Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
18-01-2021 22:18
General
-
Target
atikmdag-patcher 1.4.8/atikmdag-patcher.exe
-
Size
2.9MB
-
MD5
5dc2c1bb5ccd25decce1c1814f3435ac
-
SHA1
3bd1484e0eabef3dce07fcefc79995cfaf5a54e8
-
SHA256
cb50306b9f47d5c817c1d700c7533f5b7ed50017b22b7e05fdbf5faddb769198
-
SHA512
ee5557135f179b807026c3b1062781f54978ba75ed932f404fbce6847f9ff2296c1f4455a50aa36ecaa1f0129340ec2feb11d81c6d9055ef633e30e36ae1dae1
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
-
Suspicious behavior: MapViewOfSection 39 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 482 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher 1.4.8\atikmdag-patcher.exe"C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher 1.4.8\atikmdag-patcher.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher 1.4.8\atikmdag-patcher.exe"C:\Users\Admin\AppData\Local\Temp\atikmdag-patcher 1.4.8\atikmdag-patcher.exe" /VERYSILENT2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NVIDIA\atikmdag-patcher.exe"C:\Users\Admin\AppData\Roaming\NVIDIA\atikmdag-patcher.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\NVIDIA\StringJ.exe"C:\Users\Admin\AppData\Roaming\NVIDIA\StringJ.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"5⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\NVIDIA\BORLNDMM.DLLMD5
d329682a25bb2433bc05d170b8e3e9b0
SHA176e3a2004e5ba7f5126fac9922336f38e928d733
SHA256b3cc3f8b65b37a807843e07c3848eba3b86f6e2d0b67c6d7cb14e9660a881618
SHA512432f454d32622b352badabe71546e522949a83dfefdcd12dcd6992d9e57d10d13de305dc67c8993d6e90c28cabdc9d6b20829c844efe8e175cb80f51bcd407d3
-
C:\Users\Admin\AppData\Roaming\NVIDIA\CC3260MT.DLLMD5
0df3473346769c1c732222c2664e65fe
SHA1b65e69d2b06ef1ef895fd600ec929c54b9cd8da6
SHA2564b5eadc340492faa57df3571c7471f0528832f1e7c822191adb53d9e6be7662d
SHA512e1e059fe8e8396c8c0f93b00ccff626a1850d4f5e750ce6405023e8d7acebbeff3f9e52f7fafa229bf050435964ad6d12f5de85dbbe0e207e83e2307e9e1c284
-
C:\Users\Admin\AppData\Roaming\NVIDIA\StringJ.exeMD5
ed488c462e49d5415fe17ada385e52d2
SHA1d37c8cba8a45a9bbee9c815133dbeb6790a2efc0
SHA256835a461322445f0e47739e7e3489d7c1789d8883649c0b1b3836bb29f693fac0
SHA5120851b691ca94f0db04752a48c21fd4af9a10cba16fdf39f79720ce46dfeb202c166c5c230d6c0c0ad3437cee9d642c80becef4f34ca1dc15616027c1fefa3aca
-
C:\Users\Admin\AppData\Roaming\NVIDIA\atikmdag-patcher.exeMD5
5616e95156f37d4445947144eb72d84b
SHA12ce32920b08f8b6a0959905010b3699fa9111f28
SHA256f3b0e3ba3beb72ad455f478bca6347fbcabbce4ddfa2a6e34f72f11412502434
SHA51227f5a5bbb8dd752b575a74a38ab2aa66c9e714fc9c3e7351005be86c856c6f3cc5bb39835ceb5bd3f7b0f08e4bceb5157970cbf8bd0b927d89b35e042b85552e
-
C:\Users\Admin\AppData\Roaming\NVIDIA\bcbsmp60.bplMD5
90cb3d45db064bf0ef9298209694c1df
SHA13832f08ac6a80ef1e68db155e41e6654e9e185c9
SHA25651fe769cf939981a7f7f018865c2ed7c6dfbd5a6b1d58ff90c5c6728d582ffc9
SHA512d3d33bc6a16484b6486e59eabb7276e655ee2a3b16c1e4a82532d09395c010702b8136b205e0abe8bd22379655367e382d37255e808eb391a9cf3b98bfab666c
-
C:\Users\Admin\AppData\Roaming\NVIDIA\bdertl60.bplMD5
b87ef5f1ed15cfdedadab33fa7ed3beb
SHA1a80521bd90beb801cd0536789e6661a7dc3b8d07
SHA256b56d3e643fb1eef7018aa120ddab53ae0402ef997e1441a1ad7ff4ce25f79658
SHA512fdd5aeef55e17a83bc3d62496b72bc9c668f4b4c7991d48c5935f6a006cf78a395dc12c0fa611891b5dfcfcb1574b95eaf375451584bb99d4cfa8228cfda4acb
-
C:\Users\Admin\AppData\Roaming\NVIDIA\dbrtl60.bplMD5
49e1cadd50625349cebb60ea4119fbf2
SHA109c1d5d78a6b44ff306652bc3613285b6ae32aa7
SHA25695aaa2bccc46106c2d2275dc22651cc8f13b728d15afcc26d8469371c1bb18d5
SHA5121afd847d130d1775089eda162a15b12abfc217703a15a43da84fbbd69dd8d835913326e48862e6515e366ea87f3d5ab609c406f8e9ff32702513c0bf58699876
-
C:\Users\Admin\AppData\Roaming\NVIDIA\dss60.bplMD5
71101555cc2ab52f3fc1c0a6accf248a
SHA109620e314d64c8da3bfadf0ab688961a6a2c750a
SHA2560c1a45d1fff0cc1e4d6ec7111a0e87922b94fe5c5fdb81d542079ea0019e7068
SHA512669d52fa2bd27d1fc2e83fbc74e0228540a8eb1e188ddccaaa4008dd8f1d7566e93afedcc07653726151dce374accc7418b344ce45835262f147d0f5bb3de1de
-
C:\Users\Admin\AppData\Roaming\NVIDIA\qrpt60.bplMD5
84c086e8c65cdaf1e716d6e9e4dc68bf
SHA172eddcc5335a725f530ab11936cf541e960f1c19
SHA256dc6449a610a96e4454a3f4e02c20d0098a3a5a30cab602d0d5fbdb1d3c579636
SHA512e6b59817aea6ba3ce7f5d11df19f36f42e84e4a4337f7e49c5692d0e4692f269a60aab8b4dbf552fe611314ee075c04efa0ebdcc7bf7d024b84e12cd28a90f3c
-
C:\Users\Admin\AppData\Roaming\NVIDIA\rtl60.bplMD5
184791b38f78382c1f6e33f476f9dd59
SHA1a1aacf6f773ff3baebcbd54764b1be66fcece7aa
SHA25655b7332af0e402a1a08d25214a9d5a1bacd52a19ac15fb7f1f7b8fb6957b39ed
SHA5124bdb0ae4474741d59ed5fa12d7e0cf18bf4fef89ae2b9babf737423ea42dca1bc0a0b053922766e7a7182eda38591a8a4a51ac9209db4248dd18dd120e90986d
-
C:\Users\Admin\AppData\Roaming\NVIDIA\tee60.bplMD5
3d7ce1782c91ecf030baa746ec8b718a
SHA199d9c602e590b4d10254e8c8c4daaea5f0bb90eb
SHA25639d0739da046509b322f2f750e23a4d71084f6b88fdcdd71851a40c23ccf023b
SHA5120a89698b75d4dcc2385a9f567e721d903c80c38010ac779bdd5b1bed4e0e8ac60ceac9c3888f9e979386ebe2f166e683afdfdf1468ad6a9968b701149ec0496b
-
C:\Users\Admin\AppData\Roaming\NVIDIA\vcl60.bplMD5
9b619356853521b3f888ef2a830037fb
SHA13a0235763d5e3de490fd125aca0785eae08bceb1
SHA256ca904861fccf5f8b6cb44c33f77f391e4388d3693fe62a6f91fed4084061bd07
SHA512f31f7e98f3aec42e0cb33be91a811f64e11680e7c69183e580b176cf3446456740f528e15aee5deb887a444f4f7c8468583f7e6405e6a5da5057b0c503e58db4
-
C:\Users\Admin\AppData\Roaming\NVIDIA\vcldb60.bplMD5
2cbb26919edeea3f628b2e56ea23c9c8
SHA13cf0a84c913bc11ff8405fe4c3202ab14798fbbe
SHA2563f0a4f6f50acb7ea227808faec072f9a5c4bed0747ca8d7025e56d1f370c0b4f
SHA5125dd9afe5ad7d4b3dff39cebaabc18a1c7254e0c63bb1482b07c716746fa8dad1583adebf5703face84f7718408f9f550f862444926fdcb33716004c1775454d5
-
C:\Users\Admin\AppData\Roaming\NVIDIA\vclx60.bplMD5
aad6f4b96f96dd5e52f7b4989e5c5103
SHA1082d57c34f22ada75827539d2ca8873ec4d10dff
SHA256741b8250412fe40fd3124de2814a506af94f65017e6c90ae2af27a9b54d81052
SHA5120bba5bc67e1f9cd798ef8ee274be03ba1be36fd560fece8553764060baffb301ddf259ee9baeb2ad57f3e25fa75be8765ddd01fd9b40fd3177924bd68bc6d645
-
\Users\Admin\AppData\Roaming\NVIDIA\StringJ.exeMD5
ed488c462e49d5415fe17ada385e52d2
SHA1d37c8cba8a45a9bbee9c815133dbeb6790a2efc0
SHA256835a461322445f0e47739e7e3489d7c1789d8883649c0b1b3836bb29f693fac0
SHA5120851b691ca94f0db04752a48c21fd4af9a10cba16fdf39f79720ce46dfeb202c166c5c230d6c0c0ad3437cee9d642c80becef4f34ca1dc15616027c1fefa3aca
-
\Users\Admin\AppData\Roaming\NVIDIA\StringJ.exeMD5
ed488c462e49d5415fe17ada385e52d2
SHA1d37c8cba8a45a9bbee9c815133dbeb6790a2efc0
SHA256835a461322445f0e47739e7e3489d7c1789d8883649c0b1b3836bb29f693fac0
SHA5120851b691ca94f0db04752a48c21fd4af9a10cba16fdf39f79720ce46dfeb202c166c5c230d6c0c0ad3437cee9d642c80becef4f34ca1dc15616027c1fefa3aca
-
\Users\Admin\AppData\Roaming\NVIDIA\atikmdag-patcher.exeMD5
5616e95156f37d4445947144eb72d84b
SHA12ce32920b08f8b6a0959905010b3699fa9111f28
SHA256f3b0e3ba3beb72ad455f478bca6347fbcabbce4ddfa2a6e34f72f11412502434
SHA51227f5a5bbb8dd752b575a74a38ab2aa66c9e714fc9c3e7351005be86c856c6f3cc5bb39835ceb5bd3f7b0f08e4bceb5157970cbf8bd0b927d89b35e042b85552e
-
\Users\Admin\AppData\Roaming\NVIDIA\bcbsmp60.bplMD5
90cb3d45db064bf0ef9298209694c1df
SHA13832f08ac6a80ef1e68db155e41e6654e9e185c9
SHA25651fe769cf939981a7f7f018865c2ed7c6dfbd5a6b1d58ff90c5c6728d582ffc9
SHA512d3d33bc6a16484b6486e59eabb7276e655ee2a3b16c1e4a82532d09395c010702b8136b205e0abe8bd22379655367e382d37255e808eb391a9cf3b98bfab666c
-
\Users\Admin\AppData\Roaming\NVIDIA\bdertl60.bplMD5
b87ef5f1ed15cfdedadab33fa7ed3beb
SHA1a80521bd90beb801cd0536789e6661a7dc3b8d07
SHA256b56d3e643fb1eef7018aa120ddab53ae0402ef997e1441a1ad7ff4ce25f79658
SHA512fdd5aeef55e17a83bc3d62496b72bc9c668f4b4c7991d48c5935f6a006cf78a395dc12c0fa611891b5dfcfcb1574b95eaf375451584bb99d4cfa8228cfda4acb
-
\Users\Admin\AppData\Roaming\NVIDIA\borlndmm.dllMD5
d329682a25bb2433bc05d170b8e3e9b0
SHA176e3a2004e5ba7f5126fac9922336f38e928d733
SHA256b3cc3f8b65b37a807843e07c3848eba3b86f6e2d0b67c6d7cb14e9660a881618
SHA512432f454d32622b352badabe71546e522949a83dfefdcd12dcd6992d9e57d10d13de305dc67c8993d6e90c28cabdc9d6b20829c844efe8e175cb80f51bcd407d3
-
\Users\Admin\AppData\Roaming\NVIDIA\cc3260mt.dllMD5
0df3473346769c1c732222c2664e65fe
SHA1b65e69d2b06ef1ef895fd600ec929c54b9cd8da6
SHA2564b5eadc340492faa57df3571c7471f0528832f1e7c822191adb53d9e6be7662d
SHA512e1e059fe8e8396c8c0f93b00ccff626a1850d4f5e750ce6405023e8d7acebbeff3f9e52f7fafa229bf050435964ad6d12f5de85dbbe0e207e83e2307e9e1c284
-
\Users\Admin\AppData\Roaming\NVIDIA\dbrtl60.bplMD5
49e1cadd50625349cebb60ea4119fbf2
SHA109c1d5d78a6b44ff306652bc3613285b6ae32aa7
SHA25695aaa2bccc46106c2d2275dc22651cc8f13b728d15afcc26d8469371c1bb18d5
SHA5121afd847d130d1775089eda162a15b12abfc217703a15a43da84fbbd69dd8d835913326e48862e6515e366ea87f3d5ab609c406f8e9ff32702513c0bf58699876
-
\Users\Admin\AppData\Roaming\NVIDIA\dss60.bplMD5
71101555cc2ab52f3fc1c0a6accf248a
SHA109620e314d64c8da3bfadf0ab688961a6a2c750a
SHA2560c1a45d1fff0cc1e4d6ec7111a0e87922b94fe5c5fdb81d542079ea0019e7068
SHA512669d52fa2bd27d1fc2e83fbc74e0228540a8eb1e188ddccaaa4008dd8f1d7566e93afedcc07653726151dce374accc7418b344ce45835262f147d0f5bb3de1de
-
\Users\Admin\AppData\Roaming\NVIDIA\qrpt60.bplMD5
84c086e8c65cdaf1e716d6e9e4dc68bf
SHA172eddcc5335a725f530ab11936cf541e960f1c19
SHA256dc6449a610a96e4454a3f4e02c20d0098a3a5a30cab602d0d5fbdb1d3c579636
SHA512e6b59817aea6ba3ce7f5d11df19f36f42e84e4a4337f7e49c5692d0e4692f269a60aab8b4dbf552fe611314ee075c04efa0ebdcc7bf7d024b84e12cd28a90f3c
-
\Users\Admin\AppData\Roaming\NVIDIA\rtl60.bplMD5
184791b38f78382c1f6e33f476f9dd59
SHA1a1aacf6f773ff3baebcbd54764b1be66fcece7aa
SHA25655b7332af0e402a1a08d25214a9d5a1bacd52a19ac15fb7f1f7b8fb6957b39ed
SHA5124bdb0ae4474741d59ed5fa12d7e0cf18bf4fef89ae2b9babf737423ea42dca1bc0a0b053922766e7a7182eda38591a8a4a51ac9209db4248dd18dd120e90986d
-
\Users\Admin\AppData\Roaming\NVIDIA\tee60.bplMD5
3d7ce1782c91ecf030baa746ec8b718a
SHA199d9c602e590b4d10254e8c8c4daaea5f0bb90eb
SHA25639d0739da046509b322f2f750e23a4d71084f6b88fdcdd71851a40c23ccf023b
SHA5120a89698b75d4dcc2385a9f567e721d903c80c38010ac779bdd5b1bed4e0e8ac60ceac9c3888f9e979386ebe2f166e683afdfdf1468ad6a9968b701149ec0496b
-
\Users\Admin\AppData\Roaming\NVIDIA\vcl60.bplMD5
9b619356853521b3f888ef2a830037fb
SHA13a0235763d5e3de490fd125aca0785eae08bceb1
SHA256ca904861fccf5f8b6cb44c33f77f391e4388d3693fe62a6f91fed4084061bd07
SHA512f31f7e98f3aec42e0cb33be91a811f64e11680e7c69183e580b176cf3446456740f528e15aee5deb887a444f4f7c8468583f7e6405e6a5da5057b0c503e58db4
-
\Users\Admin\AppData\Roaming\NVIDIA\vcldb60.bplMD5
2cbb26919edeea3f628b2e56ea23c9c8
SHA13cf0a84c913bc11ff8405fe4c3202ab14798fbbe
SHA2563f0a4f6f50acb7ea227808faec072f9a5c4bed0747ca8d7025e56d1f370c0b4f
SHA5125dd9afe5ad7d4b3dff39cebaabc18a1c7254e0c63bb1482b07c716746fa8dad1583adebf5703face84f7718408f9f550f862444926fdcb33716004c1775454d5
-
\Users\Admin\AppData\Roaming\NVIDIA\vclx60.bplMD5
aad6f4b96f96dd5e52f7b4989e5c5103
SHA1082d57c34f22ada75827539d2ca8873ec4d10dff
SHA256741b8250412fe40fd3124de2814a506af94f65017e6c90ae2af27a9b54d81052
SHA5120bba5bc67e1f9cd798ef8ee274be03ba1be36fd560fece8553764060baffb301ddf259ee9baeb2ad57f3e25fa75be8765ddd01fd9b40fd3177924bd68bc6d645
-
memory/564-45-0x0000000000350000-0x0000000000358000-memory.dmpFilesize
32KB
-
memory/564-44-0x0000000000090000-0x0000000000092000-memory.dmpFilesize
8KB
-
memory/564-42-0x0000000000000000-mapping.dmp
-
memory/1476-6-0x0000000074511000-0x0000000074513000-memory.dmpFilesize
8KB
-
memory/1476-4-0x0000000000000000-mapping.dmp
-
memory/1476-7-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB
-
memory/1748-40-0x00000000002C0000-0x00000000002C1000-memory.dmpFilesize
4KB
-
memory/1748-41-0x00000000002F0000-0x00000000002FA000-memory.dmpFilesize
40KB
-
memory/1748-13-0x0000000000000000-mapping.dmp
-
memory/1804-9-0x0000000000000000-mapping.dmp
-
memory/1864-3-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/1864-2-0x00000000760B1000-0x00000000760B3000-memory.dmpFilesize
8KB