3a0f21b4926ea58cf88ddd0450833096ede56c60995324b56950d7b2fee7abe8

General

Target

3a0f21b4926ea58cf88ddd0450833096ede56c60995324b56950d7b2fee7abe8.exe
Size

111KB
MD5

5121973cfc3fddf89231a8620a406480
SHA1

5fe07c712d7108412f71f7c6207d0ac63b47ffb8
SHA256

3a0f21b4926ea58cf88ddd0450833096ede56c60995324b56950d7b2fee7abe8
SHA512

8ab32b053f989a42598dd0ec6d3490efbd9a79aba39def8a2595c5add13d58c0e4ed9d1475b3a5bb4c4e9a4cde56c430be37669fa261e672bc9653a9394ebe55
SSDEEP

3072:7S8BCfoDaXJNMX72CWzfCE5wbDwh+NUL6eR+rf:7PB6EXJWz0IQNveR8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1176	NvdUpd.exe
1492	NvdUpd.exe

Loads dropped DLL 3 IoCs

pid	Process
1248	3a0f21b4926ea58cf88ddd0450833096ede56c60995324b56950d7b2fee7abe8.exe
1248	3a0f21b4926ea58cf88ddd0450833096ede56c60995324b56950d7b2fee7abe8.exe
1248	3a0f21b4926ea58cf88ddd0450833096ede56c60995324b56950d7b2fee7abe8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	3a0f21b4926ea58cf88ddd0450833096ede56c60995324b56950d7b2fee7abe8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvUpdSrv = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Corporation\\Updates\\NvdUpd.exe"	3a0f21b4926ea58cf88ddd0450833096ede56c60995324b56950d7b2fee7abe8.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1176 set thread context of 1492	1176	NvdUpd.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1176	NvdUpd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1176	NvdUpd.exe
1176	NvdUpd.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1176	1248	3a0f21b4926ea58cf88ddd0450833096ede56c60995324b56950d7b2fee7abe8.exe	26
PID 1248 wrote to memory of 1176	1248	3a0f21b4926ea58cf88ddd0450833096ede56c60995324b56950d7b2fee7abe8.exe	26
PID 1248 wrote to memory of 1176	1248	3a0f21b4926ea58cf88ddd0450833096ede56c60995324b56950d7b2fee7abe8.exe	26
PID 1248 wrote to memory of 1176	1248	3a0f21b4926ea58cf88ddd0450833096ede56c60995324b56950d7b2fee7abe8.exe	26
PID 1176 wrote to memory of 1492	1176	NvdUpd.exe	27
PID 1176 wrote to memory of 1492	1176	NvdUpd.exe	27
PID 1176 wrote to memory of 1492	1176	NvdUpd.exe	27
PID 1176 wrote to memory of 1492	1176	NvdUpd.exe	27
PID 1176 wrote to memory of 1492	1176	NvdUpd.exe	27
PID 1176 wrote to memory of 1492	1176	NvdUpd.exe	27
PID 1176 wrote to memory of 1492	1176	NvdUpd.exe	27
PID 1176 wrote to memory of 1492	1176	NvdUpd.exe	27
PID 1176 wrote to memory of 1492	1176	NvdUpd.exe	27
PID 1176 wrote to memory of 1492	1176	NvdUpd.exe	27

C:\Users\Admin\AppData\Local\Temp\3a0f21b4926ea58cf88ddd0450833096ede56c60995324b56950d7b2fee7abe8.exe
"C:\Users\Admin\AppData\Local\Temp\3a0f21b4926ea58cf88ddd0450833096ede56c60995324b56950d7b2fee7abe8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
  "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
    "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
    3⤵
    - Executes dropped EXE
    PID:1492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
89KB

MD5
245af2cdd9ca6786f779f8c04dc55f72

SHA1
f42b0d775ff8ce27d0f7606fb25044104ec1fef2

SHA256
cd9d5a36f77b9e44d5edca6a26ef1daa9cf8189fafe05638e608244ed71470cc

SHA512
c3e0c54ad418d7487158581a696b66e4da1b318b9024e7ebe3f2450b8693b225c615486395dab23d55ffa88c7125aa70eda9c13a4bab69c5874f8f9050c5ee96

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
89KB

MD5
245af2cdd9ca6786f779f8c04dc55f72

SHA1
f42b0d775ff8ce27d0f7606fb25044104ec1fef2

SHA256
cd9d5a36f77b9e44d5edca6a26ef1daa9cf8189fafe05638e608244ed71470cc

SHA512
c3e0c54ad418d7487158581a696b66e4da1b318b9024e7ebe3f2450b8693b225c615486395dab23d55ffa88c7125aa70eda9c13a4bab69c5874f8f9050c5ee96

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
89KB

MD5
245af2cdd9ca6786f779f8c04dc55f72

SHA1
f42b0d775ff8ce27d0f7606fb25044104ec1fef2

SHA256
cd9d5a36f77b9e44d5edca6a26ef1daa9cf8189fafe05638e608244ed71470cc

SHA512
c3e0c54ad418d7487158581a696b66e4da1b318b9024e7ebe3f2450b8693b225c615486395dab23d55ffa88c7125aa70eda9c13a4bab69c5874f8f9050c5ee96

Download Submit
\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
89KB

MD5
245af2cdd9ca6786f779f8c04dc55f72

SHA1
f42b0d775ff8ce27d0f7606fb25044104ec1fef2

SHA256
cd9d5a36f77b9e44d5edca6a26ef1daa9cf8189fafe05638e608244ed71470cc

SHA512
c3e0c54ad418d7487158581a696b66e4da1b318b9024e7ebe3f2450b8693b225c615486395dab23d55ffa88c7125aa70eda9c13a4bab69c5874f8f9050c5ee96

Download Submit
\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
89KB

MD5
245af2cdd9ca6786f779f8c04dc55f72

SHA1
f42b0d775ff8ce27d0f7606fb25044104ec1fef2

SHA256
cd9d5a36f77b9e44d5edca6a26ef1daa9cf8189fafe05638e608244ed71470cc

SHA512
c3e0c54ad418d7487158581a696b66e4da1b318b9024e7ebe3f2450b8693b225c615486395dab23d55ffa88c7125aa70eda9c13a4bab69c5874f8f9050c5ee96

Download Submit
\Users\Admin\AppData\Local\Temp\nsy625E.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/1176-66-0x00000000002E0000-0x00000000002E4000-memory.dmp

Filesize
16KB

Download
memory/1248-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1492-64-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/1492-65-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/1492-68-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/1492-69-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/1492-71-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/1492-62-0x00000000001B0000-0x00000000002AA000-memory.dmp

Filesize
1000KB

Download
memory/1492-75-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/1492-76-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1492-78-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing