d3ea673dbf254d2fc268be67de969033983a375582f4a385d1600a359a1d451c

General

Target

Docx 90273030 PDF KADNlehp.exe
Size

142.2MB
MD5

0b8b8a28d85984ea421e78f312a263b7
SHA1

7390af01335044dbc7ba92ffb2737c525aeaa7e5
SHA256

d3ea673dbf254d2fc268be67de969033983a375582f4a385d1600a359a1d451c
SHA512

9128e36ee055bd05a635d590f82b03087c06f98b3fa30a2cbf18feca8d318a5d6a8ae9f0b4b842ae743eb804b7f8f0476da0c0a53102eabafca65b017051e1de
SSDEEP

49152:vzfYgT8f3q16SrNSZFNiNh1NxPYHgQcRWqmjYE/bYy38zAfdqRnNFF:vzfYdf3xsh1Nx8cRWqmjYE/URN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2312	DriverUpdaterProslsbgDriverManagementExpert.exe

Loads dropped DLL 1 IoCs

pid	Process
2380	Docx 90273030 PDF KADNlehp.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
23	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Docx 90273030 PDF KADNlehp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Docx 90273030 PDF KADNlehp.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	DriverUpdaterProslsbgDriverManagementExpert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DriverUpdaterProslsbgDriverManagementExpert.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	DriverUpdaterProslsbgDriverManagementExpert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	DriverUpdaterProslsbgDriverManagementExpert.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Docx 90273030 PDF KADNlehp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Docx 90273030 PDF KADNlehp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Docx 90273030 PDF KADNlehp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Docx 90273030 PDF KADNlehp.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	DriverUpdaterProslsbgDriverManagementExpert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	DriverUpdaterProslsbgDriverManagementExpert.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2380	Docx 90273030 PDF KADNlehp.exe
2380	Docx 90273030 PDF KADNlehp.exe
2380	Docx 90273030 PDF KADNlehp.exe
2380	Docx 90273030 PDF KADNlehp.exe
2312	DriverUpdaterProslsbgDriverManagementExpert.exe
2380	Docx 90273030 PDF KADNlehp.exe
2312	DriverUpdaterProslsbgDriverManagementExpert.exe
2312	DriverUpdaterProslsbgDriverManagementExpert.exe
2312	DriverUpdaterProslsbgDriverManagementExpert.exe
2312	DriverUpdaterProslsbgDriverManagementExpert.exe
2312	DriverUpdaterProslsbgDriverManagementExpert.exe
2312	DriverUpdaterProslsbgDriverManagementExpert.exe
2312	DriverUpdaterProslsbgDriverManagementExpert.exe
2312	DriverUpdaterProslsbgDriverManagementExpert.exe
2312	DriverUpdaterProslsbgDriverManagementExpert.exe
2312	DriverUpdaterProslsbgDriverManagementExpert.exe
2312	DriverUpdaterProslsbgDriverManagementExpert.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2380	Docx 90273030 PDF KADNlehp.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2312	2380	Docx 90273030 PDF KADNlehp.exe	28
PID 2380 wrote to memory of 2312	2380	Docx 90273030 PDF KADNlehp.exe	28
PID 2380 wrote to memory of 2312	2380	Docx 90273030 PDF KADNlehp.exe	28
PID 2380 wrote to memory of 2312	2380	Docx 90273030 PDF KADNlehp.exe	28
PID 2380 wrote to memory of 2312	2380	Docx 90273030 PDF KADNlehp.exe	28
PID 2380 wrote to memory of 2312	2380	Docx 90273030 PDF KADNlehp.exe	28
PID 2380 wrote to memory of 2312	2380	Docx 90273030 PDF KADNlehp.exe	28

C:\Users\Admin\AppData\Local\Temp\Docx 90273030 PDF KADNlehp.exe
"C:\Users\Admin\AppData\Local\Temp\Docx 90273030 PDF KADNlehp.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380
- C:\ProgramData\FastDriverFinderzfxifTotalDriverScan\DriverUpdaterProslsbgDriverManagementExpert.exe
  "C:\ProgramData\FastDriverFinderzfxifTotalDriverScan\DriverUpdaterProslsbgDriverManagementExpert.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FastDriverFinderzfxifTotalDriverScan\DriverUpdaterProslsbgDriverManagementExpert.exe

Filesize
5.7MB

MD5
726e5d5a15976b9902cf1e4c30f39c68

SHA1
1272689fb1a97372ddcd36028a4afd0175907f43

SHA256
f2f96ed059da38e98909767adce115b3a2ab7b5817d4ca84575c1c47a7ef74f2

SHA512
5e7e03754d75c6e6008a2e22c27179216d4b8071fb33932e8d56ec504ba562dbd24a9890f651bd5ca46f55ae615f46468a5a5ce739c4d5acc19ad6cfd7f530e0

Download Submit
C:\ProgramData\FastDriverFinderzfxifTotalDriverScan\DriverUpdaterProslsbgDriverManagementExpert.exe

Filesize
1.4MB

MD5
389983258db02a3f0c95de15d13f7bea

SHA1
77753cd06a357367300897118e703924a3e76e40

SHA256
a457ac72dbfdb220155eecde1773c9a20618b9ebc5222159298a15ebb7d06582

SHA512
429a55ae2454cf0230e7e2b568b06bb6a0bb3e44e9b9982fbce40e47b0e8e227de14b96bfa52ad33d0881fd01cd049422c0e5e14ce08c579618a17ea42d330f8

Download Submit
C:\ProgramData\FastDriverFinderzfxifTotalDriverScan\DriverUpdaterProslsbgDriverManagementExpert.exe

Filesize
1.3MB

MD5
d50afa24ed18cde00ca7552b90291644

SHA1
ffa5546f08fca79eecd8ed935c49bf032c81d69e

SHA256
15f0460bc19872458574877e1010b1549407ac94fb9633860efdd692dfc71db5

SHA512
b114506656cd740968621780e7142a8caec1a84cbd49bfc58c62853b817055a401fbeb011f31a594707860bede9747f2e76bd6f67701d1309b99e09821285141

Download Submit
C:\Users\Public\FastDriverFinderzfxifTotalDriverScan\QevireHcqngreCebfyfotQevireZnantrzragRkcreg.cfg

Filesize
1KB

MD5
2172c8167f66b2185af50b2ffb8dbcb5

SHA1
37a1b4d57d5646df4b8d5358d3e62d9631c943f5

SHA256
bc78ed8fa6c3b965989174b194256de36e3a0a9c38596cc114e09a0e8539132c

SHA512
8eacbe3dd6145d1ab36e4a4617b18a7bf151a00cda8841f67250a52299250e10a57c3178d1aeb333eed6d84a3e4f9e34592d62fa928aef8284341139c561337d

Download Submit
\ProgramData\FastDriverFinderzfxifTotalDriverScan\DriverUpdaterProslsbgDriverManagementExpert.exe

Filesize
1.7MB

MD5
76208f012f4b9878d59fdde94397a4fd

SHA1
ff630279419bcf64cfd367d2489113dd2bb52545

SHA256
27b1cd742a1359fb16612fe3233d49ac3023528073b09fbcd77245c003690ed7

SHA512
1a289a07c485ba9b65a61861cf469ad603b87ce7ba2a87d03a76a90e6e6ebf3c0abce1c065fd31f3c0b04cc8acabad18b6dacb682e0c874c099343ae06b000a3

Download Submit
memory/2312-335-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2312-386-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2312-339-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2312-325-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2312-336-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2312-328-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2312-331-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2380-323-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2380-333-0x0000000000EA0000-0x0000000001EA0000-memory.dmp

Filesize
16.0MB

Download
memory/2380-327-0x0000000000EA0000-0x0000000001EA0000-memory.dmp

Filesize
16.0MB

Download
memory/2380-0-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2380-317-0x0000000000EA0000-0x0000000001EA0000-memory.dmp

Filesize
16.0MB

Download
memory/2380-15-0x0000000000EA0000-0x0000000001EA0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads