71398a67621234332cbcf0ac7e49b550243aa183d8595c5e230681e3cf5e37f3

General

Target

driverpack-solution-online-1.0.0.0-installer.exe
Size

13.9MB
MD5

b4b346a375ddefe993d70c822124f187
SHA1

a35d11d9d318c43495a545d7b9e01d2acce44496
SHA256

71398a67621234332cbcf0ac7e49b550243aa183d8595c5e230681e3cf5e37f3
SHA512

56ff22882ce2105455d655febf45d2c223e7ff9c51fa7ad54e8e84b09d576f728893ddb14e40dbfbebabf61a5e278854087289b8b665aeae7b30f629f7056557
SSDEEP

393216:ZSMISEscrcEUYglqv/ZRvCkTI6v378jxY4rsKF:pZEscrc5q5NCkT78ji4

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1268	7za.exe
4444	driverpacksolution.exe
4168	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1948	4168	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverpack-solution-online-1.0.0.0-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverpacksolution.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
948	driverpack-solution-online-1.0.0.0-installer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 1268	948	driverpack-solution-online-1.0.0.0-installer.exe	80
PID 948 wrote to memory of 1268	948	driverpack-solution-online-1.0.0.0-installer.exe	80
PID 948 wrote to memory of 1268	948	driverpack-solution-online-1.0.0.0-installer.exe	80
PID 948 wrote to memory of 2896	948	driverpack-solution-online-1.0.0.0-installer.exe	82
PID 948 wrote to memory of 2896	948	driverpack-solution-online-1.0.0.0-installer.exe	82
PID 948 wrote to memory of 2896	948	driverpack-solution-online-1.0.0.0-installer.exe	82
PID 2896 wrote to memory of 4444	2896	wscript.exe	83
PID 2896 wrote to memory of 4444	2896	wscript.exe	83
PID 2896 wrote to memory of 4444	2896	wscript.exe	83
PID 4444 wrote to memory of 4168	4444	driverpacksolution.exe	84
PID 4444 wrote to memory of 4168	4444	driverpacksolution.exe	84
PID 4444 wrote to memory of 4168	4444	driverpacksolution.exe	84

C:\Users\Admin\AppData\Local\Temp\driverpack-solution-online-1.0.0.0-installer.exe
"C:\Users\Admin\AppData\Local\Temp\driverpack-solution-online-1.0.0.0-installer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\AppData\Local\Temp\DRPSu15\7za.exe
  "C:\Users\Admin\AppData\Local\Temp\DRPSu15\7za.exe" x -pdrp -y drp.7z
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1268
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\DRPSu15\bin\tools\start.vbs" "C:\Users\Admin\AppData\Local\Temp\DRPSu15\driverpacksolution.exe" 0 false
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\DRPSu15\driverpacksolution.exe
    "C:\Users\Admin\AppData\Local\Temp\DRPSu15\driverpacksolution.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\DRPSu15\bin\Tools\mshta.exe
      "C:\Users\Admin\AppData\Local\Temp\DRPSu15\bin\Tools\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\DRPSu15\bin\Tools\run.hta"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 1348
        5⤵
        Program crash
        
        PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4168 -ip 4168
1⤵
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DRPSu15\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRPSu15\bin\Tools\load8.gif

Filesize
31KB

MD5
8a061ef740fa2801ab4bf78cb123d9be

SHA1
72f997c5ee3e15f9a847bda9efcb935f13620a19

SHA256
ee0cc89ef293b559b64fcb35b469dcb144180ff048b0b6eb14f326847a544903

SHA512
fadac9c2090c6c77c4f8efef87875e108127dfceae804dd498956bbb77f98a54bb925888199458cd2bcdb650c7607a34737d54b94b34ae256a625b66c4b411ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRPSu15\bin\Tools\mshta.exe

Filesize
28KB

MD5
733c18a23ee25cb2cf6ef65acd8db866

SHA1
0da53ae914161ce8b1854377412f863af9c262da

SHA256
e9908d76bb779162702ca2b4dc57469c8dcbae7fc03a031b1ecd9343e42457f4

SHA512
d41086d757c43e939316d3ebd29389ecfa6416a5ce6141c3fa1aa2b53523a790aa7b5dd5cb7df71629202ad5e8725c62d241f5de54c3dc0468cba860e9d2ca4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRPSu15\bin\Tools\run.hta

Filesize
910B

MD5
e265ef5f47016949de785020981de4ac

SHA1
b2547b2773fd3fc9f689bccce8ed4b0103ee94aa

SHA256
85727a382d033a41a4f3156bd8a2e14af4a5f36077c139fecafaaa8e456b353c

SHA512
e33bec823a144d1766f88aee304802f52a42244b49929d4012b26e2deb15f1d471af0af4f2313a66d6f045f60232040ea18c0e07bcf82ab92c0f07d4e9e7610f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRPSu15\bin\tools\Icon.ico

Filesize
207KB

MD5
7548ae8b4806f7a2a958e4f152f09ddc

SHA1
fba7703a0922bf4f7b3224a188faad92310ec2a3

SHA256
2579f9b7b88e1ca9b5f5755a399cdd5b7dc73bdea33d71917be2687d986805be

SHA512
5628cfd27cc87ea1442d2531dcbc7b665e065c9fa69acb13f05c66120cfb56208f4fcdf0770dfb065d5b4af33d9bbccb7569eaec22e6889e99e590a6734fd6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRPSu15\bin\tools\start.vbs

Filesize
236B

MD5
292d468ba121fb890b42b51033bc3401

SHA1
822ef89bd0325859ab30d48dbbbbf47aaaa88778

SHA256
3ea6f636c4f96572f672ba8d598edf4993e6e3de214f8ae260fcd4748375b53d

SHA512
9e05f29410020d671815ec49a43d1e35d86c5093ae8bc9c851002aeaf66901f745e34594d41318af2d372fde6e2208249124372bcd9e8bc78ddf2846f95a3581

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRPSu15\driverpacksolution.exe

Filesize
234KB

MD5
1cb44ab4f6029e6d116718ad010073b4

SHA1
f289230b251edc2f6b5e397030d16180a3ae8755

SHA256
892f84294b6f73421e73e0eded895b8b9f4a95cf1b0ec01eaa820f3b47144cc6

SHA512
1844db5de6476a44c2648fcd93e59ee389662f671fd5a03ccf488c376376f63fd1a1ad039320930b877ffd044d7118bd3b7943f650de8a62b4c7d75ca8ec4a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRPSu15\drp.7z

Filesize
13.2MB

MD5
f1c43a70903b021ec30bd60cc6d91f63

SHA1
bb220b2551b7337cfa693518397e6150b831b0ea

SHA256
18bdab70cd0e00d3c2e69bf216adfd008cfbcaa270140d088406598b3c532b03

SHA512
f3fd67fd3f65f2e999cd6e9cb52b895c98a588f29ed501f4b54e91017ad8987b76404aedfe1bd9b29f91c14466869811e16285a1f7380bbef8bf27a723e3c3f9

Download Submit
memory/4444-660-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing