242c6c990e0db9483bd662f4d2bbf21f088701d53dc2fca2e9715cba06467863

General

Target

242c6c990e0db9483bd662f4d2bbf21f088701d53dc2fca2e9715cba06467863N.exe
Size

65KB
MD5

688b199d022be55295285a08630bb720
SHA1

5c9c00f67bc21e4fdb9be6394da97cb3a36cdbf3
SHA256

242c6c990e0db9483bd662f4d2bbf21f088701d53dc2fca2e9715cba06467863
SHA512

2553f34438789101d99b0e1e45032974e377db1b1e68c48f6a9b1ebee11145169565a46d55f1ff298c1f9882b735ca2d4c4983ca541c130da4ab47f0fd5e75f2
SSDEEP

1536:o3kmlSKYwpqiiJugU/cqaQ1RWn8hlzzRuFfxZEWQ8OGtdSoAAE:o0mlSKbpqXstapo5R6gPsXfE

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

5112 netsh.exe

pid	process
5112	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

242c6c990e0db9483bd662f4d2bbf21f088701d53dc2fca2e9715cba06467863N.exejoined_original_original.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	242c6c990e0db9483bd662f4d2bbf21f088701d53dc2fca2e9715cba06467863N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	joined_original_original.exe

Executes dropped EXE 2 IoCs

Processes:

joined_original_original.exeDriverBooster.exe

pid process

5020 joined_original_original.exe
3132 DriverBooster.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5020	joined_original_original.exe
3132	DriverBooster.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DriverBooster.exenetsh.exe242c6c990e0db9483bd662f4d2bbf21f088701d53dc2fca2e9715cba06467863N.exejoined_original_original.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DriverBooster.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	242c6c990e0db9483bd662f4d2bbf21f088701d53dc2fca2e9715cba06467863N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	joined_original_original.exe

Modifies registry class 1 IoCs

Processes:

242c6c990e0db9483bd662f4d2bbf21f088701d53dc2fca2e9715cba06467863N.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	242c6c990e0db9483bd662f4d2bbf21f088701d53dc2fca2e9715cba06467863N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

DriverBooster.exe

pid process

3132 DriverBooster.exe

pid	process
3132	DriverBooster.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

DriverBooster.exe

description	pid	process
Token: SeDebugPrivilege	3132	DriverBooster.exe
Token: 33	3132	DriverBooster.exe
Token: SeIncBasePriorityPrivilege	3132	DriverBooster.exe
Token: 33	3132	DriverBooster.exe
Token: SeIncBasePriorityPrivilege	3132	DriverBooster.exe
Token: 33	3132	DriverBooster.exe
Token: SeIncBasePriorityPrivilege	3132	DriverBooster.exe
Token: 33	3132	DriverBooster.exe
Token: SeIncBasePriorityPrivilege	3132	DriverBooster.exe
Token: 33	3132	DriverBooster.exe
Token: SeIncBasePriorityPrivilege	3132	DriverBooster.exe
Token: 33	3132	DriverBooster.exe
Token: SeIncBasePriorityPrivilege	3132	DriverBooster.exe
Token: 33	3132	DriverBooster.exe
Token: SeIncBasePriorityPrivilege	3132	DriverBooster.exe
Token: 33	3132	DriverBooster.exe
Token: SeIncBasePriorityPrivilege	3132	DriverBooster.exe
Token: 33	3132	DriverBooster.exe
Token: SeIncBasePriorityPrivilege	3132	DriverBooster.exe
Token: 33	3132	DriverBooster.exe
Token: SeIncBasePriorityPrivilege	3132	DriverBooster.exe
Token: 33	3132	DriverBooster.exe
Token: SeIncBasePriorityPrivilege	3132	DriverBooster.exe
Token: 33	3132	DriverBooster.exe
Token: SeIncBasePriorityPrivilege	3132	DriverBooster.exe
Token: 33	3132	DriverBooster.exe
Token: SeIncBasePriorityPrivilege	3132	DriverBooster.exe
Token: 33	3132	DriverBooster.exe
Token: SeIncBasePriorityPrivilege	3132	DriverBooster.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

242c6c990e0db9483bd662f4d2bbf21f088701d53dc2fca2e9715cba06467863N.exejoined_original_original.exeDriverBooster.exe

description	pid	process	target process
PID 216 wrote to memory of 5020	216	242c6c990e0db9483bd662f4d2bbf21f088701d53dc2fca2e9715cba06467863N.exe	joined_original_original.exe
PID 216 wrote to memory of 5020	216	242c6c990e0db9483bd662f4d2bbf21f088701d53dc2fca2e9715cba06467863N.exe	joined_original_original.exe
PID 216 wrote to memory of 5020	216	242c6c990e0db9483bd662f4d2bbf21f088701d53dc2fca2e9715cba06467863N.exe	joined_original_original.exe
PID 5020 wrote to memory of 3132	5020	joined_original_original.exe	DriverBooster.exe
PID 5020 wrote to memory of 3132	5020	joined_original_original.exe	DriverBooster.exe
PID 5020 wrote to memory of 3132	5020	joined_original_original.exe	DriverBooster.exe
PID 3132 wrote to memory of 5112	3132	DriverBooster.exe	netsh.exe
PID 3132 wrote to memory of 5112	3132	DriverBooster.exe	netsh.exe
PID 3132 wrote to memory of 5112	3132	DriverBooster.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\242c6c990e0db9483bd662f4d2bbf21f088701d53dc2fca2e9715cba06467863N.exe
"C:\Users\Admin\AppData\Local\Temp\242c6c990e0db9483bd662f4d2bbf21f088701d53dc2fca2e9715cba06467863N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Local\Temp\joined_original_original.exe
  "C:\Users\Admin\AppData\Local\Temp\joined_original_original.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\DriverBooster.exe
    "C:\Users\Admin\AppData\Local\Temp\DriverBooster.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\DriverBooster.exe" "DriverBooster.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DriverBooster.exe

Filesize
93KB

MD5
24b51b807bed026c0120db66b77def8f

SHA1
f7e07f634df0793b19dcc12aa687f680b227fdbf

SHA256
592f7abc864de4c820532ed3324b204482efd72f5cf60d4674a4f18b9f1257a2

SHA512
efa6fd27ccfc92d29fb291f0b835291ca26ca6de7d801379a6e096fea93e5899167a7da57568a8e92775034bcae775fe28914293db17ac614daa7cdcad689a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\joined_original_original.exe

Filesize
67KB

MD5
4cb3a1439aa01a8497ab70c7cc558ae5

SHA1
adb8ce9d3329e96df5b605ef3328f4dbbdf5439c

SHA256
f1805a2f435fdddab6214f9983c1526c1c3bbdffb154f9584f5bb8751a67091c

SHA512
03741f0214d37893fb47b0e4c1168609f3d343267969ce992b1dd740f84e02cfa7b25b0860231e58bfe6f503b65d94280d35e3a526635554fc58af84b071b42c

Download Submit
memory/3132-69-0x0000000075392000-0x0000000075393000-memory.dmp

Filesize
4KB

Download
memory/3132-70-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/3132-71-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/3132-74-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download
memory/3132-73-0x0000000075392000-0x0000000075393000-memory.dmp

Filesize
4KB

Download
memory/3132-75-0x0000000075390000-0x0000000075941000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads