351b5948fc7f05d1d6ecf2c46ccc82ad540859d9130be307e6bf22b41da1a766

Analysis

max time kernel
143s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows-outbyte-driver-updater.exe
Size

21.4MB
MD5

bfbb46c049e5d57500c3f5cdb1ba7f45
SHA1

c58483fb9fe53e411c03be9d2d7b73bbe48793e4
SHA256

351b5948fc7f05d1d6ecf2c46ccc82ad540859d9130be307e6bf22b41da1a766
SHA512

b38198bb6a0b608c9d743bd481aa30fb7ab5df7f6d505002ae218cac716db4d673f3de37809f3fa2ee6d5c175ce72540edbbb6d2d6c25f81b1b69e280e3a2882
SSDEEP

393216:xsT6+lrfqHjdxzVBVrij/jWMBncv83coV8GA8dvQa6dYN2yxOpgL+/zxazZ:xs++yxpajjaUZVb/d4a6dYN2yn+N2

Score

7^/10

discovery

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Installer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Windows-outbyte-driver-updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Installer.exe

Executes dropped EXE 1 IoCs

pid	Process
4796	Installer.exe

Loads dropped DLL 22 IoCs

pid	Process
3112	Windows-outbyte-driver-updater.exe
3112	Windows-outbyte-driver-updater.exe
3112	Windows-outbyte-driver-updater.exe
3112	Windows-outbyte-driver-updater.exe
4796	Installer.exe
4796	Installer.exe
4796	Installer.exe
4796	Installer.exe
4796	Installer.exe
4796	Installer.exe
4796	Installer.exe
4796	Installer.exe
4796	Installer.exe
4796	Installer.exe
4796	Installer.exe
4796	Installer.exe
4796	Installer.exe
4796	Installer.exe
4796	Installer.exe
4796	Installer.exe
4796	Installer.exe
4796	Installer.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows-outbyte-driver-updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{015267BB-C2E8-FA83-6D54-DA30274DB9C4}\Version\Assembly = 360dfefb6609f66dea9cff0506707202360dfefb6609f66dea9cff050670720288ad8cbb5ed3f66b83a8a2cdf194269c890bb34aebd806e41a50d3bd9c0b4765219909f09e75dec0927ff4e8152284cd219909f09e75dec0927ff4e8152284cd59b5414605bae21e9735786eb516d3f8de1283c2aff9bf99d33ed2740c86bbd2f8157495fe950fa4a01046bb55f00dad0f20aa1b1adfe602954529934d03147d	Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{015267BB-C2E8-FA83-6D54-DA30274DB9C4}\Version	Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{015267BB-C2E8-FA83-6D54-DA30274DB9C4}	Installer.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	Installer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4796	Installer.exe
4796	Installer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 4796	3112	Windows-outbyte-driver-updater.exe	91
PID 3112 wrote to memory of 4796	3112	Windows-outbyte-driver-updater.exe	91
PID 3112 wrote to memory of 4796	3112	Windows-outbyte-driver-updater.exe	91

C:\Users\Admin\AppData\Local\Temp\Windows-outbyte-driver-updater.exe
"C:\Users\Admin\AppData\Local\Temp\Windows-outbyte-driver-updater.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Users\Admin\AppData\Local\Temp\is-16484233.tmp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\is-16484233.tmp\Installer.exe" /spid:3112 /splha:37659456
  2⤵
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-16484233.tmp\AxComponentsRTL.bpl

Filesize
2.0MB

MD5
c3a7d193162a47ee3e83dc39aba8c5f1

SHA1
badd1de3c7c75ddd5d63bf7a77de468722c65f8f

SHA256
78849fb6dd5b547ee9b968cdd1a47dfd6808a34338667979b198742f3f2be761

SHA512
1317d7c4442d6b2ef4d1d0713c8f41b067e7cf8d28d08077b0760b36b7cf0aa8886620324a786386aab903ecaa034058cfc7a7bd7238dd9f30cf03df6e630bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-16484233.tmp\AxComponentsVCL.bpl

Filesize
8.8MB

MD5
20de92a935d8d45d012ab9198e9cc7d8

SHA1
65fe4e87a9f180db8638452bfe1a61f854bbfce3

SHA256
a0572c9047256bc8c509a9602907975e3bebebc35926d7ba8540e92cc1430d35

SHA512
cc6c7ec1304011813d41c1d23537d33e84741ff8fb1c115552be9d89d60c1530f5c7787fbeddb31ad5a88a8f81dd7374b2808fae98d0c97dce07a245e17e7603

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-16484233.tmp\CommonForms.Site.dll

Filesize
340KB

MD5
2ca11db4d0c2a737187c002f731e014a

SHA1
dc4adc97c6364b8048da0e10e5c533c7b54b1ed1

SHA256
7230f57df4b2b8b91e10dc66efcfc3096306d29a5513b0eab96024f4ee465cd4

SHA512
1de2277df5c0e86faad95c8e6dd31bfb62efbd7410ef6629b5d850e41a3a124c279c2633b16c30126197f0036240eab66cf9cf36e120c3b0984a2fd7e17d5381

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-16484233.tmp\Data\main.ini

Filesize
1KB

MD5
1222fe3b63384757b322d6504c37d444

SHA1
e2ea1911982e8de26757b863f4a65463ea0fde42

SHA256
7853bde1900a821b07e2060fe04902c38de9597dd763c0cea75fec7f83cd11e6

SHA512
8f86e6d1835d012541bbc28042cb6774de705698a2ce4340b20f92b7c3077027a9b8a45c4030ef84e951204fd941cbb7e0cc94f8dc7de0c770bdeaa8b4b1d4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-16484233.tmp\DriverUpdater.exe

Filesize
7.8MB

MD5
8a520f86384958fb76e084f556056b50

SHA1
b2935226f66af0ea849e449869496f89fd2efe37

SHA256
1f31162d1f0e346b1da0af8d11826893dfdca8465e6c98236dd03946884d3487

SHA512
9f373ce32a58b5ae9abfb7b1e8ac447e3b8be1c403748e6992af7b00eb7a200220462413c3cbfefd4a8bfbd54f4f60f96f7a04e4ed9e87d36460e80e18b340b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-16484233.tmp\GoogleAnalyticsHelperIV.dll

Filesize
266KB

MD5
73b390d24b06f5b17dd4c183e5fc2aa0

SHA1
478982b5cb05dda43226b61f8b96a0feb6b8b394

SHA256
76d7ef3511f3cc5aec32cdcf29b59a7138e193c850b774bfcace8128b75194de

SHA512
97d666c29be04e8a9adf64c9d5586822f3601291ce8ab53e792b0e8c8929d24636957e71a3ba42809a023935818ba3ba8811b66d4ca516ec132a588d39f8ac08

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-16484233.tmp\Installer.exe

Filesize
2.7MB

MD5
2f1908b8473bf08aff928a95ee9adf2d

SHA1
fad3a05535afc1903aafe25043e01151e1ca1203

SHA256
a9c97f9bdde97f6a761cae877e4d90b9e07253c5fe6e683708423e1cb90a535c

SHA512
ac7e8f14340ed8a1cc4993a72964424b566e13062dc83bebaed8c4836db4c7e116e78270f65b62716d51be7d8182512310c1406b6d572edebcfbfc8c5051e29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-16484233.tmp\InstallerUtils.dll

Filesize
933KB

MD5
95d95fe50bee00f87946a2cd1d43fb66

SHA1
e56d2fc1566a59f5a557dd89aae2041a23047c09

SHA256
adc52e27a490b387c9dfbf9562d309c7a588c5732cfe3a90b45268a5eca94c5e

SHA512
fca84ac09d5db8d5b3633257e529f292f61c0e8b549ae9c5766192c157b57c829f55158311434e4ba8fc81929d5c82bb9bbe1de74e44c0015b01fa3cb35001d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-16484233.tmp\Lang\enu.lng

Filesize
266KB

MD5
9455ecd37be8ee2d3949a4a34ede2dd0

SHA1
6f5c773f713929f7a54dffc000954e32b98c7761

SHA256
074673c79fc8606b5a87cb5a52f4a91218831dc53b8e63a3d8e4edb41357d2de

SHA512
2e1cb3017502983c02b823608d2984f1a8bcac86b0181da7a2240c0c80746f8839d8fef43b33d7db522b3a07f1caddf69c1b5f62193e14ec59da349b242a9cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-16484233.tmp\Localizer.dll

Filesize
192KB

MD5
858416cce9c98c40050de9aa06af2022

SHA1
4948d0ccc91eaad1abf5bbf5be7023b4fed6f97b

SHA256
e88c68ece877c2c0b2d8c41efd40d3c8ab1f2957ea8e11493a373744c13e0573

SHA512
d576f53227ca18ba8bdfb567052eadeb9ce353351b80ccdab35838c804bc61f429e439aad5f559e60699996ddaa72c3d01990558f57b52d0dc34d9ed5cc29c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-16484233.tmp\OxComponentsRTL.bpl

Filesize
1.2MB

MD5
eaa639d3b6fe692beb942c27d7d2724b

SHA1
b51aeb650f5db4c82229ad23921dcbe41a5c1340

SHA256
654d5c7c5d256ce188b821f598be9cbcdfe61d6414b6d1fbcb62d1483d8c8ab9

SHA512
6df81bdd6ef6122e492f098efde8af2e0e1bd39ffb43e602d6300e20da21a9b22f6b7f5b4c146d582177a7677f67b4d2eec714685fafde24c46214e963e1c59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-16484233.tmp\SetupHelper.dll

Filesize
3.2MB

MD5
7a29a34755754b7541afcd5bf1801341

SHA1
24c6a94bcc4efba674f3252d0a38a556374e9a9d

SHA256
139470e7e2ffe39daf8bb722cfee05bea1e7cecf6fd6ccff31431a897de9d1c1

SHA512
1fe7bf3739630d7293b67b89b97a60ad048bcc5f3686b892debce4b6e368888c04de5282d33e87db36310afbef6bbcfd1d743b39858a6e432fe92fd1771811c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-16484233.tmp\rtl250.bpl

Filesize
10.1MB

MD5
481b636bd54e231810c7d2c045d70168

SHA1
ce6fefc5525ad08eba947f1781a248141a846f77

SHA256
4722ef802ce0f9971ee37d56cb821800c11048c4bf72d81b6702ca7690ab531b

SHA512
c1d4490e63394f438adbd055868a254f2cd0ab5bdd8f32f92d2d1050c01b91a0764b9391335fe9d4a73fb766cc0a12edfc2b96597d4fdade5898ddfcb841f2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-16484233.tmp\vcl250.bpl

Filesize
3.9MB

MD5
841026051b1d109df5808266ca610c6e

SHA1
a1523033bb2ba78d1ad58736d1300b074f62cc25

SHA256
2dbaa8b91e2e9fbb1e9a9afafa192386c30c2cbc87da9af77a763e11122a1e17

SHA512
eae1594a758f0f4defce13582a455041ddb0abe8442fa7ddc2afe139a2aae939a4767b1ca936c7b6eaf6777847d453ca3c1af254fd59611b3bbc8d9a30077d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-16484233.tmp\vclimg250.bpl

Filesize
365KB

MD5
eb89b73cd72b9077ca542b0d2582f20e

SHA1
7244f3facd7c2f061a9adb2085d4f7f05551732a

SHA256
1c2c45a932484bc94850911e27942e461709dc5ff7747020267d984e4e404aa2

SHA512
2e2d184cea520675072610a6fdc26d0b6d683d286b9ff7766b179a473fa15b4c8cffa3865fe8ef434e88695ac122aaaff84516f2aea3d07ad7a78bd9d0f2643f

Download Submit
memory/3112-114-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3112-11-0x0000000002F80000-0x0000000003070000-memory.dmp

Filesize
960KB

Download
memory/3112-5-0x0000000002450000-0x0000000002793000-memory.dmp

Filesize
3.3MB

Download
memory/4796-79-0x0000000007010000-0x0000000007030000-memory.dmp

Filesize
128KB

Download
memory/4796-121-0x0000000000CC0000-0x0000000000DF6000-memory.dmp

Filesize
1.2MB

Download
memory/4796-91-0x0000000007040000-0x0000000007085000-memory.dmp

Filesize
276KB

Download
memory/4796-57-0x0000000000E00000-0x00000000016D7000-memory.dmp

Filesize
8.8MB

Download
memory/4796-95-0x00000000070D0000-0x0000000007102000-memory.dmp

Filesize
200KB

Download
memory/4796-60-0x00000000016E0000-0x000000000173A000-memory.dmp

Filesize
360KB

Download
memory/4796-100-0x0000000007A10000-0x0000000007D53000-memory.dmp

Filesize
3.3MB

Download
memory/4796-55-0x0000000000CC0000-0x0000000000DF6000-memory.dmp

Filesize
1.2MB

Download
memory/4796-120-0x0000000050A80000-0x0000000050E72000-memory.dmp

Filesize
3.9MB

Download
memory/4796-61-0x0000000001740000-0x0000000002166000-memory.dmp

Filesize
10.1MB

Download
memory/4796-126-0x00000000070D0000-0x0000000007102000-memory.dmp

Filesize
200KB

Download
memory/4796-127-0x0000000007A10000-0x0000000007D53000-memory.dmp

Filesize
3.3MB

Download
memory/4796-125-0x0000000007040000-0x0000000007085000-memory.dmp

Filesize
276KB

Download
memory/4796-124-0x00000000016E0000-0x000000000173A000-memory.dmp

Filesize
360KB

Download
memory/4796-122-0x0000000000E00000-0x00000000016D7000-memory.dmp

Filesize
8.8MB

Download
memory/4796-118-0x0000000000400000-0x00000000006C3000-memory.dmp

Filesize
2.8MB

Download
memory/4796-119-0x0000000050000000-0x00000000501FF000-memory.dmp

Filesize
2.0MB

Download
memory/4796-123-0x0000000001740000-0x0000000002166000-memory.dmp

Filesize
10.1MB

Download
memory/4796-151-0x0000000000400000-0x00000000006C3000-memory.dmp

Filesize
2.8MB

Download