4a8628752da375b1cd440f173dbf750fad9506c31238f5e60ac8b5d41a49ccd4

Analysis

max time kernel
71s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 14:49

Target

driver.sys
Size

3KB
MD5

4961ad28f366ddb4faec6b50dd93d332
SHA1

de2b49487c3e611ca924af9d9ed9faca13064896
SHA256

4a8628752da375b1cd440f173dbf750fad9506c31238f5e60ac8b5d41a49ccd4
SHA512

f23e92ebd15a5e8768c5dc5761cf3181ab5b95d3f05cd072e6b9cb8ae45bc0e1fcc7874d91443a86ef363b678a864b2cfc67e0f9703f0d2e55895bd84c8d2000

Score

8^/10

evasion execution

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\services.msc	mmc.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1472	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4428	mmc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	4428	mmc.exe
Token: SeIncBasePriorityPrivilege	4428	mmc.exe
Token: 33	4428	mmc.exe
Token: SeIncBasePriorityPrivilege	4428	mmc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 1472	4140	cmd.exe	101
PID 4140 wrote to memory of 1472	4140	cmd.exe	101
PID 4140 wrote to memory of 4428	4140	cmd.exe	102
PID 4140 wrote to memory of 4428	4140	cmd.exe	102

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\driver.sys
1⤵
PID:1604
- C:\Users\Admin\AppData\Local\Temp\driver.sys
  C:\Users\Admin\AppData\Local\Temp\driver.sys
  2⤵
  PID:3496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\system32\sc.exe
  sc stop driver
  2⤵
  - Launches sc.exe
  PID:1472
- C:\Windows\system32\mmc.exe
  "C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4428