Field | Value
---|---
File name | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe
Full analysis | https://app.any.run/tasks/addb1107-1f7b-4c8c-8ab2-57942b9a88a8
Verdict | Malicious activity
Analysis date | October 04, 2022, 21:50:46
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MIME | application/x-dosexec
File info | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 | A590A3B8EB80EFD0B8CE98BFE1F6F465
SHA1 | A1DB5703428E8BC6ECF3F0E425DB647375561F22
SHA256 | ED3E434362045111E48B9D30C9CB1DD21F58DC625B4CD862CF483ECC5A61DF33
SSDEEP | 196608:TRAwoqFBMTns8HJAiQqGkr3DRnDSuTJ6ZMW9j:TRAfA0ZJr53ZSuk
Extension | Detected type | Score
---|---|---
.exe | Win32 Executable MS Visual C++ (generic) | 67.4
.dll | Win32 Dynamic Link Library (generic) | 14.2
.exe | Win32 Executable (generic) | 9.7
.exe | Generic Win/DOS Executable | 4.3
.exe | DOS Executable Generic | 4.3
Field | Value
---|---
Architecture | IMAGE_FILE_MACHINE_I386
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date | 2021-Sep-25 21:56:47
Detected languages | —
DOS header field | Value
---|---
e_magic | MZ
e_cblp | 144
e_cp | 3
e_crlc | -
e_cparhdr | 4
e_minalloc | -
e_maxalloc | 65535
e_ss | -
e_sp | 184
e_csum | -
e_ip | -
e_cs | -
e_ovno | -
e_oemid | -
e_oeminfo | -
e_lfanew | 216
PE header field | Value
---|---
Signature | PE
Machine | IMAGE_FILE_MACHINE_I386
NumberOfSections | 5
TimeDateStamp | 2021-Sep-25 21:56:47
PointerToSymbolTable | -
NumberOfSymbols | -
SizeOfOptionalHeader | 224
Characteristics | —
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 26230 | 26624 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.41746 |
.rdata | 32768 | 5018 | 5120 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.14107 |
.data | 40960 | 131960 | 1536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.11058 |
.ndata | 176128 | 73728 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.rsrc | 249856 | 156720 | 157184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.97681 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.26647 | 67624 | UNKNOWN | English - United States | RT_ICON |
2 | 2.62561 | 38056 | UNKNOWN | English - United States | RT_ICON |
3 | 3.61635 | 16936 | UNKNOWN | English - United States | RT_ICON |
4 | 3.35698 | 9640 | UNKNOWN | English - United States | RT_ICON |
5 | 3.21738 | 4264 | UNKNOWN | English - United States | RT_ICON |
6 | 3.8607 | 2440 | UNKNOWN | English - United States | RT_ICON |
7 | 4.69763 | 1128 | UNKNOWN | English - United States | RT_ICON |
103 | 2.56193 | 288 | UNKNOWN | English - United States | RT_DIALOG |
105 | 2.67385 | 512 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.91148 | 248 | UNKNOWN | English - United States | RT_DIALOG |
Imports |
---|
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | Command line | Path | Indicators | Parent process | User | Integrity level | Exit code | Company | Description | Version
---|---|---|---|---|---|---|---|---|---|---
3428 | "C:\Users\admin\AppData\Local\Temp\DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe" | C:\Users\admin\AppData\Local\Temp\DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | — | Explorer.EXE | admin | MEDIUM | 3221226540 | — | — | —
1156 | "C:\Users\admin\AppData\Local\Temp\DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe" | C:\Users\admin\AppData\Local\Temp\DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | — | Explorer.EXE | admin | HIGH | 0 | — | — | —
2956 | C:\Windows\system32\cmd.exe /c ""C:\Program Files\DriverPack\start.bat" "DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe"" | C:\Windows\system32\cmd.exe | — | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | admin | HIGH | 0 | Microsoft Corporation | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3364 | "C:\Windows\System32\mshta.exe" "C:\Program Files\DriverPack\run.hta" --sfx "DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe" | C:\Windows\System32\mshta.exe | — | cmd.exe | admin | HIGH | — | Microsoft Corporation | Microsoft (R) HTML Application host | 11.00.9600.16428 (winblue_gdr.131013-1700)
1260 | "C:\Windows\System32\cmd.exe" /C powershell -NonInteractive -NoLogo -NoProfile -ExecutionPolicy Bypass "Get-Content 'C:\Users\admin\AppData\Roaming\DRPSu\temp\ps.l8uqjtrt.smwkl.cmd.txt' -Wait \| Invoke-Expression" > "C:\Users\admin\AppData\Roaming\DRPSu\temp\ps.l8uqjtrt.smwkl.stdout.log" 2> "C:\Users\admin\AppData\Roaming\DRPSu\temp\ps.l8uqjtrt.smwkl.stderr.log" | C:\Windows\System32\cmd.exe | — | mshta.exe | admin | HIGH | — | Microsoft Corporation | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3720 | powershell -NonInteractive -NoLogo -NoProfile -ExecutionPolicy Bypass "Get-Content 'C:\Users\admin\AppData\Roaming\DRPSu\temp\ps.l8uqjtrt.smwkl.cmd.txt' -Wait \| Invoke-Expression" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | admin | HIGH | — | Microsoft Corporation | Windows PowerShell | 10.0.14409.1005 (rs1_srvoob.161208-1155)
1784 | "C:\Windows\System32\cmd.exe" /c "netsh advfirewall firewall delete rule name="DriverPack aria2c.exe" \|\| echo Done & call echo Done %^errorLevel% > "C:\Users\admin\AppData\Roaming\DRPSu\temp\run_command_94681.txt"" | C:\Windows\System32\cmd.exe | — | mshta.exe | admin | HIGH | 0 | Microsoft Corporation | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
272 | rundll32 kernel32,Sleep | C:\Windows\System32\rundll32.exe | — | mshta.exe | admin | HIGH | 0 | Microsoft Corporation | Windows host process (Rundll32) | 6.1.7600.16385 (win7_rtm.090713-1255)
3340 | netsh advfirewall firewall delete rule name="DriverPack aria2c.exe" | C:\Windows\system32\netsh.exe | — | cmd.exe | admin | HIGH | 1 | Microsoft Corporation | Network Command Shell | 6.1.7600.16385 (win7_rtm.090713-1255)
984 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\mxcdmzss.cmdline" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | — | powershell.exe | admin | HIGH | 0 | Microsoft Corporation | Visual C# Command Line Compiler | 4.0.30319.34209 built by: FX452RTMGDR
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
1156 | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\drp.su\update | http | 1
1156 | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\drp.su\update | https | 1
1156 | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | GlobalUserOffline | 0
1156 | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack | DisplayName | DriverPack
1156 | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack | DisplayVersion | 17.11
1156 | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack | DisplayIcon | "C:\Program Files\DriverPack\Tools\Icon.ico"
1156 | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack | UninstallString | "C:\Program Files\DriverPack\Uninstall.exe"
1156 | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack | Publisher | DriverPack
1156 | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack | NoModify | 1
1156 | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack | NoRepair | 1
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1156 | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | C:\Program Files\DriverPack\drp.css | text | 5FDAF0FD106200153F8243EBB8BC6B18 | 439BFD8BF9F9176C1757BA277850525F0ABEC59BB3EF7CD8A974A5AD1D2B3004
1156 | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | C:\Users\admin\AppData\Local\Temp\nszBA79.tmp\modern-wizard.bmp | image | 2ADD351A8600764028D38F3A1B0D34F8 | 65844F7B35D63C3F805324FCA880831BA7086B6BBEA00CE1E29C38D46B67F7E5
1156 | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | C:\Program Files\DriverPack\start.bat | text | F66F13D4770EB90E6D81222FE3525A3F | 88EBE6FC9F45E734243DD674A3CDD9222BE692BDE089D0BC06726DD32156B892
1156 | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | C:\Program Files\DriverPack\css\icons-checkbox.css | text | 3BE98220035017D9B818F3CC94F87587 | CB134DCB95A407795C671A512C389894D3525FBA3F6A2168FC5B9B7E875E78DC
1156 | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | C:\Program Files\DriverPack\Tools\load8.gif | image | 8A061EF740FA2801AB4BF78CB123D9BE | EE0CC89EF293B559B64FCB35B469DCB144180FF048B0B6EB14F326847A544903
1156 | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | C:\Users\admin\AppData\Local\Temp\nszBA79.tmp\InstallOptions.dll | executable | ECE25721125D55AA26CDFE019C871476 | C7FEF6457989D97FECC0616A69947927DA9D8C493F7905DC8475C748F044F3CF
1156 | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | C:\Program Files\DriverPack\config.js | text | 31009D2EFB710925BF7F308AF59C629B | 18F86EF3FAD86C97D56274E5577B178A77F40587A80451A971013248E37190A6
1156 | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | C:\Program Files\DriverPack\DriverPackSolution.html | html | 203AC1542D8E93EDBBC80F7B59DB5C44 | 8892E63141854BCF4BB1452ABEF68DD2C348C59322D697EF11A7AB7C5E3C4AEA
1156 | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | C:\Program Files\DriverPack\Tools\Icon.ico | image | CBD76182149BBA7EB76EC535DA43DB7F | 8707AE608F38AFD9ADE700BBDCA79344A4F50EAFC9EA3592B1E9FD6B616A6314
1156 | DriverPack-17-Online_1760402736.1664902656__p0ral00y94b3gbu.exe | C:\Program Files\DriverPack\run.hta | html | 6BCAB16CD99663B1093D10F827CA0323 | 02BD627D6825599ED039F053FECBE7F15000B5D5071E9B6BAAB488BEFA4F02DD
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3364 | mshta.exe | GET | 301 | 188.114.97.3:80 | http://allfont.ru/allfont.css?fonts=lucida-console | US | — | — | whitelisted |
3364 | mshta.exe | GET | 301 | 188.114.97.3:80 | http://allfont.ru/cache/css/lucida-console.css | US | — | — | whitelisted |
3364 | mshta.exe | GET | 200 | 2.16.107.114:80 | http://e1.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTvkAFw3ViPKmUeIVEf3NC7b1ErqwQUWvPtK%2Fw2wjd5uVIw6lRvz1XLLqwCEgTfAZP0%2B0D1blFnYCV3UIVwNA%3D%3D | unknown | der | 346 b | whitelisted |
3364 | mshta.exe | GET | 200 | 82.145.55.146:80 | http://update.drp.su/ | GB | html | 141 b | malicious |
3364 | mshta.exe | GET | 200 | 8.253.95.249:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?413e39a5b4a3c95f | US | compressed | 60.9 Kb | whitelisted |
3364 | mshta.exe | GET | 200 | 8.253.95.249:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4771109c9b66a9fa | US | compressed | 4.70 Kb | whitelisted |
3364 | mshta.exe | GET | 200 | 104.18.21.226:80 | http://ocsp2.globalsign.com/rootr5/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQiD0S5cIHyfrLTJ1fvAkJWflH%2B2QQUPeYpSJvqB8ohREom3m7e0oPQn1kCDQHuXyKVQkkF%2BQGRqNw%3D | US | der | 1.26 Kb | whitelisted |
3364 | mshta.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/rootr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHUeP1PjGFkz6V8I7O6tApc%3D | US | der | 1.41 Kb | whitelisted |
3364 | mshta.exe | GET | 200 | 142.250.187.110:80 | http://www.google-analytics.com/collect?v=1&ds=hta&tid=UA-68879973-23&cid=1760402736.1664902656&t=event&ec=driverpack%20online&ea=yandex%20patcher%20browser%20not%20detected&el=17.11.108%20online&ul=&z=2530251373215409&sc=start&cd1=1760402736.1664902656&cd2=17.11.108%20Online&cd3=7%20x86&cd4=SP%201&cd5=Windows%207%20Professional%20&cd6=(not%20set) | US | image | 35 b | whitelisted |
3364 | mshta.exe | GET | 200 | 23.45.105.185:80 | http://x1.c.lencr.org/ | NL | der | 717 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3364 | mshta.exe | 188.114.97.3:80 | allfont.ru | CLOUDFLARENET | NL | malicious |
3364 | mshta.exe | 8.253.95.249:80 | ctldl.windowsupdate.com | LEVEL3 | US | suspicious |
3364 | mshta.exe | 2.16.107.114:80 | e1.o.lencr.org | Akamai International B.V. | DE | suspicious |
3364 | mshta.exe | 23.45.105.185:80 | x1.c.lencr.org | AKAMAI-AS | DE | unknown |
3364 | mshta.exe | 178.162.204.5:80 | auth.drp.su | Leaseweb Deutschland GmbH | DE | suspicious |
3364 | mshta.exe | 188.114.97.3:443 | allfont.ru | CLOUDFLARENET | NL | malicious |
3364 | mshta.exe | 82.145.55.146:80 | update.drp.su | Iomart Cloud Services Limited | GB | malicious |
3364 | mshta.exe | 104.18.21.226:80 | ocsp.globalsign.com | CLOUDFLARENET | — | shared |
3364 | mshta.exe | 77.88.21.119:443 | mc.yandex.ru | YANDEX LLC | RU | whitelisted |
3364 | mshta.exe | 142.250.187.110:80 | www.google-analytics.com | GOOGLE | US | whitelisted |
Domain | IP | Reputation
---|---|---
allfont.ru | — | whitelisted
ctldl.windowsupdate.com | — | whitelisted
x1.c.lencr.org | — | whitelisted
x2.c.lencr.org | — | whitelisted
e1.o.lencr.org | — | whitelisted
auth.drp.su | — | suspicious
mc.yandex.ru | — | whitelisted
update.drp.su | — | malicious
www.google-analytics.com | — | whitelisted
ocsp.globalsign.com | — | whitelisted
PID | Process | Class | Message |
---|---|---|---|
— | — | A Network Trojan was detected | ET MALWARE Observed DNS Query to DriverPack Domain ( .drp .su) |
— | — | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
— | — | Potentially Bad Traffic | ET MALWARE DriverPack Domain in DNS Query |
— | — | A Network Trojan was detected | ET MALWARE Observed DNS Query to DriverPack Domain ( .drp .su) |
— | — | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
— | — | Potentially Bad Traffic | ET MALWARE DriverPack Domain in DNS Query |
3364 | mshta.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
3364 | mshta.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
3364 | mshta.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
— | — | A Network Trojan was detected | ET MALWARE Observed DNS Query to DriverPack Domain ( .drp .su) |