9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b

General

Target

9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe
Size

186KB
MD5

672fe820b80e57830884bd719175e49d
SHA1

d6f8a311d91ae0a9af6f1042c088240f32867743
SHA256

9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b
SHA512

6ed3deaff6ed4f9b4a49ac32457301c8e86691d38ffee7319e9d02cb6f4be8c0a7c153811621d88fec236b9559c6407b0b5a7c0615ed159234812d1761b117c8
SSDEEP

3072:dPwYi9DaW25hmcq+vLQmllkdzKZrPfPyuCnENXmTxuVKWILdyR/9vNG8q+hrC7c4:dPwt1aW8hmc5D4FePfPytgmE4WQK9VqJ

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe

Executes dropped EXE 1 IoCs

Processes:

dplaysvr.exe

pid process

2276 dplaysvr.exe

pid	process
2276	dplaysvr.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe

Loads dropped DLL 1 IoCs

Processes:

dplaysvr.exe

pid process

2276 dplaysvr.exe

pid	process
2276	dplaysvr.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dplaysvr.exe

pid process

2276 dplaysvr.exe

pid	process
2276	dplaysvr.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe

description	pid	process	target process
PID 3032 wrote to memory of 2276	3032	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe	dplaysvr.exe
PID 3032 wrote to memory of 2276	3032	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe	dplaysvr.exe
PID 3032 wrote to memory of 2276	3032	9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe	dplaysvr.exe

C:\Users\Admin\AppData\Local\Temp\9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe
"C:\Users\Admin\AppData\Local\Temp\9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\dplaysvr.exe
"C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\9b6dbaa324c0286b4c5fa0cfcbc21678a2c0137d3f32a11eab04b19cedf4240b.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2276

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:4272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6457.tmp

Filesize
60KB

MD5
18dbd0f48b606008da2b6d19015cb0f4

SHA1
70637b9d26e63cc4a8f01ab0b6111608cad59c60

SHA256
3e29ed22d397fd92e0060585e6afe4f10ce75f83646ece987ec9f7c8f609b6db

SHA512
944a354416abb6e02381f9ba0dbe5ab33f8dc333df2a7b67cc7390ea83cf85a9a64d6d47418dacc50946273c1e013494f01d25da2a92e29ea922a70fec893692

Download Submit
C:\Users\Admin\AppData\Local\Temp\6458.tmp

Filesize
40KB

MD5
cf03fc3c2e01d86556cd1b5db9c3422b

SHA1
c060405c276a4da29bada7479410e6d239f80fb1

SHA256
8605e50aabd334bba51fc91993e8c477f78d47787a3000abc03f7faf360b6042

SHA512
d06a85cb831ed9954c471c4248cc03a97b4a4dc76dbd11974094a700c69a5cc8436d9544a5129b882397936325b2ceeaff0615fe82481acd1e3d5ae95c2b61c3

Download Submit
C:\Users\Admin\AppData\Local\dplaysvr.exe

Filesize
60KB

MD5
18dbd0f48b606008da2b6d19015cb0f4

SHA1
70637b9d26e63cc4a8f01ab0b6111608cad59c60

SHA256
3e29ed22d397fd92e0060585e6afe4f10ce75f83646ece987ec9f7c8f609b6db

SHA512
944a354416abb6e02381f9ba0dbe5ab33f8dc333df2a7b67cc7390ea83cf85a9a64d6d47418dacc50946273c1e013494f01d25da2a92e29ea922a70fec893692

Download Submit
C:\Users\Admin\AppData\Local\dplaysvr.exe

Filesize
60KB

MD5
18dbd0f48b606008da2b6d19015cb0f4

SHA1
70637b9d26e63cc4a8f01ab0b6111608cad59c60

SHA256
3e29ed22d397fd92e0060585e6afe4f10ce75f83646ece987ec9f7c8f609b6db

SHA512
944a354416abb6e02381f9ba0dbe5ab33f8dc333df2a7b67cc7390ea83cf85a9a64d6d47418dacc50946273c1e013494f01d25da2a92e29ea922a70fec893692

Download Submit
C:\Users\Admin\AppData\Local\dplayx.dll

Filesize
40KB

MD5
cf03fc3c2e01d86556cd1b5db9c3422b

SHA1
c060405c276a4da29bada7479410e6d239f80fb1

SHA256
8605e50aabd334bba51fc91993e8c477f78d47787a3000abc03f7faf360b6042

SHA512
d06a85cb831ed9954c471c4248cc03a97b4a4dc76dbd11974094a700c69a5cc8436d9544a5129b882397936325b2ceeaff0615fe82481acd1e3d5ae95c2b61c3

Download Submit
C:\Users\Admin\AppData\Local\dplayx.dll

Filesize
40KB

MD5
cf03fc3c2e01d86556cd1b5db9c3422b

SHA1
c060405c276a4da29bada7479410e6d239f80fb1

SHA256
8605e50aabd334bba51fc91993e8c477f78d47787a3000abc03f7faf360b6042

SHA512
d06a85cb831ed9954c471c4248cc03a97b4a4dc76dbd11974094a700c69a5cc8436d9544a5129b882397936325b2ceeaff0615fe82481acd1e3d5ae95c2b61c3

Download Submit
memory/2276-142-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2276-148-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download
memory/2276-139-0x0000000000000000-mapping.dmp

Download
memory/2276-141-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/2276-150-0x0000000000910000-0x0000000000918000-memory.dmp

Filesize
32KB

Download
memory/2276-143-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2276-149-0x00000000008F0000-0x00000000008FE000-memory.dmp

Filesize
56KB

Download
memory/2276-145-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2276-147-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3032-133-0x0000000000910000-0x0000000000942000-memory.dmp

Filesize
200KB

Download
memory/3032-134-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3032-144-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3032-132-0x00000000005B0000-0x00000000005DD000-memory.dmp

Filesize
180KB

Download
memory/3032-151-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads