| File name: | Driver_Auto_Installer_EXE_v5.1632.00.zip |
| Full analysis: | https://app.any.run/tasks/d917f20d-73fb-4281-ae68-f3101387c6ed |
| Verdict: | Malicious activity |
| Analysis date: | May 18, 2024, 13:38:19 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5: | 5749DDA631289B63FF5A246C19FAE4A1 |
| SHA1: | D7AEF04718ECC616239A8F92FED7D1A3E279A5A2 |
| SHA256: | 160A760FD7B6EDE492384663DDA63CCA5CAC43BA85A998B2EF4A5AB5CF42709F |
| SSDEEP: | 98304:/KoBZ/b66a6dfJ5bUoeJVOQqnp6suuaGDHZ4Zb0QFbC/+vh5mpN6+rHCpQNy0C8q:FaE8Lyv1n3SAKgyejbqN8UGOsIr |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3980)
- DriverInstall.exe (PID: 1024)
- DriverInstall.exe (PID: 1680)
- DriverInstall.tmp (PID: 1112)
- install32.exe (PID: 1628)
- drvinst.exe (PID: 1236)
- drvinst.exe (PID: 284)
- mtk_etw_log.exe (PID: 2644)
Create files in the Startup directory
- DriverInstall.tmp (PID: 1112)
Creates a writable file in the system directory
- drvinst.exe (PID: 1236)
- drvinst.exe (PID: 284)
- drvinst.exe (PID: 2064)
- drvinst.exe (PID: 1796)
- drvinst.exe (PID: 1852)
- drvinst.exe (PID: 2364)
- drvinst.exe (PID: 2324)
SUSPICIOUS
Executable content was dropped or overwritten
- DriverInstall.exe (PID: 1024)
- DriverInstall.exe (PID: 1680)
- DriverInstall.tmp (PID: 1112)
- install32.exe (PID: 1628)
- drvinst.exe (PID: 1236)
- drvinst.exe (PID: 284)
- mtk_etw_log.exe (PID: 2644)
Reads the Windows owner or organization settings
- DriverInstall.tmp (PID: 1112)
Process drops legitimate windows executable
- DriverInstall.tmp (PID: 1112)
- install32.exe (PID: 1628)
- drvinst.exe (PID: 284)
Drops a system driver (possible attempt to evade defenses)
- install32.exe (PID: 1628)
- drvinst.exe (PID: 1236)
- DriverInstall.tmp (PID: 1112)
Creates files in the driver directory
- drvinst.exe (PID: 1236)
- drvinst.exe (PID: 284)
- drvinst.exe (PID: 2064)
- drvinst.exe (PID: 1796)
- drvinst.exe (PID: 1852)
- drvinst.exe (PID: 2364)
- drvinst.exe (PID: 2324)
Checks Windows Trust Settings
- drvinst.exe (PID: 284)
- drvinst.exe (PID: 2064)
- drvinst.exe (PID: 1236)
- drvinst.exe (PID: 1796)
- drvinst.exe (PID: 1852)
Executes as Windows Service
- VSSVC.exe (PID: 736)
Malware-specific behavior (creating "System.dll" in Temp)
- mtk_etw_log.exe (PID: 2644)
Starts application with an unusual extension
- mtk_etw_log.exe (PID: 2644)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3980)
Checks supported languages
- DriverInstall.exe (PID: 1024)
- DriverInstall.tmp (PID: 928)
- DriverInstall.exe (PID: 1680)
- DriverInstall.tmp (PID: 1112)
- install32.exe (PID: 1628)
- drvinst.exe (PID: 1236)
- drvinst.exe (PID: 284)
- drvinst.exe (PID: 2064)
- drvinst.exe (PID: 1852)
- drvinst.exe (PID: 2364)
- drvinst.exe (PID: 1796)
- drvinst.exe (PID: 2324)
Manual execution by a user
- DriverInstall.exe (PID: 1024)
Reads the computer name
- DriverInstall.tmp (PID: 928)
- DriverInstall.tmp (PID: 1112)
- install32.exe (PID: 1628)
- drvinst.exe (PID: 1236)
- drvinst.exe (PID: 284)
- drvinst.exe (PID: 2064)
- drvinst.exe (PID: 1796)
- drvinst.exe (PID: 1852)
- drvinst.exe (PID: 2364)
- drvinst.exe (PID: 2324)
Create files in a temporary directory
- DriverInstall.exe (PID: 1680)
- DriverInstall.exe (PID: 1024)
- install32.exe (PID: 1628)
Creates files in the program directory
- DriverInstall.tmp (PID: 1112)
Creates a software uninstall entry
- DriverInstall.tmp (PID: 1112)
Reads the machine GUID from the registry
- drvinst.exe (PID: 1236)
- install32.exe (PID: 1628)
- drvinst.exe (PID: 284)
- drvinst.exe (PID: 2064)
- drvinst.exe (PID: 1796)
- drvinst.exe (PID: 1852)
- drvinst.exe (PID: 2364)
- drvinst.exe (PID: 2324)
Reads the software policy settings
- drvinst.exe (PID: 284)
- drvinst.exe (PID: 1236)
- drvinst.exe (PID: 1796)
- drvinst.exe (PID: 1852)
- drvinst.exe (PID: 2064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .xpi | | | Mozilla Firefox browser extension (66.6) |
|---|---|---|
| .zip | | | ZIP compressed archive (33.3) |
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2016:08:04 10:01:24 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | Driver_Auto_Installer_SP_Drivers_20160804/ |
Total processes
59
Monitored processes
19
Malicious processes
13
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 284 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{4e381476-b00a-7987-4992-c47ed176dd6d}\android_winusb.inf" "0" "6a7143947" "000005D4" "WinSta0\Default" "00000584" "208" "C:\Program Files\MediaTek\SP Driver\drv\Android" | C:\Windows\System32\drvinst.exe | svchost.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 736 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 928 | "C:\Users\admin\AppData\Local\Temp\is-JDUOD.tmp\DriverInstall.tmp" /SL5="$101A2,9055663,57856,C:\Users\admin\Desktop\Driver_Auto_Installer_SP_Drivers_20160804\DriverInstall.exe" | C:\Users\admin\AppData\Local\Temp\is-JDUOD.tmp\DriverInstall.tmp | — | DriverInstall.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0 Modules
| |||||||||||||||
| 1024 | "C:\Users\admin\Desktop\Driver_Auto_Installer_SP_Drivers_20160804\DriverInstall.exe" | C:\Users\admin\Desktop\Driver_Auto_Installer_SP_Drivers_20160804\DriverInstall.exe | explorer.exe | ||||||||||||
User: admin Company: MediaTek.Inc. Integrity Level: MEDIUM Description: MediaTek SP Driver Setup Exit code: 0 Version: 5.16.32.04 Modules
| |||||||||||||||
| 1112 | "C:\Users\admin\AppData\Local\Temp\is-I0887.tmp\DriverInstall.tmp" /SL5="$201B4,9055663,57856,C:\Users\admin\Desktop\Driver_Auto_Installer_SP_Drivers_20160804\DriverInstall.exe" /SPAWNWND=$101B2 /NOTIFYWND=$101A2 | C:\Users\admin\AppData\Local\Temp\is-I0887.tmp\DriverInstall.tmp | DriverInstall.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0 Modules
| |||||||||||||||
| 1236 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{15c848f5-db18-05c7-c2b3-0207aa719544}\cdc-acm.inf" "0" "6e2207443" "00000330" "WinSta0\Default" "000005D4" "208" "C:\Program Files\MediaTek\SP Driver\drv\CDC" | C:\Windows\System32\drvinst.exe | svchost.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1628 | "C:\Program Files\MediaTek\SP Driver\install\install32.exe" -m | C:\Program Files\MediaTek\SP Driver\install\install32.exe | DriverInstall.tmp | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1680 | "C:\Users\admin\Desktop\Driver_Auto_Installer_SP_Drivers_20160804\DriverInstall.exe" /SPAWNWND=$101B2 /NOTIFYWND=$101A2 | C:\Users\admin\Desktop\Driver_Auto_Installer_SP_Drivers_20160804\DriverInstall.exe | DriverInstall.tmp | ||||||||||||
User: admin Company: MediaTek.Inc. Integrity Level: HIGH Description: MediaTek SP Driver Setup Exit code: 0 Version: 5.16.32.04 Modules
| |||||||||||||||
| 1796 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{22c4db36-01c6-2d7e-b8ce-3a0fa029c970}\mtkmbimv_x64.inf" "0" "6c10f6163" "00000064" "WinSta0\Default" "00000330" "208" "C:\Program Files\MediaTek\SP Driver\drv\mbim" | C:\Windows\System32\drvinst.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1852 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{4d23dfd1-4307-137a-d7d1-ba4fabcb5d6b}\mtkmbimx_x64.inf" "0" "62f7e2a13" "00000330" "WinSta0\Default" "000005D4" "208" "C:\Program Files\MediaTek\SP Driver\drv\mbim" | C:\Windows\System32\drvinst.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
22 802
Read events
22 389
Write events
410
Delete events
3
Modification events
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Driver_Auto_Installer_EXE_v5.1632.00.zip | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
52
Suspicious files
109
Text files
12
Unknown types
8
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1112 | DriverInstall.tmp | C:\Program Files\MediaTek\SP Driver\is-UCOGP.tmp | executable | |
MD5:4475269E8F6E70A19E5DA80A8AE2E841 | SHA256:A161D131C0D8906E29FC409B57A16C8DAE4D4732028541F97E5EC16CF8341C64 | |||
| 1112 | DriverInstall.tmp | C:\Program Files\MediaTek\SP Driver\Manual\is-5K99S.tmp | text | |
MD5:3E1FA562CA665BBD07120FBA098AE041 | SHA256:3CBEBCC7794B4FD76935764A7EE9DB67AEBF9DBDE3B01CC07920C0041D8C0289 | |||
| 1024 | DriverInstall.exe | C:\Users\admin\AppData\Local\Temp\is-JDUOD.tmp\DriverInstall.tmp | executable | |
MD5:832DAB307E54AA08F4B6CDD9B9720361 | SHA256:CC783A04CCBCA4EDD06564F8EC88FE5A15F1E3BB26CEC7DE5E090313520D98F3 | |||
| 3980 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3980.32353\Driver_Auto_Installer_SP_Drivers_20160804\DriverInstall.exe | executable | |
MD5:2864E74DDBEE0511DC655A73D2B96F2E | SHA256:D9F2B3469BF9FEB804C30767ECFFB9A63E21C79CD3DD1B11A1D04080B130B8C8 | |||
| 1112 | DriverInstall.tmp | C:\Program Files\MediaTek\SP Driver\unins000.exe | executable | |
MD5:4475269E8F6E70A19E5DA80A8AE2E841 | SHA256:A161D131C0D8906E29FC409B57A16C8DAE4D4732028541F97E5EC16CF8341C64 | |||
| 1112 | DriverInstall.tmp | C:\Program Files\MediaTek\SP Driver\drv\wpdmtp.inf | binary | |
MD5:4DC3CD2A09557ABCA0A072C0B6D74D40 | SHA256:C39C9DD8644262D0741969C6D69780BF4DCC1147DB8E6799D34AB687ECF15003 | |||
| 1112 | DriverInstall.tmp | C:\Program Files\MediaTek\SP Driver\drv\Android\is-VONBJ.tmp | cat | |
MD5:DB315E99AEE1A4EF3207CACF40215DC2 | SHA256:F9ADF64DCADA6D46F6947661C456C112ABBC4CF84D4D06826E866B13863675F6 | |||
| 1112 | DriverInstall.tmp | C:\Program Files\MediaTek\SP Driver\drv\is-OLTT7.tmp | binary | |
MD5:4DC3CD2A09557ABCA0A072C0B6D74D40 | SHA256:C39C9DD8644262D0741969C6D69780BF4DCC1147DB8E6799D34AB687ECF15003 | |||
| 1112 | DriverInstall.tmp | C:\Program Files\MediaTek\SP Driver\drv\Android\androidwinusba64.cat | cat | |
MD5:DB315E99AEE1A4EF3207CACF40215DC2 | SHA256:F9ADF64DCADA6D46F6947661C456C112ABBC4CF84D4D06826E866B13863675F6 | |||
| 1112 | DriverInstall.tmp | C:\Program Files\MediaTek\SP Driver\drv\tetherxp.inf | txt | |
MD5:09D8F3463500DE1A90F00766C2FC62FC | SHA256:D1FEE1B1B80C509378BA308CFACB44F5700621228480AC39461399C5063CE9EE | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |