550c8febda9347ecb4930781c5909cc57fe9192b50e4622685e1227cade8a889

Resubmissions

15/09/2024, 07:30

240915-jbvgaasfkp 7

15/09/2024, 07:12

240915-h1stbasbnr 7

Analysis

max time kernel
34s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 07:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RTK_NIC_DRIVER_INSTALLER.sfx.exe
Size

334KB
MD5

2dd4d927b1ea21517c70729a7ea40e44
SHA1

f69fdca602dcf51da7db669f1125ac1cf6e7ff4b
SHA256

550c8febda9347ecb4930781c5909cc57fe9192b50e4622685e1227cade8a889
SHA512

55b8daeda3514717778eed18d934f14d757647ba5f6a13cd0a9a1ed20c75a26f552826b95b73a23d6649a1db358d646f013b271a3f4934d2fc0bcfe5bcf0d8f8
SSDEEP

6144:0vlAkAsl3DR2+Mq9zntr0ljJ/F5eERC34XL6pnMxso5lhg0tD5bs9XFflzk:/k5L2FqPUjJdTRycL6p4sggO5s9XNlA

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	RTK_NIC_DRIVER_INSTALLER.sfx.exe

Executes dropped EXE 1 IoCs

pid	Process
1148	setup.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c3bc8a22-c138-5146-874c-ea98cbf6f134}\SETBFA6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c3bc8a22-c138-5146-874c-ea98cbf6f134}\rtu64w8.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c3bc8a22-c138-5146-874c-ea98cbf6f134}\rtu64w8.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c3bc8a22-c138-5146-874c-ea98cbf6f134}\SETBFB8.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{c3bc8a22-c138-5146-874c-ea98cbf6f134}\SETBFB8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rtu64w8.inf_amd64_5d30bfc6da4e5225\rtu64w8.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rtu64w8.inf_amd64_5d30bfc6da4e5225\rtu64w8.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{c3bc8a22-c138-5146-874c-ea98cbf6f134}\SETBFA6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c3bc8a22-c138-5146-874c-ea98cbf6f134}\SETBFA7.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c3bc8a22-c138-5146-874c-ea98cbf6f134}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{c3bc8a22-c138-5146-874c-ea98cbf6f134}\rtu64w8.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{c3bc8a22-c138-5146-874c-ea98cbf6f134}\SETBFA7.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rtu64w8.inf_amd64_5d30bfc6da4e5225\rtu64w8.cat	DrvInst.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\INF\oem2.PNF	setup.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	setup.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\INF\oem0.PNF	setup.exe
File created	C:\Windows\INF\oem1.PNF	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RTK_NIC_DRIVER_INSTALLER.sfx.exe

Checks SCSI registry key(s) 3 TTPs 28 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeAuditPrivilege	4776	svchost.exe
Token: SeSecurityPrivilege	4776	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 1148	1468	RTK_NIC_DRIVER_INSTALLER.sfx.exe	86
PID 1468 wrote to memory of 1148	1468	RTK_NIC_DRIVER_INSTALLER.sfx.exe	86
PID 1468 wrote to memory of 1148	1468	RTK_NIC_DRIVER_INSTALLER.sfx.exe	86
PID 4776 wrote to memory of 3684	4776	svchost.exe	90
PID 4776 wrote to memory of 3684	4776	svchost.exe	90

C:\Users\Admin\AppData\Local\Temp\RTK_NIC_DRIVER_INSTALLER.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\RTK_NIC_DRIVER_INSTALLER.sfx.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\RTK_NIC_DRIVER_INSTALLER\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RTK_NIC_DRIVER_INSTALLER\setup.exe" -s
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{de734189-150b-044e-8cca-b54a4c508e83}\rtu64w8.inf" "9" "42147faa3" "000000000000013C" "WinSta0\Default" "0000000000000158" "208" "C:\Users\Admin\AppData\Local\Temp\RTK_NIC_DRIVER_INSTALLER\WIN8\64"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RTK_NIC_DRIVER_INSTALLER\Setup.exe

Filesize
63KB

MD5
781bacae7dc16a05806c4d2342cf12d7

SHA1
18b99d5bbacf7c6e37810bc77e15b3b1bac4632f

SHA256
d18400034d01af924bcb165f45a133a34b5417a6654c69f9804cd612c891ecb6

SHA512
600b75b5ada8f942bb034cccb6a9fb66d7559660400bb2d64407846f55ada949fe745cab1935d6e1f80be67fffb2f808181fee6b063b89032c902e8830ba2013

Download Submit
C:\Users\Admin\AppData\Local\Temp\RTK_NIC_DRIVER_INSTALLER\WIN8\64\rtu64w8.inf

Filesize
13KB

MD5
b514413ca338d19804d88d1c865e451c

SHA1
9bbbcf9217a323bbc0f39a8979df66d80cfef88e

SHA256
f326c98721c3f92e7d3f4f3f4a2a1540145322c4cfbfe032a011fafc1f90b344

SHA512
2447fa81499061416d31095950bd29ed0901c99a2fdbb346162ab8ba807c1437a597e76015cda4a72e5a0c9d9500fb88e9481876fd1c5f24b5b0babcdc93e998

Download Submit
C:\Users\Admin\AppData\Local\Temp\RTK_NI~1\WIN8\64\rtu64w8.sys

Filesize
88KB

MD5
80c2dd6cfb7dd7e28025d78b29971a9e

SHA1
31981884404c9985acbc75391cdff842bef57a0f

SHA256
c18f481118d23d5b1dc81661ec7d74d16516a31aca372e4923fe25296b2f3675

SHA512
ea89696ca1e2b400b11d2028139652474ef425f8ca045cb62e81290324ab9076b395a0fe23f927511e6b598690b8ac73d305f7581c4d4b815fd27884090154d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{de734189-150b-044e-8cca-b54a4c508e83}\rtu64w8.cat

Filesize
9KB

MD5
92361c504d863e8c1383ddf0ca54f9a5

SHA1
0c6b37322602fe1ad34827e0cdac4798949e7b6b

SHA256
bf61fc720459bf7aba7df5c85a2a18d13ded297339a7d8f9ba8329cfde32c54d

SHA512
ef6113813a40f32374d80b7efa3c4b527d5990281531d29a8a1bfd9ffae831110a20477f252008a1bbe9f5d55b4bb9df0f5f5f37b2aeacfe1bc57285c148ab25

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads