5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e

General

Target

5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe
Size

122KB
MD5

0660c7107a521ef3467678bf1417a860
SHA1

4c59ff3c87b06ab283a04be9ea48d872dd0fd229
SHA256

5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e
SHA512

3ecb34b1d72b7b17b57bdd0deecaec9111ea7698acb866a16b4dc1f5246298acab0e06f4eb3c05cf79e153f2de049edc56b2abb0dc3f35b8ef2f1fb5b983b7c3
SSDEEP

3072:bS8BCfoDaXJNMhz6mZixAc39tFOtUa9fwHPTQEXt5FeUy+huC:bPB6Eh+rAU8tUaNw7Qg5sl+YC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1372	NvdUpd.exe

Loads dropped DLL 3 IoCs

pid	Process
1896	5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe
1896	5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe
1896	5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvUpdSrv = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Corporation\\Updates\\NvdUpd.exe"	5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1372	1896	5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe	23
PID 1896 wrote to memory of 1372	1896	5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe	23
PID 1896 wrote to memory of 1372	1896	5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe	23
PID 1896 wrote to memory of 1372	1896	5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe	23

C:\Users\Admin\AppData\Local\Temp\5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe
"C:\Users\Admin\AppData\Local\Temp\5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
  "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
  2⤵
  - Executes dropped EXE
  PID:1372
- - C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
    "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
    3⤵
    PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
54KB

MD5
443215d5fb7567441aac2cb0dfd4a21d

SHA1
cbe7e9141e96e2f8ed83aba5736d23fd8203a5be

SHA256
2a5a97fe547e4e92738feff9ca7e0685b8a051400df620ff4ec7a8b985b5ef64

SHA512
7661f04c4bd76fc421612a0036e519f1bd453d0bdc9f7d1548574b6037e21205d03ca20adf7409dddc5c5279e5dff7b4d4171a4fdebe199989e7f4e35419246b

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
49KB

MD5
7cdb4c0b0955a019dc9c668768232553

SHA1
fddea2c769e2bec608ecc726f9447a8ba43a31fa

SHA256
20e658e7461ef77bb46e46c21485a45d5b089f9a377baf27d6b481d5f5443604

SHA512
e8101b7583ee8b0a86527831a70f01b9b7def7a0c097241dead450b3920b0bd004b74958656fef219d5b1fc60dee647e8909f45967b1f68b83274c597852c1c6

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
78KB

MD5
6721e143da967e6e7a2b0441c5456f01

SHA1
ff440526efdf28c498367e32f80555f7f7bcedb7

SHA256
f358618519b96a3956ff4c09ce31faea55afdcb0aeea877b84aca02f7f4b8fbe

SHA512
570c5ca4839efa005eff2a8f54d898ad33d56597f4efc1da0b403aef653b6d932952e3de38ba193b6fd27d320e9501c93188c0ba23865cb2ac2e15514d7c0bea

Download Submit
\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
18KB

MD5
003b125f6bbef94a8b40546970499230

SHA1
5e155a871310b565586e5a4bbffaa85538dfca4a

SHA256
f9ba350b9c610bf583660143cddeea5dc8748fa7f90346e1e866121f87f1f9ad

SHA512
0e1019e9a5261a3e81adb831a905693292d72a0b0398bc198dfce1f85a6547579d6d3e0867cfb29243d9db37a918cf6ff7c2dd968537a273266488172e600238

Download Submit
\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
36KB

MD5
7c9df82c99ec34b5f8fbedce3441cab0

SHA1
41e9836e4906c3322274fd4a04e3e290dd0ad423

SHA256
de185672c59726510ca05d6988188fb3c5afbc64d4c63df64485a969b68dfa5d

SHA512
4aa392dceec7df2bc946522b910e2392927ee9833c42d2a68c7dde3ddf5100d7e1bfa98a71851aaa1f031d337313817ee37ed917d869733cb8334ed5db8ac866

Download Submit
\Users\Admin\AppData\Local\Temp\nso5554.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/1272-69-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/1272-62-0x00000000001B0000-0x00000000002AA000-memory.dmp

Filesize
1000KB

Download
memory/1272-64-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/1272-66-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/1272-68-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/1272-71-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/1272-75-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/1272-76-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1372-65-0x00000000003E0000-0x00000000003E4000-memory.dmp

Filesize
16KB

Download
memory/1896-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing