9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465

General

Target

9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe
Size

209KB
MD5

d960e0563aa47b856beb03a07be9e2f4
SHA1

3975a52e3a27c8a2fefbc56744dc675130913091
SHA256

9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465
SHA512

0ade6894227e1004f6073218173a200f78c2aaaf4c473a808b69c99cc119922b86148570f8264033e11964cfc9b1b272646e04c48ed65751874fba5290b4cacf
SSDEEP

6144:P3S2oX3HsHxuB7/rVRNNKkanUV2l5l5zA:vmMur/HV2zI

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe

Executes dropped EXE 1 IoCs

Processes:

dplaysvr.exe

pid process

1112 dplaysvr.exe

pid	process
1112	dplaysvr.exe

Loads dropped DLL 3 IoCs

Processes:

9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exedplaysvr.exe

pid	process
536	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe
536	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe
1112	dplaysvr.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dplaysvr.exe

pid process

1112 dplaysvr.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exedplaysvr.exe

pid process

536 9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe
1112 dplaysvr.exe

pid	process
1112	dplaysvr.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe

description	pid	process	target process
PID 536 wrote to memory of 1112	536	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe	dplaysvr.exe
PID 536 wrote to memory of 1112	536	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe	dplaysvr.exe
PID 536 wrote to memory of 1112	536	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe	dplaysvr.exe
PID 536 wrote to memory of 1112	536	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe	dplaysvr.exe

C:\Users\Admin\AppData\Local\Temp\9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe
"C:\Users\Admin\AppData\Local\Temp\9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:536

C:\Users\Admin\AppData\Local\dplaysvr.exe
"C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:1112

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:1460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9F7B.tmp
Filesize
88KB

MD5
ca06596bda9845b53a39396b2e2369be

SHA1
ce26fc706b7013e330e4d251f7ac9952691b8a0c

SHA256
19e8f40399e53e761314ed88e610f85d91e32d9f7f70efada14f6fbfd7871aa4

SHA512
43a6784818b67152a61a85bbe3196927906c322e1d8c0299cb6498c3e4b5ee92660221d16b3c902507f65c8086e0be4680f0558acca0b09a6ab9c351a592e309

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F7C.tmp
Filesize
47KB

MD5
07a9ee9e1e2731f206f1ecb259185662

SHA1
823b4db9af3dd5d5e2ef0c2f75f2b18f0d3a8011

SHA256
b13d310a64a9350e2f1bc6a0642126698e968facd253a33c84721210718c643f

SHA512
eb98effae5ce721a73171d45c2290038613b24872dc00ca30e6a1c4408c3e55d12fab18b32841d932f4e16c5ff2d17b38e7cc2d145fdedb4950dca44ae46dc17

Download Submit
C:\Users\Admin\AppData\Local\dplaysvr.exe
Filesize
88KB

MD5
ca06596bda9845b53a39396b2e2369be

SHA1
ce26fc706b7013e330e4d251f7ac9952691b8a0c

SHA256
19e8f40399e53e761314ed88e610f85d91e32d9f7f70efada14f6fbfd7871aa4

SHA512
43a6784818b67152a61a85bbe3196927906c322e1d8c0299cb6498c3e4b5ee92660221d16b3c902507f65c8086e0be4680f0558acca0b09a6ab9c351a592e309

Download Submit
C:\Users\Admin\AppData\Local\dplaysvr.exe
Filesize
88KB

MD5
ca06596bda9845b53a39396b2e2369be

SHA1
ce26fc706b7013e330e4d251f7ac9952691b8a0c

SHA256
19e8f40399e53e761314ed88e610f85d91e32d9f7f70efada14f6fbfd7871aa4

SHA512
43a6784818b67152a61a85bbe3196927906c322e1d8c0299cb6498c3e4b5ee92660221d16b3c902507f65c8086e0be4680f0558acca0b09a6ab9c351a592e309

Download Submit
C:\Users\Admin\AppData\Local\dplayx.dll
Filesize
47KB

MD5
07a9ee9e1e2731f206f1ecb259185662

SHA1
823b4db9af3dd5d5e2ef0c2f75f2b18f0d3a8011

SHA256
b13d310a64a9350e2f1bc6a0642126698e968facd253a33c84721210718c643f

SHA512
eb98effae5ce721a73171d45c2290038613b24872dc00ca30e6a1c4408c3e55d12fab18b32841d932f4e16c5ff2d17b38e7cc2d145fdedb4950dca44ae46dc17

Download Submit
\Users\Admin\AppData\Local\dplaysvr.exe
Filesize
88KB

MD5
ca06596bda9845b53a39396b2e2369be

SHA1
ce26fc706b7013e330e4d251f7ac9952691b8a0c

SHA256
19e8f40399e53e761314ed88e610f85d91e32d9f7f70efada14f6fbfd7871aa4

SHA512
43a6784818b67152a61a85bbe3196927906c322e1d8c0299cb6498c3e4b5ee92660221d16b3c902507f65c8086e0be4680f0558acca0b09a6ab9c351a592e309

Download Submit
\Users\Admin\AppData\Local\dplaysvr.exe
Filesize
88KB

MD5
ca06596bda9845b53a39396b2e2369be

SHA1
ce26fc706b7013e330e4d251f7ac9952691b8a0c

SHA256
19e8f40399e53e761314ed88e610f85d91e32d9f7f70efada14f6fbfd7871aa4

SHA512
43a6784818b67152a61a85bbe3196927906c322e1d8c0299cb6498c3e4b5ee92660221d16b3c902507f65c8086e0be4680f0558acca0b09a6ab9c351a592e309

Download Submit
\Users\Admin\AppData\Local\dplayx.dll
Filesize
47KB

MD5
07a9ee9e1e2731f206f1ecb259185662

SHA1
823b4db9af3dd5d5e2ef0c2f75f2b18f0d3a8011

SHA256
b13d310a64a9350e2f1bc6a0642126698e968facd253a33c84721210718c643f

SHA512
eb98effae5ce721a73171d45c2290038613b24872dc00ca30e6a1c4408c3e55d12fab18b32841d932f4e16c5ff2d17b38e7cc2d145fdedb4950dca44ae46dc17

Download Submit
memory/536-60-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/536-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/536-62-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/536-61-0x0000000000350000-0x0000000000387000-memory.dmp

Filesize
220KB

Download
memory/536-78-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/536-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1112-69-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/1112-70-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1112-72-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1112-68-0x0000000000240000-0x0000000000251000-memory.dmp

Filesize
68KB

Download
memory/1112-74-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1112-76-0x00000000002E0000-0x00000000002EF000-memory.dmp

Filesize
60KB

Download
memory/1112-75-0x00000000002D0000-0x00000000002D9000-memory.dmp

Filesize
36KB

Download
memory/1112-77-0x0000000000300000-0x0000000000309000-memory.dmp

Filesize
36KB

Download
memory/1112-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads