4993d15ee04142d0cf9afd04dd4c31f50120d18859704106419ac53505eb9409

General

Target

4993d15ee04142d0cf9afd04dd4c31f50120d18859704106419ac53505eb9409.exe
Size

205KB
MD5

6a5572abe94615a7145dead4c24ae750
SHA1

208029b6619b2d2072db72a7708e2b436945afd7
SHA256

4993d15ee04142d0cf9afd04dd4c31f50120d18859704106419ac53505eb9409
SHA512

3c96e38532cf71749bf79c9c3a63dc0322a779d8f1e69c140c79108feb6bc350a44d193a9ac0d54012768387640550d6351f68fb3ccc0e4aafe14f9beeb5218a
SSDEEP

3072:7S8BCfoDaXJNMR9vuudUmU/A9pkh5Ost9/Bw2u/v9lVa6pKrSC8gq/Qfdx34o+uF:7PB6ERpLdX8JLwtm6QrzciXv

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1292	NvdUpd.exe
3608	NvdUpd.exe

Loads dropped DLL 1 IoCs

pid	Process
4836	4993d15ee04142d0cf9afd04dd4c31f50120d18859704106419ac53505eb9409.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvUpdSrv = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Corporation\\Updates\\NvdUpd.exe"	4993d15ee04142d0cf9afd04dd4c31f50120d18859704106419ac53505eb9409.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	4993d15ee04142d0cf9afd04dd4c31f50120d18859704106419ac53505eb9409.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1292 set thread context of 3608	1292	NvdUpd.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1292	NvdUpd.exe
1292	NvdUpd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1292	NvdUpd.exe
1292	NvdUpd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 1292	4836	4993d15ee04142d0cf9afd04dd4c31f50120d18859704106419ac53505eb9409.exe	82
PID 4836 wrote to memory of 1292	4836	4993d15ee04142d0cf9afd04dd4c31f50120d18859704106419ac53505eb9409.exe	82
PID 4836 wrote to memory of 1292	4836	4993d15ee04142d0cf9afd04dd4c31f50120d18859704106419ac53505eb9409.exe	82
PID 1292 wrote to memory of 3608	1292	NvdUpd.exe	84
PID 1292 wrote to memory of 3608	1292	NvdUpd.exe	84
PID 1292 wrote to memory of 3608	1292	NvdUpd.exe	84
PID 1292 wrote to memory of 3608	1292	NvdUpd.exe	84
PID 1292 wrote to memory of 3608	1292	NvdUpd.exe	84
PID 1292 wrote to memory of 3608	1292	NvdUpd.exe	84
PID 1292 wrote to memory of 3608	1292	NvdUpd.exe	84
PID 1292 wrote to memory of 3608	1292	NvdUpd.exe	84
PID 1292 wrote to memory of 3608	1292	NvdUpd.exe	84

C:\Users\Admin\AppData\Local\Temp\4993d15ee04142d0cf9afd04dd4c31f50120d18859704106419ac53505eb9409.exe
"C:\Users\Admin\AppData\Local\Temp\4993d15ee04142d0cf9afd04dd4c31f50120d18859704106419ac53505eb9409.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
  "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
    "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
    3⤵
    - Executes dropped EXE
    PID:3608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
278KB

MD5
a7e489f9cd414a45b7118665f82ca5be

SHA1
c2724367727bc5bc37469fcac6169041d2a30d95

SHA256
869730b38262a76439fd122249fa32ca41c2020d999462176dfb38f95fcaf81d

SHA512
12bc2ecf253904cbbc332d3e09817f7ae866d5bbdb2f346543c13489bfe3b06cb1f0277f6d313f14ccd7cb9397ce3fb5d7511aa6a6deeeea9dbdc3401aaeabcc

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
278KB

MD5
a7e489f9cd414a45b7118665f82ca5be

SHA1
c2724367727bc5bc37469fcac6169041d2a30d95

SHA256
869730b38262a76439fd122249fa32ca41c2020d999462176dfb38f95fcaf81d

SHA512
12bc2ecf253904cbbc332d3e09817f7ae866d5bbdb2f346543c13489bfe3b06cb1f0277f6d313f14ccd7cb9397ce3fb5d7511aa6a6deeeea9dbdc3401aaeabcc

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
278KB

MD5
a7e489f9cd414a45b7118665f82ca5be

SHA1
c2724367727bc5bc37469fcac6169041d2a30d95

SHA256
869730b38262a76439fd122249fa32ca41c2020d999462176dfb38f95fcaf81d

SHA512
12bc2ecf253904cbbc332d3e09817f7ae866d5bbdb2f346543c13489bfe3b06cb1f0277f6d313f14ccd7cb9397ce3fb5d7511aa6a6deeeea9dbdc3401aaeabcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp9419.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/1292-133-0x0000000000000000-mapping.dmp

Download
memory/1292-138-0x0000000002290000-0x0000000002294000-memory.dmp

Filesize
16KB

Download
memory/3608-136-0x0000000000000000-mapping.dmp

Download
memory/3608-137-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/3608-141-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/3608-142-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3608-143-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing