d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4

General

Target

d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4.exe
Size

109KB
MD5

0e2e43cb67f02561f3436a01137912c0
SHA1

0a3545e4db7e3f007f8cfc22c233d567cb5afc20
SHA256

d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4
SHA512

98bf0aa64149807401d1e8d4d9b2abfea0ca0531b75506c8e738509b4e63202d1918e0959582b0623e54a1a44fa24c14889c6e6d48e41679f2824d1d56a10c93
SSDEEP

3072:bS8BCfoDaXJNMFlh2sBytr9OMxIfvQ+Y1ua0:bPB6EFP2qIE1nug/

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1380	NvdUpd.exe
4024	NvdUpd.exe

Loads dropped DLL 1 IoCs

pid	Process
848	d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvUpdSrv = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Corporation\\Updates\\NvdUpd.exe"	d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1380 set thread context of 4024	1380	NvdUpd.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1380	NvdUpd.exe
1380	NvdUpd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1380	NvdUpd.exe
1380	NvdUpd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1380	848	d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4.exe	82
PID 848 wrote to memory of 1380	848	d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4.exe	82
PID 848 wrote to memory of 1380	848	d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4.exe	82
PID 1380 wrote to memory of 4024	1380	NvdUpd.exe	83
PID 1380 wrote to memory of 4024	1380	NvdUpd.exe	83
PID 1380 wrote to memory of 4024	1380	NvdUpd.exe	83
PID 1380 wrote to memory of 4024	1380	NvdUpd.exe	83
PID 1380 wrote to memory of 4024	1380	NvdUpd.exe	83
PID 1380 wrote to memory of 4024	1380	NvdUpd.exe	83
PID 1380 wrote to memory of 4024	1380	NvdUpd.exe	83
PID 1380 wrote to memory of 4024	1380	NvdUpd.exe	83
PID 1380 wrote to memory of 4024	1380	NvdUpd.exe	83

C:\Users\Admin\AppData\Local\Temp\d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4.exe
"C:\Users\Admin\AppData\Local\Temp\d06b96a47e0ac2ea2772d348216a4d79be24e1a5d81663ba4074a1430fae10f4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
  "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe
    "C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe"
    3⤵
    - Executes dropped EXE
    PID:4024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
85KB

MD5
a0d65f5874d3371bf7f5dab210d81cea

SHA1
9513320628ce06d3a5ad37288341141af7fda8b1

SHA256
15159eb54d43e03116423d9d4f286dacf0d4af544e01dd8f2ebc11214e5f6758

SHA512
e5a033f0734eaabfefa4654ce0f55a12be36df260f7c5283d102e20b165fa36937ef175c3e96e3f929557163bbd46101eb28d5b2235ccb0cdb88de997bce5ea8

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
85KB

MD5
a0d65f5874d3371bf7f5dab210d81cea

SHA1
9513320628ce06d3a5ad37288341141af7fda8b1

SHA256
15159eb54d43e03116423d9d4f286dacf0d4af544e01dd8f2ebc11214e5f6758

SHA512
e5a033f0734eaabfefa4654ce0f55a12be36df260f7c5283d102e20b165fa36937ef175c3e96e3f929557163bbd46101eb28d5b2235ccb0cdb88de997bce5ea8

Download Submit
C:\Users\Admin\AppData\Local\NVIDIA Corporation\Updates\NvdUpd.exe

Filesize
85KB

MD5
a0d65f5874d3371bf7f5dab210d81cea

SHA1
9513320628ce06d3a5ad37288341141af7fda8b1

SHA256
15159eb54d43e03116423d9d4f286dacf0d4af544e01dd8f2ebc11214e5f6758

SHA512
e5a033f0734eaabfefa4654ce0f55a12be36df260f7c5283d102e20b165fa36937ef175c3e96e3f929557163bbd46101eb28d5b2235ccb0cdb88de997bce5ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBD6B.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/1380-139-0x0000000002110000-0x0000000002114000-memory.dmp

Filesize
16KB

Download
memory/4024-137-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/4024-141-0x0000000000400000-0x00000000036C8000-memory.dmp

Filesize
50.8MB

Download
memory/4024-142-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4024-143-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing