36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2

General

Target

36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exe
Size

221KB
MD5

7f3d0c8bb6acf0f7edbf7b8e08ada20d
SHA1

8da40061056a883f87521e137ef1d14afa8079a1
SHA256

36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2
SHA512

b7eab84f3aaf3ddc7d623b7e777330e9ba4a0d618e0a3228963d9c831f12a54a1425aa201bb408620fdefb8648c9d44756151dbb77fc44fb283e464f661ef260
SSDEEP

6144:IsNxT5AvAmAWYUWQOQstUufHzkfQs6zxjo:IsndMAmAWgzQs2Ow4sGxM

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exe

Executes dropped EXE 1 IoCs

Processes:

dplaysvr.exe

pid process

1580 dplaysvr.exe
Loads dropped DLL 2 IoCs

Processes:

36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exedplaysvr.exe

pid process

956 36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exe
1580 dplaysvr.exe

pid	process
1580	dplaysvr.exe

pid	process
956	36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exe
1580	dplaysvr.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dplaysvr.exe

pid process

1580 dplaysvr.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exedplaysvr.exe

pid process

956 36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exe
1580 dplaysvr.exe

pid	process
1580	dplaysvr.exe

pid	process
956	36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exe
1580	dplaysvr.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exe

description	pid	process	target process
PID 956 wrote to memory of 1580	956	36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exe	dplaysvr.exe
PID 956 wrote to memory of 1580	956	36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exe	dplaysvr.exe
PID 956 wrote to memory of 1580	956	36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exe	dplaysvr.exe
PID 956 wrote to memory of 1580	956	36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exe	dplaysvr.exe

C:\Users\Admin\AppData\Local\Temp\36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exe
"C:\Users\Admin\AppData\Local\Temp\36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\dplaysvr.exe
"C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\36a3e15c8e0f20bd0c61518d24dbdacd10e17f3340776bfbc5cb54624c4d9bd2.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:1580

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E8F9.tmp
Filesize
100KB

MD5
798097e1f0c5e7bc0489673ef17427f8

SHA1
e21426365eda9a05bbdce8c669f4bb784b4e28a0

SHA256
920ccd90a0b9bea7613b24064da1d25e559cd3f2f10417d5a0eab720c0ea3dd8

SHA512
237ea73263a7ea7adf4b03eae89ef5983f22197f4b60f5a57aed6a36d679c5b307ff90381640bf9dc998b96cebd9bf0c35ec305c915ee14e1e1cbd1931499432

Download Submit
C:\Users\Admin\AppData\Local\Temp\E8FA.tmp
Filesize
54KB

MD5
586decb26d08f1e8781cff690143137d

SHA1
5b8b853c65922cb20518102231dfd6fb1153c40d

SHA256
88e0add20fa0baf414b3e44c8e3763c4c4f0a60edbb8314f35303a6538e5aa26

SHA512
808585219d3845e364ec54383367866cd2b3f199e33986abd13fd619a57739f04905b9c98582c171a53127cb866644af8121bf8c785a11da4cdee68b69d84e64

Download Submit
C:\Users\Admin\AppData\Local\dplaysvr.exe
Filesize
100KB

MD5
798097e1f0c5e7bc0489673ef17427f8

SHA1
e21426365eda9a05bbdce8c669f4bb784b4e28a0

SHA256
920ccd90a0b9bea7613b24064da1d25e559cd3f2f10417d5a0eab720c0ea3dd8

SHA512
237ea73263a7ea7adf4b03eae89ef5983f22197f4b60f5a57aed6a36d679c5b307ff90381640bf9dc998b96cebd9bf0c35ec305c915ee14e1e1cbd1931499432

Download Submit
C:\Users\Admin\AppData\Local\dplaysvr.exe
Filesize
100KB

MD5
798097e1f0c5e7bc0489673ef17427f8

SHA1
e21426365eda9a05bbdce8c669f4bb784b4e28a0

SHA256
920ccd90a0b9bea7613b24064da1d25e559cd3f2f10417d5a0eab720c0ea3dd8

SHA512
237ea73263a7ea7adf4b03eae89ef5983f22197f4b60f5a57aed6a36d679c5b307ff90381640bf9dc998b96cebd9bf0c35ec305c915ee14e1e1cbd1931499432

Download Submit
C:\Users\Admin\AppData\Local\dplayx.dll
Filesize
54KB

MD5
586decb26d08f1e8781cff690143137d

SHA1
5b8b853c65922cb20518102231dfd6fb1153c40d

SHA256
88e0add20fa0baf414b3e44c8e3763c4c4f0a60edbb8314f35303a6538e5aa26

SHA512
808585219d3845e364ec54383367866cd2b3f199e33986abd13fd619a57739f04905b9c98582c171a53127cb866644af8121bf8c785a11da4cdee68b69d84e64

Download Submit
\Users\Admin\AppData\Local\dplaysvr.exe
Filesize
100KB

MD5
798097e1f0c5e7bc0489673ef17427f8

SHA1
e21426365eda9a05bbdce8c669f4bb784b4e28a0

SHA256
920ccd90a0b9bea7613b24064da1d25e559cd3f2f10417d5a0eab720c0ea3dd8

SHA512
237ea73263a7ea7adf4b03eae89ef5983f22197f4b60f5a57aed6a36d679c5b307ff90381640bf9dc998b96cebd9bf0c35ec305c915ee14e1e1cbd1931499432

Download Submit
\Users\Admin\AppData\Local\dplayx.dll
Filesize
54KB

MD5
586decb26d08f1e8781cff690143137d

SHA1
5b8b853c65922cb20518102231dfd6fb1153c40d

SHA256
88e0add20fa0baf414b3e44c8e3763c4c4f0a60edbb8314f35303a6538e5aa26

SHA512
808585219d3845e364ec54383367866cd2b3f199e33986abd13fd619a57739f04905b9c98582c171a53127cb866644af8121bf8c785a11da4cdee68b69d84e64

Download Submit
memory/956-57-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/956-55-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/956-56-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/956-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/956-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1580-67-0x0000000000260000-0x0000000000271000-memory.dmp

Filesize
68KB

Download
memory/1580-69-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1580-70-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1580-68-0x0000000000280000-0x000000000029F000-memory.dmp

Filesize
124KB

Download
memory/1580-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1580-74-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download
memory/1580-73-0x0000000000370000-0x0000000000379000-memory.dmp

Filesize
36KB

Download
memory/1580-75-0x00000000003B0000-0x00000000003B9000-memory.dmp

Filesize
36KB

Download
memory/1580-76-0x00000000003B0000-0x00000000003B9000-memory.dmp

Filesize
36KB

Download
memory/1580-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads