67cc0faf38e8ee0d7fb18e055dcf66504f4677d05e2b263299787e7ea488e1ff

General

Target

7d1d719f317498e6f7f6d7b44b27ddf9.exe
Size

195KB
MD5

7d1d719f317498e6f7f6d7b44b27ddf9
SHA1

a82d38fc063afcb3585f0072b4510e3a1b13e55d
SHA256

67cc0faf38e8ee0d7fb18e055dcf66504f4677d05e2b263299787e7ea488e1ff
SHA512

f53505b0abd4874425cc9ea37ef902907f5d70c80d4168cbbf43aab70e38566a3780f604e994ac18c2b2bfdcdf24d6dd0f4720d21a90d85498acb0858d246f3d
SSDEEP

6144:2OwCLq5kf3M+d9tu/SuqZ7HKZPOQyy7qyz8J6u:2BGfeVqcZmHQT8Jz

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	7d1d719f317498e6f7f6d7b44b27ddf9.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	7d1d719f317498e6f7f6d7b44b27ddf9.exe

Executes dropped EXE 1 IoCs

pid	Process
2196	dplaysvr.exe

Loads dropped DLL 1 IoCs

pid	Process
2196	dplaysvr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	7d1d719f317498e6f7f6d7b44b27ddf9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	7d1d719f317498e6f7f6d7b44b27ddf9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	7d1d719f317498e6f7f6d7b44b27ddf9.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2196	dplaysvr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2196	2704	7d1d719f317498e6f7f6d7b44b27ddf9.exe	90
PID 2704 wrote to memory of 2196	2704	7d1d719f317498e6f7f6d7b44b27ddf9.exe	90
PID 2704 wrote to memory of 2196	2704	7d1d719f317498e6f7f6d7b44b27ddf9.exe	90

C:\Users\Admin\AppData\Local\Temp\7d1d719f317498e6f7f6d7b44b27ddf9.exe
"C:\Users\Admin\AppData\Local\Temp\7d1d719f317498e6f7f6d7b44b27ddf9.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\AppData\Local\dplaysvr.exe
  "C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\7d1d719f317498e6f7f6d7b44b27ddf9.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2196

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\52C3.tmp

Filesize
76KB

MD5
1ce1cfd0ed58d1202ad54e09b967c3b1

SHA1
074798baaeaa9f70da57ba325c8fdea4dbfe6106

SHA256
4906ea8d325eea92b2ef224f46e3868198269c5de164ebeca2148c68094ae87b

SHA512
674a80b9fb477e6ee76c3082196acd8ca85c5152436149a1289224d0360abb46ef9b18bfa74a948869bc74ae3aee2ab5c8d4df25e91925036e918b2eb662301c

Download Submit
C:\Users\Admin\AppData\Local\Temp\52C4.tmp

Filesize
133KB

MD5
d79aa72d33612fcae2577c92b2751151

SHA1
e95995c0f63911b7725fafa23c9c5b3b66ff4c3e

SHA256
031ca6a480ccfd8b36d3de8c0300aeabb2b8f456567495dfca9f68c2ca511e2c

SHA512
c5751de8e696b81379878a35d8e0086b436bfd7e8b5e60da66fae17721c066b76d64d5c8669e28cc9a4951d0f3dd71bcf3218eb08c194049cd56d7350051c628

Download Submit
C:\Users\Admin\AppData\Local\Temp\52C6.tmp

Filesize
884B

MD5
dd1a34efdfbf126ca8abec378480436f

SHA1
9acce3e10d6ae1a3720c55322861bb3f77a9f253

SHA256
014aa9166f5a7e33ef3bfb6a45b51a9f67caf205d951e5ca35dec3c05f48d895

SHA512
e77dbc5b4e107a5a7c6505ca2b07e7739d98c136abbe28af909931839ab387b57e24116b0dbf42aeafabf0726442087915748c552cbd55d5cdfdf8b011a42b08

Download Submit
memory/2196-25-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2196-29-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2196-37-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2196-22-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2196-21-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2196-23-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/2196-35-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/2196-34-0x00000000771B2000-0x00000000771B3000-memory.dmp

Filesize
4KB

Download
memory/2196-27-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2196-33-0x0000000000640000-0x0000000000665000-memory.dmp

Filesize
148KB

Download
memory/2196-31-0x0000000010000000-0x0000000010025000-memory.dmp

Filesize
148KB

Download
memory/2196-32-0x00000000005E0000-0x0000000000605000-memory.dmp

Filesize
148KB

Download
memory/2196-30-0x0000000000640000-0x0000000000665000-memory.dmp

Filesize
148KB

Download
memory/2704-2-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-1-0x00000000021E0000-0x0000000002214000-memory.dmp

Filesize
208KB

Download
memory/2704-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads