7250737c9c7a2c0bf8e838271e34e4b0f7f17ef8ac871cd32ccdb3e17ed0120f

General

Target

8c6c1b198d895aacf4ccea121fbde47c.exe
Size

191KB
MD5

8c6c1b198d895aacf4ccea121fbde47c
SHA1

0e6c1ba1f7dd454c509dca64bc2f43365f0b23fd
SHA256

7250737c9c7a2c0bf8e838271e34e4b0f7f17ef8ac871cd32ccdb3e17ed0120f
SHA512

b545d0ada76bd29904502b53d2ad20b1efe08cc0925232e7b8b7304d7906bef6e6791e368242dbc7398a8a0f33b449120e9ca0c1e54a2e5e7baa314238219db4
SSDEEP

3072:p5esEn3NM0iAseO13gbnXp4HN2uY3EeWpzGZvlnSwFoCDvbO/4opwu:zCq0SepXpoN2uY3Ee8zalHFNDTOAa

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

8c6c1b198d895aacf4ccea121fbde47c.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts 8c6c1b198d895aacf4ccea121fbde47c.exe
Executes dropped EXE 1 IoCs

Processes:

dplaysvr.exe

pid process

2732 dplaysvr.exe
Loads dropped DLL 3 IoCs

Processes:

8c6c1b198d895aacf4ccea121fbde47c.exedplaysvr.exe

pid process

1640 8c6c1b198d895aacf4ccea121fbde47c.exe
1640 8c6c1b198d895aacf4ccea121fbde47c.exe
2732 dplaysvr.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	8c6c1b198d895aacf4ccea121fbde47c.exe

pid	process
2732	dplaysvr.exe

pid	process
1640	8c6c1b198d895aacf4ccea121fbde47c.exe
1640	8c6c1b198d895aacf4ccea121fbde47c.exe
2732	dplaysvr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8c6c1b198d895aacf4ccea121fbde47c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	8c6c1b198d895aacf4ccea121fbde47c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	8c6c1b198d895aacf4ccea121fbde47c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dplaysvr.exe

pid process

2732 dplaysvr.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

8c6c1b198d895aacf4ccea121fbde47c.exedplaysvr.exe

pid process

1640 8c6c1b198d895aacf4ccea121fbde47c.exe
2732 dplaysvr.exe

pid	process
2732	dplaysvr.exe

pid	process
1640	8c6c1b198d895aacf4ccea121fbde47c.exe
2732	dplaysvr.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

8c6c1b198d895aacf4ccea121fbde47c.exe

description	pid	process	target process
PID 1640 wrote to memory of 2732	1640	8c6c1b198d895aacf4ccea121fbde47c.exe	dplaysvr.exe
PID 1640 wrote to memory of 2732	1640	8c6c1b198d895aacf4ccea121fbde47c.exe	dplaysvr.exe
PID 1640 wrote to memory of 2732	1640	8c6c1b198d895aacf4ccea121fbde47c.exe	dplaysvr.exe
PID 1640 wrote to memory of 2732	1640	8c6c1b198d895aacf4ccea121fbde47c.exe	dplaysvr.exe

C:\Users\Admin\AppData\Local\Temp\8c6c1b198d895aacf4ccea121fbde47c.exe
"C:\Users\Admin\AppData\Local\Temp\8c6c1b198d895aacf4ccea121fbde47c.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\dplaysvr.exe
"C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\8c6c1b198d895aacf4ccea121fbde47c.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:2732

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:2248

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5744.tmp
Filesize
81KB

MD5
5569f25dfd9fda8b503a3bd9e16ddd47

SHA1
f8185aa05a1f24daefe97cf7593db45a69539489

SHA256
0e3bcf6d2e646b3025c6c8d7c70d4b36c0534076af1554b05b682460cd6c5955

SHA512
b07b6674c160947e253fedc2e7b3c07d97d545acbf043980771ba941f786e5f7f283f6a9f3d92b42b8aca3ecf7c8f21763ff2d21143829117581bc74fda796b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5745.tmp
Filesize
52KB

MD5
d99c8c5e66f0e9407591b0dc386d80c0

SHA1
67070c06a317ab0686e0080317b59f20a58e6403

SHA256
2dfaeabd8cff4d556e481308d200e0b2a683b7bbc89ac8a5ab4d10fe0a08fbb5

SHA512
b7e54e9ca534076d235c42b2b3e4595260a8e1263e0188e449f73d594ec72108dbb16fde8fc98e7a4f530f1f541af03bce1e57f12392a0a3a3cd0ed0522cf0e0

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
884B

MD5
53c2b14b258594b29d3d8aa172e93e66

SHA1
bec86a56ce8280abfb196a725db751c3be36c554

SHA256
2c7c7f676a02b7b09b66e3be5c99e22b59f14955c5eaa0c12ba3b4d80d527015

SHA512
2ecf62675d5c74d681010beb65a55555266ad067dde01ae57ec3db0d551df9d8160c50d2b6f9a6a0f44a7bea9ed6744dc95e69ebadfb4b35f46191ef1cfabaa7

Download Submit
memory/1640-4-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-0-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1640-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-28-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2732-24-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2732-29-0x00000000772D0000-0x00000000772D1000-memory.dmp

Filesize
4KB

Download
memory/2732-26-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2732-27-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/2732-30-0x0000000076DA0000-0x0000000076EB0000-memory.dmp

Filesize
1.1MB

Download
memory/2732-33-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2732-31-0x00000000772CF000-0x00000000772D0000-memory.dmp

Filesize
4KB

Download
memory/2732-34-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2732-22-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2732-35-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2732-36-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2732-21-0x0000000000230000-0x0000000000249000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads