4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1

General

Target

4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1.exe
Size

191KB
MD5

08bc0f08cbe773666ae684ed81c1763c
SHA1

6ef5d42a110a6746d23fe001f2762f31d43c391f
SHA256

4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1
SHA512

029e25bdff3b4cd61e98ec37a82b2d1d31eb7b4d03dd467e05f4eacb9e52a73189f2755b0b6906f1b811b0a78c38ddb15e6ced05cb47bd870814f15ef7b6ed17

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1.exe

Executes dropped EXE 1 IoCs

Processes:

dplaysvr.exe

pid process

4472 dplaysvr.exe

pid	process
4472	dplaysvr.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Control Panel\International\Geo\Nation	4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1.exe

Loads dropped DLL 1 IoCs

Processes:

dplaysvr.exe

pid process

4472 dplaysvr.exe

pid	process
4472	dplaysvr.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1.exe
Key created	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dplaysvr.exe

pid process

4472 dplaysvr.exe

pid	process
4472	dplaysvr.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1.exe

description	pid	process	target process
PID 3516 wrote to memory of 4472	3516	4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1.exe	dplaysvr.exe
PID 3516 wrote to memory of 4472	3516	4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1.exe	dplaysvr.exe
PID 3516 wrote to memory of 4472	3516	4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1.exe	dplaysvr.exe

C:\Users\Admin\AppData\Local\Temp\4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1.exe
"C:\Users\Admin\AppData\Local\Temp\4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\dplaysvr.exe
  "C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\4f115913a68ae3d442205bf35920d2b8431bd7a3995a72a648b682fdd783efd1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4472

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:1892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\741B.tmp

Filesize
77KB

MD5
1ba3e906a6012b5abf2750b445d7f30a

SHA1
a2c6ef8aa49c8c2549eadf1d41d0b39850d4a09e

SHA256
9fd947eebbd6c83b4d94c39f017a5366ccfef9d6bd2dee41b86ae81a09022d02

SHA512
ef69e5abf1445a4d9135d23236c39a149681f5b86b745ff8d7d0041eddc31e90464b2fb1611e2e57c009afe64b004cae0466794c806b2a0b4eb5d52b1afa2c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\741C.tmp

Filesize
121KB

MD5
00fa7a4b8b0daf60f5935b34d7325ce3

SHA1
0988e042f7df078ac386c3ae1c70ffccda4025a3

SHA256
45eb8a8e170e06673bc60be26f9c66509d7af934923e4a643234313ec3dc540b

SHA512
3af0d3031bdf7773ab1b0615f45993c4f3e30a405496f4f59c1b4ac4e16ec207e62e54630b314e29963bdb69fedbe71364983f278c2389cf0679d70464448404

Download Submit
C:\Users\Admin\AppData\Local\dplaysvr.exe

Filesize
77KB

MD5
1ba3e906a6012b5abf2750b445d7f30a

SHA1
a2c6ef8aa49c8c2549eadf1d41d0b39850d4a09e

SHA256
9fd947eebbd6c83b4d94c39f017a5366ccfef9d6bd2dee41b86ae81a09022d02

SHA512
ef69e5abf1445a4d9135d23236c39a149681f5b86b745ff8d7d0041eddc31e90464b2fb1611e2e57c009afe64b004cae0466794c806b2a0b4eb5d52b1afa2c2e

Download Submit
C:\Users\Admin\AppData\Local\dplaysvr.exe

Filesize
77KB

MD5
1ba3e906a6012b5abf2750b445d7f30a

SHA1
a2c6ef8aa49c8c2549eadf1d41d0b39850d4a09e

SHA256
9fd947eebbd6c83b4d94c39f017a5366ccfef9d6bd2dee41b86ae81a09022d02

SHA512
ef69e5abf1445a4d9135d23236c39a149681f5b86b745ff8d7d0041eddc31e90464b2fb1611e2e57c009afe64b004cae0466794c806b2a0b4eb5d52b1afa2c2e

Download Submit
C:\Users\Admin\AppData\Local\dplayx.dll

Filesize
121KB

MD5
00fa7a4b8b0daf60f5935b34d7325ce3

SHA1
0988e042f7df078ac386c3ae1c70ffccda4025a3

SHA256
45eb8a8e170e06673bc60be26f9c66509d7af934923e4a643234313ec3dc540b

SHA512
3af0d3031bdf7773ab1b0615f45993c4f3e30a405496f4f59c1b4ac4e16ec207e62e54630b314e29963bdb69fedbe71364983f278c2389cf0679d70464448404

Download Submit
C:\Users\Admin\AppData\Local\dplayx.dll

Filesize
121KB

MD5
00fa7a4b8b0daf60f5935b34d7325ce3

SHA1
0988e042f7df078ac386c3ae1c70ffccda4025a3

SHA256
45eb8a8e170e06673bc60be26f9c66509d7af934923e4a643234313ec3dc540b

SHA512
3af0d3031bdf7773ab1b0615f45993c4f3e30a405496f4f59c1b4ac4e16ec207e62e54630b314e29963bdb69fedbe71364983f278c2389cf0679d70464448404

Download Submit
memory/3516-130-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/3516-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-131-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-146-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-137-0x0000000000000000-mapping.dmp

Download
memory/4472-139-0x0000000000590000-0x00000000005A8000-memory.dmp

Filesize
96KB

Download
memory/4472-140-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4472-141-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4472-143-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4472-144-0x00000000020A0000-0x00000000020C3000-memory.dmp

Filesize
140KB

Download
memory/4472-145-0x0000000002100000-0x0000000002123000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads