f12a285cd494045e1ea9cd014305b9a063fe7fb44aaae60c5307a7e588503a23

Analysis

max time kernel
91s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-11-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SpyShelterSetup.exe
Size

14.3MB
MD5

ac81dcc50798a6ff218989e710a8faf5
SHA1

cdcbb8bc348bbcbc08ba6ab11bc07c4dd6044108
SHA256

f12a285cd494045e1ea9cd014305b9a063fe7fb44aaae60c5307a7e588503a23
SHA512

58761ee04d57e977a8c5a92a9ca084afda773166f8190938da4ebd54991c7e3588f76055a1b8661bc74e080d3774449078657353608a4b4490d95cac84a179ab
SSDEEP

393216:XcgnMV1brGe3pT32/0pBdmI4vOwXMmMv:XJMV1nlprbFyvOwXlM

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\SpyShelter.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SpyShelter.sys	DrvInst.exe

Loads dropped DLL 8 IoCs

pid	Process
908	SpyShelterSetup.exe
908	SpyShelterSetup.exe
908	SpyShelterSetup.exe
908	SpyShelterSetup.exe
908	SpyShelterSetup.exe
908	SpyShelterSetup.exe
908	SpyShelterSetup.exe
908	SpyShelterSetup.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\SpyShelter = "\"C:\\Program Files\\SpyShelter\\SpyShelter.exe\" --minimize"	SpyShelterSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spyshelter.inf_amd64_ac4ec743cca9aee8\SpyShelter.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spyshelter.inf_amd64_ac4ec743cca9aee8\SpyShelter.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spyshelter.inf_amd64_ac4ec743cca9aee8\SpyShelter.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9106785f-5ff2-1a41-bc9f-49efec40b03d}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9106785f-5ff2-1a41-bc9f-49efec40b03d}\SpyShelter.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9106785f-5ff2-1a41-bc9f-49efec40b03d}\SpyShelter.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9106785f-5ff2-1a41-bc9f-49efec40b03d}\SpyShelter.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{9106785f-5ff2-1a41-bc9f-49efec40b03d}\SETDEE7.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9106785f-5ff2-1a41-bc9f-49efec40b03d}\SETDEE8.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{9106785f-5ff2-1a41-bc9f-49efec40b03d}\SETDEE8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\spyshelter.inf_amd64_ac4ec743cca9aee8\SpyShelter.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9106785f-5ff2-1a41-bc9f-49efec40b03d}\SETDED7.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{9106785f-5ff2-1a41-bc9f-49efec40b03d}\SETDED7.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9106785f-5ff2-1a41-bc9f-49efec40b03d}\SETDEE7.tmp	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\rules_page\file_private_deny.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\shaders\ink_sparkle.frag	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\SpyShelter.exe	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main\checked_icon.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\page_buttons\protection_off_selected_icon.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\protection_page\fi_file.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\protection_page\mode_easy.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\rules_page\file.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\vcruntime140.dll	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\FontManifest.json	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\fonts\NotoSansMono-Light.ttf	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main\default_app_icon.png	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\protection_page\mode_custom.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\page_buttons\rules_selected_icon.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\windows_single_instance_plugin.dll	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\fonts\Roboto-Bold.ttf	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main\sps_app_icon_with_shadow.png	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\page_buttons\protection_off_normal_icon.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\protection_page\mode_do_not_disturb.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main\chevron_left.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main\terminate_icon.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main\update.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\page_buttons\default_normal_icon.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\rules_page\injection.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\rules_page\registry.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\url_launcher_windows_plugin.dll	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main\app_icon.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main\copy_icon.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\page_buttons\protection_on_normal_icon.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\protection_page\free_mode.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\protection_page\mode_all_off.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main\close_icon.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main\folder_icon.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\events_page\fi_eye.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\icudtl.dat	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\license\FREE.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main\fi_user.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main\switcher_check_icon.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\settings\power.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\dialogs\activation\radar_animation_day.json	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main\settings.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main\small_close_icon.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\page_buttons\frame.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\protection_page\fi_private_file.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\SpyShelter.inf	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main\radio_button_point.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\settings\command_line.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\taskbar\attention_overlay_icon.ico	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\activity_page\terminal_icon.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\sps\sps.exe	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main\clock.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main\quarantine.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\protection_page\popup_illustration.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\license\PRO.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main\bell-off.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main_menu\site.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\page_buttons\activity_selected_icon.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\page_buttons\alerts_normal_icon.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\fonts\MaterialIcons-Regular.otf	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\license.txt	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main\bell.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\main\dropdown_arrow_icon.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\protection_page\fi_registry.svg	SpyShelterSetup.exe
File created	C:\Program Files\SpyShelter\data\flutter_assets\assets\images\views\rules_page\dot.svg	SpyShelterSetup.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	RUNDLL32.EXE
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	pnputil.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1828	sc.exe
756	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpyShelterSetup.exe

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeAuditPrivilege	1376	svchost.exe
Token: SeSecurityPrivilege	1376	svchost.exe
Token: SeRestorePrivilege	2592	DrvInst.exe
Token: SeBackupPrivilege	2592	DrvInst.exe
Token: SeRestorePrivilege	2852	DrvInst.exe
Token: SeBackupPrivilege	2852	DrvInst.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 4392	908	SpyShelterSetup.exe	81
PID 908 wrote to memory of 4392	908	SpyShelterSetup.exe	81
PID 1376 wrote to memory of 2300	1376	svchost.exe	84
PID 1376 wrote to memory of 2300	1376	svchost.exe	84
PID 1376 wrote to memory of 2592	1376	svchost.exe	85
PID 1376 wrote to memory of 2592	1376	svchost.exe	85
PID 908 wrote to memory of 1828	908	SpyShelterSetup.exe	86
PID 908 wrote to memory of 1828	908	SpyShelterSetup.exe	86
PID 908 wrote to memory of 2288	908	SpyShelterSetup.exe	88
PID 908 wrote to memory of 2288	908	SpyShelterSetup.exe	88
PID 1376 wrote to memory of 2852	1376	svchost.exe	89
PID 1376 wrote to memory of 2852	1376	svchost.exe	89
PID 2288 wrote to memory of 3200	2288	RUNDLL32.EXE	90
PID 2288 wrote to memory of 3200	2288	RUNDLL32.EXE	90
PID 3200 wrote to memory of 3872	3200	runonce.exe	91
PID 3200 wrote to memory of 3872	3200	runonce.exe	91
PID 908 wrote to memory of 756	908	SpyShelterSetup.exe	93
PID 908 wrote to memory of 756	908	SpyShelterSetup.exe	93

C:\Users\Admin\AppData\Local\Temp\SpyShelterSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SpyShelterSetup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:908
- C:\Windows\SYSTEM32\pnputil.exe
  "pnputil.exe" /add-driver "C:\Program Files\SpyShelter\spyshelter.inf" /install
  2⤵
  - Drops file in Windows directory
  PID:4392
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" start SpyShelter
  2⤵
  - Launches sc.exe
  PID:1828
- C:\Windows\SYSTEM32\RUNDLL32.EXE
  "RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 .\SpyShelter.inf
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\system32\runonce.exe
    "C:\Windows\system32\runonce.exe" -r
    3⤵
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\System32\grpconv.exe
      "C:\Windows\System32\grpconv.exe" -o
      4⤵
      PID:3872
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" start SpyShelter
  2⤵
  - Launches sc.exe
  PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{20d11b9c-64b1-2541-a599-3d224ea89c50}\SpyShelter.inf" "9" "41f2c91b7" "0000000000000154" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\SpyShelter"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2300
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\spyshelter.inf_amd64_ac4ec743cca9aee8\spyshelter.inf" "0" "41f2c91b7" "000000000000016C" "WinSta0\Default"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\spyshelter.inf_amd64_ac4ec743cca9aee8\spyshelter.inf" "0" "46ff959c3" "0000000000000180" "WinSta0\Default"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\SPYSHE~1\SPYSHE~1.CAT

Filesize
11KB

MD5
0a68e1e5c5e371fb8e0fd2ab936d80e8

SHA1
c7a5e257251ac4c9b4c88a8d48d097bf9a4c3d94

SHA256
64e2c96df1a8b8420fc120b17c761216f865bbe3ed0e2600cdebb6e25f51c7ca

SHA512
e02a3ead4fcad63254232a38c940e83ff853c84f82f69071a2893d9441009581ac0e59e186341bd10654e09dafc907e91d1674637780cc862be9afadf5550b8e

Download Submit
C:\PROGRA~1\SPYSHE~1\SPYSHE~1.SYS

Filesize
96KB

MD5
8601c8f4941e9c7139ee451cfdb2478f

SHA1
a214490aa4e8de7972ffbc8b5f7de25536d0ab61

SHA256
564aa9812e2502831e59f7e64aed821dcb4bdd2aa257d0ecdc71299402d69d8f

SHA512
aa6f0eac350d12769b0ba95187ff31ecc1b249625a82d80f410660047c15a5bc61593b68e292c7de50fd9a559af43082c4c62988251ac88f597bb6048c385fc1

Download Submit
C:\Program Files\SpyShelter\SpyShelter.inf

Filesize
2KB

MD5
b1d9f84b18adef5fb8d563ea37240873

SHA1
87b4f9e5e60a4f3f470a80ed4c31d6de389e4ea2

SHA256
be1b7575b8822ccb1dc6e42348b2b5fd691582e56a9ca4a8e11222694fc160c1

SHA512
f3b46a2c1c94c4cfdeb2bbd4985da7c93dc3deb5acc68bdcf34d3ceb650bbd0654f61626e9ec618e6a3cf528966480098f815db2a958569159a5f9436b312417

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBCCA.tmp\System.dll

Filesize
22KB

MD5
662740bb61022c673dca1f539692a881

SHA1
3c3a6db52874ab31d85da05af8bc5a3e64367033

SHA256
7a1f5593fd4090a0cc5028bcd8e4e2b4a1b017f2b98ba8c3f39e5ea38721a77c

SHA512
ebfc19bafe09b2480217c02f202e5de46d8c541dc71c32a821f5caf415e9569b40e7b355a5639cd7f9c52605ca1fcbd48cd7184bc2fa55353eef579db1e4f9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBCCA.tmp\header_96.bmp

Filesize
25KB

MD5
8370132d1eae38f175d348f800610403

SHA1
117e8b2ac12a68ff8203303657910f1789612c7e

SHA256
567a0a41ccf8f7b81717a2685d3c75ddeb5020b56d40d25de513954958101c03

SHA512
b2697f7a3d471741519908898ab1da337f0312dc73cc385530d7cb3d9de2601ebee8082476d66917a266a1dd5104221987433a7cbec2e0bb3dc92c0c5c29a297

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBCCA.tmp\modern-wizard.bmp

Filesize
150KB

MD5
923578ed58a7f2b7c93c02374023bc99

SHA1
86fb492636c7508bf5766b427f6a2603ec058a79

SHA256
9e28df3373bacc36a903e02b8af302a9f34667142c80bb613a3b279a4e7532ca

SHA512
f026f8d523d7c14c1f8723f356878868fcc3f8eb277497dddb546908871556433cfd38d20e74907b8a51676bd3a3ab6393a0ec458c1657db28a1b29c5f04e7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBCCA.tmp\nsDialogs.dll

Filesize
19KB

MD5
31e9d33a51ec14b061b13a07357d5597

SHA1
a0c457597b90dc7d1166430c9583e75d25bd0087

SHA256
d90e03598b0cd62da697e0eabea712e4d277ac179cfacad5b9ca0c753368dcd9

SHA512
bf2bb86a27a5e8cf5d3ce19bda7d121fd6025f97f0ea626b986cb304db5e1ec203b9106ef023ba608f10f4d8a348cf24de92d117c70a8a7686b09950d042bc30

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBCCA.tmp\nsExec.dll

Filesize
17KB

MD5
0c220b7d0d37229177cdf8fc3ccc836b

SHA1
d5b6a594c679b5acb5893fb8c9b9c95d123ce31c

SHA256
52056666c77215c7aea1bc8e0f7d13b1077bddc9dafb5944d9a01121b665bfea

SHA512
ae8cede92694e140185b58c39c68e3f5796c13354adf0626c31409f62015ab7bd03716a0ee4eb71b8b8d037bc2abe143f0b079f1535db811d1b6e260c8408e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBCCA.tmp\sps.dll

Filesize
95KB

MD5
f14021caecb24dc2f24854174ed1a58a

SHA1
50e9520c001eefbc68ba06e99c9f039ff20afd7b

SHA256
47ffacc6c155105138f6409765558a927b3cabc6c5c9cef587e22ffcc46102f2

SHA512
4153dd2f8b318d4dae2c32e7a11e6b3298419bf4d2f40cad88e055e87222783d697b00ba780187a33e39d8eb77564abc3e7f1e921483c9ad2ec5d679195344ac

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads