2235290b1ef78b3417ef56c6d40edb4a8143bb1a4d241411f1ee3e3f631eb726

General

Target

54e774a831ae65d320a56309b2031571.exe
Size

173KB
MD5

54e774a831ae65d320a56309b2031571
SHA1

c1a900133243bfc8b5197577be45514a310a063c
SHA256

2235290b1ef78b3417ef56c6d40edb4a8143bb1a4d241411f1ee3e3f631eb726
SHA512

63340f9267b04cf186167892a77f204ca760c21ef65006039ae6c17058ba23bd90f092275ccd2e9f9d7904dc06b89384485d4fcefd98d451fcb8222d9d7b0f93
SSDEEP

3072:q9tuNgbNR5Z9V9wyN6SZhk7wj5ZBmrntdqDpFau6WVUu2A4k16Jw/:VNgbz5x9wyN6SZC7S5ZBmrLqdFmch4zw

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	54e774a831ae65d320a56309b2031571.exe

Executes dropped EXE 1 IoCs

pid	Process
2932	dplaysvr.exe

Loads dropped DLL 3 IoCs

pid	Process
2960	54e774a831ae65d320a56309b2031571.exe
2960	54e774a831ae65d320a56309b2031571.exe
2932	dplaysvr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	54e774a831ae65d320a56309b2031571.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	54e774a831ae65d320a56309b2031571.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2932	dplaysvr.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2960	54e774a831ae65d320a56309b2031571.exe
2932	dplaysvr.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2932	2960	54e774a831ae65d320a56309b2031571.exe	29
PID 2960 wrote to memory of 2932	2960	54e774a831ae65d320a56309b2031571.exe	29
PID 2960 wrote to memory of 2932	2960	54e774a831ae65d320a56309b2031571.exe	29
PID 2960 wrote to memory of 2932	2960	54e774a831ae65d320a56309b2031571.exe	29

C:\Users\Admin\AppData\Local\Temp\54e774a831ae65d320a56309b2031571.exe
"C:\Users\Admin\AppData\Local\Temp\54e774a831ae65d320a56309b2031571.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\dplaysvr.exe
  "C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\54e774a831ae65d320a56309b2031571.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  PID:2932

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8B9D.tmp

Filesize
72KB

MD5
ee474aeb47ec5bd89d9adedd0d330715

SHA1
407899ebcd465aeec513c9059c5db5c2fd8f3f35

SHA256
02e8b9c583fdcfa44fbcdef3c00d468181e60c2258cf414e6534a9ea33adc966

SHA512
f7783e2b4b59a6f6fe3fea4bb51764f8d4eda8bf8c6a0631f8553490414507f17c16d86d6124a6e2d2ced65c351f7e6b6c199a604f2f73fcc37e6ec2917fef34

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B9E.tmp

Filesize
51KB

MD5
13ec4fb33c3851da40032490cec94cae

SHA1
05716c77843043afb05ccc68eb84b7212b0bf45c

SHA256
f0c2a8bb7ebcb415d51822c50f7f2fa9065597177583fd9b463ae28056ed2014

SHA512
a7237a005311d1da0104223d5de2d0d834d3726cc5e905610615647c9b5e00ec970aa7c97a703708abe82b4c24433893b2f18ddb9ec69ddfd5e4719ab9383807

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
882B

MD5
dfacd03b4a800507e85677733cc3712a

SHA1
db5b14eb23801b68b90e578bdedc6f6b4327639c

SHA256
478f83def583d7305fa43f3efc606b14b0842cc446e39aae552bb5ca1b3c73ae

SHA512
67e015f7d98a62cf9e1ab628b2e9b618ffe9ada70f13704d7aa5991856497b40b67e22c95e257ef595d1ac7b9986ce0448b5fdd43505aa6ef269af96c0e9f302

Download Submit
memory/2932-36-0x0000000075600000-0x0000000075710000-memory.dmp

Filesize
1.1MB

Download
memory/2932-32-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2932-40-0x0000000001B90000-0x0000000001BA0000-memory.dmp

Filesize
64KB

Download
memory/2932-38-0x0000000001BA0000-0x0000000001BA1000-memory.dmp

Filesize
4KB

Download
memory/2932-39-0x0000000001C00000-0x0000000001C01000-memory.dmp

Filesize
4KB

Download
memory/2932-24-0x00000000003E0000-0x00000000003F5000-memory.dmp

Filesize
84KB

Download
memory/2932-25-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2932-37-0x000000007708F000-0x0000000077090000-memory.dmp

Filesize
4KB

Download
memory/2932-29-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2932-31-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2932-33-0x0000000001B90000-0x0000000001BA0000-memory.dmp

Filesize
64KB

Download
memory/2932-34-0x0000000001B90000-0x0000000001BA0000-memory.dmp

Filesize
64KB

Download
memory/2932-28-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2932-35-0x0000000077090000-0x0000000077091000-memory.dmp

Filesize
4KB

Download
memory/2960-4-0x00000000002F0000-0x000000000031E000-memory.dmp

Filesize
184KB

Download
memory/2960-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2960-26-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2960-23-0x0000000002F10000-0x0000000002F25000-memory.dmp

Filesize
84KB

Download
memory/2960-20-0x0000000002F10000-0x0000000002F25000-memory.dmp

Filesize
84KB

Download
memory/2960-5-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2960-41-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads