61bb3c864b567fc1bee5948d9a6422a4a923415a23aa47ba8624588de83e3558

General

Target

61bb3c864b567fc1bee5948d9a6422a4a923415a23aa47ba8624588de83e3558.exe
Size

93KB
MD5

67cec721adc056510bf16507032e3fd0
SHA1

9d1c6b781fe0f0d6ed145910ed958a50f0e9a86d
SHA256

61bb3c864b567fc1bee5948d9a6422a4a923415a23aa47ba8624588de83e3558
SHA512

11a74b7ddc62b406f0e4ebc417509cf9d3bf28610d380e3634f1d933137d80e6572bdcc4cb7151976f9a5d41e37e90cb172c7907fbb45020656db0d75b72fa58
SSDEEP

1536:7SV8/DcCDCMMkG0DaXJNMEgTSBY3Pzl9PLP2TJoH+9QYQLVhvOkSXCnt:7S8BCfoDaXJNMi2XPL2Ce9QYQR5OkSXC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1940	NvdUpd.exe
612	NvdUpd.exe

Loads dropped DLL 3 IoCs

pid	Process
1664	61bb3c864b567fc1bee5948d9a6422a4a923415a23aa47ba8624588de83e3558.exe
1664	61bb3c864b567fc1bee5948d9a6422a4a923415a23aa47ba8624588de83e3558.exe
1664	61bb3c864b567fc1bee5948d9a6422a4a923415a23aa47ba8624588de83e3558.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	61bb3c864b567fc1bee5948d9a6422a4a923415a23aa47ba8624588de83e3558.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvUpdSrv = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Corporation\\Updates\\NvdUpd.exe"	61bb3c864b567fc1bee5948d9a6422a4a923415a23aa47ba8624588de83e3558.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1940 set thread context of 612	1940	NvdUpd.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1940	1664	61bb3c864b567fc1bee5948d9a6422a4a923415a23aa47ba8624588de83e3558.exe	28
PID 1664 wrote to memory of 1940	1664	61bb3c864b567fc1bee5948d9a6422a4a923415a23aa47ba8624588de83e3558.exe	28
PID 1664 wrote to memory of 1940	1664	61bb3c864b567fc1bee5948d9a6422a4a923415a23aa47ba8624588de83e3558.exe	28
PID 1664 wrote to memory of 1940	1664	61bb3c864b567fc1bee5948d9a6422a4a923415a23aa47ba8624588de83e3558.exe	28
PID 1940 wrote to memory of 612	1940	NvdUpd.exe	29
PID 1940 wrote to memory of 612	1940	NvdUpd.exe	29
PID 1940 wrote to memory of 612	1940	NvdUpd.exe	29
PID 1940 wrote to memory of 612	1940	NvdUpd.exe	29
PID 1940 wrote to memory of 612	1940	NvdUpd.exe	29
PID 1940 wrote to memory of 612	1940	NvdUpd.exe	29
PID 1940 wrote to memory of 612	1940	NvdUpd.exe	29
PID 1940 wrote to memory of 612	1940	NvdUpd.exe	29
PID 1940 wrote to memory of 612	1940	NvdUpd.exe	29

C:\Users\Admin\AppData\Local\Temp\61bb3c864b567fc1bee5948d9a6422a4a923415a23aa47ba8624588de83e3558.exe
"C:\Users\Admin\AppData\Local\Temp\61bb3c864b567fc1bee5948d9a6422a4a923415a23aa47ba8624588de83e3558.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
  "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
    "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
    3⤵
    - Executes dropped EXE
    PID:612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
108KB

MD5
68230fd9724f15fd008cf6e8f6b6f19a

SHA1
489344586ec442da0824f0ed7e9194474778475b

SHA256
09ffc88a0d06cd0da5cd96e17a6ddb9de59c5b27e36c81c815149f5a34350e76

SHA512
8cafeb09372a357c00eeb9e5799d4301b251178a7e844ec56facc709a0f182ee3469d63653778fe7f10aea0c157298aa02d930ff0e02e3d082ad93c0fc6ce4e6

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
108KB

MD5
68230fd9724f15fd008cf6e8f6b6f19a

SHA1
489344586ec442da0824f0ed7e9194474778475b

SHA256
09ffc88a0d06cd0da5cd96e17a6ddb9de59c5b27e36c81c815149f5a34350e76

SHA512
8cafeb09372a357c00eeb9e5799d4301b251178a7e844ec56facc709a0f182ee3469d63653778fe7f10aea0c157298aa02d930ff0e02e3d082ad93c0fc6ce4e6

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
108KB

MD5
68230fd9724f15fd008cf6e8f6b6f19a

SHA1
489344586ec442da0824f0ed7e9194474778475b

SHA256
09ffc88a0d06cd0da5cd96e17a6ddb9de59c5b27e36c81c815149f5a34350e76

SHA512
8cafeb09372a357c00eeb9e5799d4301b251178a7e844ec56facc709a0f182ee3469d63653778fe7f10aea0c157298aa02d930ff0e02e3d082ad93c0fc6ce4e6

Download Submit
\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
108KB

MD5
68230fd9724f15fd008cf6e8f6b6f19a

SHA1
489344586ec442da0824f0ed7e9194474778475b

SHA256
09ffc88a0d06cd0da5cd96e17a6ddb9de59c5b27e36c81c815149f5a34350e76

SHA512
8cafeb09372a357c00eeb9e5799d4301b251178a7e844ec56facc709a0f182ee3469d63653778fe7f10aea0c157298aa02d930ff0e02e3d082ad93c0fc6ce4e6

Download Submit
\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
108KB

MD5
68230fd9724f15fd008cf6e8f6b6f19a

SHA1
489344586ec442da0824f0ed7e9194474778475b

SHA256
09ffc88a0d06cd0da5cd96e17a6ddb9de59c5b27e36c81c815149f5a34350e76

SHA512
8cafeb09372a357c00eeb9e5799d4301b251178a7e844ec56facc709a0f182ee3469d63653778fe7f10aea0c157298aa02d930ff0e02e3d082ad93c0fc6ce4e6

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1F56.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/612-62-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/612-68-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/612-66-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/612-65-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/612-69-0x00000000004042FE-mapping.dmp

Download
memory/612-71-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/612-72-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/612-73-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/612-75-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1664-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1940-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing