18747c2191a87db21ca0b1f95cf19da30f47a3db58cb3fbc8e9afe4b6cd74334

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18747c2191a87db21ca0b1f95cf19da30f47a3db58cb3fbc8e9afe4b6cd74334.exe
Size

526KB
MD5

3b7c973bca4c7034c009b9cd2b0140cd
SHA1

2c5de140bf2280e32fb5597d24146d73568121eb
SHA256

18747c2191a87db21ca0b1f95cf19da30f47a3db58cb3fbc8e9afe4b6cd74334
SHA512

441b2439e63b3a31f2e806f0e924977ae4119f8eb48de25367f61f74f5d03b8a0c8c2173899d6e12bbab0ace07720323eae9fb51ad469b5535f5d5d824cf2a98
SSDEEP

6144:lrhCmSiJnFtXJch8bZ0iDd+gFuC88bYVWTb4gU+b2HV70/2wPe1ep1B+wsiBzVXv:lYmSczXJWSMg188MMTWSrB+wbzVXZ7o

Score

9^/10

vmprotect

Malware Config

Signatures

Detects executables packed with VMProtect. 1 IoCs

Processes:

resource yara_rule

\??\c:\users\admin\appdata\local\temp\588XS2~1\DrvInE.sys INDICATOR_EXE_Packed_VMProtect
Executes dropped EXE 1 IoCs

Processes:

devcon.exe

pid process

2620 devcon.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2712 cmd.exe
VMProtect packed file 1 IoCs
Detects executables packed with VMProtect commercial packer.
vmprotect

Processes:

resource yara_rule

\??\c:\users\admin\appdata\local\temp\588XS2~1\DrvInE.sys vmprotect

resource	yara_rule
\??\c:\users\admin\appdata\local\temp\588XS2~1\DrvInE.sys	INDICATOR_EXE_Packed_VMProtect

pid	process
2620	devcon.exe

pid	process
2712	cmd.exe

resource	yara_rule
\??\c:\users\admin\appdata\local\temp\588XS2~1\DrvInE.sys	vmprotect

Drops file in System32 directory 9 IoCs

Processes:

DrvInst.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\Temp\{28344ae9-31b6-6a3a-4a26-b9198764e711}\SET715B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{28344ae9-31b6-6a3a-4a26-b9198764e711}\SET7149.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{28344ae9-31b6-6a3a-4a26-b9198764e711}\SET7149.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{28344ae9-31b6-6a3a-4a26-b9198764e711}\DrvInE.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{28344ae9-31b6-6a3a-4a26-b9198764e711}\SET715A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{28344ae9-31b6-6a3a-4a26-b9198764e711}\SET715B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{28344ae9-31b6-6a3a-4a26-b9198764e711}\SET715A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{28344ae9-31b6-6a3a-4a26-b9198764e711}\DrvInE.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{28344ae9-31b6-6a3a-4a26-b9198764e711}\drvine.inf	DrvInst.exe

Drops file in Windows directory 3 IoCs

Processes:

devcon.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.app.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 51 IoCs

Processes:

DrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

devcon.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	devcon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	devcon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	devcon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	devcon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rundll32.exe

pid process

2156 rundll32.exe

pid	process
2156	rundll32.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

devcon.exeDrvInst.exerundll32.exe

description	pid	process
Token: SeRestorePrivilege	2620	devcon.exe
Token: SeRestorePrivilege	2620	devcon.exe
Token: SeRestorePrivilege	2620	devcon.exe
Token: SeRestorePrivilege	2620	devcon.exe
Token: SeRestorePrivilege	2620	devcon.exe
Token: SeRestorePrivilege	2620	devcon.exe
Token: SeRestorePrivilege	2620	devcon.exe
Token: SeRestorePrivilege	2620	devcon.exe
Token: SeRestorePrivilege	2620	devcon.exe
Token: SeRestorePrivilege	2620	devcon.exe
Token: SeRestorePrivilege	2620	devcon.exe
Token: SeRestorePrivilege	2620	devcon.exe
Token: SeRestorePrivilege	2620	devcon.exe
Token: SeRestorePrivilege	2620	devcon.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	2156	rundll32.exe
Token: SeRestorePrivilege	2156	rundll32.exe
Token: SeRestorePrivilege	2156	rundll32.exe
Token: SeRestorePrivilege	2156	rundll32.exe
Token: SeRestorePrivilege	2156	rundll32.exe
Token: SeRestorePrivilege	2156	rundll32.exe
Token: SeRestorePrivilege	2156	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

18747c2191a87db21ca0b1f95cf19da30f47a3db58cb3fbc8e9afe4b6cd74334.execmd.exeDrvInst.exe

description	pid	process	target process
PID 3048 wrote to memory of 2712	3048	18747c2191a87db21ca0b1f95cf19da30f47a3db58cb3fbc8e9afe4b6cd74334.exe	cmd.exe
PID 3048 wrote to memory of 2712	3048	18747c2191a87db21ca0b1f95cf19da30f47a3db58cb3fbc8e9afe4b6cd74334.exe	cmd.exe
PID 3048 wrote to memory of 2712	3048	18747c2191a87db21ca0b1f95cf19da30f47a3db58cb3fbc8e9afe4b6cd74334.exe	cmd.exe
PID 3048 wrote to memory of 2712	3048	18747c2191a87db21ca0b1f95cf19da30f47a3db58cb3fbc8e9afe4b6cd74334.exe	cmd.exe
PID 3048 wrote to memory of 2712	3048	18747c2191a87db21ca0b1f95cf19da30f47a3db58cb3fbc8e9afe4b6cd74334.exe	cmd.exe
PID 3048 wrote to memory of 2712	3048	18747c2191a87db21ca0b1f95cf19da30f47a3db58cb3fbc8e9afe4b6cd74334.exe	cmd.exe
PID 3048 wrote to memory of 2712	3048	18747c2191a87db21ca0b1f95cf19da30f47a3db58cb3fbc8e9afe4b6cd74334.exe	cmd.exe
PID 2712 wrote to memory of 2620	2712	cmd.exe	devcon.exe
PID 2712 wrote to memory of 2620	2712	cmd.exe	devcon.exe
PID 2712 wrote to memory of 2620	2712	cmd.exe	devcon.exe
PID 2712 wrote to memory of 2620	2712	cmd.exe	devcon.exe
PID 556 wrote to memory of 2156	556	DrvInst.exe	rundll32.exe
PID 556 wrote to memory of 2156	556	DrvInst.exe	rundll32.exe
PID 556 wrote to memory of 2156	556	DrvInst.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\18747c2191a87db21ca0b1f95cf19da30f47a3db58cb3fbc8e9afe4b6cd74334.exe
"C:\Users\Admin\AppData\Local\Temp\18747c2191a87db21ca0b1f95cf19da30f47a3db58cb3fbc8e9afe4b6cd74334.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\588xs2z55U\Driver_Setup.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Local\Temp\588xs2z55U\devcon.exe
devcon install DrvInE.inf "{FD59161E-D5D4-4299-910F-511094CF4E96}\HID_DEVICE"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2e70c365-6ccf-05ab-8c3a-b95961694946}\drvine.inf" "9" "6e027734f" "00000000000003E8" "WinSta0\Default" "0000000000000328" "208" "c:\users\admin\appdata\local\temp\588xs2z55u"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{37028d6b-76bb-1351-d861-aa1480055339} Global\{2f1b7375-6de0-1390-0492-a834de3f6944} C:\Windows\System32\DriverStore\Temp\{28344ae9-31b6-6a3a-4a26-b9198764e711}\drvine.inf C:\Windows\System32\DriverStore\Temp\{28344ae9-31b6-6a3a-4a26-b9198764e711}\DrvInE.cat
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2156

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\588xs2z55U\Driver_Setup.bat
Filesize
79B

MD5
b05e53e28d3e66362cec2915710d7a55

SHA1
b6e8010ef364ea05dacca461a0481244e84c8bcf

SHA256
644975810d9c8ba1dc42c1cd821a3b140be0ffaa8ffdc4d927c7428349643755

SHA512
5f0966fbf3bfa32d985b2c72dcddc3f59f20a0fb6c023f2688c253d0b6ee79bae0fe1d55dba371c9cbe06663f5b9c0f53aabfaf9717fe7f1cf8e763bf2044f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\588xs2z55U\DrvInE.inf
Filesize
3KB

MD5
607506fffa21830f75c18ff69a112246

SHA1
26755161758b031b7e952c24fdd929b10120fd28

SHA256
b69c7a5e17eb9a76d5f9d2818d4db889631768949ee35f023e3ed6c8b2aa5fae

SHA512
dc452bf226c4721b4eb069a66bf7f20bdb725bceb7ae113f429915d233d04f67e6cdaa9caf49f69fbe763e0a1cc7c8ceeffa3ce6edfe2a3da23111f4dca596da

Download Submit
C:\Users\Admin\AppData\Local\Temp\588xs2z55U\devcon.exe
Filesize
87KB

MD5
41ba1bbdd9284e49701ee94a3f446c33

SHA1
6d5bd532a0f9a3bf7005edeb53b4aba2d30a0c99

SHA256
c65d9acba88d2c56422ec4aba235b0ae25bb3261bf400cd30efe11de0c4330e4

SHA512
dc55452698966b77c157a81eb458984b17e3e3a0d3ff885479f7c823b847eb739a07782f140ced12eac75fdddd7416f923c885a9d8e8b0a10010fc07bef3da45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6D75.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6DF4.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\Cab72C2.tmp
Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar72F4.tmp
Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\??\c:\users\admin\appdata\local\temp\588XS2~1\DrvInE.sys
Filesize
54KB

MD5
c415ee7d6a509d98636c9fa5faae5a60

SHA1
ab05530e623bd1780ccb1623138bde77655f19c9

SHA256
015af31cd5b19dc780cf36da0d21324d81bf46fdc8c73a850597c777f5f44857

SHA512
848cbc5ead4e2513d7e925a5d6739ccd2464eb53d04e1c0c12d12e4c59a8bd7c731c50d34756d922bb1bb1517f3528e7ba3b3b65fadbfb72cc584521e9631136

Download Submit
\??\c:\users\admin\appdata\local\temp\588xs2z55u\DrvInE.cat
Filesize
8KB

MD5
fba3d6050022c44b4d2d6dd81b62f356

SHA1
c5484dbb858ce2980f401560caf50b6f9a14b594

SHA256
ab01bd082889fc7688876b72ecd4e04f31d1d92b786497aa24b54388da12b73e

SHA512
42b4694995a22c38070b9035d1e92774ddf90626b42ce0b79b5d9f08397cef0f5302ea6dc26acadafa483be09a22f92e09ee8e68d5b49e38c9b4ee91129ced99

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads