b28507f5d646bff668608fd5815137dc2317f2536bfd9dcbb4c412506b31856c

General

Target

Driver_x32.exe
Size

1.9MB
MD5

d3601e19000f0745812b600b57e10ab1
SHA1

b63e17df4e73234390f610769d013456c5e07131
SHA256

4b8390a4dcc7a6fee0e6f336f1f968863f324ca56ec597089d63ef10e9a1f9de
SHA512

ce8740d0ab032a80ea0f1e44162d6a2eba646adc77caaa4c5906ca6038df10e0f461259fa86282d22ebc1a1522114d78194362a9a1556180dc9a0603bae86335
SSDEEP

49152:etO4J7W69DooDY0W5y9wM216qN+I/8gUKMMWmeqtKicIPWC:p4u0W5y9wM216qPUj4eqt0ID

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 18 IoCs

Processes:

Driver_x32.tmpdpinst.exeDriver_x32.exe

description	ioc	Process
File created	C:\Windows\TempInst\is-GFUN6.tmp\is-U01DS.tmp	Driver_x32.tmp
File created	C:\Windows\TempInst\is-GFUN6.tmp\is-V7U3T.tmp	Driver_x32.tmp
File created	C:\Windows\TempInst\is-GFUN6.tmp\source\is-CI77G.tmp	Driver_x32.tmp
File created	C:\Windows\TempInst\is-GFUN6.tmp\source\is-BJATJ.tmp	Driver_x32.tmp
File created	C:\Windows\TempInst\is-GFUN6.tmp\is-O6CC9.tmp	Driver_x32.tmp
File created	C:\Windows\TempInst\is-GFUN6.tmp\_isetup\_setup64.tmp	Driver_x32.tmp
File opened for modification	C:\Windows\TempInst\is-GFUN6.tmp\dpinst.exe	Driver_x32.tmp
File opened for modification	C:\Windows\TempInst\is-GFUN6.tmp\source\AutoModeDetect.exe	Driver_x32.tmp
File opened for modification	C:\Windows\TempInst\is-GFUN6.tmp\source\AutoQuiet.dll	Driver_x32.tmp
File opened for modification	C:\Windows\TempInst\is-GFUN6.tmp\source\GameDetect.dll	Driver_x32.tmp
File opened for modification	C:\Windows\DPINST.LOG	dpinst.exe
File created	C:\Windows\TempInst\is-AKV3D.tmp\Driver_x32.tmp	Driver_x32.exe
File opened for modification	C:\Windows\TempInst\is-GFUN6.tmp\source\LNBITSSvc.exe	Driver_x32.tmp
File created	C:\Windows\TempInst\is-GFUN6.tmp\source\is-3PIH4.tmp	Driver_x32.tmp
File created	C:\Windows\TempInst\is-GFUN6.tmp\source\is-57R4P.tmp	Driver_x32.tmp
File created	C:\Windows\TempInst\is-GFUN6.tmp\is-T51BR.tmp	Driver_x32.tmp
File created	C:\Windows\TempInst\is-GFUN6.tmp\source\is-M3RHK.tmp	Driver_x32.tmp
File created	C:\Windows\TempInst\is-GFUN6.tmp\source\is-AMGNK.tmp	Driver_x32.tmp

Executes dropped EXE 3 IoCs

Processes:

Driver_x32.tmpdpinst.exe

pid	Process
2192	Driver_x32.tmp
2692	dpinst.exe
1212

Loads dropped DLL 5 IoCs

Processes:

Driver_x32.exeDriver_x32.tmp

pid	Process
2556	Driver_x32.exe
2192	Driver_x32.tmp
840
840
1212

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Driver_x32.exeDriver_x32.tmp

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Driver_x32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Driver_x32.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Driver_x32.tmp

pid	Process
2192	Driver_x32.tmp
2192	Driver_x32.tmp

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

dpinst.exe

description	pid	Process
Token: SeRestorePrivilege	2692	dpinst.exe
Token: SeRestorePrivilege	2692	dpinst.exe
Token: SeRestorePrivilege	2692	dpinst.exe
Token: SeRestorePrivilege	2692	dpinst.exe
Token: SeRestorePrivilege	2692	dpinst.exe
Token: SeRestorePrivilege	2692	dpinst.exe
Token: SeRestorePrivilege	2692	dpinst.exe
Token: SeRestorePrivilege	2692	dpinst.exe
Token: SeRestorePrivilege	2692	dpinst.exe
Token: SeRestorePrivilege	2692	dpinst.exe
Token: SeRestorePrivilege	2692	dpinst.exe
Token: SeRestorePrivilege	2692	dpinst.exe
Token: SeRestorePrivilege	2692	dpinst.exe
Token: SeRestorePrivilege	2692	dpinst.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Driver_x32.tmp

pid	Process
2192	Driver_x32.tmp

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Driver_x32.exeDriver_x32.tmp

description	pid	Process	procid_target
PID 2556 wrote to memory of 2192	2556	Driver_x32.exe	29
PID 2556 wrote to memory of 2192	2556	Driver_x32.exe	29
PID 2556 wrote to memory of 2192	2556	Driver_x32.exe	29
PID 2556 wrote to memory of 2192	2556	Driver_x32.exe	29
PID 2556 wrote to memory of 2192	2556	Driver_x32.exe	29
PID 2556 wrote to memory of 2192	2556	Driver_x32.exe	29
PID 2556 wrote to memory of 2192	2556	Driver_x32.exe	29
PID 2192 wrote to memory of 2692	2192	Driver_x32.tmp	30
PID 2192 wrote to memory of 2692	2192	Driver_x32.tmp	30
PID 2192 wrote to memory of 2692	2192	Driver_x32.tmp	30
PID 2192 wrote to memory of 2692	2192	Driver_x32.tmp	30
PID 2192 wrote to memory of 2692	2192	Driver_x32.tmp	30
PID 2192 wrote to memory of 2692	2192	Driver_x32.tmp	30
PID 2192 wrote to memory of 2692	2192	Driver_x32.tmp	30

C:\Users\Admin\AppData\Local\Temp\Driver_x32.exe
"C:\Users\Admin\AppData\Local\Temp\Driver_x32.exe"
1⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\TempInst\is-AKV3D.tmp\Driver_x32.tmp
  "C:\Windows\TempInst\is-AKV3D.tmp\Driver_x32.tmp" /SL5="$401AC,1199506,180224,C:\Users\Admin\AppData\Local\Temp\Driver_x32.exe"
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\TempInst\is-GFUN6.tmp\dpinst.exe
    "C:\Windows\TempInst\is-GFUN6.tmp\dpinst.exe" /sh /path C:\Windows\TempInst\is-GFUN6.tmp
    3⤵
    - Drops file in Windows directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\TempInst\is-GFUN6.tmp\DpinstWaterMark.bmp

Filesize
474KB

MD5
7de1936b4091f44001a7fb2f7d28b62b

SHA1
62e350e43e78a206291c4576b2ff6feb9169a717

SHA256
8ef17b69c1ca0f41b43ba4ff7a6da27a282d10a34042fe5a92612c4a6ae7979e

SHA512
453ed73e732eb7ad3bed3722ebec9d47d3f5a64c59ac4b2c6533c3995d502be1a46566e8090623281a60c7277de842ce7a1036e7b2aaff69b4430e9d0fead1e9

Download Submit
C:\Windows\TempInst\is-GFUN6.tmp\dpinst.exe

Filesize
1.0MB

MD5
fb098a9c1fa02d66cc3205de1e119331

SHA1
f3c8d771b9d80efc233a1919a4ac07d99cba5c81

SHA256
1ead8ec73312803550475c09d924dd94f080b836bd8ac57a342b49c4c17f23e7

SHA512
3bea359d2debbcb33fadb4f99b2f46e7d7db0a0432360f15138dd79e8295bf4a37e8dcf0de7b61d04ea1761b6d6cc1f28854bd7afa42b155cf0ed20885fb4f19

Download Submit
C:\Windows\TempInst\is-GFUN6.tmp\dpinst.xml

Filesize
34KB

MD5
9f1082cb36095ae496a383ae3645567c

SHA1
062d853fc1cd0b88b5c7af7bd021e304866300c7

SHA256
aad2b695e6bd5a8ff57d90fb0a81b68bea29ee3982dfc2ba20aba3b04fb24e58

SHA512
f9f45366d95e3681f3c268c600e4017b7be3a716fc16839e57f66405bcd257f8917db9a56050054d3df5d890b229b000c445c48bc93a1743d63c32a304f06ff8

Download Submit
\??\c:\windows\tempinst\is-gfun6.tmp\source\LNBITS.cat

Filesize
11KB

MD5
151ffe7d4f3123f3b891aefd85d03b31

SHA1
e86547e8922721aa99e0244e37f3b1b0b19ae1b5

SHA256
40ab3292ba5fd65c72ebfa85d421f97561d62c435226d59e54c94806e9d6b548

SHA512
8478ce3222eebf4fe6fc57fb9fea50e145b58a6318908c6efb2e91626c46ccd3aa80b73b09b181a401a7e6dab04b46cf3680d424300a97a3f6df1de77fae639e

Download Submit
\??\c:\windows\tempinst\is-gfun6.tmp\source\lnbits.inf

Filesize
1KB

MD5
ce7ae956beaa1c799681999279696127

SHA1
36c14575e2ff107f8ad2404df5358b92e05e3dfc

SHA256
e5a2ecf2ef93946f18c2397d08e01d0beaa5c789609b11d4322832269f25227d

SHA512
ad52856410ac18c7d2fd81f8540db38a6262c345449a1992f761d8f27e2a646c37a2cb69f387303614c04a929bbc5deadd5a032cfb816c9245bc1304edb433bf

Download Submit
\Windows\TempInst\is-AKV3D.tmp\Driver_x32.tmp

Filesize
2.8MB

MD5
fbb28e3a19a6c3b65a3839887e9922d9

SHA1
402bf8e1c36554655052fb5e1b45273d854f9b29

SHA256
14cef8f9c08985d1f3d7ff8b6160fb36c659c0e132b3999a9e8696646269c358

SHA512
42f71dba4daf1a7713ba5cc12e01a071832e7a22079f31093b16b7b345214044774476bebe9bd83a03f8798cd01de5feb218ccb53aed2ecef817eb240421922e

Download Submit
memory/2192-11-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2192-19-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2192-8-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2192-54-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2192-59-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2192-66-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/2556-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2556-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2556-2-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2556-68-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads