5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e

General

Target

5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe
Size

122KB
MD5

0660c7107a521ef3467678bf1417a860
SHA1

4c59ff3c87b06ab283a04be9ea48d872dd0fd229
SHA256

5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e
SHA512

3ecb34b1d72b7b17b57bdd0deecaec9111ea7698acb866a16b4dc1f5246298acab0e06f4eb3c05cf79e153f2de049edc56b2abb0dc3f35b8ef2f1fb5b983b7c3
SSDEEP

3072:bS8BCfoDaXJNMhz6mZixAc39tFOtUa9fwHPTQEXt5FeUy+huC:bPB6Eh+rAU8tUaNw7Qg5sl+YC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1892	NvdUpd.exe
1824	NvdUpd.exe

Loads dropped DLL 1 IoCs

pid	Process
4392	5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvUpdSrv = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Corporation\\Updates\\NvdUpd.exe"	5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1892 set thread context of 1824	1892	NvdUpd.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1892	NvdUpd.exe
1892	NvdUpd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1892	NvdUpd.exe
1892	NvdUpd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 1892	4392	5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe	83
PID 4392 wrote to memory of 1892	4392	5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe	83
PID 4392 wrote to memory of 1892	4392	5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe	83
PID 1892 wrote to memory of 1824	1892	NvdUpd.exe	84
PID 1892 wrote to memory of 1824	1892	NvdUpd.exe	84
PID 1892 wrote to memory of 1824	1892	NvdUpd.exe	84
PID 1892 wrote to memory of 1824	1892	NvdUpd.exe	84
PID 1892 wrote to memory of 1824	1892	NvdUpd.exe	84
PID 1892 wrote to memory of 1824	1892	NvdUpd.exe	84
PID 1892 wrote to memory of 1824	1892	NvdUpd.exe	84
PID 1892 wrote to memory of 1824	1892	NvdUpd.exe	84
PID 1892 wrote to memory of 1824	1892	NvdUpd.exe	84

C:\Users\Admin\AppData\Local\Temp\5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe
"C:\Users\Admin\AppData\Local\Temp\5932a2d54d23d250519cd12807d20b78d7ba73d29fedcca14c06ef2ffe11955e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
  "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
    "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
    3⤵
    - Executes dropped EXE
    PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
126KB

MD5
518ed52dfc1f7a3d6079b00148b7b566

SHA1
85d18da08a71673321fc9f3ffb029351adffd177

SHA256
ed2de07745124c6ee21380c482452e34982d28b54886f97d34f6210ad4bf0dc5

SHA512
a2c60976411f2603324b6493dc9cbbcdfcb891587a8f81d306d4bc6387efa3844e1cd0c8875216f3baa5482476714176c13987aa974fff14906f2c2a2d8a6e76

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
126KB

MD5
518ed52dfc1f7a3d6079b00148b7b566

SHA1
85d18da08a71673321fc9f3ffb029351adffd177

SHA256
ed2de07745124c6ee21380c482452e34982d28b54886f97d34f6210ad4bf0dc5

SHA512
a2c60976411f2603324b6493dc9cbbcdfcb891587a8f81d306d4bc6387efa3844e1cd0c8875216f3baa5482476714176c13987aa974fff14906f2c2a2d8a6e76

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
126KB

MD5
518ed52dfc1f7a3d6079b00148b7b566

SHA1
85d18da08a71673321fc9f3ffb029351adffd177

SHA256
ed2de07745124c6ee21380c482452e34982d28b54886f97d34f6210ad4bf0dc5

SHA512
a2c60976411f2603324b6493dc9cbbcdfcb891587a8f81d306d4bc6387efa3844e1cd0c8875216f3baa5482476714176c13987aa974fff14906f2c2a2d8a6e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb303A.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/1824-137-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/1824-141-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/1824-142-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1824-143-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1892-139-0x00000000012E0000-0x00000000012E4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing