2235290b1ef78b3417ef56c6d40edb4a8143bb1a4d241411f1ee3e3f631eb726

General

Target

54e774a831ae65d320a56309b2031571.exe
Size

173KB
MD5

54e774a831ae65d320a56309b2031571
SHA1

c1a900133243bfc8b5197577be45514a310a063c
SHA256

2235290b1ef78b3417ef56c6d40edb4a8143bb1a4d241411f1ee3e3f631eb726
SHA512

63340f9267b04cf186167892a77f204ca760c21ef65006039ae6c17058ba23bd90f092275ccd2e9f9d7904dc06b89384485d4fcefd98d451fcb8222d9d7b0f93
SSDEEP

3072:q9tuNgbNR5Z9V9wyN6SZhk7wj5ZBmrntdqDpFau6WVUu2A4k16Jw/:VNgbz5x9wyN6SZC7S5ZBmrLqdFmch4zw

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	54e774a831ae65d320a56309b2031571.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	54e774a831ae65d320a56309b2031571.exe

Executes dropped EXE 1 IoCs

pid	Process
4296	dplaysvr.exe

Loads dropped DLL 1 IoCs

pid	Process
4296	dplaysvr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	54e774a831ae65d320a56309b2031571.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	54e774a831ae65d320a56309b2031571.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	54e774a831ae65d320a56309b2031571.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4296	dplaysvr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 4296	2628	54e774a831ae65d320a56309b2031571.exe	21
PID 2628 wrote to memory of 4296	2628	54e774a831ae65d320a56309b2031571.exe	21
PID 2628 wrote to memory of 4296	2628	54e774a831ae65d320a56309b2031571.exe	21

C:\Users\Admin\AppData\Local\Temp\54e774a831ae65d320a56309b2031571.exe
"C:\Users\Admin\AppData\Local\Temp\54e774a831ae65d320a56309b2031571.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Local\dplaysvr.exe
  "C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\54e774a831ae65d320a56309b2031571.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4296

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\495D.tmp

Filesize
72KB

MD5
ee474aeb47ec5bd89d9adedd0d330715

SHA1
407899ebcd465aeec513c9059c5db5c2fd8f3f35

SHA256
02e8b9c583fdcfa44fbcdef3c00d468181e60c2258cf414e6534a9ea33adc966

SHA512
f7783e2b4b59a6f6fe3fea4bb51764f8d4eda8bf8c6a0631f8553490414507f17c16d86d6124a6e2d2ced65c351f7e6b6c199a604f2f73fcc37e6ec2917fef34

Download Submit
C:\Users\Admin\AppData\Local\dplayx.dll

Filesize
51KB

MD5
13ec4fb33c3851da40032490cec94cae

SHA1
05716c77843043afb05ccc68eb84b7212b0bf45c

SHA256
f0c2a8bb7ebcb415d51822c50f7f2fa9065597177583fd9b463ae28056ed2014

SHA512
a7237a005311d1da0104223d5de2d0d834d3726cc5e905610615647c9b5e00ec970aa7c97a703708abe82b4c24433893b2f18ddb9ec69ddfd5e4719ab9383807

Download Submit
memory/2628-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2628-1-0x00000000021C0000-0x00000000021EE000-memory.dmp

Filesize
184KB

Download
memory/2628-2-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2628-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2628-40-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4296-21-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4296-25-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4296-22-0x0000000000690000-0x00000000006A5000-memory.dmp

Filesize
84KB

Download
memory/4296-27-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4296-29-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4296-31-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4296-32-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/4296-30-0x0000000000700000-0x0000000000710000-memory.dmp

Filesize
64KB

Download
memory/4296-33-0x0000000000700000-0x0000000000710000-memory.dmp

Filesize
64KB

Download
memory/4296-35-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/4296-34-0x0000000077662000-0x0000000077663000-memory.dmp

Filesize
4KB

Download
memory/4296-37-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4296-23-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads