d197924a7f9afccfed8432d1f3644b328df8d160b1f6b5363821173b61eb2ac2

General

Target

d197924a7f9afccfed8432d1f3644b328df8d160b1f6b5363821173b61eb2ac2.exe
Size

111KB
MD5

90924b4e018945bdac799000658d2620
SHA1

3a80774ef4b9a82ee19bda468ef0ec6da63c3bad
SHA256

d197924a7f9afccfed8432d1f3644b328df8d160b1f6b5363821173b61eb2ac2
SHA512

add9c1049b698f4604e84c72f6d45fb49dd58b8f80a70152be009d297a8b1d5bd2c91315afb78b925c577e47519969dc55c0f91b2fd508083ebde34360108818
SSDEEP

3072:bS8BCfoDaXJNMn5JW0L9pPtBgPMUS79FOyyl4lScZCT105:bPB6EnZLx9F7bIaUcUTG5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1340	NvdUpd.exe
1488	NvdUpd.exe

Loads dropped DLL 1 IoCs

pid	Process
4164	d197924a7f9afccfed8432d1f3644b328df8d160b1f6b5363821173b61eb2ac2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	d197924a7f9afccfed8432d1f3644b328df8d160b1f6b5363821173b61eb2ac2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvUpdSrv = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Corporation\\Updates\\NvdUpd.exe"	d197924a7f9afccfed8432d1f3644b328df8d160b1f6b5363821173b61eb2ac2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1340 set thread context of 1488	1340	NvdUpd.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1340	NvdUpd.exe
1340	NvdUpd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1340	NvdUpd.exe
1340	NvdUpd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 1340	4164	d197924a7f9afccfed8432d1f3644b328df8d160b1f6b5363821173b61eb2ac2.exe	81
PID 4164 wrote to memory of 1340	4164	d197924a7f9afccfed8432d1f3644b328df8d160b1f6b5363821173b61eb2ac2.exe	81
PID 4164 wrote to memory of 1340	4164	d197924a7f9afccfed8432d1f3644b328df8d160b1f6b5363821173b61eb2ac2.exe	81
PID 1340 wrote to memory of 1488	1340	NvdUpd.exe	82
PID 1340 wrote to memory of 1488	1340	NvdUpd.exe	82
PID 1340 wrote to memory of 1488	1340	NvdUpd.exe	82
PID 1340 wrote to memory of 1488	1340	NvdUpd.exe	82
PID 1340 wrote to memory of 1488	1340	NvdUpd.exe	82
PID 1340 wrote to memory of 1488	1340	NvdUpd.exe	82
PID 1340 wrote to memory of 1488	1340	NvdUpd.exe	82
PID 1340 wrote to memory of 1488	1340	NvdUpd.exe	82
PID 1340 wrote to memory of 1488	1340	NvdUpd.exe	82

C:\Users\Admin\AppData\Local\Temp\d197924a7f9afccfed8432d1f3644b328df8d160b1f6b5363821173b61eb2ac2.exe
"C:\Users\Admin\AppData\Local\Temp\d197924a7f9afccfed8432d1f3644b328df8d160b1f6b5363821173b61eb2ac2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
  "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
    "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
    3⤵
    - Executes dropped EXE
    PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
89KB

MD5
342e4f6fed455f8cd2a6003b4bb545d5

SHA1
a699fafed01057be9cb2418cf6a4557200f0ca60

SHA256
fba8ab41129b118208675974371eddc4649610e0705ad4c0746647b0a186534a

SHA512
c739e9d38ea3474d13f14f0f8f58482586cc14dd85fa59bd9c0dfe20282ddc5ca4a0ff69dbd6b673d95910d9292aa46839e1e4a75d5922452bac53d39684beb7

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
89KB

MD5
342e4f6fed455f8cd2a6003b4bb545d5

SHA1
a699fafed01057be9cb2418cf6a4557200f0ca60

SHA256
fba8ab41129b118208675974371eddc4649610e0705ad4c0746647b0a186534a

SHA512
c739e9d38ea3474d13f14f0f8f58482586cc14dd85fa59bd9c0dfe20282ddc5ca4a0ff69dbd6b673d95910d9292aa46839e1e4a75d5922452bac53d39684beb7

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
89KB

MD5
342e4f6fed455f8cd2a6003b4bb545d5

SHA1
a699fafed01057be9cb2418cf6a4557200f0ca60

SHA256
fba8ab41129b118208675974371eddc4649610e0705ad4c0746647b0a186534a

SHA512
c739e9d38ea3474d13f14f0f8f58482586cc14dd85fa59bd9c0dfe20282ddc5ca4a0ff69dbd6b673d95910d9292aa46839e1e4a75d5922452bac53d39684beb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl230B.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/1340-139-0x0000000002530000-0x0000000002534000-memory.dmp

Filesize
16KB

Download
memory/1488-137-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/1488-141-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/1488-142-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1488-143-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing