General
-
Target
driver/vista64/install.bat
-
Size
16B
-
MD5
903b157dca56861c845179d4d1c5e930
-
SHA1
e6b5ed1511f1f14f0436ca474ff457cb340e7c60
-
SHA256
8402e0c9189fa6ef6ef8e955606c5a20f880f1106ea5f81304e42a0864f078f8
-
SHA512
53f5be22fd9b12ff9d084a65be63bfa7a9b5489a5d95263343ee0db3ce749b1b6d0999ac3cc34b23a4a970f3f02dd7ed1199269c12c8b59313ff58b225774006
Malware Config
Signatures
-
Drops file in System32 directory 12 IoCs
description ioc Process File opened for modification C:\Windows\System32\DriverStore\Temp\{06f6f463-9d05-304e-af40-cad244019711}\SET36D1.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{06f6f463-9d05-304e-af40-cad244019711}\SET36D1.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{06f6f463-9d05-304e-af40-cad244019711}\mv2.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{06f6f463-9d05-304e-af40-cad244019711}\SET36CF.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{06f6f463-9d05-304e-af40-cad244019711}\SET36CF.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{06f6f463-9d05-304e-af40-cad244019711}\SET36D0.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{06f6f463-9d05-304e-af40-cad244019711}\mv2.dll DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{06f6f463-9d05-304e-af40-cad244019711}\SET36D2.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{06f6f463-9d05-304e-af40-cad244019711}\mv2.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{06f6f463-9d05-304e-af40-cad244019711}\SET36D0.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{06f6f463-9d05-304e-af40-cad244019711}\mv2.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{06f6f463-9d05-304e-af40-cad244019711}\SET36D2.tmp DrvInst.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\INF\c_display.PNF setupdrv.exe File opened for modification C:\Windows\INF\setupapi.dev.log setupdrv.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe -
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 setupdrv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 setupdrv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom setupdrv.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags setupdrv.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags setupdrv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 setupdrv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom setupdrv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 setupdrv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe -
Modifies data under HKEY_USERS 42 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeAuditPrivilege 1696 svchost.exe Token: SeSecurityPrivilege 1696 svchost.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2544 wrote to memory of 1952 2544 cmd.exe 90 PID 2544 wrote to memory of 1952 2544 cmd.exe 90 PID 1696 wrote to memory of 1104 1696 svchost.exe 92 PID 1696 wrote to memory of 1104 1696 svchost.exe 92 PID 1104 wrote to memory of 1472 1104 DrvInst.exe 93 PID 1104 wrote to memory of 1472 1104 DrvInst.exe 93
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\driver\vista64\install.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Users\Admin\AppData\Local\Temp\driver\vista64\setupdrv.exesetupdrv install2⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:1952
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{46d85740-f5cf-f44b-9230-9214ee181ee4}\mv2.inf" "9" "434737feb" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "c:\users\admin\appdata\local\temp\driver\vista64\driver"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{ebeea493-d11a-3741-95b0-7b6e2c2e8c42} Global\{689d07b0-dfba-a741-a782-dda358f75250} C:\Windows\System32\DriverStore\Temp\{06f6f463-9d05-304e-af40-cad244019711}\mv2.inf C:\Windows\System32\DriverStore\Temp\{06f6f463-9d05-304e-af40-cad244019711}\mv2.cat3⤵PID:1472
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD51b4f828fc21aa28c3ce863a31c1f9d48
SHA196b8e2ed63f54beb4e087712ada7520c2379c5c4
SHA256e7f85212d7708402910830576b0bd84873c24a1339cfd3ebbe5a2939127438d4
SHA5129cf0e701adcbbe05652f623a34849910c657fa9536513835d18fd184faad47b62c28437237a78494b8e31f5e27c0bddcd9d4cb5c5b4bedc56ef0842553ab3064
-
Filesize
8KB
MD5716a1b21d16beae0405cc08d35d137cd
SHA1a013a0d39efd59a831edfe5194dd182af25109aa
SHA256e3170e44d159d924bd7884c4e0fd6b590ffd93b0ce2c1eebd0d68606039f7df5
SHA512bf6664be664c1675b1038afe91d108a0d0f487f158cf6d0b183ab5ac5cf10836270c71687b69a220bd7ef8383bd2aa1cc9715edcedd4fde1735c7af50ac103f8
-
Filesize
9KB
MD584972e8fa5a2363e42d90f92f1ab3f26
SHA1eed45042eff0459391053879ffa458493fdbfdd3
SHA256a70a4575a97fb62cfef3bc36329dbd0cf9be72e09eb997df1f565fc792727dc2
SHA5123fcc839aa3b3254f794e88ad3254b45d5238cb287d86613669fa80bfbb9de11a8a851ad3bc08c9e3d752b67e38c29896aa0450510328159ef3fd10c76dbd6e80
-
Filesize
26KB
MD5f895283a62f0456f91094fe43d45f531
SHA1325422ed844669d0af155d68a801e1c513a95e79
SHA25660dbf8caf518ac5bc5c4881368bcbc2f80f34fa0dac02a0c39ad04156e622737
SHA512af619973b793ee1c169cc212389f77d8e42cf162ea95b2bdd8603b3484894c8c762f55e7d54b9bb89770896ce0ec6dedbf7876c309bf6d1789643d536f60b33c
-
Filesize
12KB
MD5a906b08944ef1bec17ae306e9fdb35d0
SHA1e22adb1a14254165099af8940fbf6cc14bf2c276
SHA256898b7d602a2b422c97d8773d72f978c828f9b7ba7582f3236601b0ef4c9834e5
SHA51222d9368c144e130d7b647293bb95a4ef5ada01c169e60f2fbd84e0d576cf85b50aa4f06a62e74313d2a58cf0cb0c92d43812c7072d33c9525c6c3245ec1ad1eb