Overview (score 8)
Static (score 7)
Targets in this submission, with the score for the Windows 7 x64 run / the Windows 10 2004 x64 run:
- ac8zt2/di.exe: 5 / 5
- ac8zt2/driverpp.sys: 1 / 1
- ac8zt2/iedrives.dll: 6 / 6
- ac8zt2/install.bat: 5 / 5
- ac8zt2/install2.bat: 8 / 8
- ac8zt2/msdrv.exe: 5 / 5
- ac8zt2/msdrvctrl.exe: 8 / 8
- ac8zt2/start-soft.bat: 1 / 1

Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02-10-2024 13:58
Behavioral tasks (sample, resource)
- behavioral1: ac8zt2/di.exe, win7-20240729-en
- behavioral2: ac8zt2/di.exe, win10v2004-20240802-en
- behavioral3: ac8zt2/driverpp.sys, win7-20240903-en
- behavioral4: ac8zt2/driverpp.sys, win10v2004-20240802-en
- behavioral5: ac8zt2/iedrives.dll, win7-20240708-en
- behavioral6: ac8zt2/iedrives.dll, win10v2004-20240802-en
- behavioral7: ac8zt2/install.bat, win7-20240903-en
- behavioral8: ac8zt2/install.bat, win10v2004-20240802-en
- behavioral9: ac8zt2/install2.bat, win7-20240903-en (the run reported on this page)
- behavioral10: ac8zt2/install2.bat, win10v2004-20240802-en
- behavioral11: ac8zt2/msdrv.exe, win7-20240903-en
- behavioral12: ac8zt2/msdrv.exe, win10v2004-20240802-en
- behavioral13: ac8zt2/msdrvctrl.exe, win7-20240903-en
- behavioral14: ac8zt2/msdrvctrl.exe, win10v2004-20240802-en
- behavioral15: ac8zt2/start-soft.bat, win7-20240729-en
- behavioral16: ac8zt2/start-soft.bat, win10v2004-20240910-en
General
Target: ac8zt2/install2.bat
Size: 93B
MD5: e9b8f17fbc7e4edb879c3c73eb31e3ee
SHA1: de810ec64d3e442ce4d86d28caec2382377bcd64
SHA256: dbaf0ecc389a3c92ada1e141898653055a09f83f6d6937b76964249982b1c77f
SHA512: a7322311a9012603eac6e6b036a5f2d7bbd264793ddb93f3313d086764850c4885fb4b2240987ba9d1e137fb9dfa366b1d0ecd6423ccea3561f312298a3c4c77
Malware Config
Signatures
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | msdrvctrl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdrvctrl = "C:\\Windows\\msdrvctrl.exe" | msdrvctrl.exe
  Note: the Run value points at C:\Windows\msdrvctrl.exe, but the only msdrvctrl.exe written in this run is C:\Windows\system32\msdrives\msdrvctrl.exe (see "Drops file in System32 directory" below). Whether a copy exists at the path the Run value names is something to verify on the host rather than assume from this run.
- Executes dropped EXE (1 IoC)
  pid | process
  2736 | msdrvctrl.exe
- Drops file in System32 directory (8 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\system32\msdrives\driverpp.sys | cmd.exe
  File created | C:\Windows\system32\msdrives\iedrives.dll | cmd.exe
  File opened for modification | C:\Windows\system32\msdrives\iedrives.dll | cmd.exe
  File created | C:\Windows\system32\msdrives\msdrv.EXE | cmd.exe
  File opened for modification | C:\Windows\system32\msdrives\msdrv.EXE | cmd.exe
  File created | C:\Windows\system32\msdrives\msdrvctrl.exe | cmd.exe
  File opened for modification | C:\Windows\system32\msdrives\msdrvctrl.exe | cmd.exe
  File created | C:\Windows\system32\msdrives\driverpp.sys | cmd.exe
- YARA rule matches (5 resources)
  resource | yara_rule
  behavioral9/memory/2888-8-0x0000000000400000-0x000000000040F000-memory.dmp | upx
  behavioral9/memory/2888-10-0x0000000000400000-0x000000000040F000-memory.dmp | upx
  behavioral9/files/0x000500000001998a-13.dat | upx
  behavioral9/memory/2736-16-0x0000000000400000-0x0000000000417000-memory.dmp | upx
  behavioral9/memory/2736-18-0x0000000000400000-0x0000000000417000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdrvctrl.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam (2 IoCs)
  pid | process
  2888 | di.exe
  2736 | msdrvctrl.exe
- Suspicious behavior: LoadsDriver (1 IoC)
  pid | process
  472 | Process not Found
- Suspicious use of WriteProcessMemory (15 IoCs, collapsed here by writer/target pair)
  description | pid | process | procid_target | records
  PID 2628 wrote to memory of 2888 | 2628 | cmd.exe | 32 | 4
  PID 2628 wrote to memory of 2736 | 2628 | cmd.exe | 33 | 4
  PID 2736 wrote to memory of 2804 | 2736 | msdrvctrl.exe | 34 | 7
- System policy modification (1 TTP, 1 IoC)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | msdrvctrl.exe
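The following is an added example, not part of the report and not the sandbox's own tooling. It turns three of the signatures above (policy Run key persistence, file drops under System32\msdrives, and regsvr32 /s loading a DLL that sits directly in C:\Windows) into detection checks and runs them over constructed Sysmon-style events that mirror the report's IoCs. The event field names (EventID, Image, ProcessId, TargetObject, Details, TargetFilename, CommandLine) are assumed to follow the Sysmon schema; the benign control event and all PIDs other than the report's are made up.

```python
"""Detection checks derived from the Signatures section of the sandbox report.

The events are constructed Sysmon-style records (EventID 1 ProcessCreate,
11 FileCreate, 13 RegistryEvent SetValue) that mirror the report's IoCs; they
are not the sandbox's raw telemetry, and the field names are an assumption.
"""
import re

# Persistence via the policy Run key (the report's "Adds policy Run key" signature).
POLICY_RUN_KEY = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", re.I)
# Drop directory from the report's "Drops file in System32 directory" signature.
DROP_DIR = re.compile(r"^C:\\Windows\\System32\\msdrives\\", re.I)
# "regsvr32 /s <dll>": silent registration; captures the DLL path (quoted or not, no spaces).
REGSVR32_SILENT = re.compile(r'/s\s+"?([^"\s]+\.dll)"?', re.I)
# A DLL placed directly in C:\Windows rather than under System32/SysWOW64, as in the report.
WINDIR_ROOT_DLL = re.compile(r"^C:\\Windows\\[^\\]+\.dll$", re.I)

SAMPLE_EVENTS = [
    {  # constructed: modelled on the report's "Set value (str) ...\Policies\Explorer\Run\msdrvctrl"
        "EventID": 13, "EventType": "SetValue", "ProcessId": 2736,
        "Image": r"C:\Windows\system32\msdrives\msdrvctrl.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdrvctrl",
        "Details": r"C:\Windows\msdrvctrl.exe",
    },
    {  # constructed: modelled on "File created C:\Windows\system32\msdrives\driverpp.sys cmd.exe"
        "EventID": 11, "ProcessId": 2628, "Image": r"C:\Windows\system32\cmd.exe",
        "TargetFilename": r"C:\Windows\system32\msdrives\driverpp.sys",
    },
    {  # constructed: modelled on the regsvr32 step of the report's process tree
        "EventID": 1, "ProcessId": 2804, "ParentProcessId": 2736,
        "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
        "CommandLine": r'C:\Windows\system32\regsvr32.exe /s "C:\Windows\iedrives.dll"',
    },
    {  # constructed benign control: silent registration of a DLL that lives in System32
        "EventID": 1, "ProcessId": 4100, "ParentProcessId": 900,
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Windows\System32\example.dll"',
    },
]


def _finding(rule, ev, detail, **extra):
    return {"rule": rule, "pid": ev["ProcessId"], "image": ev["Image"], "detail": detail, **extra}


def check_policy_run(ev):
    """EventID 13 value set under ...\\Policies\\Explorer\\Run; 'target' is the value data."""
    if ev.get("EventID") == 13 and POLICY_RUN_KEY.search(ev.get("TargetObject", "")):
        return _finding("policy_run_key", ev, ev["TargetObject"], target=ev.get("Details", ""))
    return None


def check_msdrives_drop(ev):
    """EventID 11 file create under C:\\Windows\\System32\\msdrives\\."""
    if ev.get("EventID") == 11 and DROP_DIR.match(ev.get("TargetFilename", "")):
        return _finding("msdrives_drop", ev, ev["TargetFilename"])
    return None


def check_regsvr32(ev):
    """EventID 1 regsvr32 /s registering a DLL that sits directly in C:\\Windows."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\regsvr32.exe"):
        return None
    m = REGSVR32_SILENT.search(ev.get("CommandLine", ""))
    if m and WINDIR_ROOT_DLL.match(m.group(1)):
        return _finding("regsvr32_silent_windir", ev, m.group(1), parent=ev.get("ParentProcessId"))
    return None


RULES = (check_policy_run, check_msdrives_drop, check_regsvr32)


def run_rules(events):
    """Apply every rule to every event; findings come back in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


def undropped_run_targets(findings):
    """Run-key targets that never appear as a dropped file: the path mismatch seen in this report."""
    dropped = {f["detail"].lower() for f in findings if f["rule"] == "msdrives_drop"}
    return [f["target"] for f in findings
            if f["rule"] == "policy_run_key" and f["target"].lower() not in dropped]


if __name__ == "__main__":
    hits = run_rules(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['rule']:24} pid={f['pid']:<5} {f['detail']}")
    print("Run targets not written in this run:", undropped_run_targets(hits))
```

The last function encodes the caveat from the Run-key table: the persistence value names C:\Windows\msdrvctrl.exe while the only copy written in this run sits under System32\msdrives, so a host check should look at both paths before deciding whether the autostart is live.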
Processes (indentation shows parent/child depth)
C:\Windows\system32\cmd.exe (PID 2628)
  command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\ac8zt2\install2.bat"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ac8zt2\di.exe (PID 2888)
    command line: di.exe C:\Windows\system32\msdrives\driverpp.sys
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
  C:\Windows\system32\msdrives\msdrvctrl.exe (PID 2736)
    command line: C:\Windows\system32\msdrives\msdrvctrl.exe
    - Adds policy Run key to start application
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\regsvr32.exe (PID 2804)
      command line: C:\Windows\system32\regsvr32.exe /s "C:\Windows\iedrives.dll"
      - System Location Discovery: System Language Discovery
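An added example, not part of the report: it collapses the 15 records of the "Suspicious use of WriteProcessMemory" signature into writer-to-target edges with counts and checks each edge against the process tree above. The records are reproduced from the report in the flattened form the page shows; the process tree is transcribed from the Processes section; the extra record used at the end to show a non-parent write is constructed.

```python
"""Reduce the report's WriteProcessMemory records to edges and cross-check them
against the process tree. Added example, not the sandbox's own tooling."""
import re
from collections import Counter

# The 15 records of the report's "Suspicious use of WriteProcessMemory" table, in the
# flattened "description pid Process procid_target" form shown on the page (4 + 4 + 7).
WPM_TABLE = (
    "PID 2628 wrote to memory of 2888 2628 cmd.exe 32 " * 4
    + "PID 2628 wrote to memory of 2736 2628 cmd.exe 33 " * 4
    + "PID 2736 wrote to memory of 2804 2736 msdrvctrl.exe 34 " * 7
)

# pid -> (image, parent pid), transcribed from the report's Processes section.
PROCESS_TREE = {
    2628: ("cmd.exe", None),
    2888: ("di.exe", 2628),
    2736: ("msdrvctrl.exe", 2628),
    2804: ("regsvr32.exe", 2736),
}

RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_writes(text):
    """Return Counter[(writer_pid, writer_image, target_pid)] -> number of records."""
    edges = Counter()
    for writer, target, pid, image, _procid_target in RECORD.findall(text):
        if writer != pid:  # the pid column restates the writer; a mismatch means a parse slip
            raise ValueError(f"record pid {pid} does not match writer {writer}")
        edges[(int(writer), image, int(target))] += 1
    return edges


def non_parent_writes(edges, tree):
    """Edges whose writer is not the target's parent.

    A parent writing into a child it has just created is the pattern process creation
    itself produces; a write into any other process is the cross-process write to chase.
    Targets missing from the tree are reported too, since their parent is unknown.
    """
    return [(w, img, t, n) for (w, img, t), n in edges.items()
            if tree.get(t, (None, None))[1] != w]


if __name__ == "__main__":
    edges = parse_writes(WPM_TABLE)
    for (w, img, t), n in edges.items():
        print(f"{w} {img} -> {t} {PROCESS_TREE[t][0]}: {n} records")
    print("writes not from the target's parent:", non_parent_writes(edges, PROCESS_TREE))
```

For this run every edge is a parent writing into its own child (cmd.exe into di.exe and msdrvctrl.exe, msdrvctrl.exe into regsvr32.exe), so the signature adds nothing beyond what the process tree already says; the function returns a non-empty list only when a writer targets a process it did not spawn.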
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 32KB
  MD5: 14f19d9a7e8b0deff5f0c55e22c5c8dc
  SHA1: a2bc1ea2ca8faac7642afe85cc3dfd5bd6a86089
  SHA256: 22b3255c710f79056dd3fca6775a9e069f855bda5d51d7edd823637e433f72a9
  SHA512: 4622c6fdc511988b03c76b487f8e497b8044c2345044450fb5665c49a843c3806290ee4e0d1e974169502384e411f27258ad107a618ec28fbae234b8c470f1f8