ad4099f9d85c2733ca62f585f156291e94565a05790fad99918b7d3581b42f62

Analysis

max time kernel
151s
max time network
157s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad4099f9d85c2733ca62f585f156291e94565a05790fad99918b7d3581b42f62.exe
Size

100KB
MD5

41cea7cc14b4fcfda9cf7d20828da616
SHA1

27f98ff1d2f795e10b804c5499a96daa9c87b9dc
SHA256

ad4099f9d85c2733ca62f585f156291e94565a05790fad99918b7d3581b42f62
SHA512

20ae9cfeedf6423472c87b15d0ce63b7112bae386e5c73b804886612ee70617edaf05571bdbb23973cfd165a29fa080fda8be02c3c75832cd5ccaf2fc787a118
SSDEEP

1536:1oLDYsacy7mHMowHjXJK4fmi0C85FMEz5DqWR4ekAxkq3DLQRWAGP0Qw:1oPyys5jXJLfm7jLDqNHM/UFGMQw

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1352	nvupdate.exe
1992	nvupdate.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1992-66-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1992-64-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1992-67-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1992-72-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1992-78-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1992-79-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1992-80-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1992-81-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Loads dropped DLL 8 IoCs

pid	Process
820	ad4099f9d85c2733ca62f585f156291e94565a05790fad99918b7d3581b42f62.exe
1352	nvupdate.exe
1352	nvupdate.exe
1352	nvupdate.exe
1352	nvupdate.exe
1992	nvupdate.exe
1992	nvupdate.exe
1992	nvupdate.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1352 set thread context of 1992	1352	nvupdate.exe	29

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe	ad4099f9d85c2733ca62f585f156291e94565a05790fad99918b7d3581b42f62.exe
File opened for modification	C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe	nvupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\NVIDIA Corporation	nvupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\NVIDIA Corporation\Global	nvupdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv\value = "20140507"	nvupdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv\GUID = "0246a632-4959-41f1-b700-c9c359339f3c"	nvupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv	nvupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	nvupdate.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1352	nvupdate.exe
1352	nvupdate.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1992	1352	nvupdate.exe	29
PID 1352 wrote to memory of 1992	1352	nvupdate.exe	29
PID 1352 wrote to memory of 1992	1352	nvupdate.exe	29
PID 1352 wrote to memory of 1992	1352	nvupdate.exe	29
PID 1352 wrote to memory of 1992	1352	nvupdate.exe	29
PID 1352 wrote to memory of 1992	1352	nvupdate.exe	29
PID 1352 wrote to memory of 1992	1352	nvupdate.exe	29
PID 1352 wrote to memory of 1992	1352	nvupdate.exe	29
PID 1352 wrote to memory of 1992	1352	nvupdate.exe	29
PID 1352 wrote to memory of 1992	1352	nvupdate.exe	29
PID 1352 wrote to memory of 1992	1352	nvupdate.exe	29

C:\Users\Admin\AppData\Local\Temp\ad4099f9d85c2733ca62f585f156291e94565a05790fad99918b7d3581b42f62.exe
"C:\Users\Admin\AppData\Local\Temp\ad4099f9d85c2733ca62f585f156291e94565a05790fad99918b7d3581b42f62.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:820

C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe
"C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe
  "C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe

Filesize
85KB

MD5
2459113ba02c41a97a2dfaf0869b2374

SHA1
0eef196972b9a196ae03c85634e6894df011cd10

SHA256
7bbc3d77c5dcb722d99fc16ab206418aa45a5ebcbbefd4875508ed9cd6207540

SHA512
6e49cdf889fb4c8a3edd6c4450739eb8e3ec5ac54760d55f86b15ef2cc7cdee68b3a8e0a3876a2349ac480249bd439da277166ec4e4828e6420b4edfbc2bec9a

Download Submit
C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe

Filesize
85KB

MD5
2459113ba02c41a97a2dfaf0869b2374

SHA1
0eef196972b9a196ae03c85634e6894df011cd10

SHA256
7bbc3d77c5dcb722d99fc16ab206418aa45a5ebcbbefd4875508ed9cd6207540

SHA512
6e49cdf889fb4c8a3edd6c4450739eb8e3ec5ac54760d55f86b15ef2cc7cdee68b3a8e0a3876a2349ac480249bd439da277166ec4e4828e6420b4edfbc2bec9a

Download Submit
C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe

Filesize
85KB

MD5
2459113ba02c41a97a2dfaf0869b2374

SHA1
0eef196972b9a196ae03c85634e6894df011cd10

SHA256
7bbc3d77c5dcb722d99fc16ab206418aa45a5ebcbbefd4875508ed9cd6207540

SHA512
6e49cdf889fb4c8a3edd6c4450739eb8e3ec5ac54760d55f86b15ef2cc7cdee68b3a8e0a3876a2349ac480249bd439da277166ec4e4828e6420b4edfbc2bec9a

Download Submit
\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe

Filesize
85KB

MD5
2459113ba02c41a97a2dfaf0869b2374

SHA1
0eef196972b9a196ae03c85634e6894df011cd10

SHA256
7bbc3d77c5dcb722d99fc16ab206418aa45a5ebcbbefd4875508ed9cd6207540

SHA512
6e49cdf889fb4c8a3edd6c4450739eb8e3ec5ac54760d55f86b15ef2cc7cdee68b3a8e0a3876a2349ac480249bd439da277166ec4e4828e6420b4edfbc2bec9a

Download Submit
\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe

Filesize
85KB

MD5
2459113ba02c41a97a2dfaf0869b2374

SHA1
0eef196972b9a196ae03c85634e6894df011cd10

SHA256
7bbc3d77c5dcb722d99fc16ab206418aa45a5ebcbbefd4875508ed9cd6207540

SHA512
6e49cdf889fb4c8a3edd6c4450739eb8e3ec5ac54760d55f86b15ef2cc7cdee68b3a8e0a3876a2349ac480249bd439da277166ec4e4828e6420b4edfbc2bec9a

Download Submit
\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe

Filesize
85KB

MD5
2459113ba02c41a97a2dfaf0869b2374

SHA1
0eef196972b9a196ae03c85634e6894df011cd10

SHA256
7bbc3d77c5dcb722d99fc16ab206418aa45a5ebcbbefd4875508ed9cd6207540

SHA512
6e49cdf889fb4c8a3edd6c4450739eb8e3ec5ac54760d55f86b15ef2cc7cdee68b3a8e0a3876a2349ac480249bd439da277166ec4e4828e6420b4edfbc2bec9a

Download Submit
\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe

Filesize
85KB

MD5
2459113ba02c41a97a2dfaf0869b2374

SHA1
0eef196972b9a196ae03c85634e6894df011cd10

SHA256
7bbc3d77c5dcb722d99fc16ab206418aa45a5ebcbbefd4875508ed9cd6207540

SHA512
6e49cdf889fb4c8a3edd6c4450739eb8e3ec5ac54760d55f86b15ef2cc7cdee68b3a8e0a3876a2349ac480249bd439da277166ec4e4828e6420b4edfbc2bec9a

Download Submit
\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe

Filesize
85KB

MD5
2459113ba02c41a97a2dfaf0869b2374

SHA1
0eef196972b9a196ae03c85634e6894df011cd10

SHA256
7bbc3d77c5dcb722d99fc16ab206418aa45a5ebcbbefd4875508ed9cd6207540

SHA512
6e49cdf889fb4c8a3edd6c4450739eb8e3ec5ac54760d55f86b15ef2cc7cdee68b3a8e0a3876a2349ac480249bd439da277166ec4e4828e6420b4edfbc2bec9a

Download Submit
\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe

Filesize
85KB

MD5
2459113ba02c41a97a2dfaf0869b2374

SHA1
0eef196972b9a196ae03c85634e6894df011cd10

SHA256
7bbc3d77c5dcb722d99fc16ab206418aa45a5ebcbbefd4875508ed9cd6207540

SHA512
6e49cdf889fb4c8a3edd6c4450739eb8e3ec5ac54760d55f86b15ef2cc7cdee68b3a8e0a3876a2349ac480249bd439da277166ec4e4828e6420b4edfbc2bec9a

Download Submit
\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe

Filesize
85KB

MD5
2459113ba02c41a97a2dfaf0869b2374

SHA1
0eef196972b9a196ae03c85634e6894df011cd10

SHA256
7bbc3d77c5dcb722d99fc16ab206418aa45a5ebcbbefd4875508ed9cd6207540

SHA512
6e49cdf889fb4c8a3edd6c4450739eb8e3ec5ac54760d55f86b15ef2cc7cdee68b3a8e0a3876a2349ac480249bd439da277166ec4e4828e6420b4edfbc2bec9a

Download Submit
\Users\Admin\AppData\Local\Temp\nsj19CB.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/820-54-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1352-70-0x0000000000200000-0x0000000000204000-memory.dmp

Filesize
16KB

Download
memory/1992-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1992-72-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1992-67-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1992-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1992-66-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1992-78-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1992-79-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1992-80-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1992-81-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download