ce6abe055604dd9ecf00f16270f702cf5cde0937321213c458af03cc12e3331c

General

Target

4fd19e172f2d1b6bd0f7406b89a55e73.exe
Size

187KB
MD5

4fd19e172f2d1b6bd0f7406b89a55e73
SHA1

a068836eb57ecbf80dc407f385e55fa79edc1494
SHA256

ce6abe055604dd9ecf00f16270f702cf5cde0937321213c458af03cc12e3331c
SHA512

0c45494d1b5698c9c19831cbab24b8924b3b5a5ffb325fdb7c55c3892e5c11304288c2aa76f27a0d76cc6f56a710c24bb2af13219d3ea3d29eca49a4a35d7150
SSDEEP

3072:DNdo5/O8yhtFKGnWkkJRrbXjDb7bDl3wDzTKFhe0y2/RXLU99q:xlrhtFKGWrbXjPAzTKFN9pXD

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	4fd19e172f2d1b6bd0f7406b89a55e73.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	4fd19e172f2d1b6bd0f7406b89a55e73.exe

Executes dropped EXE 1 IoCs

pid	Process
548	dplaysvr.exe

Loads dropped DLL 1 IoCs

pid	Process
548	dplaysvr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	4fd19e172f2d1b6bd0f7406b89a55e73.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	4fd19e172f2d1b6bd0f7406b89a55e73.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4fd19e172f2d1b6bd0f7406b89a55e73.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
548	dplaysvr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 548	4232	4fd19e172f2d1b6bd0f7406b89a55e73.exe	95
PID 4232 wrote to memory of 548	4232	4fd19e172f2d1b6bd0f7406b89a55e73.exe	95
PID 4232 wrote to memory of 548	4232	4fd19e172f2d1b6bd0f7406b89a55e73.exe	95

C:\Users\Admin\AppData\Local\Temp\4fd19e172f2d1b6bd0f7406b89a55e73.exe
"C:\Users\Admin\AppData\Local\Temp\4fd19e172f2d1b6bd0f7406b89a55e73.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\dplaysvr.exe
  "C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\4fd19e172f2d1b6bd0f7406b89a55e73.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:548

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7308.tmp

Filesize
94KB

MD5
677928162cce5f9b485cfb5fca5b33e2

SHA1
971edab96730263b1d828c184091319359fd0f24

SHA256
779ca161ee4256fcf88ba41a71002fdcce609378a9ea0169ebc306cd54f96f21

SHA512
6168e5b3f4a13e42038867d79aca1b648f0177f4c4749e03360a89c9ac14657ae57ea086fd9071e1ebbb1a870f5f5692ddf6879ce2b10bc9972face6032427df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7309.tmp

Filesize
16KB

MD5
b4ee34fe10251a176083d4cf77a38710

SHA1
d2022a54da11c83a00cad689541ada063f361931

SHA256
12ad8b25d072a355bc5936566d9e6325ba2e51df0daa1a35b10e5c9d9014f0a1

SHA512
319a83a2ea3ba9bc8a7c13e06dedd1327d47caf1873b14c7dba2f038a425dfc055b4415d2490ad462739b343ecac4b09e3578f0f94bda56d8dfb6ff838e63f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\730B.tmp

Filesize
882B

MD5
d9dc78b1be3d670726c00679c7f3b14b

SHA1
b269e7e97ea12365a39a3037b9e7c7561019d0ff

SHA256
5fdd84fdbb9a3cbd2e70232d0c8d8ecbe9b25dabafbaa48a341c27b01057f041

SHA512
89e00860d64bd21ba33985087a1fdde2f33e762fd5eecf812e68d45a9f81e36a7d6cafabc0a4aac4d48abe32e64bc12cb45f6f10bcf44ff9c2beaedb51a20681

Download Submit
memory/548-28-0x0000000002080000-0x000000000209D000-memory.dmp

Filesize
116KB

Download
memory/548-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/548-46-0x00000000022A0000-0x0000000002302000-memory.dmp

Filesize
392KB

Download
memory/548-45-0x00000000022A0000-0x000000000233D000-memory.dmp

Filesize
628KB

Download
memory/548-27-0x00000000005C0000-0x00000000005D1000-memory.dmp

Filesize
68KB

Download
memory/548-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/548-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/548-39-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/548-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/548-38-0x0000000077252000-0x0000000077253000-memory.dmp

Filesize
4KB

Download
memory/4232-8-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4232-0-0x00000000021E0000-0x000000000220C000-memory.dmp

Filesize
176KB

Download
memory/4232-42-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4232-1-0x0000000002210000-0x0000000002245000-memory.dmp

Filesize
212KB

Download
memory/4232-2-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads