02d3b89a95b85e771778e723adf7d9bba0509047d00f43fc2e9f26188c88a16a

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UnBan Guide/step 6/Cleaner.bat
Size

6KB
MD5

86ba1c1072f4aa443fff2127ef7673be
SHA1

85faeff420ac5d2e98167801ffd2615a620f3b3b
SHA256

c84c9d99dfa2c138c91a70601ffb7dd31c8274f8f6099fbcb7468d72b0af77a7
SHA512

a43de29d3020fa3a601031a7ec3ba438725bb55f2b3170adab7599d5b609358df8f04a0c75ac0dc1a6079c6ce694428e8c41f29db6fe3efd22e48075d2e4c8c6
SSDEEP

96:TBXULDHRRpTd2ZVEERnRlJRhceRCJEykGwkaRMRbmzR51+BRIARS1XMrI:TBkHHjHmVtNNJYJEyZwlyVmzkBjUN

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{57a6bfa0-342e-71e8-9384-d5124bbf542f}\SET22CC.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{57a6bfa0-342e-71e8-9384-d5124bbf542f}\SET22CC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{57a6bfa0-342e-71e8-9384-d5124bbf542f}\SET22CD.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{57a6bfa0-342e-71e8-9384-d5124bbf542f}\SET22CD.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{57a6bfa0-342e-71e8-9384-d5124bbf542f}\segwindrv.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{57a6bfa0-342e-71e8-9384-d5124bbf542f}\segwindrvx64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{57a6bfa0-342e-71e8-9384-d5124bbf542f}\SET22DE.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{57a6bfa0-342e-71e8-9384-d5124bbf542f}\SET22DE.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{57a6bfa0-342e-71e8-9384-d5124bbf542f}\segwindrv.inf	DrvInst.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	H2OSDE-Wx64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	H2OSDE-Wx64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1144	rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeSystemEnvironmentPrivilege	2096	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2096	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2096	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2096	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2096	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2096	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2096	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2096	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2096	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2096	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2096	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2096	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2096	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2096	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	2096	H2OSDE-Wx64.exe
Token: SeRestorePrivilege	1660	DrvInst.exe
Token: SeRestorePrivilege	1660	DrvInst.exe
Token: SeRestorePrivilege	1660	DrvInst.exe
Token: SeRestorePrivilege	1660	DrvInst.exe
Token: SeRestorePrivilege	1660	DrvInst.exe
Token: SeRestorePrivilege	1660	DrvInst.exe
Token: SeRestorePrivilege	1660	DrvInst.exe
Token: SeRestorePrivilege	1660	DrvInst.exe
Token: SeRestorePrivilege	1660	DrvInst.exe
Token: SeRestorePrivilege	1660	DrvInst.exe
Token: SeRestorePrivilege	1660	DrvInst.exe
Token: SeRestorePrivilege	1660	DrvInst.exe
Token: SeRestorePrivilege	1660	DrvInst.exe
Token: SeRestorePrivilege	1660	DrvInst.exe
Token: SeRestorePrivilege	1144	rundll32.exe
Token: SeRestorePrivilege	1144	rundll32.exe
Token: SeRestorePrivilege	1144	rundll32.exe
Token: SeRestorePrivilege	1144	rundll32.exe
Token: SeRestorePrivilege	1144	rundll32.exe
Token: SeRestorePrivilege	1144	rundll32.exe
Token: SeRestorePrivilege	1144	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2964	1980	cmd.exe	29
PID 1980 wrote to memory of 2964	1980	cmd.exe	29
PID 1980 wrote to memory of 2964	1980	cmd.exe	29
PID 1980 wrote to memory of 2944	1980	cmd.exe	30
PID 1980 wrote to memory of 2944	1980	cmd.exe	30
PID 1980 wrote to memory of 2944	1980	cmd.exe	30
PID 1980 wrote to memory of 2096	1980	cmd.exe	31
PID 1980 wrote to memory of 2096	1980	cmd.exe	31
PID 1980 wrote to memory of 2096	1980	cmd.exe	31
PID 1980 wrote to memory of 2952	1980	cmd.exe	32
PID 1980 wrote to memory of 2952	1980	cmd.exe	32
PID 1980 wrote to memory of 2952	1980	cmd.exe	32
PID 1660 wrote to memory of 1144	1660	DrvInst.exe	34
PID 1660 wrote to memory of 1144	1660	DrvInst.exe	34
PID 1660 wrote to memory of 1144	1660	DrvInst.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\Cleaner.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\AMIDEWINx64.EXE
  AMIDEWINx64.exe /SU
  2⤵
  PID:2964
- C:\Windows\system32\find.exe
  find /i "Error"
  2⤵
  PID:2944
- C:\Users\Admin\AppData\Local\Temp\UnBan Guide\step 6\H2OSDE-Wx64.exe
  H2OSDE-Wx64.exe -SU 28149
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\system32\find.exe
  find /i "readonly"
  2⤵
  PID:2952

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6416c39c-1db4-6df9-270c-66531824af28}\segwindrv.inf" "9" "69f798bf3" "00000000000003EC" "WinSta0\Default" "000000000000059C" "208" "c:\users\admin\appdata\local\temp\unban guide\step 6"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{65c11b3d-ed80-69ac-8b99-84117754ac7d} Global\{3edc9b07-548e-5c46-698d-b169fb33ad44} C:\Windows\System32\DriverStore\Temp\{57a6bfa0-342e-71e8-9384-d5124bbf542f}\segwindrv.inf C:\Windows\System32\DriverStore\Temp\{57a6bfa0-342e-71e8-9384-d5124bbf542f}\segwindrv.cat
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1144

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab21D5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar21E7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6416C~1\segwindrvx64.sys

Filesize
103KB

MD5
e46dfe45c1714f4920d3fd2546f2f630

SHA1
28cdb0b48c1d88d71421ec9e40ce52836ab79956

SHA256
b44f4384f95cc9d3f86f0c27fc0abba9a291a7cc24483f41e70c1234bc61edc6

SHA512
97480d19e22ebef836e61f33d5540c41a08a9edc71af97a59fef71b3d60abd9ab78b32896ee0812cae1780da08f875e3cb32c048edf4fcae523fa04e23d2246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6416c39c-1db4-6df9-270c-66531824af28}\segwindrv.cat

Filesize
10KB

MD5
43d3603cf918445cbd1d7253b49bf527

SHA1
fabfaee55f2c4e6ca508d735b297bdb738ab1c7d

SHA256
e830efe7786b0fb9dd84eb647614fa1795ec5caa605d44d9a13f0fdbd0f4d6b5

SHA512
183b8498e4c86966050be324a027fc0a7f8179bb77d032ec97cf64ab91dac72c8e7fcdda36c733c2815973b72c91cee19d3263376a7e3b955c616f548690186e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6416c39c-1db4-6df9-270c-66531824af28}\segwindrv.inf

Filesize
4KB

MD5
843fb7475608ce359da7cbd48fa3ab1d

SHA1
ae16643aa1756b34391e4c615958343ecb17b153

SHA256
e1449864c7403b9cd3d828c6fc9710fe1fbb3f35c7b6522a5dcbcf97685f40d7

SHA512
9db610ebff1ab1e24147abadf10f978eab95358f2b0806d17fb8df6e53723b0523dd26d0207430d029f5b6826a02c3a5d73ff01d8f6e28d53e82c230075f2b34

Download Submit
C:\Windows\Temp\Cab22EE.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar2300.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit