c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f

General

Target

c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f.exe
Size

240KB
MD5

b79f74322e1326e011cd591a82bfa8e5
SHA1

d25aa351d105abc8d6fd801f21da37bbbd87d6e0
SHA256

c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f
SHA512

1f3893f2fbfc7cfb34df26542e61ddb8f18940eac5e48509794dcf272ae81c7f561fa705362525badb1d9bc3c7bde484d80522988032ca35ad338f53f4ad26e8
SSDEEP

6144:WvXunbL2YE6Iv2wu4r8T1lxg+/x/jdXkdXLV:WWnf2V1rmk+pjdUdB

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f.exe

Executes dropped EXE 1 IoCs

Processes:

dplaysvr.exe

pid process

4540 dplaysvr.exe

pid	process
4540	dplaysvr.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f.exe

Loads dropped DLL 1 IoCs

Processes:

dplaysvr.exe

pid process

4540 dplaysvr.exe

pid	process
4540	dplaysvr.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dplaysvr.exe

pid process

4540 dplaysvr.exe

pid	process
4540	dplaysvr.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f.exe

description	pid	process	target process
PID 4776 wrote to memory of 4540	4776	c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f.exe	dplaysvr.exe
PID 4776 wrote to memory of 4540	4776	c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f.exe	dplaysvr.exe
PID 4776 wrote to memory of 4540	4776	c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f.exe	dplaysvr.exe

C:\Users\Admin\AppData\Local\Temp\c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f.exe
"C:\Users\Admin\AppData\Local\Temp\c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4776

C:\Users\Admin\AppData\Local\dplaysvr.exe
"C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\c9c1abde8481b321d3329d78b751b1b2125d04d8ae5cea995f6f13dd4c1c127f.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4540

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C505.tmp
Filesize
112KB

MD5
2dc617bd7b93fafc5e5f5a5e6e2716e8

SHA1
1e8095a809cfa795aa90776604a558ea254ef682

SHA256
02e0a6507489a9594cd88e5413a1bc1d665d77eb6c08d2aedc2537b44ee59776

SHA512
a80a71abf01d8b70791f6643efba7fd2db521442eb131862875e0f348f78eb53cc8b445ad824b2e01357be530e65d4090e1ad2ab52682bf0d4364c3d1eec755c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C506.tmp
Filesize
54KB

MD5
72333d11b6c1aa8169ea64a05ff0f278

SHA1
c05200f5f8977394f9f873714db47d26a11de066

SHA256
8faef9cbb17b31e6097c56be1cc27db717ed57832db5916680661a3d4c9f51c8

SHA512
060ba0339137b21f433cd0aff7732788ab279b64f9d196490f45d2d6ba5ac6af1f2447be39024b266e59944888edc60668b8a6d89c50e3b6764abf12d6dbd3cf

Download Submit
C:\Users\Admin\AppData\Local\dplaysvr.exe
Filesize
112KB

MD5
2dc617bd7b93fafc5e5f5a5e6e2716e8

SHA1
1e8095a809cfa795aa90776604a558ea254ef682

SHA256
02e0a6507489a9594cd88e5413a1bc1d665d77eb6c08d2aedc2537b44ee59776

SHA512
a80a71abf01d8b70791f6643efba7fd2db521442eb131862875e0f348f78eb53cc8b445ad824b2e01357be530e65d4090e1ad2ab52682bf0d4364c3d1eec755c

Download Submit
C:\Users\Admin\AppData\Local\dplaysvr.exe
Filesize
112KB

MD5
2dc617bd7b93fafc5e5f5a5e6e2716e8

SHA1
1e8095a809cfa795aa90776604a558ea254ef682

SHA256
02e0a6507489a9594cd88e5413a1bc1d665d77eb6c08d2aedc2537b44ee59776

SHA512
a80a71abf01d8b70791f6643efba7fd2db521442eb131862875e0f348f78eb53cc8b445ad824b2e01357be530e65d4090e1ad2ab52682bf0d4364c3d1eec755c

Download Submit
C:\Users\Admin\AppData\Local\dplayx.dll
Filesize
54KB

MD5
72333d11b6c1aa8169ea64a05ff0f278

SHA1
c05200f5f8977394f9f873714db47d26a11de066

SHA256
8faef9cbb17b31e6097c56be1cc27db717ed57832db5916680661a3d4c9f51c8

SHA512
060ba0339137b21f433cd0aff7732788ab279b64f9d196490f45d2d6ba5ac6af1f2447be39024b266e59944888edc60668b8a6d89c50e3b6764abf12d6dbd3cf

Download Submit
C:\Users\Admin\AppData\Local\dplayx.dll
Filesize
54KB

MD5
72333d11b6c1aa8169ea64a05ff0f278

SHA1
c05200f5f8977394f9f873714db47d26a11de066

SHA256
8faef9cbb17b31e6097c56be1cc27db717ed57832db5916680661a3d4c9f51c8

SHA512
060ba0339137b21f433cd0aff7732788ab279b64f9d196490f45d2d6ba5ac6af1f2447be39024b266e59944888edc60668b8a6d89c50e3b6764abf12d6dbd3cf

Download Submit
memory/4540-142-0x00000000004E0000-0x00000000004F1000-memory.dmp

Filesize
68KB

Download
memory/4540-148-0x0000000001FD0000-0x0000000001FD9000-memory.dmp

Filesize
36KB

Download
memory/4540-140-0x0000000000000000-mapping.dmp

Download
memory/4540-150-0x0000000002030000-0x0000000002039000-memory.dmp

Filesize
36KB

Download
memory/4540-149-0x0000000001FF0000-0x0000000002002000-memory.dmp

Filesize
72KB

Download
memory/4540-143-0x0000000001F80000-0x0000000001FA2000-memory.dmp

Filesize
136KB

Download
memory/4540-144-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4540-145-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4540-147-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4776-133-0x0000000002230000-0x0000000002272000-memory.dmp

Filesize
264KB

Download
memory/4776-139-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4776-132-0x00000000021F0000-0x0000000002224000-memory.dmp

Filesize
208KB

Download
memory/4776-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4776-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads