4f784aae96a41f515b02f2789aba0e9745c2137d81e2d5808c7b28d9dbd0f0ae

General

Target

4f784aae96a41f515b02f2789aba0e9745c2137d81e2d5808c7b28d9dbd0f0ae.exe
Size

205KB
MD5

62742dbc51fa10feaba8b045d602fe70
SHA1

04ac6c208b1b91f16da033c9795ace1f1b191f70
SHA256

4f784aae96a41f515b02f2789aba0e9745c2137d81e2d5808c7b28d9dbd0f0ae
SHA512

75ba821d99200584fe022237a064aa163fda03eb7a2e9d006d6f5cd9170a77138f6c5143c3776d5fdb26147992108a15dc41e963fbdf5000e4d7c5224ce4963f
SSDEEP

6144:7PB6Etm9cMrfgtnUUGMkuU+CfaHktTmH2UIF65+:rXtm9c9nUiIrtvrF65+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1144	NvdUpd.exe
2028	NvdUpd.exe

Loads dropped DLL 3 IoCs

pid	Process
1604	4f784aae96a41f515b02f2789aba0e9745c2137d81e2d5808c7b28d9dbd0f0ae.exe
1604	4f784aae96a41f515b02f2789aba0e9745c2137d81e2d5808c7b28d9dbd0f0ae.exe
1604	4f784aae96a41f515b02f2789aba0e9745c2137d81e2d5808c7b28d9dbd0f0ae.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	4f784aae96a41f515b02f2789aba0e9745c2137d81e2d5808c7b28d9dbd0f0ae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvUpdSrv = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Corporation\\Updates\\NvdUpd.exe"	4f784aae96a41f515b02f2789aba0e9745c2137d81e2d5808c7b28d9dbd0f0ae.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1144 set thread context of 2028	1144	NvdUpd.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1144	NvdUpd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1144	NvdUpd.exe
1144	NvdUpd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 1144	1604	4f784aae96a41f515b02f2789aba0e9745c2137d81e2d5808c7b28d9dbd0f0ae.exe	28
PID 1604 wrote to memory of 1144	1604	4f784aae96a41f515b02f2789aba0e9745c2137d81e2d5808c7b28d9dbd0f0ae.exe	28
PID 1604 wrote to memory of 1144	1604	4f784aae96a41f515b02f2789aba0e9745c2137d81e2d5808c7b28d9dbd0f0ae.exe	28
PID 1604 wrote to memory of 1144	1604	4f784aae96a41f515b02f2789aba0e9745c2137d81e2d5808c7b28d9dbd0f0ae.exe	28
PID 1144 wrote to memory of 2028	1144	NvdUpd.exe	29
PID 1144 wrote to memory of 2028	1144	NvdUpd.exe	29
PID 1144 wrote to memory of 2028	1144	NvdUpd.exe	29
PID 1144 wrote to memory of 2028	1144	NvdUpd.exe	29
PID 1144 wrote to memory of 2028	1144	NvdUpd.exe	29
PID 1144 wrote to memory of 2028	1144	NvdUpd.exe	29
PID 1144 wrote to memory of 2028	1144	NvdUpd.exe	29
PID 1144 wrote to memory of 2028	1144	NvdUpd.exe	29
PID 1144 wrote to memory of 2028	1144	NvdUpd.exe	29
PID 1144 wrote to memory of 2028	1144	NvdUpd.exe	29

C:\Users\Admin\AppData\Local\Temp\4f784aae96a41f515b02f2789aba0e9745c2137d81e2d5808c7b28d9dbd0f0ae.exe
"C:\Users\Admin\AppData\Local\Temp\4f784aae96a41f515b02f2789aba0e9745c2137d81e2d5808c7b28d9dbd0f0ae.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
  "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
    "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
    3⤵
    - Executes dropped EXE
    PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
278KB

MD5
628fa9cf4551eb1855d593e9b0727381

SHA1
d46f83088addca030600a512612f61f4d31a5e4d

SHA256
eba45950bbe31251703594df390faad58079ffff1a839f3fb50d693bb0ffd21e

SHA512
eeb85aefd60a2361e52c41fd636ca963bff73f5f11e319690e4582fa962a143d17ad30bc6e6fb758521e34109948310952d8958909c7410a479e42f1e9956698

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
278KB

MD5
628fa9cf4551eb1855d593e9b0727381

SHA1
d46f83088addca030600a512612f61f4d31a5e4d

SHA256
eba45950bbe31251703594df390faad58079ffff1a839f3fb50d693bb0ffd21e

SHA512
eeb85aefd60a2361e52c41fd636ca963bff73f5f11e319690e4582fa962a143d17ad30bc6e6fb758521e34109948310952d8958909c7410a479e42f1e9956698

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
278KB

MD5
628fa9cf4551eb1855d593e9b0727381

SHA1
d46f83088addca030600a512612f61f4d31a5e4d

SHA256
eba45950bbe31251703594df390faad58079ffff1a839f3fb50d693bb0ffd21e

SHA512
eeb85aefd60a2361e52c41fd636ca963bff73f5f11e319690e4582fa962a143d17ad30bc6e6fb758521e34109948310952d8958909c7410a479e42f1e9956698

Download Submit
\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
278KB

MD5
628fa9cf4551eb1855d593e9b0727381

SHA1
d46f83088addca030600a512612f61f4d31a5e4d

SHA256
eba45950bbe31251703594df390faad58079ffff1a839f3fb50d693bb0ffd21e

SHA512
eeb85aefd60a2361e52c41fd636ca963bff73f5f11e319690e4582fa962a143d17ad30bc6e6fb758521e34109948310952d8958909c7410a479e42f1e9956698

Download Submit
\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
278KB

MD5
628fa9cf4551eb1855d593e9b0727381

SHA1
d46f83088addca030600a512612f61f4d31a5e4d

SHA256
eba45950bbe31251703594df390faad58079ffff1a839f3fb50d693bb0ffd21e

SHA512
eeb85aefd60a2361e52c41fd636ca963bff73f5f11e319690e4582fa962a143d17ad30bc6e6fb758521e34109948310952d8958909c7410a479e42f1e9956698

Download Submit
\Users\Admin\AppData\Local\Temp\nsj2649.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/1144-65-0x0000000000230000-0x0000000000234000-memory.dmp

Filesize
16KB

Download
memory/1604-54-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/2028-62-0x00000000001B0000-0x00000000002AA000-memory.dmp

Filesize
1000KB

Download
memory/2028-64-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/2028-66-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/2028-68-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/2028-69-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/2028-71-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/2028-75-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/2028-76-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2028-78-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing