Analysis

  • max time kernel
    84s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/05/2024, 22:17 UTC

General

  • Target

    Driver/x64/Driver_Setup.bat

  • Size

    98B

  • MD5

    4726fc771e4a61c8ce6faba6cdbc2f5c

  • SHA1

    72bb59cdbbd161809292a72b32664562b71fd2eb

  • SHA256

    0c14524dacbdb3818a3a4af3829a51d5d3472f2376e2be7d5532e858a727c5f2

  • SHA512

    981ba283345b67ed6adb7d2b77ae0de9fb1d8855934c0dac0b680109b8dfb619622127276244356468c1539077be5abf872c7e28e52f38fce0c3afbc775e3bf5

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 51 IoCs
  • Drops file in Windows directory 13 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments. In this run, however, every process flagged for it (DIFxCmd.exe, DrvInst.exe and the DeviceInstall svchost) is part of the driver-installation path, which reads device information as part of normal PnP installation; on its own this hit is expected for a driver installer and is not evidence of evasion.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
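The "Checks SCSI registry key(s)" signature above refers to a well-known VM check: reading the disk Identifier under HKLM\HARDWARE\DEVICEMAP\Scsi and looking for a hypervisor vendor string. As an added illustration (not code from this report or from the sample), the following PowerShell reads the same keys and applies the kind of vendor-string match a sandbox-aware sample would use; the marker list, the function names and the scoring are this example's own choices.

```powershell
# Added example (not from the sandbox report or the sample): reproduces the registry
# read that the "Checks SCSI registry key(s)" signature fires on. The key path and the
# Identifier value name are the standard Windows locations; the vendor-string list is
# an assumption of this example and is illustrative, not exhaustive.
$scsiRoot  = 'HKLM:\HARDWARE\DEVICEMAP\Scsi'
$vmMarkers = @('VBOX', 'VMWARE', 'QEMU', 'VIRTUAL', 'XEN', 'MSFT VIRTUAL')

function Get-ScsiIdentifiers {
    # Walk "Scsi Port N\Scsi Bus N\Target Id N\Logical Unit Id N" and collect each
    # Identifier value (vendor/model string of the emulated or physical disk).
    if (-not (Test-Path $scsiRoot)) { return @() }
    Get-ChildItem -Path $scsiRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'Logical Unit Id*' } |
        ForEach-Object {
            $id = (Get-ItemProperty -Path $_.PSPath -Name Identifier -ErrorAction SilentlyContinue).Identifier
            if ($id) { [pscustomobject]@{ Key = $_.Name; Identifier = $id } }
        }
}

function Test-LooksLikeVm {
    # Case-insensitive substring match of each Identifier against the marker list.
    param([string[]]$Identifiers)
    foreach ($id in $Identifiers) {
        $u = $id.ToUpperInvariant()
        foreach ($m in $vmMarkers) {
            if ($u.Contains($m)) { return $true }
        }
    }
    return $false
}

$ids = Get-ScsiIdentifiers
$ids | Format-Table -AutoSize
if (Test-LooksLikeVm -Identifiers $ids.Identifier) {
    Write-Host 'Disk Identifier carries a hypervisor vendor string; a sandbox-aware sample would typically bail out here.'
} else {
    Write-Host 'No hypervisor marker found in SCSI Identifier values.'
}
```

Run it on the analysis VM and on a physical host to see what the check keys on. The caveat for this report: the same keys are touched by the PnP installation tooling during any driver install, which is why DIFxCmd.exe, DrvInst.exe and the DeviceInstall service all trip the signature here; the batch file runs nothing else, so the drivers being installed are the thing to examine, not this signature.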

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Driver\x64\Driver_Setup.bat"
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\Users\Admin\AppData\Local\Temp\Driver\x64\DIFxCmd.exe
      DIFxCmd.exe /i HidFiltr_Evi.inf
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      PID:432
    • C:\Users\Admin\AppData\Local\Temp\Driver\x64\DIFxCmd.exe
      DIFxCmd.exe /i MouFiltr_Evi.inf
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      PID:2636
    • C:\Users\Admin\AppData\Local\Temp\Driver\x64\DIFxCmd.exe
      DIFxCmd.exe /i KbFiltr_Evi.inf
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      PID:4292
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3208
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1310b129-cd83-3c49-9170-6afa091132dd}\HidFiltr_Evi.inf" "9" "4b4ded797" "0000000000000144" "WinSta0\Default" "0000000000000164" "208" "C:\Users\Admin\AppData\Local\Temp\Driver\x64"
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:3492
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6488b1f5-c966-544b-b5f3-3494a468a0e6}\MouFiltr_Evi.inf" "9" "4d55dba47" "0000000000000168" "WinSta0\Default" "0000000000000140" "208" "C:\Users\Admin\AppData\Local\Temp\Driver\x64"
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:2628
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{92f28fc6-b67f-8441-a264-98adcaee3407}\KbFiltr_Evi.inf" "9" "4a084871f" "0000000000000174" "WinSta0\Default" "0000000000000140" "208" "C:\Users\Admin\AppData\Local\Temp\Driver\x64"
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:4604

Network

  All recorded traffic is DNS: eight reverse (PTR) lookups sent to 8.8.8.8:53 (geolocated US). None of them is attributed to a process in the tree above, and the two that returned a record point at CDN hosts (Akamai, Limelight), so these lookups should not be treated as indicators for this sample. Sent/Recv are the on-the-wire sizes of the query and response packets.

  Remote address  Query                         Type  Sent  Recv   Req  Resp  PTR answer
  8.8.8.8:53      154.239.44.20.in-addr.arpa    PTR   72 B  158 B  1    1     (no record returned)
  8.8.8.8:53      249.138.73.23.in-addr.arpa    PTR   72 B  137 B  1    1     a23-73-138-249.deploy.static.akamaitechnologies.com
  8.8.8.8:53      138.32.126.40.in-addr.arpa    PTR   72 B  158 B  1    1     (no record returned)
  8.8.8.8:53      95.221.229.192.in-addr.arpa   PTR   73 B  144 B  1    1     (no record returned)
  8.8.8.8:53      228.249.119.40.in-addr.arpa   PTR   73 B  159 B  1    1     (no record returned)
  8.8.8.8:53      50.23.12.20.in-addr.arpa      PTR   70 B  156 B  1    1     (no record returned)
  8.8.8.8:53      15.164.165.52.in-addr.arpa    PTR   72 B  146 B  1    1     (no record returned)
  8.8.8.8:53      0.205.248.87.in-addr.arpa     PTR   71 B  116 B  1    1     https-87-248-205-0.lgw.llnw.net

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\{1310B~1\HidFiltr_Evi.cat

    Filesize

    133KB

    MD5

    3fd12f21641b350b5aedc7a1eec064a3

    SHA1

    5cd8d6bf85dfacbde058ebbd61b4268384143789

    SHA256

    e8bce60aca743a6f9c2dbd68f81ccbc35ad42b4c9dcc4266d02cbad5fb95f5a7

    SHA512

    15974fb126be3cbef72475204a51f1e8c3f24ca1f4aa96954717d002b4dfdce5062950bdb0037b9a1398b6db81c5dfe27312e870cc2f7a1a4561ad48d3181967

  • C:\Users\Admin\AppData\Local\Temp\{1310B~1\HidFiltr_Evi.sys

    Filesize

    29KB

    MD5

    111d4505d71a92ddc2997ef6fbf6269f

    SHA1

    bdf2f64d0e66c89913e986fbf978cf372b1104af

    SHA256

    5d7627ffde70ba97437fd413b3c0be8fe5e46eab944c376245be0664ef4e83e8

    SHA512

    5e3b9db65d12db1635edc9dbf019606379e3ca870b68a0155a0d3a0a80e56115079a3f1252aa2d53536071ec20e868d7cdb88d0033aa064b7b0ebf2f1f4887d2

  • C:\Users\Admin\AppData\Local\Temp\{1310b129-cd83-3c49-9170-6afa091132dd}\HidFiltr_Evi.inf

    Filesize

    68KB

    MD5

    3e5219476830f1bd4d5c0c948455a07c

    SHA1

    f40f690fc27f8bfecbdac88c1aea0dce584aa9ab

    SHA256

    d418e9b18967e453a80f6ce24fcf325e5293a115de1b858c321af6ce22ba992b

    SHA512

    cba272dff50cfd61515ef149edeaf059128da402e5fb9a4226108c0f9fa6bcf95807fd8049d3fb76546bc3de1101873b5e408d1202a6ca163bfd7ff35c5ec464

  • C:\Users\Admin\AppData\Local\Temp\{6488B~1\MouFiltr_Evi.cat

    Filesize

    133KB

    MD5

    0410e772fddd48f59cced079f16fca1a

    SHA1

    17e68438a69b42335004cdc4b7471b88b0e6d543

    SHA256

    8cee47ac39b3cef22f5c10cc72ff65b95a85ddd10a6fcbb1b4d16351533fe072

    SHA512

    9295f834b302599a4e773f04eed7d7b60fa804b610d7cd4cf2922a95f17882d922bb91e76081c7a474b37571487a3629f521b0f29d71e03e866ec51140064dea

  • C:\Users\Admin\AppData\Local\Temp\{6488B~1\MouFiltr_Evi.sys

    Filesize

    29KB

    MD5

    f9d3df95649ae65bda9b22fcc73cca5e

    SHA1

    ea46d5e138568080fa7c80b7471a7984e7033096

    SHA256

    9859bbe498b969a0602b64d2eeee300f645713fc3dc5c1ca75954ed6b315a61d

    SHA512

    7a2b48ca7a51a34eee66f6c35dd2b80004c65ca92d80c4fb436ca330aa23a0e95f7fdd4b8b2b2f358326ed4c53b1d8c34ae19425b89b9599275f14e5226b2b91

  • C:\Users\Admin\AppData\Local\Temp\{6488b1f5-c966-544b-b5f3-3494a468a0e6}\MouFiltr_Evi.inf

    Filesize

    68KB

    MD5

    57d901a3384015d5982ef6eead53cf83

    SHA1

    7e74ff150a0d5b8f664592b016b9f9ef272ff46e

    SHA256

    6e5820a365c85679ce4e88744730567227996668f72ddab2cf2ded14bccc0363

    SHA512

    c5455e85da250d01a3179c044b8fbabda96f5c5d84ef274b073de16fdd9668f99ad3cef85ab32d1a3a8a072d08a27474ba2f42bdb4ada6a8b63519f1c9e8cd7b

  • C:\Users\Admin\AppData\Local\Temp\{92F28~1\KbFiltr_Evi.cat

    Filesize

    133KB

    MD5

    d7b37f9f4301597ac6f9b3dde63a8f03

    SHA1

    c8d023422d36f1bf34b24b4cf31199d950c16eb9

    SHA256

    d07c9e54b6e28f6f2937a52810b852a13150a1ab1cc75c7ed14c43229377fd1a

    SHA512

    f62db02d4b893caf6b0d03448416041534b661f9cb124d01a55aeb6742a9351048af8cd810600a3e7b16b021fa21fd0c84961d2a46c4a68a4c7bfe3627e8286f

  • C:\Users\Admin\AppData\Local\Temp\{92f28fc6-b67f-8441-a264-98adcaee3407}\KbFiltr_Evi.inf

    Filesize

    75KB

    MD5

    caf1b865266d946acba513f84f375ff3

    SHA1

    a4d59bb9f8983c722c98e80b66f8fed1eb38f4fe

    SHA256

    689e0cc0da0584cfd2b3634fc94ad5bca2c1db8f5b951a497e9a26566528c274

    SHA512

    29849776240421dc5895c044dcf1ff00dc6efaa5b8a7faef1ebf3cd963dbf9bd7037ba820cd639a86dffb3b56166f0e07362622b0e6d0b7a9615b6500a339db3

  • C:\Windows\System32\CatRoot2\dberr.txt

    Filesize

    19KB

    MD5

    01ef0c5864789adae3663ec5d72f7dc3

    SHA1

    f8f9723d476e46148813c5ce649aa48a198ba95a

    SHA256

    94929d9b53c21fb78b7603b1f80aa18b6356826f8440ef907fa2378c91d9688c

    SHA512

    469ce581bd1d7ab38eef6fae689a4155d5f94b1251b4521ae0efad839c99d48a0105aaf1d20bee587e46817f48b9f9fc7555924e70b38dd9042699956dc59021

  • C:\Windows\System32\CatRoot2\dberr.txt

    Filesize

    19KB

    MD5

    220cd067a2d83d641a12a7ca922016ef

    SHA1

    0be4780bf64fc37ab6b4e881f0422033b585906b

    SHA256

    fbc39e05d4d1fab2d5c059a0d97f57d8bb9d7d6eda43512274c955360cabd7e2

    SHA512

    67a410ebe53820ecb3abcdb5c42ad59e933a31973fb7e08d8cc1e3b3f118152f70702e33973aa264325b06aade46b6fcb7d001ba773aeed29045140b01b71fe1

  • C:\Windows\System32\CatRoot2\dberr.txt

    Filesize

    19KB

    MD5

    be7cb990deb7f9958e26fa936df0dd2b

    SHA1

    790d77738acfbc6dc914b5bca27ebcfcb217ed0f

    SHA256

    c2acc9044867d9dc334847c8bb04b32998dfebc80461014ca96a212b6ed56d8f

    SHA512

    3c4da553849da45d6e763753bbad8e8d34c9bd6b1a883c088b5256f5c173976eb1b608b80408bdb62659bc28fafb7f2ad5f6040e49b5d455b72fdfba12518e24

  • C:\Windows\System32\CatRoot2\dberr.txt

    Filesize

    19KB

    MD5

    7c76b94eaaf122e575f240df0e747259

    SHA1

    5cdd6cd38326a331418d114db7b5fd0a6f32ae3c

    SHA256

    dc61b90cf68162e425610e5314408542ad2cda17f1a10373f19984b4adf9d7a1

    SHA512

    b452a349e018488c1ef5d5158128bf6f956b033862a4ec1db2e7242832691b5fd22e4069b39635a7d0265f10f1f19bf01b3dccb18fdee8d25fba25560530f5fd

  • C:\Windows\System32\DriverStore\Temp\{323df97b-08e9-574d-9b5d-f105a40b86ff}\SET7F34.tmp

    Filesize

    29KB

    MD5

    6c1fdd35b9f18313b67bf192353d914f

    SHA1

    3fe8995fca334473c867bb597eac5d6151ef1bdd

    SHA256

    f47d72ee968dae3ca2783fc2980f78bde3594cd4b95e1d6790668e40560d251c

    SHA512

    5c27c597783d84faaf77c7e44e41891df8039fb27e0a42be36c62d5d8f5190d9e289151a8304b5d739e9c0dd7d66358495c38a4787249f8b385b791c822865ec

  • C:\Windows\System32\catroot2\dberr.txt

    Filesize

    19KB

    MD5

    1ce90b725c5812e182d3aa7618a138f2

    SHA1

    0e8c01d8c4e803c6fd7e579d299a54025ed333d7

    SHA256

    e643543746402ec22bf3a3389ab61dd7e9f6caddb965a7674508fcddc5f8d111

    SHA512

    1c224b0d366e988bcc6baa3dfecd2f611457819a20588b32b0a346275435aab2774fa330c21f6a5c8fee7b1c8fae2792db39d56c6ea5aed87dbffb9ec6f6ee55
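The process tree shows three driver packages (HidFiltr_Evi.inf, MouFiltr_Evi.inf, KbFiltr_Evi.inf) being pushed through DIFxCmd.exe into the DeviceInstall service and DrvInst.exe, and the Downloads list gives hashes for the staged .sys files and for a 29KB binary copied into the DriverStore. The following PowerShell is an added host-side check for those artifacts; it is not part of the report, the sample, or any vendor tooling. The INF names and SHA256 values are copied from the report; the function names, search roots and file-name pattern are assumptions of this example. It needs an elevated shell because Get-WindowsDriver -Online queries the driver store.

```powershell
# Added triage example (not from the sandbox report or the sample). Hunts an endpoint
# for the driver packages this report shows being installed, by INF name, by SHA256
# and by kernel-service registration, and reports the Authenticode status of any hit.
#Requires -RunAsAdministrator

# SHA256 values copied from the report's Downloads section. The report does not say
# which of the three drivers the DriverStore SET7F34.tmp copy is, and lists no hash
# for KbFiltr_Evi.sys, so name matching below complements hash matching.
$KnownHashes = @{
    '5d7627ffde70ba97437fd413b3c0be8fe5e46eab944c376245be0664ef4e83e8' = 'HidFiltr_Evi.sys (staged copy)'
    '9859bbe498b969a0602b64d2eeee300f645713fc3dc5c1ca75954ed6b315a61d' = 'MouFiltr_Evi.sys (staged copy)'
    'f47d72ee968dae3ca2783fc2980f78bde3594cd4b95e1d6790668e40560d251c' = 'DriverStore SET7F34.tmp (29KB driver binary)'
}
$KnownInfs = @('HidFiltr_Evi.inf', 'MouFiltr_Evi.inf', 'KbFiltr_Evi.inf')

function Find-InstalledPackages {
    # Third-party packages in the driver store whose original INF file name matches the report.
    Get-WindowsDriver -Online |
        Where-Object { $KnownInfs -contains (Split-Path -Leaf $_.OriginalFileName) } |
        Select-Object Driver, OriginalFileName, ProviderName, ClassName, Date, Version
}

function Find-KnownBinaries {
    # Search roots are an assumption: where installed drivers and driver-store copies live.
    param([string[]]$Roots = @("$env:SystemRoot\System32\drivers",
                               "$env:SystemRoot\System32\DriverStore\FileRepository"))
    Get-ChildItem -Path $Roots -Recurse -Filter *.sys -ErrorAction SilentlyContinue | ForEach-Object {
        $h      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
        $byHash = $KnownHashes[$h]
        $byName = $_.Name -match '^(Hid|Mou|Kb)Filtr_Evi\.sys$'   # pattern assumed from the INF names
        if ($byHash -or $byName) {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SHA256    = $h
                Match     = $(if ($byHash) { $byHash } else { 'name only' })
                SigStatus = $sig.Status             # Valid, NotSigned, HashMismatch, ...
                Signer    = $sig.SignerCertificate.Subject
            }
        }
    }
}

function Get-RegisteredFilterDrivers {
    # Kernel drivers are registered as services; look for the three names from the INF files.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.Name -match 'Filtr_Evi' -or $_.PathName -match 'Filtr_Evi' } |
        Select-Object Name, State, StartMode, PathName
}

Find-InstalledPackages      | Format-Table -AutoSize
Find-KnownBinaries          | Format-Table -AutoSize
Get-RegisteredFilterDrivers | Format-Table -AutoSize
```

A hit on name but not on hash means a rebuilt binary with the same package name, which is why both checks are run. A SigStatus other than Valid on a loaded kernel driver is the finding to escalate: the report shows .cat files being staged alongside each .sys, but it does not show who signed them, and that is the question a signed-driver install ultimately turns on.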
