download: | DriverPack-17-Online.exe |
Full analysis: | https://app.any.run/tasks/b051e25f-cfab-46db-9512-b7379585e47f |
Verdict: | Malicious activity |
Analysis date: | October 04, 2022, 22:20:33 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | A590A3B8EB80EFD0B8CE98BFE1F6F465 |
SHA1: | A1DB5703428E8BC6ECF3F0E425DB647375561F22 |
SHA256: | ED3E434362045111E48B9D30C9CB1DD21F58DC625B4CD862CF483ECC5A61DF33 |
SSDEEP: | 196608:TRAwoqFBMTns8HJAiQqGkr3DRnDSuTJ6ZMW9j:TRAfA0ZJr53ZSuk |
Extension | File type | Match (%) |
---|---|---|
.exe | Win32 Executable MS Visual C++ (generic) | 67.4 |
.dll | Win32 Dynamic Link Library (generic) | 14.2 |
.exe | Win32 Executable (generic) | 9.7 |
.exe | Generic Win/DOS Executable | 4.3 |
.exe | DOS Executable Generic | 4.3 |
Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2021-Sep-25 21:56:47 |
Detected languages | |
DOS header field | Value |
---|---|
e_magic | MZ |
e_cblp | 144 |
e_cp | 3 |
e_crlc | - |
e_cparhdr | 4 |
e_minalloc | - |
e_maxalloc | 65535 |
e_ss | - |
e_sp | 184 |
e_csum | - |
e_ip | - |
e_cs | - |
e_ovno | - |
e_oemid | - |
e_oeminfo | - |
e_lfanew | 216 |
PE file header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
NumberOfSections | 5 |
TimeDateStamp | 2021-Sep-25 21:56:47 |
PointerToSymbolTable | - |
NumberOfSymbols | - |
SizeOfOptionalHeader | 224 |
Characteristics | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 26230 | 26624 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.41746 |
.rdata | 32768 | 5018 | 5120 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.14107 |
.data | 40960 | 131960 | 1536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.11058 |
.ndata | 176128 | 73728 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.rsrc | 249856 | 156720 | 157184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.97681 |
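As an added example (not part of the ANY.RUN report), a small parser that walks the DOS header, PE signature, COFF file header, optional header and section table in the same order the dumps above present them, and computes the per-section entropy that the Entropy column shows. Because the sample itself is not on this page, build_sample_pe() constructs an image from the header values listed above (e_lfanew 216, five sections with the listed addresses, sizes and flags, compile timestamp 2021-Sep-25 21:56:47 UTC); the section bodies are filler, and e_lfarlc and the COFF Characteristics are assumed because the report leaves them blank, so the entropy values and those two fields will not match the original file.

```python
import math
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
PE32_MAGIC = 0x010B


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, the measure used by the report's Entropy column (0.0 for empty data)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def build_sample_pe() -> bytes:
    """Constructed PE image using the header values from the report above. Section bodies are filler;
    e_lfarlc (64) and COFF Characteristics (0x0102) are assumed because the report does not list them."""
    sections = [  # name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics (section table above)
        (b".text",  0x1000,  26230,  26624,  0x60000020),  # CODE | EXECUTE | READ
        (b".rdata", 0x8000,  5018,   5120,   0x40000040),  # INITIALIZED_DATA | READ
        (b".data",  0xA000,  131960, 1536,   0xC0000040),  # INITIALIZED_DATA | READ | WRITE
        (b".ndata", 0x2B000, 73728,  0,      0xC0000080),  # UNINITIALIZED_DATA | READ | WRITE (NSIS heap)
        (b".rsrc",  0x3D000, 156720, 157184, 0x40000040),  # INITIALIZED_DATA | READ
    ]
    ts = int(datetime(2021, 9, 25, 21, 56, 47, tzinfo=timezone.utc).timestamp())
    img = bytearray(struct.pack("<2s13H8sHH20sI", b"MZ", 144, 3, 0, 4, 0, 65535, 0, 184, 0, 0, 0, 64, 0,
                                bytes(8), 0, 0, bytes(20), 216))
    img += bytes(216 - len(img))                        # DOS stub padding up to e_lfanew
    img += b"PE\0\0" + struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections), ts, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                # PE32 optional header; only the fields parsed below are set
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, 1024)               # SizeOfHeaders
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_WINDOWS_GUI)
    img += opt
    raw_ptr, bodies = 1024, bytearray()
    for name, va, vsize, raw_size, chars in sections:
        ptr = raw_ptr if raw_size else 0                # sections with no file bytes carry PointerToRawData 0
        img += struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, ptr, 0, 0, 0, 0, chars)
        bodies += bytes((i * 37) & 0xFF for i in range(raw_size))  # filler, not the real section contents
        raw_ptr += raw_size
    img += bytes(1024 - len(img)) + bodies
    return bytes(img)


def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF file header -> optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 60)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, tstamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    subsystem = struct.unpack_from("<H", image, opt + 68)[0]   # Subsystem lives at offset 68 of a PE32 optional header
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        body = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size, "characteristics": sc,
            "entropy": shannon_entropy(body),
            # VirtualSize > 0 with SizeOfRawData == 0 is uninitialised data (NSIS .ndata), not a packed payload
            "no_raw_data": raw_size == 0 and bool(sc & IMAGE_SCN_CNT_UNINITIALIZED_DATA),
        })
    return {"e_lfanew": e_lfanew, "machine": machine, "number_of_sections": nsec,
            "timestamp": datetime.fromtimestamp(tstamp, tz=timezone.utc), "characteristics": chars,
            "optional_magic": magic, "subsystem": subsystem, "sections": sections}


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"e_lfanew={info['e_lfanew']} machine={info['machine']:#06x} sections={info['number_of_sections']} "
          f"built={info['timestamp']:%Y-%b-%d %H:%M:%S} subsystem={info['subsystem']}")
    for s in info["sections"]:
        print(f"{s['name']:<7} va={s['virtual_address']:#08x} vsize={s['virtual_size']:>7} "
              f"raw={s['raw_size']:>7} entropy={s['entropy']:.5f}{'  (no raw data)' if s['no_raw_data'] else ''}")
```

The .ndata section is the NSIS runtime heap: VirtualSize 73728 with SizeOfRawData 0 and IMAGE_SCN_CNT_UNINITIALIZED_DATA, which is why the report leaves its Entropy cell empty. A triage script that treats every large section with no raw bytes as a packer stub will misfire on every NSIS installer, so the parser records the condition separately instead of folding it into the entropy value.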
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.26647 | 67624 | UNKNOWN | English - United States | RT_ICON |
2 | 2.62561 | 38056 | UNKNOWN | English - United States | RT_ICON |
3 | 3.61635 | 16936 | UNKNOWN | English - United States | RT_ICON |
4 | 3.35698 | 9640 | UNKNOWN | English - United States | RT_ICON |
5 | 3.21738 | 4264 | UNKNOWN | English - United States | RT_ICON |
6 | 3.8607 | 2440 | UNKNOWN | English - United States | RT_ICON |
7 | 4.69763 | 1128 | UNKNOWN | English - United States | RT_ICON |
103 | 2.56193 | 288 | UNKNOWN | English - United States | RT_DIALOG |
105 | 2.67385 | 512 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.91148 | 248 | UNKNOWN | English - United States | RT_DIALOG |
Imported DLL |
---|
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | Parent process | Command line | Path | User | Integrity level | Exit code | Description, company, version |
---|---|---|---|---|---|---|---|
3336 | Explorer.EXE | "C:\Users\admin\AppData\Local\Temp\DriverPack-17-Online.exe" | C:\Users\admin\AppData\Local\Temp\DriverPack-17-Online.exe | admin | MEDIUM | 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) | |
2028 | Explorer.EXE | "C:\Users\admin\AppData\Local\Temp\DriverPack-17-Online.exe" | C:\Users\admin\AppData\Local\Temp\DriverPack-17-Online.exe | admin | HIGH | 0 | |
2392 | DriverPack-17-Online.exe | C:\Windows\system32\cmd.exe /c ""C:\Program Files\DriverPack\start.bat" "DriverPack-17-Online.exe"" | C:\Windows\system32\cmd.exe | admin | HIGH | 0 | Windows Command Processor, Microsoft Corporation, 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2560 | cmd.exe | "C:\Windows\System32\mshta.exe" "C:\Program Files\DriverPack\run.hta" --sfx "DriverPack-17-Online.exe" | C:\Windows\System32\mshta.exe | admin | HIGH | | Microsoft (R) HTML Application host, Microsoft Corporation, 11.00.9600.16428 (winblue_gdr.131013-1700) |
1308 | mshta.exe | "C:\Windows\System32\cmd.exe" /C powershell -NonInteractive -NoLogo -NoProfile -ExecutionPolicy Bypass "Get-Content 'C:\Users\admin\AppData\Roaming\DRPSu\temp\ps.l8urmaeg.u40fy.cmd.txt' -Wait \| Invoke-Expression" > "C:\Users\admin\AppData\Roaming\DRPSu\temp\ps.l8urmaeg.u40fy.stdout.log" 2> "C:\Users\admin\AppData\Roaming\DRPSu\temp\ps.l8urmaeg.u40fy.stderr.log" | C:\Windows\System32\cmd.exe | admin | HIGH | | Windows Command Processor, Microsoft Corporation, 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
308 | cmd.exe | powershell -NonInteractive -NoLogo -NoProfile -ExecutionPolicy Bypass "Get-Content 'C:\Users\admin\AppData\Roaming\DRPSu\temp\ps.l8urmaeg.u40fy.cmd.txt' -Wait \| Invoke-Expression" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | admin | HIGH | | Windows PowerShell, Microsoft Corporation, 10.0.14409.1005 (rs1_srvoob.161208-1155) |
468 | mshta.exe | rundll32 kernel32,Sleep | C:\Windows\System32\rundll32.exe | admin | HIGH | 0 | Windows host process (Rundll32), Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255) |
2888 | powershell.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\eyaihmn4.cmdline" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | admin | HIGH | 0 | Visual C# Command Line Compiler, Microsoft Corporation, 4.0.30319.34209 built by: FX452RTMGDR |
3152 | csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES5DEF.tmp" "c:\Users\admin\AppData\Local\Temp\CSC5BC65D8FC95343B6B0ADEE92A75B917.TMP" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | admin | HIGH | 0 | Microsoft® Resource File To COFF Object Conversion Utility, Microsoft Corporation, 12.00.51209.34209 built by: FX452RTMGDR |
700 | mshta.exe | "C:\Windows\System32\cmd.exe" /c "netsh advfirewall firewall delete rule name="DriverPack aria2c.exe" \|\| echo Done & call echo Done %^errorLevel% > "C:\Users\admin\AppData\Roaming\DRPSu\temp\run_command_61357.txt"" | C:\Windows\System32\cmd.exe | admin | HIGH | 0 | Windows Command Processor, Microsoft Corporation, 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
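As an added example (not part of the ANY.RUN report), the detection logic a SOC would apply to the process tree above, run over records constructed from that table: the HTA host (mshta.exe) spawning cmd.exe, rundll32.exe and PowerShell; PowerShell started with -ExecutionPolicy Bypass and a Get-Content ... -Wait | Invoke-Expression loop that executes whatever is appended to a text file; csc.exe under powershell.exe (inline C# compilation, the footprint Add-Type leaves); and the netsh advfirewall rule deletion. The Proc record type and the rule names are this example's own; the command lines and parent names are copied from the report.

```python
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    parent: str    # parent image name, as the report's "Parent process" column lists it
    image: str
    cmdline: str


# Constructed from the process tree in the report above (image names only; one row per PID).
SAMPLE = [
    Proc(2028, "Explorer.EXE", "DriverPack-17-Online.exe", r'"C:\Users\admin\AppData\Local\Temp\DriverPack-17-Online.exe"'),
    Proc(2392, "DriverPack-17-Online.exe", "cmd.exe", r'''C:\Windows\system32\cmd.exe /c ""C:\Program Files\DriverPack\start.bat" "DriverPack-17-Online.exe""'''),
    Proc(2560, "cmd.exe", "mshta.exe", r'"C:\Windows\System32\mshta.exe" "C:\Program Files\DriverPack\run.hta" --sfx "DriverPack-17-Online.exe"'),
    Proc(1308, "mshta.exe", "cmd.exe", r'''"C:\Windows\System32\cmd.exe" /C powershell -NonInteractive -NoLogo -NoProfile -ExecutionPolicy Bypass "Get-Content 'C:\Users\admin\AppData\Roaming\DRPSu\temp\ps.l8urmaeg.u40fy.cmd.txt' -Wait | Invoke-Expression" > "C:\Users\admin\AppData\Roaming\DRPSu\temp\ps.l8urmaeg.u40fy.stdout.log" 2> "C:\Users\admin\AppData\Roaming\DRPSu\temp\ps.l8urmaeg.u40fy.stderr.log"'''),
    Proc(308, "cmd.exe", "powershell.exe", r'''powershell -NonInteractive -NoLogo -NoProfile -ExecutionPolicy Bypass "Get-Content 'C:\Users\admin\AppData\Roaming\DRPSu\temp\ps.l8urmaeg.u40fy.cmd.txt' -Wait | Invoke-Expression"'''),
    Proc(468, "mshta.exe", "rundll32.exe", "rundll32 kernel32,Sleep"),
    Proc(2888, "powershell.exe", "csc.exe", r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\eyaihmn4.cmdline"'),
    Proc(3152, "csc.exe", "cvtres.exe", r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES5DEF.tmp" "c:\Users\admin\AppData\Local\Temp\CSC5BC65D8FC95343B6B0ADEE92A75B917.TMP"'),
    Proc(700, "mshta.exe", "cmd.exe", r'''"C:\Windows\System32\cmd.exe" /c "netsh advfirewall firewall delete rule name="DriverPack aria2c.exe" || echo Done & call echo Done %^errorLevel% > "C:\Users\admin\AppData\Roaming\DRPSu\temp\run_command_61357.txt""'''),
]

# Script hosts and shells that a script engine has no business launching in a normal installer.
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}


def evaluate(p: Proc) -> list:
    """Return the names of the rules one process record trips, in rule order."""
    hits = []
    img, parent, cl = p.image.lower(), p.parent.lower(), p.cmdline
    if img == "mshta.exe" and re.search(r"\.hta\b", cl, re.I):
        hits.append("mshta_runs_hta")
    if parent == "mshta.exe" and img in SHELLS:
        hits.append("hta_host_spawns_shell")
    # ExecutionPolicy Bypass together with Invoke-Expression/iex: the policy is being sidestepped to eval text.
    if re.search(r"-ExecutionPolicy\s+Bypass", cl, re.I) and re.search(r"\bInvoke-Expression\b|\biex\b", cl, re.I):
        hits.append("powershell_bypass_iex")
    # Get-Content -Wait tails a file forever and pipes every appended line into IEX: a command channel on disk.
    if re.search(r"Get-Content\s+'[^']+'\s+-Wait\s*\|\s*Invoke-Expression", cl, re.I):
        hits.append("file_streamed_to_iex")
    if img == "csc.exe" and parent == "powershell.exe":
        hits.append("powershell_inline_compile")
    if re.search(r"netsh\s+advfirewall\s+firewall\s+delete\s+rule", cl, re.I):
        hits.append("firewall_rule_deleted")
    if img == "rundll32.exe" and re.search(r"kernel32\s*,\s*Sleep\b", cl, re.I):
        hits.append("rundll32_sleep")
    return hits


def scan(procs) -> dict:
    """Map each flagged PID to its rule hits; processes with no hits are left out."""
    return {p.pid: hits for p in procs if (hits := evaluate(p))}


if __name__ == "__main__":
    for pid, hits in scan(SAMPLE).items():
        print(f"{pid:>5}  {', '.join(hits)}")
```

PIDs 2028, 2392 and 3152 produce no hits: the rules key on behaviour (who launched what, and with which switches) rather than on the DriverPack name, so the same evaluate() runs unchanged over Sysmon event 1 or Windows 4688 command lines from any host.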
PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
2028 | DriverPack-17-Online.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\drp.su\update | http | 1 |
2028 | DriverPack-17-Online.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\drp.su\update | https | 1 |
2028 | DriverPack-17-Online.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | GlobalUserOffline | 0 |
2028 | DriverPack-17-Online.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack | DisplayName | DriverPack |
2028 | DriverPack-17-Online.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack | DisplayVersion | 17.11 |
2028 | DriverPack-17-Online.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack | DisplayIcon | "C:\Program Files\DriverPack\Tools\Icon.ico" |
2028 | DriverPack-17-Online.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack | UninstallString | "C:\Program Files\DriverPack\Uninstall.exe" |
2028 | DriverPack-17-Online.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack | Publisher | DriverPack |
2028 | DriverPack-17-Online.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack | NoModify | 1 |
2028 | DriverPack-17-Online.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack | NoRepair | 1 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2028 | DriverPack-17-Online.exe | C:\Program Files\DriverPack\DriverPackSolution.html | html | 203AC1542D8E93EDBBC80F7B59DB5C44 | 8892E63141854BCF4BB1452ABEF68DD2C348C59322D697EF11A7AB7C5E3C4AEA |
2028 | DriverPack-17-Online.exe | C:\Program Files\DriverPack\Tools\modules\bugreport.hta | html | 69013B5F2C85EF14D5AF5B0598796A16 | A9B7A43232D0B48DC2F75269DCA5898F4149B81634C461C279A81AC725879E2E |
2028 | DriverPack-17-Online.exe | C:\Program Files\DriverPack\Tools\load8.gif | image | 8A061EF740FA2801AB4BF78CB123D9BE | EE0CC89EF293B559B64FCB35B469DCB144180FF048B0B6EB14F326847A544903 |
2028 | DriverPack-17-Online.exe | C:\Program Files\DriverPack\Tools\driverpack-wget.exe | executable | BD126A7B59D5D1F97BA89A3E71425731 | A48AD33695A44DE887BBA8F2F3174FD8FB01A46A19E3EC9078B0118647CCF599 |
2028 | DriverPack-17-Online.exe | C:\Program Files\DriverPack\css\custom-control.css | text | F7F8703ADA2176DC144343A2C2ACB1CD | 7D7853E95258A7A3F8EAF41795F7124E7D2DACDEB5F1EFE212B3FF7ED0DA9E50 |
2028 | DriverPack-17-Online.exe | C:\Program Files\DriverPack\css\ie7.css | text | 2DBDB8116515F8458F9750F63C074FA7 | 2FFFEDDB2D1C6CEE5CC956965B7047B0C2888F48CBA13A4FCB070417F1D4899D |
2028 | DriverPack-17-Online.exe | C:\Program Files\DriverPack\Tools\Icon.ico | image | CBD76182149BBA7EB76EC535DA43DB7F | 8707AE608F38AFD9ADE700BBDCA79344A4F50EAFC9EA3592B1E9FD6B616A6314 |
2028 | DriverPack-17-Online.exe | C:\Program Files\DriverPack\Tools\run.hta | html | 66E315709C21E476C5511BD8325DF9F7 | 5B5582C940D24BD040CABD1D0D1C21249899546E0D3278692200ED65C3201EBF |
2028 | DriverPack-17-Online.exe | C:\Users\admin\AppData\Local\Temp\nsiEC3C.tmp\modern-wizard.bmp | image | 2ADD351A8600764028D38F3A1B0D34F8 | 65844F7B35D63C3F805324FCA880831BA7086B6BBEA00CE1E29C38D46B67F7E5 |
2028 | DriverPack-17-Online.exe | C:\Program Files\DriverPack\css\icons-checkbox.css | text | 3BE98220035017D9B818F3CC94F87587 | CB134DCB95A407795C671A512C389894D3525FBA3F6A2168FC5B9B7E875E78DC |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2560 | mshta.exe | GET | 301 | 188.114.97.3:80 | http://allfont.ru/cache/css/lucida-console.css | US | — | — | whitelisted |
2560 | mshta.exe | GET | 301 | 188.114.97.3:80 | http://allfont.ru/allfont.css?fonts=lucida-console | US | — | — | whitelisted |
2560 | mshta.exe | GET | 200 | 2.22.117.227:80 | http://e1.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTvkAFw3ViPKmUeIVEf3NC7b1ErqwQUWvPtK%2Fw2wjd5uVIw6lRvz1XLLqwCEgTfAZP0%2B0D1blFnYCV3UIVwNA%3D%3D | GB | der | 346 b | whitelisted |
2560 | mshta.exe | GET | 200 | 23.216.77.69:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9a576261f19502c4 | US | compressed | 60.9 Kb | whitelisted |
2560 | mshta.exe | GET | 200 | 23.216.77.69:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3ce451c255eea243 | US | compressed | 4.70 Kb | whitelisted |
2560 | mshta.exe | GET | 200 | 37.9.8.75:80 | http://update.drp.su/ | RU | html | 141 b | malicious |
2560 | mshta.exe | GET | 200 | 104.125.75.233:80 | http://x2.c.lencr.org/ | NL | der | 300 b | whitelisted |
2560 | mshta.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/gseccovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSTMjK03nNiYoQYvu4Izyfn9OJNdAQUWHuOdSr%2BYYCqkEABrtboB0ZuP0gCDDr6WyPB2UqgqvyNjw%3D%3D | US | der | 938 b | whitelisted |
2560 | mshta.exe | GET | 200 | 104.18.20.226:80 | http://ocsp2.globalsign.com/rootr5/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQiD0S5cIHyfrLTJ1fvAkJWflH%2B2QQUPeYpSJvqB8ohREom3m7e0oPQn1kCDQHuXyKVQkkF%2BQGRqNw%3D | US | der | 1.26 Kb | whitelisted |
2560 | mshta.exe | GET | 200 | 172.217.18.14:80 | http://www.google-analytics.com/collect?v=1&ds=hta&tid=UA-68879973-26&cid=671090449.7270461486&t=event&ec=driverpack%20online&ea=yandex%20patcher%20browser%20not%20detected&el=17.11.108%20online&ul=&z=3423150966845401&sc=start&cd1=671090449.7270461486&cd2=17.11.108%20Online&cd3=7%20x86&cd4=SP%201&cd5=Windows%207%20Professional%20&cd6=(not%20set) | US | image | 35 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2560 | mshta.exe | 188.114.97.3:80 | allfont.ru | CLOUDFLARENET | NL | malicious |
2560 | mshta.exe | 188.114.97.3:443 | allfont.ru | CLOUDFLARENET | NL | malicious |
2560 | mshta.exe | 23.216.77.69:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | suspicious |
2560 | mshta.exe | 104.18.21.226:80 | ocsp.globalsign.com | CLOUDFLARENET | — | shared |
2560 | mshta.exe | 87.250.250.119:443 | mc.yandex.ru | YANDEX LLC | RU | whitelisted |
2560 | mshta.exe | 2.22.117.227:80 | e1.o.lencr.org | Akamai International B.V. | DE | suspicious |
2560 | mshta.exe | 178.162.204.5:80 | auth.drp.su | Leaseweb Deutschland GmbH | DE | suspicious |
2560 | mshta.exe | 96.16.145.230:80 | x1.c.lencr.org | AKAMAI-AS | DE | suspicious |
— | — | 104.125.75.233:80 | x2.c.lencr.org | AKAMAI-AS | DE | suspicious |
2560 | mshta.exe | 37.9.8.75:80 | update.drp.su | OOO Network of data-centers Selectel | RU | malicious |
Domain | IP | Reputation |
---|---|---|
allfont.ru | | whitelisted |
ctldl.windowsupdate.com | | whitelisted |
x1.c.lencr.org | | whitelisted |
x2.c.lencr.org | | whitelisted |
e1.o.lencr.org | | whitelisted |
auth.drp.su | | suspicious |
mc.yandex.ru | | whitelisted |
update.drp.su | | malicious |
ocsp.globalsign.com | | whitelisted |
www.google-analytics.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | A Network Trojan was detected | ET MALWARE Observed DNS Query to DriverPack Domain ( .drp .su) |
— | — | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
— | — | Potentially Bad Traffic | ET MALWARE DriverPack Domain in DNS Query |
— | — | A Network Trojan was detected | ET MALWARE Observed DNS Query to DriverPack Domain ( .drp .su) |
— | — | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
— | — | Potentially Bad Traffic | ET MALWARE DriverPack Domain in DNS Query |
2560 | mshta.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
2560 | mshta.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
2560 | mshta.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |