| File name: | USB-Driver-Install-1.0.3.0 (4).zip |
| Full analysis: | https://app.any.run/tasks/fb2b7a8e-dc96-41b1-b805-ab17dfa0ba73 |
| Verdict: | Malicious activity |
| Analysis date: | June 07, 2024, 06:42:23 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5: | 9FEC2B556F540B0045464C3D42452EBD |
| SHA1: | 27841CE06A1298AB2C83797A910CD08398B9BBDB |
| SHA256: | 6246DA681FF14B27E1FA20ED56E3E19A5D38C8E59BFFCB4BB6AE00DCBD75FB59 |
| SSDEEP: | 49152:6SrLSRPAq/gg375U1WxFzR6ZqmhTdE+Fkf4swqlXtKP1VaRNEZyyjkNrlWlQ1v5A:6SaJt4g361WxFzRn6a4swqNtiazQkNrW |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3988)
- USB-Driver-Installer-1.0.3.0.exe (PID: 1112)
- USBDriverInstall.exe (PID: 308)
- drvinst.exe (PID: 728)
Creates a writable file in the system directory
- drvinst.exe (PID: 728)
SUSPICIOUS
Drops a system driver (possible attempt to evade defenses)
- WinRAR.exe (PID: 3988)
- USB-Driver-Installer-1.0.3.0.exe (PID: 1112)
- USBDriverInstall.exe (PID: 308)
- drvinst.exe (PID: 728)
The process creates files with name similar to system file names
- USB-Driver-Installer-1.0.3.0.exe (PID: 1112)
Reads the Internet Settings
- USB-Driver-Installer-1.0.3.0.exe (PID: 1112)
Reads security settings of Internet Explorer
- USB-Driver-Installer-1.0.3.0.exe (PID: 1112)
Executable content was dropped or overwritten
- USBDriverInstall.exe (PID: 308)
- USB-Driver-Installer-1.0.3.0.exe (PID: 1112)
- drvinst.exe (PID: 728)
Creates a software uninstall entry
- USB-Driver-Installer-1.0.3.0.exe (PID: 1112)
Malware-specific behavior (creating "System.dll" in Temp)
- USB-Driver-Installer-1.0.3.0.exe (PID: 1112)
Creates files in the driver directory
- drvinst.exe (PID: 728)
Checks Windows Trust Settings
- drvinst.exe (PID: 728)
Executes as Windows Service
- VSSVC.exe (PID: 1604)
Reads settings of System Certificates
- rundll32.exe (PID: 1488)
INFO
Manual execution by a user
- USB-Driver-Installer-1.0.3.0.exe (PID: 1112)
- USB-Driver-Installer-1.0.3.0.exe (PID: 1120)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3988)
Reads the computer name
- USBDriverInstall.exe (PID: 308)
- drvinst.exe (PID: 728)
- USB-Driver-Installer-1.0.3.0.exe (PID: 1112)
Reads the machine GUID from the registry
- USBDriverInstall.exe (PID: 308)
- drvinst.exe (PID: 728)
Checks supported languages
- USBDriverInstall.exe (PID: 308)
- drvinst.exe (PID: 728)
- USB-Driver-Installer-1.0.3.0.exe (PID: 1112)
Create files in a temporary directory
- USBDriverInstall.exe (PID: 308)
- USB-Driver-Installer-1.0.3.0.exe (PID: 1112)
Reads the software policy settings
- drvinst.exe (PID: 728)
- rundll32.exe (PID: 1488)
Adds/modifies Windows certificates
- drvinst.exe (PID: 728)
Reads security settings of Internet Explorer
- rundll32.exe (PID: 1488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .xpi | | | Mozilla Firefox browser extension (66.6) |
|---|---|---|
| .zip | | | ZIP compressed archive (33.3) |
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2022:07:28 16:32:26 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | USB-Driver-Install-1.0.3.0/ |
Total processes
45
Monitored processes
7
Malicious processes
4
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 308 | "C:\Users\admin\AppData\Local\Temp\USBDriverInstaller\USBDriverInstall.exe" | C:\Users\admin\AppData\Local\Temp\USBDriverInstaller\USBDriverInstall.exe | USB-Driver-Installer-1.0.3.0.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
| 728 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{1181b9c9-77f6-7c14-bb4b-440de21b4524}\mbedSerial.inf" "0" "625a73943" "0000056C" "WinSta0\Default" "000003F8" "208" "C:\Users\admin\AppData\Local\Temp\USBDriverInstaller" | C:\Windows\System32\drvinst.exe | svchost.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1112 | "C:\Users\admin\Desktop\USB-Driver-Install-1.0.3.0\USB-Driver-Installer-1.0.3.0.exe" | C:\Users\admin\Desktop\USB-Driver-Install-1.0.3.0\USB-Driver-Installer-1.0.3.0.exe | explorer.exe | ||||||||||||
User: admin Company: NIIMBOT Integrity Level: HIGH Description: Exit code: 0 Version: Modules
| |||||||||||||||
| 1120 | "C:\Users\admin\Desktop\USB-Driver-Install-1.0.3.0\USB-Driver-Installer-1.0.3.0.exe" | C:\Users\admin\Desktop\USB-Driver-Install-1.0.3.0\USB-Driver-Installer-1.0.3.0.exe | — | explorer.exe | |||||||||||
User: admin Company: NIIMBOT Integrity Level: MEDIUM Description: Exit code: 3221226540 Version: Modules
| |||||||||||||||
| 1488 | rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{62a034ef-4047-76a5-ce0a-1835d15fd03e} Global\{54c1562a-fd0b-652f-f945-b53ac6c1492e} C:\Windows\System32\DriverStore\Temp\{2bb22186-702e-2941-b1e2-d1050463402c}\mbedSerial.inf C:\Windows\System32\DriverStore\Temp\{2bb22186-702e-2941-b1e2-d1050463402c}\mbedSerial.cat | C:\Windows\System32\rundll32.exe | — | drvinst.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1604 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3988 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\USB-Driver-Install-1.0.3.0 (4).zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
Total events
19 070
Read events
18 844
Write events
219
Delete events
7
Modification events
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\USB-Driver-Install-1.0.3.0 (4).zip | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3988) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
16
Suspicious files
26
Text files
4
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3988.38252\USB-Driver-Install-1.0.3.0\USB 虚拟串口驱动安装指南.rtf | — | |
MD5:— | SHA256:— | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3988.38252\USB-Driver-Install-1.0.3.0\windows7\x64\mbedSerial_x64.sys | executable | |
MD5:5E2B119706AA83677FA57CA024E726C4 | SHA256:5E2C295DF191231454FF8E3AF07340FBC1F07BE68B2FBC7A8F0569AADDA81B31 | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3988.38252\USB-Driver-Install-1.0.3.0\windows7\x86\mbedSerial.inf | binary | |
MD5:0DB6CDFBB8194564AC74E1238D77A533 | SHA256:6A3B5F3E11040D9AE520BECA1EBE9BDAA6A7205A775CE3425566E4A4681FA538 | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3988.38252\USB-Driver-Install-1.0.3.0\windows7\x86\mbedserial.cat | cat | |
MD5:E66E3980373FAC29792824C7E03542A3 | SHA256:2FE4F5356037DB73FF8615744448EC9602BDB2A76A9110476FB6178B3CB23F03 | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3988.38252\USB-Driver-Install-1.0.3.0\USB-Driver-Installer-1.0.3.0.exe | executable | |
MD5:CCC672609A7422C957E4A2B4240D6936 | SHA256:76652781A38F0AB405E6FC5285CB62BEFCA2BC2044CC3B3CA2B7D84BE7A1C0D3 | |||
| 1112 | USB-Driver-Installer-1.0.3.0.exe | C:\Users\admin\AppData\Local\Temp\nsq9E37.tmp\LangDLL.dll | executable | |
MD5:014A3BE4A7C1CCB217916DBF4F222BD1 | SHA256:09ACFC5EE34A1DFA1AF3A9D34F00C3B1327B56641FEEBD536E13752349C08AC8 | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3988.38252\USB-Driver-Install-1.0.3.0\windows7\x64\mbedSerial_x64.inf | binary | |
MD5:0F7034E7A9F62083048D18CF5EF58960 | SHA256:D7D12DDC9DFFDCA3C01C79AB58713538C3668E2817A84B7B5A25E5F65DA04567 | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3988.38252\USB-Driver-Install-1.0.3.0\USB Virtual serial port driver Installation Guide.rtf | text | |
MD5:2C13816C5E1A37671BFE12B8882135C1 | SHA256:0DCB1E86C1C32CDAD3BF72FC14DE7663FE2D4EB1F8AE15767CA83B51B45A434B | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3988.38252\USB-Driver-Install-1.0.3.0\windows7\x64\mbedserial_x64.cat | cat | |
MD5:1525D4532C09304159B7B59E6E24434A | SHA256:9152AC1BC599CCF53F94F2FC6E3DECA77FF406D261FD9F49C25CA683A9CB5CC3 | |||
| 3988 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3988.38252\USB-Driver-Install-1.0.3.0\windows7\usbinstall.bat | text | |
MD5:7AE6B9AA2D5A02781BC3C71D78E9EE40 | SHA256:92DA1D54CEB0191801DB1D1D71FBE19DE3BF4FC256A3A9A8CA824E8DCF6DF700 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |