9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465

General

Target

9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe
Size

209KB
MD5

d960e0563aa47b856beb03a07be9e2f4
SHA1

3975a52e3a27c8a2fefbc56744dc675130913091
SHA256

9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465
SHA512

0ade6894227e1004f6073218173a200f78c2aaaf4c473a808b69c99cc119922b86148570f8264033e11964cfc9b1b272646e04c48ed65751874fba5290b4cacf
SSDEEP

6144:P3S2oX3HsHxuB7/rVRNNKkanUV2l5l5zA:vmMur/HV2zI

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe

Executes dropped EXE 1 IoCs

Processes:

dplaysvr.exe

pid process

4224 dplaysvr.exe

pid	process
4224	dplaysvr.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3816 4224 WerFault.exe dplaysvr.exe

pid	pid_target	process	target process
3816	4224	WerFault.exe	dplaysvr.exe

Modifies registry class 1 IoCs

Processes:

9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe

description	pid	process	target process
PID 3136 wrote to memory of 4224	3136	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe	dplaysvr.exe
PID 3136 wrote to memory of 4224	3136	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe	dplaysvr.exe
PID 3136 wrote to memory of 4224	3136	9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe	dplaysvr.exe

C:\Users\Admin\AppData\Local\Temp\9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe
"C:\Users\Admin\AppData\Local\Temp\9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3136

C:\Users\Admin\AppData\Local\dplaysvr.exe
"C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\9e3093bd14943e2377f366bed3ef152028ad437deb37764581995dccd4e0b465.exe
2⤵
- Executes dropped EXE
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 2904
3⤵
- Program crash
PID:3816

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4224 -ip 4224
1⤵
PID:2352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\38A.tmp
Filesize
88KB

MD5
ca06596bda9845b53a39396b2e2369be

SHA1
ce26fc706b7013e330e4d251f7ac9952691b8a0c

SHA256
19e8f40399e53e761314ed88e610f85d91e32d9f7f70efada14f6fbfd7871aa4

SHA512
43a6784818b67152a61a85bbe3196927906c322e1d8c0299cb6498c3e4b5ee92660221d16b3c902507f65c8086e0be4680f0558acca0b09a6ab9c351a592e309

Download Submit
C:\Users\Admin\AppData\Local\Temp\39B.tmp
Filesize
47KB

MD5
07a9ee9e1e2731f206f1ecb259185662

SHA1
823b4db9af3dd5d5e2ef0c2f75f2b18f0d3a8011

SHA256
b13d310a64a9350e2f1bc6a0642126698e968facd253a33c84721210718c643f

SHA512
eb98effae5ce721a73171d45c2290038613b24872dc00ca30e6a1c4408c3e55d12fab18b32841d932f4e16c5ff2d17b38e7cc2d145fdedb4950dca44ae46dc17

Download Submit
C:\Users\Admin\AppData\Local\dplaysvr.exe
Filesize
88KB

MD5
ca06596bda9845b53a39396b2e2369be

SHA1
ce26fc706b7013e330e4d251f7ac9952691b8a0c

SHA256
19e8f40399e53e761314ed88e610f85d91e32d9f7f70efada14f6fbfd7871aa4

SHA512
43a6784818b67152a61a85bbe3196927906c322e1d8c0299cb6498c3e4b5ee92660221d16b3c902507f65c8086e0be4680f0558acca0b09a6ab9c351a592e309

Download Submit
C:\Users\Admin\AppData\Local\dplaysvr.exe
Filesize
88KB

MD5
ca06596bda9845b53a39396b2e2369be

SHA1
ce26fc706b7013e330e4d251f7ac9952691b8a0c

SHA256
19e8f40399e53e761314ed88e610f85d91e32d9f7f70efada14f6fbfd7871aa4

SHA512
43a6784818b67152a61a85bbe3196927906c322e1d8c0299cb6498c3e4b5ee92660221d16b3c902507f65c8086e0be4680f0558acca0b09a6ab9c351a592e309

Download Submit
C:\Users\Admin\AppData\Local\dplayx.dll
Filesize
47KB

MD5
07a9ee9e1e2731f206f1ecb259185662

SHA1
823b4db9af3dd5d5e2ef0c2f75f2b18f0d3a8011

SHA256
b13d310a64a9350e2f1bc6a0642126698e968facd253a33c84721210718c643f

SHA512
eb98effae5ce721a73171d45c2290038613b24872dc00ca30e6a1c4408c3e55d12fab18b32841d932f4e16c5ff2d17b38e7cc2d145fdedb4950dca44ae46dc17

Download Submit
memory/3136-132-0x0000000002080000-0x00000000020B1000-memory.dmp

Filesize
196KB

Download
memory/3136-133-0x00000000020C0000-0x00000000020F7000-memory.dmp

Filesize
220KB

Download
memory/3136-134-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3136-139-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3136-143-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4224-140-0x0000000000000000-mapping.dmp

Download
memory/4224-142-0x0000000002030000-0x0000000002041000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads