b1707825c0f2fde7bfdbb5f4a4cef4002a935b2c9edfa93f512127f430cfbdd0

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240221-es
resource tags

arch:x64arch:x86image:win7-20240221-eslocale:es-esos:windows7-x64systemwindows
submitted
04/05/2024, 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MonectRuntimeCheck.exe
Size

121KB
MD5

855868707c8daba66438545fba07b490
SHA1

cb28feed2dc91fbb47dd3da4527ac7fb00a04f25
SHA256

7a3846a11ebe48d769c2983931fad9c71a924b2f0d892a478aeff528e108883e
SHA512

df3cd7a00eb562412b204cbb8e06cb31917b665f01cb9f521a8ba66ede8440b208f705da17159048e34327ca00d0c1b926bd1a78c0543c272203cb749c55dca3
SSDEEP

768:kLnW4UkQyOM9aV1+qXUpv9Sbh9SbPvNnr2u+vTS+ST6nkM:k7hUFyOyaV1+f9C4vNrxk/me

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{52d95ab4-ac20-686f-748b-0d6934cd4e5b}\SET3B4F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{52d95ab4-ac20-686f-748b-0d6934cd4e5b}\vjoy.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{52d95ab4-ac20-686f-748b-0d6934cd4e5b}\SET3B4C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{52d95ab4-ac20-686f-748b-0d6934cd4e5b}\SET3B4E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{52d95ab4-ac20-686f-748b-0d6934cd4e5b}\vJoy.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{52d95ab4-ac20-686f-748b-0d6934cd4e5b}\SET3B4F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{52d95ab4-ac20-686f-748b-0d6934cd4e5b}\SET3B5F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{52d95ab4-ac20-686f-748b-0d6934cd4e5b}\SET3B5F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{52d95ab4-ac20-686f-748b-0d6934cd4e5b}\vjoy.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{52d95ab4-ac20-686f-748b-0d6934cd4e5b}\WdfCoInstaller01009.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{52d95ab4-ac20-686f-748b-0d6934cd4e5b}\SET3B4D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{52d95ab4-ac20-686f-748b-0d6934cd4e5b}\SET3B4E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{52d95ab4-ac20-686f-748b-0d6934cd4e5b}\hidkmdf.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{52d95ab4-ac20-686f-748b-0d6934cd4e5b}\SET3B4C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{52d95ab4-ac20-686f-748b-0d6934cd4e5b}\SET3B4D.tmp	DrvInst.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	driververifyx64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	driververifyx64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\LanguageList = 650073002d0045005300000065007300000065006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2696	rundll32.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeRestorePrivilege	288	driververifyx64.exe
Token: SeRestorePrivilege	288	driververifyx64.exe
Token: SeRestorePrivilege	288	driververifyx64.exe
Token: SeRestorePrivilege	288	driververifyx64.exe
Token: SeRestorePrivilege	288	driververifyx64.exe
Token: SeRestorePrivilege	288	driververifyx64.exe
Token: SeRestorePrivilege	288	driververifyx64.exe
Token: SeRestorePrivilege	288	driververifyx64.exe
Token: SeRestorePrivilege	288	driververifyx64.exe
Token: SeRestorePrivilege	288	driververifyx64.exe
Token: SeRestorePrivilege	288	driververifyx64.exe
Token: SeRestorePrivilege	288	driververifyx64.exe
Token: SeRestorePrivilege	288	driververifyx64.exe
Token: SeRestorePrivilege	288	driververifyx64.exe
Token: SeRestorePrivilege	2668	DrvInst.exe
Token: SeRestorePrivilege	2668	DrvInst.exe
Token: SeRestorePrivilege	2668	DrvInst.exe
Token: SeRestorePrivilege	2668	DrvInst.exe
Token: SeRestorePrivilege	2668	DrvInst.exe
Token: SeRestorePrivilege	2668	DrvInst.exe
Token: SeRestorePrivilege	2668	DrvInst.exe
Token: SeRestorePrivilege	2668	DrvInst.exe
Token: SeRestorePrivilege	2668	DrvInst.exe
Token: SeRestorePrivilege	2668	DrvInst.exe
Token: SeRestorePrivilege	2668	DrvInst.exe
Token: SeRestorePrivilege	2668	DrvInst.exe
Token: SeRestorePrivilege	2668	DrvInst.exe
Token: SeRestorePrivilege	2668	DrvInst.exe
Token: SeRestorePrivilege	2696	rundll32.exe
Token: SeRestorePrivilege	2696	rundll32.exe
Token: SeRestorePrivilege	2696	rundll32.exe
Token: SeRestorePrivilege	2696	rundll32.exe
Token: SeRestorePrivilege	2696	rundll32.exe
Token: SeRestorePrivilege	2696	rundll32.exe
Token: SeRestorePrivilege	2696	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 288	2340	MonectRuntimeCheck.exe	29
PID 2340 wrote to memory of 288	2340	MonectRuntimeCheck.exe	29
PID 2340 wrote to memory of 288	2340	MonectRuntimeCheck.exe	29
PID 2668 wrote to memory of 2696	2668	DrvInst.exe	32
PID 2668 wrote to memory of 2696	2668	DrvInst.exe	32
PID 2668 wrote to memory of 2696	2668	DrvInst.exe	32

C:\Users\Admin\AppData\Local\Temp\MonectRuntimeCheck.exe
"C:\Users\Admin\AppData\Local\Temp\MonectRuntimeCheck.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\driververifyx64.exe
  "C:\Users\Admin\AppData\Local\Temp\driververifyx64.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:288

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0471e0b1-48bf-38ed-1feb-325c325a8b25}\vjoy.inf" "9" "6170f47b7" "00000000000002A0" "WinSta0\Default" "0000000000000584" "208" "c:\users\admin\appdata\local\temp\driver\legacy\vjoy"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{7e23f74a-6e63-6577-960b-e0481c0f5e2c} Global\{0dfddc83-82a9-473f-22b1-a83d1be07642} C:\Windows\System32\DriverStore\Temp\{52d95ab4-ac20-686f-748b-0d6934cd4e5b}\vjoy.inf C:\Windows\System32\DriverStore\Temp\{52d95ab4-ac20-686f-748b-0d6934cd4e5b}\vJoy.cat
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab3A54.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3A67.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0471E~1\WdfCoInstaller01009.dll

Filesize
1.6MB

MD5
4da5da193e0e4f86f6f8fd43ef25329a

SHA1
68a44d37ff535a2c454f2440e1429833a1c6d810

SHA256
18487b4ff94edccc98ed59d9fca662d4a1331c5f1e14df8db3093256dd9f1c3e

SHA512
b3d73ed5e45d6f2908b2f3086390dd28c1631e298756cee9bdf26b185f0b77d1b8c03ad55e0495dba982c5bed4a03337b130c76f7112f3e19821127d2cf36853

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0471E~1\hidkmdf.sys

Filesize
10KB

MD5
de50a50fd52a2bacb72f159aea6e3a38

SHA1
2bad3a7e7516e9fc68e2ab4c5d9a7ac60a576154

SHA256
8fe4cac56e0ed66e5fc60f1468e1911196cadac49f0e350cfe7820c7ec7fcd7e

SHA512
c7542cf3b45d1d0ccbe87b5c220ecac6c4e9a8c1c171d5ce95f5bf76c1a3ffb576226486ed498ee12eedad9b1beed1d17a0f14d922df21287a70f69354c6a924

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0471E~1\vjoy.sys

Filesize
56KB

MD5
cb09581d30179ef1d9cac51717afa04f

SHA1
e3f54c575bb3daed87bccff8a207c7e9634ad7f0

SHA256
58e5cafbb5c3cc69c23ad85c3093b247208e3e5c43fe09aa06a6b7ec40fc3d1b

SHA512
a961e9ece89adb83d4c81c601aa3d91c39b277b9a27233d9894caf46cd5b92c6cdc55aaa689e55408303607bac3012296b67bd1dbdb8d71c10d1ac9ec3178e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0471e0b1-48bf-38ed-1feb-325c325a8b25}\vJoy.cat

Filesize
9KB

MD5
8ade7a899a6d5f2d34b9a0e32e8e881c

SHA1
01e7961bc2ba41bd8794da2b2d2e967172cfd739

SHA256
09f859c2ac093ff4fab365ecead64c47c763230b091918be5abcc040579126ec

SHA512
b1ef251b258bf2fc7cb10d2f8ad64c60d01a7da81df31fb362998b62c5f423a202ee067ba6d4f69b8935292a55a91d1d0199b4a08cd0e7f15a96420f6ea9c6b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0471e0b1-48bf-38ed-1feb-325c325a8b25}\vjoy.inf

Filesize
10KB

MD5
460c34649150136c91c1e4b9d48b12cc

SHA1
4d57ae74eb2422b6b33d6214f25674fa243537fe

SHA256
3a4990e6462dbea0d925a64fc07a0c107e3e04b77755b9f6ff8222e92c617078

SHA512
1a85af0aeac1014acbc97941e1e2a23ecabc005ab38dfbb5667adbbe822c913526a34bee69f39102cc4bd3a39dc3f0d63e0be4d35934979699f06c204f7e832c

Download Submit
C:\Windows\Temp\Cab3BCA.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar3BED.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit