fca433a52cd8d1d50fb1ccf7e511362de7c65309331ae4af4a79cecbf508a637

General

Target

fca433a52cd8d1d50fb1ccf7e511362de7c65309331ae4af4a79cecbf508a637.exe
Size

205KB
MD5

571b59595589be1c9e4c60d277ace9a0
SHA1

0b085b239483eba4b9c19db92cb3e1a4ec371d02
SHA256

fca433a52cd8d1d50fb1ccf7e511362de7c65309331ae4af4a79cecbf508a637
SHA512

ddb5e83d26cd73230653b25116c0caeaf00acf9e1440dad399cece4dec00b1506961611ed788b36ef5cae26e6b5c44d1288f45f2f2932d9b0c2d2e8e301b6c8e
SSDEEP

3072:bS8BCfoDaXJNMQW1km6QVoXAl1k4M5jINDlmNYq8exfSXnyY6Q5wMPfqjn8aeqCL:bPB6EQ3HQeXAVM5sJmN18ek7KMW83f0s

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2460	NvdUpd.exe
4080	NvdUpd.exe

Loads dropped DLL 1 IoCs

pid	Process
4996	fca433a52cd8d1d50fb1ccf7e511362de7c65309331ae4af4a79cecbf508a637.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	fca433a52cd8d1d50fb1ccf7e511362de7c65309331ae4af4a79cecbf508a637.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvUpdSrv = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Corporation\\Updates\\NvdUpd.exe"	fca433a52cd8d1d50fb1ccf7e511362de7c65309331ae4af4a79cecbf508a637.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2460 set thread context of 4080	2460	NvdUpd.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2460	NvdUpd.exe
2460	NvdUpd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2460	NvdUpd.exe
2460	NvdUpd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 2460	4996	fca433a52cd8d1d50fb1ccf7e511362de7c65309331ae4af4a79cecbf508a637.exe	82
PID 4996 wrote to memory of 2460	4996	fca433a52cd8d1d50fb1ccf7e511362de7c65309331ae4af4a79cecbf508a637.exe	82
PID 4996 wrote to memory of 2460	4996	fca433a52cd8d1d50fb1ccf7e511362de7c65309331ae4af4a79cecbf508a637.exe	82
PID 2460 wrote to memory of 4080	2460	NvdUpd.exe	83
PID 2460 wrote to memory of 4080	2460	NvdUpd.exe	83
PID 2460 wrote to memory of 4080	2460	NvdUpd.exe	83
PID 2460 wrote to memory of 4080	2460	NvdUpd.exe	83
PID 2460 wrote to memory of 4080	2460	NvdUpd.exe	83
PID 2460 wrote to memory of 4080	2460	NvdUpd.exe	83
PID 2460 wrote to memory of 4080	2460	NvdUpd.exe	83
PID 2460 wrote to memory of 4080	2460	NvdUpd.exe	83
PID 2460 wrote to memory of 4080	2460	NvdUpd.exe	83

C:\Users\Admin\AppData\Local\Temp\fca433a52cd8d1d50fb1ccf7e511362de7c65309331ae4af4a79cecbf508a637.exe
"C:\Users\Admin\AppData\Local\Temp\fca433a52cd8d1d50fb1ccf7e511362de7c65309331ae4af4a79cecbf508a637.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
  "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
    "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
    3⤵
    - Executes dropped EXE
    PID:4080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
278KB

MD5
48f02eb6f815380e758b63ba0dcb53ad

SHA1
d49e6b869e47d9b4b28b2e9ded6a173e146cf908

SHA256
264ac22a85e9a21eaee624096cbfe0101624cdac120fa460207526b0df7a01b7

SHA512
c8b7cd58ba20ad15ca6e3e6941f4d3bd2da28130b5f1f89dc075f087e573c70de33d5fcc055f444ff54edeace97a7233c4b17e9627be913b94d811fe718304a8

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
278KB

MD5
48f02eb6f815380e758b63ba0dcb53ad

SHA1
d49e6b869e47d9b4b28b2e9ded6a173e146cf908

SHA256
264ac22a85e9a21eaee624096cbfe0101624cdac120fa460207526b0df7a01b7

SHA512
c8b7cd58ba20ad15ca6e3e6941f4d3bd2da28130b5f1f89dc075f087e573c70de33d5fcc055f444ff54edeace97a7233c4b17e9627be913b94d811fe718304a8

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
278KB

MD5
48f02eb6f815380e758b63ba0dcb53ad

SHA1
d49e6b869e47d9b4b28b2e9ded6a173e146cf908

SHA256
264ac22a85e9a21eaee624096cbfe0101624cdac120fa460207526b0df7a01b7

SHA512
c8b7cd58ba20ad15ca6e3e6941f4d3bd2da28130b5f1f89dc075f087e573c70de33d5fcc055f444ff54edeace97a7233c4b17e9627be913b94d811fe718304a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst77C7.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/2460-133-0x0000000000000000-mapping.dmp

Download
memory/2460-139-0x00000000021B0000-0x00000000021B4000-memory.dmp

Filesize
16KB

Download
memory/4080-136-0x0000000000000000-mapping.dmp

Download
memory/4080-137-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/4080-141-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/4080-142-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4080-143-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing