ae5b66322e5a7c26ad21ccc556bdc1618796166565d2939142c5aa3d76c38ace

Analysis

max time kernel
1556s
max time network
1563s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/05/2024, 14:58

Target

vddinstall.bat
Size

420B
MD5

ee1bfb5ccbb3949e3258155e141a68a5
SHA1

b79dd1e75e3e7acd8d21d7b17c86673a6c6383d9
SHA256

1e7c35eb6c296f96aee5ae4bbbd40395e8019bde95ef9bef91260dd8ef03c6d1
SHA512

b37d680f5dab52536926c718eb1b4c1f0e78552c061756f998e3a3ccb2dc4fbea15dd1a4b181646a68a2987a22ce225c185c2ef2bb1d10a70c780ada8cf9f9aa

Score

5^/10

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{04c12136-4572-550e-86a8-e8687173300a}\SET7169.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{04c12136-4572-550e-86a8-e8687173300a}\SET7189.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04c12136-4572-550e-86a8-e8687173300a}\mm.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04c12136-4572-550e-86a8-e8687173300a}\SET71B9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04c12136-4572-550e-86a8-e8687173300a}\SET7169.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04c12136-4572-550e-86a8-e8687173300a}\mm.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04c12136-4572-550e-86a8-e8687173300a}\SET7189.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{04c12136-4572-550e-86a8-e8687173300a}\SET71B9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04c12136-4572-550e-86a8-e8687173300a}\mm.inf	DrvInst.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	nefconw.exe
File opened for modification	C:\Windows\setupact.log	nefconw.exe
File opened for modification	C:\Windows\setuperr.log	nefconw.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	nefconw.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2568	rundll32.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2696	1540	cmd.exe	29
PID 1540 wrote to memory of 2696	1540	cmd.exe	29
PID 1540 wrote to memory of 2696	1540	cmd.exe	29
PID 1540 wrote to memory of 2148	1540	cmd.exe	30
PID 1540 wrote to memory of 2148	1540	cmd.exe	30
PID 1540 wrote to memory of 2148	1540	cmd.exe	30
PID 1540 wrote to memory of 2940	1540	cmd.exe	31
PID 1540 wrote to memory of 2940	1540	cmd.exe	31
PID 1540 wrote to memory of 2940	1540	cmd.exe	31
PID 2624 wrote to memory of 2568	2624	DrvInst.exe	33
PID 2624 wrote to memory of 2568	2624	DrvInst.exe	33
PID 2624 wrote to memory of 2568	2624	DrvInst.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\vddinstall.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Users\Admin\AppData\Local\Temp\nefconw.exe
  .\nefconw.exe --remove-device-node --hardware-id Root\Parsec\VDA --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318"
  2⤵
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\nefconw.exe
  .\nefconw.exe --create-device-node --class-name Display --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318" --hardware-id Root\Parsec\VDA
  2⤵
  - Drops file in Windows directory
  PID:2148
- C:\Users\Admin\AppData\Local\Temp\nefconw.exe
  .\nefconw.exe --install-driver --inf-path ".\driver\mm.inf"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2940

C:\Users\Admin\AppData\Local\Temp\{18E4B~1\mm.dll

Filesize
169KB

MD5
f09967cc8cc9bf03612ddecb6bf86daa

SHA1
166f8e3000b6a1e2b13b46e85b7559b9837b9aa7

SHA256
96db6ae2f950b56e52be3e68f92893afa94645eae09fea2abd5dd1985758150a

SHA512
190d2edea81c42a2d7a5bc69cb98f03368e702a5fcb3fc1dcd4e9c387687bab542e4b0e5de67292e8b8a7efed7fd9e30d1efdd35bcdfea28417de71db0e13864

Download Submit
C:\Users\Admin\AppData\Local\Temp\{18e4b176-12dc-701d-24ee-e20f9f50e611}\mm.cat

Filesize
11KB

MD5
1fe1fc7cc73fb17e995d65835d51ca94

SHA1
249acf0a3a362b2163127bd76f6d4d6aa463297d

SHA256
136e64ac07dce5a3b4935d5a9c5cfe03983c0b3065f46a30a45536d5b1681d5c

SHA512
31fe1bdcb5f243a6eecc40006fc70793bc5aea9d95ffe449117cb67366f0f120c393716ffe93b65a73c8b2dfe02917f1d0dcf4ca62aa302fe685513b8cc80bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{18e4b176-12dc-701d-24ee-e20f9f50e611}\mm.inf

Filesize
4KB

MD5
d8030afe09a2f984be00389b31f7039b

SHA1
ab7a55fa6641cc31b0b7e70c8680bbbd553fc8a1

SHA256
34da9ff45c13577631f67e33d11b8a26e3d22ca685d00c388b6122a795800588

SHA512
0787e9e95369686b20bcbddb9ff984111c4ed53a064fc8f198691db5c124dfbe1b1f4d434dbfd81482545b723c01325ed9bcc626f461191b3ae4095222df10a6

Download Submit