c3c5ace13b00673a4622119daac1bfdd13bdc88d94124ababcd16324637b8834

General

Target

4d6dbcf7914b3e8feaf0fbf75f08523c.exe
Size

155KB
MD5

4d6dbcf7914b3e8feaf0fbf75f08523c
SHA1

9f52f32594e2d0bf9c34dbd786c9378b6faf0214
SHA256

c3c5ace13b00673a4622119daac1bfdd13bdc88d94124ababcd16324637b8834
SHA512

358ece12d00902551bd8a41a06fde4e7b77f0c9f0602165e6f3107a90a93b89b5ff2c26818ddcbcb84f15bed8142ef08a59e9cd31e826e2dc0045b8d86519c4d
SSDEEP

3072:XXNPIR7cznPmwECfj+qwuK5xGj4uTFY+Vxl:HNPIp5qTIxGDhYIx

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	4d6dbcf7914b3e8feaf0fbf75f08523c.exe

Executes dropped EXE 1 IoCs

pid	Process
2564	dplaysvr.exe

Loads dropped DLL 3 IoCs

pid	Process
2896	4d6dbcf7914b3e8feaf0fbf75f08523c.exe
2896	4d6dbcf7914b3e8feaf0fbf75f08523c.exe
2564	dplaysvr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	4d6dbcf7914b3e8feaf0fbf75f08523c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	4d6dbcf7914b3e8feaf0fbf75f08523c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2564	dplaysvr.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2896	4d6dbcf7914b3e8feaf0fbf75f08523c.exe
2564	dplaysvr.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2564	2896	4d6dbcf7914b3e8feaf0fbf75f08523c.exe	29
PID 2896 wrote to memory of 2564	2896	4d6dbcf7914b3e8feaf0fbf75f08523c.exe	29
PID 2896 wrote to memory of 2564	2896	4d6dbcf7914b3e8feaf0fbf75f08523c.exe	29
PID 2896 wrote to memory of 2564	2896	4d6dbcf7914b3e8feaf0fbf75f08523c.exe	29

C:\Users\Admin\AppData\Local\Temp\4d6dbcf7914b3e8feaf0fbf75f08523c.exe
"C:\Users\Admin\AppData\Local\Temp\4d6dbcf7914b3e8feaf0fbf75f08523c.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\dplaysvr.exe
  "C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\4d6dbcf7914b3e8feaf0fbf75f08523c.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  PID:2564

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\638.tmp

Filesize
68KB

MD5
37517422efa2162da0cbf1ab53ff8dc9

SHA1
e5bf2c0e2107e88d494efcc26787cfba29201eae

SHA256
f25d5aa5a4d1c548bb6500be889d240c001407c245b0cd2c3db4470179dd5f4e

SHA512
d79b334e86eb17617760cf7ed3dafb348faee89ec52c42dd50e8c249b7803225e959e29ef3660fce7ae7cf84739b9d93eb520c774a08e7da73d5e5f54c88d55d

Download Submit
C:\Users\Admin\AppData\Local\Temp\639.tmp

Filesize
30KB

MD5
025761b21de842fadae111dd1e88fd29

SHA1
2ea24e07973d276add5ddf4ae5730393c5acf32e

SHA256
3e2b06d8bcf4ca4fd03633fb32de64728889542c4fe34695930f68a3a1b39a3c

SHA512
bb9fbbb1179ca2b7eea93daecd40b52d8a966049dd35d6d1ddee617f1eed995b44ff888ce33ec72a402de146087be255a17afe0d2052ee2ce6fe2702c99deee2

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
884B

MD5
edb70e0091a21ac94afe2a048549979c

SHA1
84121f1eb4ce53110475ead9515170b320291478

SHA256
e187da6700f91309e896681a308d52d7ceb0ce4ebf41a1cd7bca191b18f8716a

SHA512
aee14421ce7c4e26dea35fe47f54a0b2e05b751bbceb9ddf97c10d2506d5a521559b682092ed7f122eb88539a2a45eebfd04061fee0712c7e186f697603bb733

Download Submit
memory/2564-28-0x0000000000310000-0x000000000031F000-memory.dmp

Filesize
60KB

Download
memory/2564-30-0x0000000077550000-0x0000000077551000-memory.dmp

Filesize
4KB

Download
memory/2564-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2564-21-0x0000000000020000-0x0000000000038000-memory.dmp

Filesize
96KB

Download
memory/2564-24-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2564-26-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2564-27-0x0000000000250000-0x000000000025F000-memory.dmp

Filesize
60KB

Download
memory/2564-36-0x0000000000310000-0x000000000031F000-memory.dmp

Filesize
60KB

Download
memory/2564-29-0x0000000075740000-0x0000000075850000-memory.dmp

Filesize
1.1MB

Download
memory/2564-35-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2564-31-0x000000007754F000-0x0000000077550000-memory.dmp

Filesize
4KB

Download
memory/2564-34-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2564-33-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2896-32-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2896-3-0x00000000003C0000-0x00000000003EE000-memory.dmp

Filesize
184KB

Download
memory/2896-4-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2896-37-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads