6c35e5fb73c34864a3bab36e17e10f448e3700d5e28085f410c41ebf2b9d18e6

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
05/06/2024, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RTK_NIC_DRIVER_INSTALLER.sfx.exe
Size

783KB
MD5

c866190749fd84d8cdbf6f57b26c35bc
SHA1

967d93fc22ea7581e48862e1fa38d63a504e8c25
SHA256

6c35e5fb73c34864a3bab36e17e10f448e3700d5e28085f410c41ebf2b9d18e6
SHA512

0675594b8fb34778f06d693c72186afc6a570694af13d4a3de35aa11efbf224428e8455179385bc39dbe8942f14d42135101e0af448bc526dee451aac207af16
SSDEEP

24576:/2yQPUjJdz3j9ZrmTvU23z2Jjjght7cuWOoC:/ptNNj9ZrmTvR2JXgrouoC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2472	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
992	RTK_NIC_DRIVER_INSTALLER.sfx.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rtux64w7.inf_amd64_neutral_6e2cd82b29bcec94\rtux64w7.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5b963fc4-3432-6270-3fc2-a871ba55b020}\SET229F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5b963fc4-3432-6270-3fc2-a871ba55b020}\rtux64w7.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5b963fc4-3432-6270-3fc2-a871ba55b020}\SET229F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5b963fc4-3432-6270-3fc2-a871ba55b020}\SET229E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5b963fc4-3432-6270-3fc2-a871ba55b020}\rtux64w7.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5b963fc4-3432-6270-3fc2-a871ba55b020}\SET22A0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5b963fc4-3432-6270-3fc2-a871ba55b020}\rtux64w7.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5b963fc4-3432-6270-3fc2-a871ba55b020}\RtNicProp64.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5b963fc4-3432-6270-3fc2-a871ba55b020}	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	setup.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5b963fc4-3432-6270-3fc2-a871ba55b020}\SET229E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5b963fc4-3432-6270-3fc2-a871ba55b020}\SET22A0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rtux64w7.inf_amd64_neutral_6e2cd82b29bcec94\rtux64w7.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5b963fc4-3432-6270-3fc2-a871ba55b020}\SET22B0.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5b963fc4-3432-6270-3fc2-a871ba55b020}\SET22B0.tmp	DrvInst.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\INF\oem1.PNF	setup.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	setup.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File created	C:\Windows\INF\oem0.PNF	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeRestorePrivilege	2472	setup.exe
Token: SeRestorePrivilege	2472	setup.exe
Token: SeRestorePrivilege	2472	setup.exe
Token: SeRestorePrivilege	2472	setup.exe
Token: SeRestorePrivilege	2472	setup.exe
Token: SeRestorePrivilege	2472	setup.exe
Token: SeRestorePrivilege	2472	setup.exe
Token: SeRestorePrivilege	2472	setup.exe
Token: SeRestorePrivilege	2472	setup.exe
Token: SeRestorePrivilege	2472	setup.exe
Token: SeRestorePrivilege	2472	setup.exe
Token: SeRestorePrivilege	2472	setup.exe
Token: SeRestorePrivilege	2472	setup.exe
Token: SeRestorePrivilege	2472	setup.exe
Token: SeRestorePrivilege	2732	DrvInst.exe
Token: SeRestorePrivilege	2732	DrvInst.exe
Token: SeRestorePrivilege	2732	DrvInst.exe
Token: SeRestorePrivilege	2732	DrvInst.exe
Token: SeRestorePrivilege	2732	DrvInst.exe
Token: SeRestorePrivilege	2732	DrvInst.exe
Token: SeRestorePrivilege	2732	DrvInst.exe
Token: SeRestorePrivilege	2732	DrvInst.exe
Token: SeRestorePrivilege	2732	DrvInst.exe
Token: SeRestorePrivilege	2732	DrvInst.exe
Token: SeRestorePrivilege	2732	DrvInst.exe
Token: SeRestorePrivilege	2732	DrvInst.exe
Token: SeRestorePrivilege	2732	DrvInst.exe
Token: SeRestorePrivilege	2732	DrvInst.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 2472	992	RTK_NIC_DRIVER_INSTALLER.sfx.exe	28
PID 992 wrote to memory of 2472	992	RTK_NIC_DRIVER_INSTALLER.sfx.exe	28
PID 992 wrote to memory of 2472	992	RTK_NIC_DRIVER_INSTALLER.sfx.exe	28
PID 992 wrote to memory of 2472	992	RTK_NIC_DRIVER_INSTALLER.sfx.exe	28
PID 992 wrote to memory of 2472	992	RTK_NIC_DRIVER_INSTALLER.sfx.exe	28
PID 992 wrote to memory of 2472	992	RTK_NIC_DRIVER_INSTALLER.sfx.exe	28
PID 992 wrote to memory of 2472	992	RTK_NIC_DRIVER_INSTALLER.sfx.exe	28

C:\Users\Admin\AppData\Local\Temp\RTK_NIC_DRIVER_INSTALLER.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\RTK_NIC_DRIVER_INSTALLER.sfx.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:992
- C:\Users\Admin\AppData\Local\Temp\RTK_NIC_DRIVER_INSTALLER\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RTK_NIC_DRIVER_INSTALLER\setup.exe" -s
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2472

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3c36a0a1-4a88-67e4-6a77-034b4d3a1d53}\rtux64w7.inf" "9" "60e7c9033" "0000000000000328" "WinSta0\Default" "0000000000000390" "208" "C:\Users\Admin\AppData\Local\Temp\RTK_NIC_DRIVER_INSTALLER\WIN7\64"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RTK_NIC_DRIVER_INSTALLER\WIN7\64\rtux64w7.cat

Filesize
14KB

MD5
7c902305a7dc483ba14eaa798c30a024

SHA1
ce8de2a1b3c9d97e0091a85186261d343d82d34e

SHA256
070a06818121c3ac368440c82b862933abd74f03ded744a103d7176d032045ec

SHA512
3fd0ed04c18fe5ea01c01a71773c6e502b98b065d4fff3e220c76108a01b758cf0b893728c6d4c21f3449112ec1626245c90085e6705b7b9f02ddad950d0c208

Download Submit
C:\Users\Admin\AppData\Local\Temp\RTK_NIC_DRIVER_INSTALLER\WIN7\64\rtux64w7.inf

Filesize
405KB

MD5
97116412ffacfa50a558c6b261983e81

SHA1
10624a36c0fd8e90cc5a29f49bf6c605754f618b

SHA256
2b96352bd371b44bfa66370c15f82de6189d3d8e5aa8473c59bff55247316d42

SHA512
ea7a5ea0fcb287c7cedc85cf6c896239f1fe878ba48079425707550c9746978d383242cea17ddb32e69932c37a6a1c635e09ab58bb4201b9ec63d79e4f22d0f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RTK_NI~1\WIN7\64\RtNicProp64.dll

Filesize
82KB

MD5
cec28b7668bf68e1a8be2866aeb127e8

SHA1
336f0c9aca114d7314af3169bf69b26b0a20fcf7

SHA256
bad224588f27041d9bc190d5a93f9b5e602d1827b9dd01654a1865baa67a77a8

SHA512
bd3cbd7c6fd8e4e15e0965cf6b482cec434b10bf88d2c41ad624218ed973e34a8c333f57b8e4b91eedf73f4fbb958451d8bb76d580d76cdf8cdf0b85e850e4b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RTK_NI~1\WIN7\64\rtux64w7.sys

Filesize
334KB

MD5
975a07d98483261e7f00db23e066b5c8

SHA1
141396075b0bb32e91aa1d3beabf1477fae49bc2

SHA256
6d36840db3c0225711d9643b1ca31c3dcc7ee4abdf67b60d2f84d8208b188304

SHA512
5053e6a688b02b1ff4160db090d7a4e971c980b9ac5e02eab97f016793b15d88d7d67e7095385391c4ae011e314ae5bbfcd4fbd582e6c424a22a3e64362df648

Download Submit
\Users\Admin\AppData\Local\Temp\RTK_NIC_DRIVER_INSTALLER\Setup.exe

Filesize
102KB

MD5
094eee1e385e5482b694713e8e08e462

SHA1
293fc250db0edcd0f663042041e4dda124b7ace0

SHA256
ed54b2c849f36561a529a4db71e5a1877d766162d472aeb714fd1b1d569adc1d

SHA512
86870a7b1ac88fe9a7a9fb068934f96dd5ef4f933dd0aeeff5583e2ea04f6c3e31d63b27cd5a78ea02bd3052a092dd02271f126c8f2a0114b0a94c7ce13b18e5

Download Submit