65ca5f28e409dd3ef8e33010737e8a857d077b36f047fa9f8d3c952d1e13d71d

General

Target

65ca5f28e409dd3ef8e33010737e8a857d077b36f047fa9f8d3c952d1e13d71d.exe
Size

111KB
MD5

80102979bf3efcdae370c23ab5c8e500
SHA1

9fb413264be1205176ac00b69dbf33786a156884
SHA256

65ca5f28e409dd3ef8e33010737e8a857d077b36f047fa9f8d3c952d1e13d71d
SHA512

d77579423d3ea3be47d1173e86958ffd887a5d75928c6c26dc88af01f9e6e69927240aa586b20abc5cf8002631edcf514e0ba21cb24b31610fcdc9727d203957
SSDEEP

3072:7S8BCfoDaXJNMF9YgfS1ae/CtSkhqLyn/CEOtu:7PB6EHYNCtSk0mqA

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
720	NvdUpd.exe
1516	NvdUpd.exe

Loads dropped DLL 1 IoCs

pid	Process
3156	65ca5f28e409dd3ef8e33010737e8a857d077b36f047fa9f8d3c952d1e13d71d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	65ca5f28e409dd3ef8e33010737e8a857d077b36f047fa9f8d3c952d1e13d71d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvUpdSrv = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Corporation\\Updates\\NvdUpd.exe"	65ca5f28e409dd3ef8e33010737e8a857d077b36f047fa9f8d3c952d1e13d71d.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 720 set thread context of 1516	720	NvdUpd.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
720	NvdUpd.exe
720	NvdUpd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
720	NvdUpd.exe
720	NvdUpd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 720	3156	65ca5f28e409dd3ef8e33010737e8a857d077b36f047fa9f8d3c952d1e13d71d.exe	83
PID 3156 wrote to memory of 720	3156	65ca5f28e409dd3ef8e33010737e8a857d077b36f047fa9f8d3c952d1e13d71d.exe	83
PID 3156 wrote to memory of 720	3156	65ca5f28e409dd3ef8e33010737e8a857d077b36f047fa9f8d3c952d1e13d71d.exe	83
PID 720 wrote to memory of 1516	720	NvdUpd.exe	84
PID 720 wrote to memory of 1516	720	NvdUpd.exe	84
PID 720 wrote to memory of 1516	720	NvdUpd.exe	84
PID 720 wrote to memory of 1516	720	NvdUpd.exe	84
PID 720 wrote to memory of 1516	720	NvdUpd.exe	84
PID 720 wrote to memory of 1516	720	NvdUpd.exe	84
PID 720 wrote to memory of 1516	720	NvdUpd.exe	84
PID 720 wrote to memory of 1516	720	NvdUpd.exe	84
PID 720 wrote to memory of 1516	720	NvdUpd.exe	84

C:\Users\Admin\AppData\Local\Temp\65ca5f28e409dd3ef8e33010737e8a857d077b36f047fa9f8d3c952d1e13d71d.exe
"C:\Users\Admin\AppData\Local\Temp\65ca5f28e409dd3ef8e33010737e8a857d077b36f047fa9f8d3c952d1e13d71d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
  "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:720
- - C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
    "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
    3⤵
    - Executes dropped EXE
    PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
89KB

MD5
db44cc35d4313d00c6acc9085897db55

SHA1
0384fddd8280abb9f31c604c31d030624e677b15

SHA256
15957bbaa9bdf1f8e5900af83db7d174c9b85d9d67c742d88497ecda1e0bd934

SHA512
f45a79d5bac2df8590bf557de67b10de61abb87f32f4c2eb8a634717d01b02e619727b1c325ec53ac6769ce546eb295a04d17120b3ed3a7ddbaeec5b161ce29a

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
89KB

MD5
db44cc35d4313d00c6acc9085897db55

SHA1
0384fddd8280abb9f31c604c31d030624e677b15

SHA256
15957bbaa9bdf1f8e5900af83db7d174c9b85d9d67c742d88497ecda1e0bd934

SHA512
f45a79d5bac2df8590bf557de67b10de61abb87f32f4c2eb8a634717d01b02e619727b1c325ec53ac6769ce546eb295a04d17120b3ed3a7ddbaeec5b161ce29a

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
89KB

MD5
db44cc35d4313d00c6acc9085897db55

SHA1
0384fddd8280abb9f31c604c31d030624e677b15

SHA256
15957bbaa9bdf1f8e5900af83db7d174c9b85d9d67c742d88497ecda1e0bd934

SHA512
f45a79d5bac2df8590bf557de67b10de61abb87f32f4c2eb8a634717d01b02e619727b1c325ec53ac6769ce546eb295a04d17120b3ed3a7ddbaeec5b161ce29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoEAB5.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/720-140-0x0000000000940000-0x0000000000944000-memory.dmp

Filesize
16KB

Download
memory/1516-137-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/1516-141-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/1516-142-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1516-143-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing