67df53e50fef54326d9a6a7ad5381e3f18aad855e6fb69fbeaed731320d7c58d

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac8zt2/install2.bat
Size

93B
MD5

e9b8f17fbc7e4edb879c3c73eb31e3ee
SHA1

de810ec64d3e442ce4d86d28caec2382377bcd64
SHA256

dbaf0ecc389a3c92ada1e141898653055a09f83f6d6937b76964249982b1c77f
SHA512

a7322311a9012603eac6e6b036a5f2d7bbd264793ddb93f3313d086764850c4885fb4b2240987ba9d1e137fb9dfa366b1d0ecd6423ccea3561f312298a3c4c77

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msdrvctrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdrvctrl = "C:\\Windows\\msdrvctrl.exe"	msdrvctrl.exe

Executes dropped EXE 1 IoCs

pid	Process
3040	msdrvctrl.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msdrives\msdrv.EXE	cmd.exe
File created	C:\Windows\system32\msdrives\msdrvctrl.exe	cmd.exe
File opened for modification	C:\Windows\system32\msdrives\msdrvctrl.exe	cmd.exe
File created	C:\Windows\system32\msdrives\driverpp.sys	cmd.exe
File opened for modification	C:\Windows\system32\msdrives\driverpp.sys	cmd.exe
File created	C:\Windows\system32\msdrives\iedrives.dll	cmd.exe
File opened for modification	C:\Windows\system32\msdrives\iedrives.dll	cmd.exe
File created	C:\Windows\system32\msdrives\msdrv.EXE	cmd.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral10/memory/4376-8-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral10/memory/4376-9-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral10/files/0x00070000000234f3-11.dat	upx
behavioral10/memory/3040-12-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral10/memory/3040-13-0x0000000000400000-0x0000000000417000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	di.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdrvctrl.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 4376	3548	cmd.exe	83
PID 3548 wrote to memory of 4376	3548	cmd.exe	83
PID 3548 wrote to memory of 4376	3548	cmd.exe	83
PID 3548 wrote to memory of 3040	3548	cmd.exe	84
PID 3548 wrote to memory of 3040	3548	cmd.exe	84
PID 3548 wrote to memory of 3040	3548	cmd.exe	84
PID 3040 wrote to memory of 1608	3040	msdrvctrl.exe	85
PID 3040 wrote to memory of 1608	3040	msdrvctrl.exe	85
PID 3040 wrote to memory of 1608	3040	msdrvctrl.exe	85

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	msdrvctrl.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ac8zt2\install2.bat"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Users\Admin\AppData\Local\Temp\ac8zt2\di.exe
  di.exe C:\Windows\system32\msdrives\driverpp.sys
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4376
- C:\Windows\system32\msdrives\msdrvctrl.exe
  C:\Windows\system32\msdrives\msdrvctrl.exe
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3040
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /s "C:\Windows\iedrives.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\msdrives\msdrvctrl.exe

Filesize
32KB

MD5
14f19d9a7e8b0deff5f0c55e22c5c8dc

SHA1
a2bc1ea2ca8faac7642afe85cc3dfd5bd6a86089

SHA256
22b3255c710f79056dd3fca6775a9e069f855bda5d51d7edd823637e433f72a9

SHA512
4622c6fdc511988b03c76b487f8e497b8044c2345044450fb5665c49a843c3806290ee4e0d1e974169502384e411f27258ad107a618ec28fbae234b8c470f1f8

Download Submit
memory/3040-12-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3040-13-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4376-8-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4376-9-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads