ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268

General

Target

ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe
Size

206KB
MD5

00896d0fabce787ef836b79030937a20
SHA1

133809d80bc189c87c623c191694862b42eac214
SHA256

ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268
SHA512

4b301755d0d9b6979decd645d298db8a5366b78a2b7a59921daefc23e2a0656d6b15d6b7340e4b7fdc7aee83f279a7bc031d0bca455362fd748cce539f2de103
SSDEEP

3072:bS8BCfoDaXJNMqxvMiDu166YZQrA69RElT+vMZkjCSfCwPEIsmE3D8A+QwGCipii:bPB6EqxUHLYO4YMZgCaCFz8Gag

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
960	NvdUpd.exe
2036	NvdUpd.exe

Loads dropped DLL 3 IoCs

pid	Process
1732	ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe
1732	ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe
1732	ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvUpdSrv = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Corporation\\Updates\\NvdUpd.exe"	ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 960 set thread context of 2036	960	NvdUpd.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
960	NvdUpd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
960	NvdUpd.exe
960	NvdUpd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 960	1732	ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe	27
PID 1732 wrote to memory of 960	1732	ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe	27
PID 1732 wrote to memory of 960	1732	ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe	27
PID 1732 wrote to memory of 960	1732	ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe	27
PID 960 wrote to memory of 2036	960	NvdUpd.exe	28
PID 960 wrote to memory of 2036	960	NvdUpd.exe	28
PID 960 wrote to memory of 2036	960	NvdUpd.exe	28
PID 960 wrote to memory of 2036	960	NvdUpd.exe	28
PID 960 wrote to memory of 2036	960	NvdUpd.exe	28
PID 960 wrote to memory of 2036	960	NvdUpd.exe	28
PID 960 wrote to memory of 2036	960	NvdUpd.exe	28
PID 960 wrote to memory of 2036	960	NvdUpd.exe	28
PID 960 wrote to memory of 2036	960	NvdUpd.exe	28
PID 960 wrote to memory of 2036	960	NvdUpd.exe	28

C:\Users\Admin\AppData\Local\Temp\ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe
"C:\Users\Admin\AppData\Local\Temp\ffbce5da231d0da4b9ae8293524da8c6d737ab82635e9e0ec99e939adf38d268.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
  "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
    "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
    3⤵
    - Executes dropped EXE
    PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
278KB

MD5
f84d1bc60890aa2178c02828deeb38b7

SHA1
aa83705876f9a252eb34231b738f9f46a24a45db

SHA256
d82215e69b7933fc31161538b73f4d8fc1a297f2b25a1a27c7cf8e5ebff3d764

SHA512
11c1d2166140f641250c8190f677df3a137778606f68cffa7354a13fbbe7ebcb34fa799d2dc78d08432a8fb9d9259fbf872197e961d32ddc046aa6ba35aa02c3

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
278KB

MD5
f84d1bc60890aa2178c02828deeb38b7

SHA1
aa83705876f9a252eb34231b738f9f46a24a45db

SHA256
d82215e69b7933fc31161538b73f4d8fc1a297f2b25a1a27c7cf8e5ebff3d764

SHA512
11c1d2166140f641250c8190f677df3a137778606f68cffa7354a13fbbe7ebcb34fa799d2dc78d08432a8fb9d9259fbf872197e961d32ddc046aa6ba35aa02c3

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
278KB

MD5
f84d1bc60890aa2178c02828deeb38b7

SHA1
aa83705876f9a252eb34231b738f9f46a24a45db

SHA256
d82215e69b7933fc31161538b73f4d8fc1a297f2b25a1a27c7cf8e5ebff3d764

SHA512
11c1d2166140f641250c8190f677df3a137778606f68cffa7354a13fbbe7ebcb34fa799d2dc78d08432a8fb9d9259fbf872197e961d32ddc046aa6ba35aa02c3

Download Submit
\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
278KB

MD5
f84d1bc60890aa2178c02828deeb38b7

SHA1
aa83705876f9a252eb34231b738f9f46a24a45db

SHA256
d82215e69b7933fc31161538b73f4d8fc1a297f2b25a1a27c7cf8e5ebff3d764

SHA512
11c1d2166140f641250c8190f677df3a137778606f68cffa7354a13fbbe7ebcb34fa799d2dc78d08432a8fb9d9259fbf872197e961d32ddc046aa6ba35aa02c3

Download Submit
\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
278KB

MD5
f84d1bc60890aa2178c02828deeb38b7

SHA1
aa83705876f9a252eb34231b738f9f46a24a45db

SHA256
d82215e69b7933fc31161538b73f4d8fc1a297f2b25a1a27c7cf8e5ebff3d764

SHA512
11c1d2166140f641250c8190f677df3a137778606f68cffa7354a13fbbe7ebcb34fa799d2dc78d08432a8fb9d9259fbf872197e961d32ddc046aa6ba35aa02c3

Download Submit
\Users\Admin\AppData\Local\Temp\nsd320B.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/960-65-0x00000000002C0000-0x00000000002C4000-memory.dmp

Filesize
16KB

Download
memory/1732-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/2036-62-0x00000000001B0000-0x00000000002AA000-memory.dmp

Filesize
1000KB

Download
memory/2036-64-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/2036-66-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/2036-68-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/2036-69-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/2036-71-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/2036-75-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/2036-76-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2036-78-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing