6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a

General

Target

6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a.exe
Size

289KB
MD5

795c22ec14d24150443be37fce9fae73
SHA1

cafdddc3fde7ef1bdcbdd6ca067a57ed2a4f8a9b
SHA256

6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a
SHA512

76fee17f95cccad4e8cd9b559bc16f009492d45ae37ba8ed7d715df74dae0f518255effd02e8a907cdc737ae6a76a7f2ff9f4e906b8eebc635afcc0cd3884d89
SSDEEP

3072:iCA3hovBn7VqEizw6RidCLbJWMrwoO7rnN3lnpkAjL6LBVlvMLL3QveQR1:CxovBn7Vq9RidcZQHN1p3yLxMLLeJ

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a.exe

Executes dropped EXE 1 IoCs

pid	Process
4924	dplaysvr.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a.exe

Loads dropped DLL 1 IoCs

pid	Process
4924	dplaysvr.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4924	dplaysvr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 4924	4284	6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a.exe	81
PID 4284 wrote to memory of 4924	4284	6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a.exe	81
PID 4284 wrote to memory of 4924	4284	6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a.exe	81

C:\Users\Admin\AppData\Local\Temp\6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a.exe
"C:\Users\Admin\AppData\Local\Temp\6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\dplaysvr.exe
  "C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\6fbc1dc92a94cda2e12fd18cdfa7fdcf1ae2b440ad120f395f6431e344044e8a.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4924

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:2624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A53D.tmp

Filesize
120KB

MD5
c6bd4c97401be0242c9ddcd5d5da1a91

SHA1
fb8f74ab4a3f6ab512c32c0ce0f9f6542867230d

SHA256
09e5dd5201d60a47d519ea7b9857e88fe135af3f764667b69edded809c93b2ae

SHA512
bd23e74bfc795ff3d11cfabe0cd7111467c8458310409729dcf1798dd1431829927648900f4ab5d1013675f7750e8762ae3fc6deb81fddf644c8a3e089104152

Download Submit
C:\Users\Admin\AppData\Local\Temp\A53E.tmp

Filesize
45KB

MD5
505a7c309518b834d684c40c2b5a674b

SHA1
1756d0ad98525c4289dcbd6284c37b8147316fad

SHA256
1819b9fccf0cfe6de0110186d63e25e9209c47478f4cb04bf7ccd63d39145332

SHA512
d5c17bc2e1add8d309e26b621d1dc01633fae0c16c2536d25d3a20f15198743386bd929f40896fa8fef3b149b0f1d3a9bfe30eefc853deb6172415432143fb93

Download Submit
C:\Users\Admin\AppData\Local\dplaysvr.exe

Filesize
120KB

MD5
c6bd4c97401be0242c9ddcd5d5da1a91

SHA1
fb8f74ab4a3f6ab512c32c0ce0f9f6542867230d

SHA256
09e5dd5201d60a47d519ea7b9857e88fe135af3f764667b69edded809c93b2ae

SHA512
bd23e74bfc795ff3d11cfabe0cd7111467c8458310409729dcf1798dd1431829927648900f4ab5d1013675f7750e8762ae3fc6deb81fddf644c8a3e089104152

Download Submit
C:\Users\Admin\AppData\Local\dplaysvr.exe

Filesize
120KB

MD5
c6bd4c97401be0242c9ddcd5d5da1a91

SHA1
fb8f74ab4a3f6ab512c32c0ce0f9f6542867230d

SHA256
09e5dd5201d60a47d519ea7b9857e88fe135af3f764667b69edded809c93b2ae

SHA512
bd23e74bfc795ff3d11cfabe0cd7111467c8458310409729dcf1798dd1431829927648900f4ab5d1013675f7750e8762ae3fc6deb81fddf644c8a3e089104152

Download Submit
C:\Users\Admin\AppData\Local\dplayx.dll

Filesize
45KB

MD5
505a7c309518b834d684c40c2b5a674b

SHA1
1756d0ad98525c4289dcbd6284c37b8147316fad

SHA256
1819b9fccf0cfe6de0110186d63e25e9209c47478f4cb04bf7ccd63d39145332

SHA512
d5c17bc2e1add8d309e26b621d1dc01633fae0c16c2536d25d3a20f15198743386bd929f40896fa8fef3b149b0f1d3a9bfe30eefc853deb6172415432143fb93

Download Submit
C:\Users\Admin\AppData\Local\dplayx.dll

Filesize
45KB

MD5
505a7c309518b834d684c40c2b5a674b

SHA1
1756d0ad98525c4289dcbd6284c37b8147316fad

SHA256
1819b9fccf0cfe6de0110186d63e25e9209c47478f4cb04bf7ccd63d39145332

SHA512
d5c17bc2e1add8d309e26b621d1dc01633fae0c16c2536d25d3a20f15198743386bd929f40896fa8fef3b149b0f1d3a9bfe30eefc853deb6172415432143fb93

Download Submit
memory/4284-144-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4284-132-0x0000000000670000-0x00000000006A2000-memory.dmp

Filesize
200KB

Download
memory/4284-134-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4284-151-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4284-133-0x00000000006B0000-0x00000000006FB000-memory.dmp

Filesize
300KB

Download
memory/4924-142-0x0000000002070000-0x0000000002090000-memory.dmp

Filesize
128KB

Download
memory/4924-143-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4924-145-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4924-141-0x0000000002050000-0x0000000002061000-memory.dmp

Filesize
68KB

Download
memory/4924-147-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4924-148-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/4924-149-0x00000000020D0000-0x00000000020E0000-memory.dmp

Filesize
64KB

Download
memory/4924-150-0x00000000020F0000-0x00000000020F8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing