Analysis
- max time kernel: 61s
- max time network: 66s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29/05/2024, 13:14
Static task: static1
Behavioral task: behavioral1
- Sample: drvupdate-amd64.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: drvupdate-amd64.exe
- Resource: win10v2004-20240226-en
General
- Target: drvupdate-amd64.exe
- Size: 12.5MB
- MD5: d412865db372ff51f4237c496025639b
- SHA1: 9cd5409d3ecf569b61beac788215ff3711c0f6fc
- SHA256: af48efac2b7d97cc0b70559a0a2be8cfeae961306ed16f0c91706a3bef6d61fc
- SHA512: 661532765f49d56ff41119217b29719837f9773c396ba6d9efa95d21dcfabd3d7c89c2e688b7da9b9a984d760bc505d980be3ba2ad14b1359423a891c34508b1
- SSDEEP: 393216:aqFZIAAa93h999999lvnMv+HmtFgWWgaxraJT4a:aPAN93h999999lMvmKgWKuTV
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid 1888 driver_setup.exe
  pid 1412 Process not Found
- Loads dropped DLL (2 IoCs)
  pid 2240 drvupdate-amd64.exe
  pid 2660 MsiExec.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" by drvupdate-amd64.exe
  Note: a RunOnce value named wextract_cleanup0 that calls advpack.dll,DelNodeRunDLL32 on an IXP000.TMP directory is the standard cleanup entry written by the Windows self-extractor (wextract, as built by IExpress) so the extraction directory is deleted at the next logon. It is a packaging artifact, not persistence of the payload, so the signature name overstates what was observed here.
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) for each of \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (every drive letter except C:, D: and F:)
  by driver_setup.exe (23 IoCs) and by msiexec.exe (23 IoCs)
- Drops file in Windows directory (4 IoCs)
  File opened for modification C:\Windows\INF\setupapi.ev3 by DrvInst.exe
  File opened for modification C:\Windows\INF\setupapi.ev1 by DrvInst.exe
  File opened for modification C:\Windows\INF\setupapi.dev.log by DrvInst.exe
  File created C:\Windows\Installer\f76f21c.msi by msiexec.exe
- Modifies data under HKEY_USERS (43 IoCs)
  All 43 by DrvInst.exe, all under \REGISTRY\USER\.DEFAULT:
  Key created Software\Microsoft\SystemCertificates\{CA, Disallowed, Root, SmartCardRoot, trust, TrustedPeople}, each with its Certificates, CRLs and CTLs subkeys (24 keys), plus Software\Microsoft\SystemCertificates\My (1 key)
  Key created Software\Policies\Microsoft\SystemCertificates\{CA, Disallowed, trust, TrustedPeople}, each with its Certificates, CRLs and CTLs subkeys (16 keys)
  Key created Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (1 key)
  Set value (data) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (UTF-16LE multi-string "en-US", "en") (1 value)
  Note: these are the empty certificate-store container keys CryptoAPI creates the first time the user stores are opened for an account; the hive is .DEFAULT because DrvInst.exe runs as SYSTEM. Only "Key created" events appear, with no certificate, CRL or CTL values written, so the trace shows store initialisation during signature checking of a device install, not a change to the machine's trust configuration.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2828 msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 2828 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege (3 adjustments)
  pid 1888 driver_setup.exe: 61 adjustments, with repeats, over this set of 29 distinct privileges: SeAssignPrimaryTokenPrivilege, SeAuditPrivilege, SeBackupPrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeCreateTokenPrivilege, SeDebugPrivilege, SeEnableDelegationPrivilege, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, SeLoadDriverPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRemoteShutdownPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeShutdownPrivilege, SeSyncAgentPrivilege, SeSystemEnvironmentPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeTakeOwnershipPrivilege, SeTcbPrivilege, SeUndockPrivilege
  Note: AdjustTokenPrivileges can only enable privileges that are already present in the process token, so this list records what driver_setup.exe asked for (effectively every privilege, including SeLoadDriverPrivilege and SeDebugPrivilege), not what it actually obtained; which of them succeeded depends on the token the sandbox launched it with.
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1888 driver_setup.exe (2 calls)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2240 drvupdate-amd64.exe wrote to memory of 1888 (driver_setup.exe): 3 writes, procid_target 28
  PID 2828 msiexec.exe wrote to memory of 2660 (MsiExec.exe): 5 writes, procid_target 30
  Note: in both cases the writer is the parent and the target is the child it has just created (see the process tree). A handful of writes from a parent into a freshly created child is the normal footprint of process creation and does not on its own indicate injection; the signature would matter if the target were a process outside that parent/child relation.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
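The signature tables above arrive as single flattened rows, which makes the 46 drive-enumeration entries, the 64 token adjustments and the 8 memory writes hard to reason about. The following is an added triage helper, not part of the sandbox output or of the analysed sample: it parses rows in exactly the shapes shown in this report into per-process drive sets, distinct requested privileges per PID, and writer-to-target edges, and then applies the two checks a practitioner wants here: which PIDs asked for sensitive privileges, and which WriteProcessMemory targets are not the writer's own child. The regexes and the watch list are this example's assumptions; the embedded sample rows are short excerpts copied from the report.

```python
"""Triage helper for flattened Tria.ge-style signature rows.

Added example for this report, not part of the sandbox output or of the
analysed sample. The regexes assume the exact row shapes shown in the
Signatures section (drive enumeration, AdjustPrivilegeToken,
WriteProcessMemory); the sample strings are short excerpts of those rows.
"""
import re
from collections import defaultdict

# Constructed input: excerpts copied from the report's flattened IoC rows.
DRIVE_ROWS = (
    "File opened (read-only) \\??\\H: driver_setup.exe "
    "File opened (read-only) \\??\\K: driver_setup.exe "
    "File opened (read-only) \\??\\R: msiexec.exe "
    "File opened (read-only) \\??\\M: driver_setup.exe "
    "File opened (read-only) \\??\\G: msiexec.exe"
)
PRIV_ROWS = (
    "Token: SeRestorePrivilege 2828 msiexec.exe "
    "Token: SeTakeOwnershipPrivilege 2828 msiexec.exe "
    "Token: SeSecurityPrivilege 2828 msiexec.exe "
    "Token: SeCreateTokenPrivilege 1888 driver_setup.exe "
    "Token: SeLoadDriverPrivilege 1888 driver_setup.exe "
    "Token: SeDebugPrivilege 1888 driver_setup.exe "
    "Token: SeCreateTokenPrivilege 1888 driver_setup.exe"
)
WPM_ROWS = (
    "PID 2240 wrote to memory of 1888 2240 drvupdate-amd64.exe 28 "
    "PID 2240 wrote to memory of 1888 2240 drvupdate-amd64.exe 28 "
    "PID 2828 wrote to memory of 2660 2828 msiexec.exe 30"
)

# One match per row. The trailing number on WriteProcessMemory rows is the
# report's procid_target column; it is captured but not interpreted here.
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
PRIV_RE = re.compile(r"Token: (Se\w+) (\d+) (\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")

# Assumed watch list: privileges worth a second look when an installer asks.
WATCH = frozenset({"SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege"})


def drives_by_process(rows):
    """Process image -> sorted drive letters it opened read-only."""
    seen = defaultdict(set)
    for letter, image in DRIVE_RE.findall(rows):
        seen[image].add(letter)
    return {image: sorted(letters) for image, letters in seen.items()}


def privileges_by_pid(rows):
    """(pid, image) -> (sorted distinct privileges, total adjustment count).

    AdjustTokenPrivileges only enables privileges already present in the
    token, so this records what was requested, not what was obtained.
    """
    distinct, total = defaultdict(set), defaultdict(int)
    for priv, pid, image in PRIV_RE.findall(rows):
        key = (int(pid), image)
        distinct[key].add(priv)
        total[key] += 1
    return {k: (sorted(distinct[k]), total[k]) for k in distinct}


def write_edges(rows):
    """(writer pid, writer image) -> {target pid: number of writes}."""
    edges = defaultdict(lambda: defaultdict(int))
    for src, dst, image, _procid_target in WPM_RE.findall(rows):
        edges[(int(src), image)][int(dst)] += 1
    return {k: dict(v) for k, v in edges.items()}


def pids_requesting(priv_map, watch=WATCH):
    """Sorted pids whose requested privileges intersect the watch list."""
    return sorted(pid for (pid, _), (privs, _) in priv_map.items()
                  if watch & set(privs))


def non_child_writes(edges, parent_of):
    """Writes whose target is not a direct child of the writer.

    A parent writing into a child it just spawned is the normal footprint
    of process creation; only the remaining edges deserve attention.
    parent_of maps child pid -> parent pid, taken from the process tree.
    """
    suspicious = {}
    for (src, image), targets in edges.items():
        odd = {dst: n for dst, n in targets.items() if parent_of.get(dst) != src}
        if odd:
            suspicious[(src, image)] = odd
    return suspicious


if __name__ == "__main__":
    print(drives_by_process(DRIVE_ROWS))
    privs = privileges_by_pid(PRIV_ROWS)
    print(privs, pids_requesting(privs))
    edges = write_edges(WPM_ROWS)
    # Parent/child relation read off this report's process tree.
    print(edges, non_child_writes(edges, {1888: 2240, 2660: 2828}))
```

Run against the full rows from the report, drives_by_process should return the same 23 letters for both images and privileges_by_pid should return 29 distinct privileges with a count of 61 for PID 1888; with the tree from the Processes section, non_child_writes returns nothing, which is the point of the WriteProcessMemory caveat above.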
Processes
- C:\Users\Admin\AppData\Local\Temp\drvupdate-amd64.exe (PID 2240)
  command line: "C:\Users\Admin\AppData\Local\Temp\drvupdate-amd64.exe"
  signatures: Loads dropped DLL; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\driver_setup.exe (PID 1888)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\driver_setup.exe /i drvupdate-amd64.msi
    signatures: Executes dropped EXE; Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2828)
  command line: C:\Windows\system32\msiexec.exe /V
  signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\MsiExec.exe (PID 2660)
    command line: C:\Windows\system32\MsiExec.exe -Embedding 312449CF1CFCB2A82E59D0057653B622 C
    signatures: Loads dropped DLL
- C:\Windows\system32\vssvc.exe (PID 2656)
  command line: C:\Windows\system32\vssvc.exe
- C:\Windows\system32\DrvInst.exe (PID 2848)
  command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004AC" "00000000000003B8"
  signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- C:\Windows\explorer.exe (PID 1620)
  command line: "C:\Windows\explorer.exe"

Reading the tree: the IXP000.TMP extraction directory and the wextract_cleanup0 RunOnce value identify drvupdate-amd64.exe as a wextract (IExpress) self-extracting package. It unpacks driver_setup.exe and drvupdate-amd64.msi and runs the former with an msiexec-style /i switch; the install then goes through the Windows Installer service process (msiexec.exe /V) and its custom-action host (MsiExec.exe -Embedding ...), which is the process that loads the dropped DLL. vssvc.exe and the DrvInst.exe invocation correspond to a VSS snapshot taken during the install and the Plug and Play installation of the resulting snapshot volume (device instance STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19), so DrvInst.exe here does not by itself show a driver from the package being installed. The identity of the dropped DLL and the actions of the MSI are not shown in this report.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 13.4MB
  MD5: f56b5dece86a36b21080ed1ad1f4ce61
  SHA1: d767e43144125c32e8c1eb52010d0ceb8a839331
  SHA256: adad5d14465e698d99b4468a1bb407544edc021b39a492c9c46f404289d1f03f
  SHA512: 76a06a4d9a564370501a41729f74fd4cad10a9db1990a41c0718b31dda2b2eb52abbe78a79fc0dade84b4d124e67a67132f89e5642b5fc6f3dbb0db9f6cd1a6e
- Filesize: 31KB
  MD5: ce13966ea37e92259fff5e8527df24fc
  SHA1: 8f0e7f47ab6ffdf024392e20116a8ce638c80ef1
  SHA256: 70eab588fc2b8243114f392506a1ad34035b40948662709bd6d8310f68c1d06e
  SHA512: b76a1e0e6a1484e1b0cbd5d0865e4df8cbc7c4c5b9913cf99f7f7a3164019585adbf187b711e0444db89331cc12fdc860a78e1025be9c287aebc34693fd26860
- Filesize: 59KB
  MD5: 1c9d8e8844535cd66165c26adcba2ca8
  SHA1: 79da07790f43325721f8c2ffa78b08693375c27b
  SHA256: 1e38c335d528fb87cfbb3b0aa5368a900a43d150b13b8bb6a20f5e95a65a2559
  SHA512: 589fb879b3467427c53b564abe074f0b404043002718b5c6959b0a8388a7153b432a3a24c14f0455e6bb53113409869ba9ab165739a20f68d85fab1a166d4ced