b28507f5d646bff668608fd5815137dc2317f2536bfd9dcbb4c412506b31856c

General

Target

Driver_x32.exe
Size

1.9MB
MD5

d3601e19000f0745812b600b57e10ab1
SHA1

b63e17df4e73234390f610769d013456c5e07131
SHA256

4b8390a4dcc7a6fee0e6f336f1f968863f324ca56ec597089d63ef10e9a1f9de
SHA512

ce8740d0ab032a80ea0f1e44162d6a2eba646adc77caaa4c5906ca6038df10e0f461259fa86282d22ebc1a1522114d78194362a9a1556180dc9a0603bae86335
SSDEEP

49152:etO4J7W69DooDY0W5y9wM216qN+I/8gUKMMWmeqtKicIPWC:p4u0W5y9wM216qPUj4eqt0ID

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\TempInst\is-UADGC.tmp\source\is-VLMOF.tmp	Driver_x32.tmp
File created	C:\Windows\TempInst\is-UADGC.tmp\_isetup\_setup64.tmp	Driver_x32.tmp
File opened for modification	C:\Windows\TempInst\is-UADGC.tmp\source\AutoModeDetect.exe	Driver_x32.tmp
File opened for modification	C:\Windows\TempInst\is-UADGC.tmp\source\GameDetect.dll	Driver_x32.tmp
File created	C:\Windows\TempInst\is-UADGC.tmp\source\is-N9UGA.tmp	Driver_x32.tmp
File created	C:\Windows\TempInst\is-UADGC.tmp\source\is-2UKG7.tmp	Driver_x32.tmp
File created	C:\Windows\TempInst\is-UADGC.tmp\source\is-I8LH0.tmp	Driver_x32.tmp
File opened for modification	C:\Windows\TempInst\is-UADGC.tmp\dpinst.exe	Driver_x32.tmp
File created	C:\Windows\TempInst\is-UADGC.tmp\is-A64RR.tmp	Driver_x32.tmp
File created	C:\Windows\TempInst\is-UADGC.tmp\source\is-AQJRV.tmp	Driver_x32.tmp
File created	C:\Windows\TempInst\is-UADGC.tmp\source\is-UGEIV.tmp	Driver_x32.tmp
File created	C:\Windows\TempInst\is-UADGC.tmp\is-RJTJV.tmp	Driver_x32.tmp
File created	C:\Windows\TempInst\is-59BRB.tmp\Driver_x32.tmp	Driver_x32.exe
File opened for modification	C:\Windows\TempInst\is-UADGC.tmp\source\LNBITSSvc.exe	Driver_x32.tmp
File created	C:\Windows\TempInst\is-UADGC.tmp\is-03AUV.tmp	Driver_x32.tmp
File created	C:\Windows\TempInst\is-UADGC.tmp\is-5JG5O.tmp	Driver_x32.tmp
File opened for modification	C:\Windows\DPINST.LOG	dpinst.exe
File opened for modification	C:\Windows\TempInst\is-UADGC.tmp\source\AutoQuiet.dll	Driver_x32.tmp

Executes dropped EXE 2 IoCs

pid	Process
3228	Driver_x32.tmp
2948	dpinst.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Driver_x32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Driver_x32.tmp

Checks SCSI registry key(s) 3 TTPs 16 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	dpinst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dpinst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dpinst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	dpinst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dpinst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	dpinst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dpinst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dpinst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	dpinst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	dpinst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	dpinst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dpinst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	dpinst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	dpinst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	dpinst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dpinst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3228	Driver_x32.tmp
3228	Driver_x32.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3228	Driver_x32.tmp

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 3228	3512	Driver_x32.exe	86
PID 3512 wrote to memory of 3228	3512	Driver_x32.exe	86
PID 3512 wrote to memory of 3228	3512	Driver_x32.exe	86
PID 3228 wrote to memory of 2948	3228	Driver_x32.tmp	101
PID 3228 wrote to memory of 2948	3228	Driver_x32.tmp	101

C:\Users\Admin\AppData\Local\Temp\Driver_x32.exe
"C:\Users\Admin\AppData\Local\Temp\Driver_x32.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\TempInst\is-59BRB.tmp\Driver_x32.tmp
  "C:\Windows\TempInst\is-59BRB.tmp\Driver_x32.tmp" /SL5="$601C6,1199506,180224,C:\Users\Admin\AppData\Local\Temp\Driver_x32.exe"
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Windows\TempInst\is-UADGC.tmp\dpinst.exe
    "C:\Windows\TempInst\is-UADGC.tmp\dpinst.exe" /sh /path C:\Windows\TempInst\is-UADGC.tmp
    3⤵
    - Drops file in Windows directory
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\TempInst\is-59BRB.tmp\Driver_x32.tmp

Filesize
2.8MB

MD5
fbb28e3a19a6c3b65a3839887e9922d9

SHA1
402bf8e1c36554655052fb5e1b45273d854f9b29

SHA256
14cef8f9c08985d1f3d7ff8b6160fb36c659c0e132b3999a9e8696646269c358

SHA512
42f71dba4daf1a7713ba5cc12e01a071832e7a22079f31093b16b7b345214044774476bebe9bd83a03f8798cd01de5feb218ccb53aed2ecef817eb240421922e

Download Submit
C:\Windows\TempInst\is-UADGC.tmp\DpinstWaterMark.bmp

Filesize
474KB

MD5
7de1936b4091f44001a7fb2f7d28b62b

SHA1
62e350e43e78a206291c4576b2ff6feb9169a717

SHA256
8ef17b69c1ca0f41b43ba4ff7a6da27a282d10a34042fe5a92612c4a6ae7979e

SHA512
453ed73e732eb7ad3bed3722ebec9d47d3f5a64c59ac4b2c6533c3995d502be1a46566e8090623281a60c7277de842ce7a1036e7b2aaff69b4430e9d0fead1e9

Download Submit
C:\Windows\TempInst\is-UADGC.tmp\dpinst.exe

Filesize
1.0MB

MD5
fb098a9c1fa02d66cc3205de1e119331

SHA1
f3c8d771b9d80efc233a1919a4ac07d99cba5c81

SHA256
1ead8ec73312803550475c09d924dd94f080b836bd8ac57a342b49c4c17f23e7

SHA512
3bea359d2debbcb33fadb4f99b2f46e7d7db0a0432360f15138dd79e8295bf4a37e8dcf0de7b61d04ea1761b6d6cc1f28854bd7afa42b155cf0ed20885fb4f19

Download Submit
C:\Windows\TempInst\is-UADGC.tmp\dpinst.xml

Filesize
34KB

MD5
9f1082cb36095ae496a383ae3645567c

SHA1
062d853fc1cd0b88b5c7af7bd021e304866300c7

SHA256
aad2b695e6bd5a8ff57d90fb0a81b68bea29ee3982dfc2ba20aba3b04fb24e58

SHA512
f9f45366d95e3681f3c268c600e4017b7be3a716fc16839e57f66405bcd257f8917db9a56050054d3df5d890b229b000c445c48bc93a1743d63c32a304f06ff8

Download Submit
\??\c:\windows\tempinst\is-uadgc.tmp\source\lnbits.inf

Filesize
1KB

MD5
ce7ae956beaa1c799681999279696127

SHA1
36c14575e2ff107f8ad2404df5358b92e05e3dfc

SHA256
e5a2ecf2ef93946f18c2397d08e01d0beaa5c789609b11d4322832269f25227d

SHA512
ad52856410ac18c7d2fd81f8540db38a6262c345449a1992f761d8f27e2a646c37a2cb69f387303614c04a929bbc5deadd5a032cfb816c9245bc1304edb433bf

Download Submit
memory/3228-10-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/3228-6-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/3228-51-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/3228-58-0x0000000000400000-0x00000000006D3000-memory.dmp

Filesize
2.8MB

Download
memory/3512-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3512-2-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/3512-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3512-60-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing