9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b

General

Target

9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe
Size

186KB
MD5

672fe820b80e57830884bd719175e49d
SHA1

d6f8a311d91ae0a9af6f1042c088240f32867743
SHA256

9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b
SHA512

6ed3deaff6ed4f9b4a49ac32457301c8e86691d38ffee7319e9d02cb6f4be8c0a7c153811621d88fec236b9559c6407b0b5a7c0615ed159234812d1761b117c8
SSDEEP

3072:dPwYi9DaW25hmcq+vLQmllkdzKZrPfPyuCnENXmTxuVKWILdyR/9vNG8q+hrC7c4:dPwt1aW8hmc5D4FePfPytgmE4WQK9VqJ

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe

Executes dropped EXE 1 IoCs

Processes:

dplaysvr.exe

pid process

1176 dplaysvr.exe

pid	process
1176	dplaysvr.exe

Loads dropped DLL 3 IoCs

Processes:

9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exedplaysvr.exe

pid	process
972	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe
972	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe
1176	dplaysvr.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dplaysvr.exe

pid process

1176 dplaysvr.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exedplaysvr.exe

pid process

972 9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe
1176 dplaysvr.exe

pid	process
1176	dplaysvr.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe

description	pid	process	target process
PID 972 wrote to memory of 1176	972	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe	dplaysvr.exe
PID 972 wrote to memory of 1176	972	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe	dplaysvr.exe
PID 972 wrote to memory of 1176	972	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe	dplaysvr.exe
PID 972 wrote to memory of 1176	972	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe	dplaysvr.exe

C:\Users\Admin\AppData\Local\Temp\9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe
"C:\Users\Admin\AppData\Local\Temp\9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\AppData\Local\dplaysvr.exe
"C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:1176

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:1492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9A6C.tmp

Filesize
60KB

MD5
18dbd0f48b606008da2b6d19015cb0f4

SHA1
70637b9d26e63cc4a8f01ab0b6111608cad59c60

SHA256
3e29ed22d397fd92e0060585e6afe4f10ce75f83646ece987ec9f7c8f609b6db

SHA512
944a354416abb6e02381f9ba0dbe5ab33f8dc333df2a7b67cc7390ea83cf85a9a64d6d47418dacc50946273c1e013494f01d25da2a92e29ea922a70fec893692

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A6D.tmp

Filesize
40KB

MD5
cf03fc3c2e01d86556cd1b5db9c3422b

SHA1
c060405c276a4da29bada7479410e6d239f80fb1

SHA256
8605e50aabd334bba51fc91993e8c477f78d47787a3000abc03f7faf360b6042

SHA512
d06a85cb831ed9954c471c4248cc03a97b4a4dc76dbd11974094a700c69a5cc8436d9544a5129b882397936325b2ceeaff0615fe82481acd1e3d5ae95c2b61c3

Download Submit
C:\Users\Admin\AppData\Local\dplaysvr.exe

Filesize
60KB

MD5
18dbd0f48b606008da2b6d19015cb0f4

SHA1
70637b9d26e63cc4a8f01ab0b6111608cad59c60

SHA256
3e29ed22d397fd92e0060585e6afe4f10ce75f83646ece987ec9f7c8f609b6db

SHA512
944a354416abb6e02381f9ba0dbe5ab33f8dc333df2a7b67cc7390ea83cf85a9a64d6d47418dacc50946273c1e013494f01d25da2a92e29ea922a70fec893692

Download Submit
C:\Users\Admin\AppData\Local\dplaysvr.exe

Filesize
60KB

MD5
18dbd0f48b606008da2b6d19015cb0f4

SHA1
70637b9d26e63cc4a8f01ab0b6111608cad59c60

SHA256
3e29ed22d397fd92e0060585e6afe4f10ce75f83646ece987ec9f7c8f609b6db

SHA512
944a354416abb6e02381f9ba0dbe5ab33f8dc333df2a7b67cc7390ea83cf85a9a64d6d47418dacc50946273c1e013494f01d25da2a92e29ea922a70fec893692

Download Submit
C:\Users\Admin\AppData\Local\dplayx.dll

Filesize
40KB

MD5
cf03fc3c2e01d86556cd1b5db9c3422b

SHA1
c060405c276a4da29bada7479410e6d239f80fb1

SHA256
8605e50aabd334bba51fc91993e8c477f78d47787a3000abc03f7faf360b6042

SHA512
d06a85cb831ed9954c471c4248cc03a97b4a4dc76dbd11974094a700c69a5cc8436d9544a5129b882397936325b2ceeaff0615fe82481acd1e3d5ae95c2b61c3

Download Submit
\Users\Admin\AppData\Local\dplaysvr.exe

Filesize
60KB

MD5
18dbd0f48b606008da2b6d19015cb0f4

SHA1
70637b9d26e63cc4a8f01ab0b6111608cad59c60

SHA256
3e29ed22d397fd92e0060585e6afe4f10ce75f83646ece987ec9f7c8f609b6db

SHA512
944a354416abb6e02381f9ba0dbe5ab33f8dc333df2a7b67cc7390ea83cf85a9a64d6d47418dacc50946273c1e013494f01d25da2a92e29ea922a70fec893692

Download Submit
\Users\Admin\AppData\Local\dplaysvr.exe

Filesize
60KB

MD5
18dbd0f48b606008da2b6d19015cb0f4

SHA1
70637b9d26e63cc4a8f01ab0b6111608cad59c60

SHA256
3e29ed22d397fd92e0060585e6afe4f10ce75f83646ece987ec9f7c8f609b6db

SHA512
944a354416abb6e02381f9ba0dbe5ab33f8dc333df2a7b67cc7390ea83cf85a9a64d6d47418dacc50946273c1e013494f01d25da2a92e29ea922a70fec893692

Download Submit
\Users\Admin\AppData\Local\dplayx.dll

Filesize
40KB

MD5
cf03fc3c2e01d86556cd1b5db9c3422b

SHA1
c060405c276a4da29bada7479410e6d239f80fb1

SHA256
8605e50aabd334bba51fc91993e8c477f78d47787a3000abc03f7faf360b6042

SHA512
d06a85cb831ed9954c471c4248cc03a97b4a4dc76dbd11974094a700c69a5cc8436d9544a5129b882397936325b2ceeaff0615fe82481acd1e3d5ae95c2b61c3

Download Submit
memory/972-57-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/972-56-0x0000000000280000-0x00000000002B2000-memory.dmp

Filesize
200KB

Download
memory/972-69-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/972-54-0x0000000075701000-0x0000000075703000-memory.dmp

Filesize
8KB

Download
memory/972-55-0x0000000000250000-0x000000000027D000-memory.dmp

Filesize
180KB

Download
memory/972-77-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1176-65-0x0000000000000000-mapping.dmp

Download
memory/1176-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1176-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1176-68-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/1176-73-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1176-74-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/1176-75-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/1176-76-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/1176-67-0x00000000001B0000-0x00000000001BE000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads