ad4099f9d85c2733ca62f585f156291e94565a05790fad99918b7d3581b42f62

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad4099f9d85c2733ca62f585f156291e94565a05790fad99918b7d3581b42f62.exe
Size

100KB
MD5

41cea7cc14b4fcfda9cf7d20828da616
SHA1

27f98ff1d2f795e10b804c5499a96daa9c87b9dc
SHA256

ad4099f9d85c2733ca62f585f156291e94565a05790fad99918b7d3581b42f62
SHA512

20ae9cfeedf6423472c87b15d0ce63b7112bae386e5c73b804886612ee70617edaf05571bdbb23973cfd165a29fa080fda8be02c3c75832cd5ccaf2fc787a118
SSDEEP

1536:1oLDYsacy7mHMowHjXJK4fmi0C85FMEz5DqWR4ekAxkq3DLQRWAGP0Qw:1oPyys5jXJLfm7jLDqNHM/UFGMQw

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2904	nvupdate.exe

Loads dropped DLL 1 IoCs

pid	Process
1512	ad4099f9d85c2733ca62f585f156291e94565a05790fad99918b7d3581b42f62.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe	ad4099f9d85c2733ca62f585f156291e94565a05790fad99918b7d3581b42f62.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4252	2904	WerFault.exe	83

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2904	nvupdate.exe
2904	nvupdate.exe

C:\Users\Admin\AppData\Local\Temp\ad4099f9d85c2733ca62f585f156291e94565a05790fad99918b7d3581b42f62.exe
"C:\Users\Admin\AppData\Local\Temp\ad4099f9d85c2733ca62f585f156291e94565a05790fad99918b7d3581b42f62.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:1512

C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe
"C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe" /svc
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 404
  2⤵
  - Program crash
  PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2904 -ip 2904
1⤵
PID:4416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe

Filesize
85KB

MD5
2459113ba02c41a97a2dfaf0869b2374

SHA1
0eef196972b9a196ae03c85634e6894df011cd10

SHA256
7bbc3d77c5dcb722d99fc16ab206418aa45a5ebcbbefd4875508ed9cd6207540

SHA512
6e49cdf889fb4c8a3edd6c4450739eb8e3ec5ac54760d55f86b15ef2cc7cdee68b3a8e0a3876a2349ac480249bd439da277166ec4e4828e6420b4edfbc2bec9a

Download Submit
C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe

Filesize
85KB

MD5
2459113ba02c41a97a2dfaf0869b2374

SHA1
0eef196972b9a196ae03c85634e6894df011cd10

SHA256
7bbc3d77c5dcb722d99fc16ab206418aa45a5ebcbbefd4875508ed9cd6207540

SHA512
6e49cdf889fb4c8a3edd6c4450739eb8e3ec5ac54760d55f86b15ef2cc7cdee68b3a8e0a3876a2349ac480249bd439da277166ec4e4828e6420b4edfbc2bec9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn9B4D.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit