fee6c20ff91039b8aaf23eccf19fd2e66b35670bcf5d20f9d4ca79e15dd1d5af

General

Target

GeForce_Experience_v3.27.0.120.exe
Size

125.8MB
MD5

3ddce7921a97b87a94c0d55cf1f0b0db
SHA1

df844fe010101c9faa36e880bb87b25a2ea741d8
SHA256

fee6c20ff91039b8aaf23eccf19fd2e66b35670bcf5d20f9d4ca79e15dd1d5af
SHA512

e491b437b8ebada92292d1fa3556f374fa3ad590b63332e374b1be2817aefd23cab143f9251a5f260f5f71441d4ef75cff1a6e60c283019825b40955eaff7c40
SSDEEP

3145728:mku+sWNWb+yg2fpokYeDY0gQyrbyQauJY8:S/WNa+yvGe00gQyreua8

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1748	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
2156	GeForce_Experience_v3.27.0.120.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\801D62D07B449D5C5C035C98EA61FA443C2A58FE	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\801D62D07B449D5C5C035C98EA61FA443C2A58FE\Blob = 0f0000000100000014000000f53631b5177626eb6541df5563c8187d9dca421a09000000010000005e000000305c06082b0601050507030306082b0601050507030106082b0601050507030206082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b06010505070308060a2b0601040182370a030453000000010000002400000030223020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c014000000010000001400000055e481d11180bed889b908a331f9a1240916b9701d0000000100000010000000e871723e266f38af5d49cda2a502669c0b000000010000001000000045006e00740072007500730074000000030000000100000014000000801d62d07b449d5c5c035c98ea61fa443c2a58fe2000000001000000600400003082045c30820344a00302010202043863b966300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3139313232343138323035315a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3743072301106096086480186f8420101040403020007301f0603551d2304183016801455e481d11180bed889b908a331f9a1240916b970301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970301d06092a864886f67d0741000410300e1b0856352e303a342e3003020490300d06092a864886f70d010105050003820101005947ac21848a17c99c89531eba80851ac63c4e3eb19cb67cc6925d186402e3d3060811617c63e32b9d31037076d2a328a0f4bb9a6373ed6de52adbed14a92bc63611d02beb078ba5da9e5c199d5612f55429c805edb2122a8df4031bffe7921087b03ab5c39d053712a3c7f415b9d5a439169b533a2391f1a882a26a8868c1790222bcaaa6d6aedfb0145fb887d0dd7c7f7bffaf1ccfe6db07ad5edb859dd02b0d33db04d1e64940132b76fb3ee99c890f15ce18b08578214f6b4f0efa3667cd07f2ff08d0e2ded9bf2aafb88786213c04cab794687fcf3ce998d738ffecc0d950f02e4b58ae466fd02ec360da725572bd4c459e61babf84819203d1d2697cc5	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\801D62D07B449D5C5C035C98EA61FA443C2A58FE\Blob = 19000000010000001000000091fad483f14848a8a69b18b805cdbb3a030000000100000014000000801d62d07b449d5c5c035c98ea61fa443c2a58fe0b000000010000001000000045006e007400720075007300740000001d0000000100000010000000e871723e266f38af5d49cda2a502669c14000000010000001400000055e481d11180bed889b908a331f9a1240916b97053000000010000002400000030223020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c009000000010000005e000000305c06082b0601050507030306082b0601050507030106082b0601050507030206082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b06010505070308060a2b0601040182370a03040f0000000100000014000000f53631b5177626eb6541df5563c8187d9dca421a2000000001000000600400003082045c30820344a00302010202043863b966300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3139313232343138323035315a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3743072301106096086480186f8420101040403020007301f0603551d2304183016801455e481d11180bed889b908a331f9a1240916b970301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970301d06092a864886f67d0741000410300e1b0856352e303a342e3003020490300d06092a864886f70d010105050003820101005947ac21848a17c99c89531eba80851ac63c4e3eb19cb67cc6925d186402e3d3060811617c63e32b9d31037076d2a328a0f4bb9a6373ed6de52adbed14a92bc63611d02beb078ba5da9e5c199d5612f55429c805edb2122a8df4031bffe7921087b03ab5c39d053712a3c7f415b9d5a439169b533a2391f1a882a26a8868c1790222bcaaa6d6aedfb0145fb887d0dd7c7f7bffaf1ccfe6db07ad5edb859dd02b0d33db04d1e64940132b76fb3ee99c890f15ce18b08578214f6b4f0efa3667cd07f2ff08d0e2ded9bf2aafb88786213c04cab794687fcf3ce998d738ffecc0d950f02e4b58ae466fd02ec360da725572bd4c459e61babf84819203d1d2697cc5	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\801D62D07B449D5C5C035C98EA61FA443C2A58FE\Blob = 040000000100000010000000ba21ea20d6dddb8fc1578b40ada1fcfc0f0000000100000014000000f53631b5177626eb6541df5563c8187d9dca421a09000000010000005e000000305c06082b0601050507030306082b0601050507030106082b0601050507030206082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b06010505070308060a2b0601040182370a030453000000010000002400000030223020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c014000000010000001400000055e481d11180bed889b908a331f9a1240916b9701d0000000100000010000000e871723e266f38af5d49cda2a502669c0b000000010000001000000045006e00740072007500730074000000030000000100000014000000801d62d07b449d5c5c035c98ea61fa443c2a58fe19000000010000001000000091fad483f14848a8a69b18b805cdbb3a2000000001000000600400003082045c30820344a00302010202043863b966300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3139313232343138323035315a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3743072301106096086480186f8420101040403020007301f0603551d2304183016801455e481d11180bed889b908a331f9a1240916b970301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970301d06092a864886f67d0741000410300e1b0856352e303a342e3003020490300d06092a864886f70d010105050003820101005947ac21848a17c99c89531eba80851ac63c4e3eb19cb67cc6925d186402e3d3060811617c63e32b9d31037076d2a328a0f4bb9a6373ed6de52adbed14a92bc63611d02beb078ba5da9e5c199d5612f55429c805edb2122a8df4031bffe7921087b03ab5c39d053712a3c7f415b9d5a439169b533a2391f1a882a26a8868c1790222bcaaa6d6aedfb0145fb887d0dd7c7f7bffaf1ccfe6db07ad5edb859dd02b0d33db04d1e64940132b76fb3ee99c890f15ce18b08578214f6b4f0efa3667cd07f2ff08d0e2ded9bf2aafb88786213c04cab794687fcf3ce998d738ffecc0d950f02e4b58ae466fd02ec360da725572bd4c459e61babf84819203d1d2697cc5	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1748	2156	GeForce_Experience_v3.27.0.120.exe	28
PID 2156 wrote to memory of 1748	2156	GeForce_Experience_v3.27.0.120.exe	28
PID 2156 wrote to memory of 1748	2156	GeForce_Experience_v3.27.0.120.exe	28
PID 2156 wrote to memory of 1748	2156	GeForce_Experience_v3.27.0.120.exe	28
PID 2156 wrote to memory of 1748	2156	GeForce_Experience_v3.27.0.120.exe	28
PID 2156 wrote to memory of 1748	2156	GeForce_Experience_v3.27.0.120.exe	28
PID 2156 wrote to memory of 1748	2156	GeForce_Experience_v3.27.0.120.exe	28

C:\Users\Admin\AppData\Local\Temp\GeForce_Experience_v3.27.0.120.exe
"C:\Users\Admin\AppData\Local\Temp\GeForce_Experience_v3.27.0.120.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\NVIDIA\GFE\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\NVIDIA\GFE\setup.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab8AB5.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NVIDIA\GFE\NVI2\NVI2.DLL

Filesize
5.6MB

MD5
81d73ef370d492b5a342640857487c56

SHA1
f3ece87ecf3928afba415efc2e1f75c238379bdb

SHA256
733d40d7ebbc1866039b6b727e2eab618e04cdea7d10e775371c1752fb78c76d

SHA512
0090b442bddf78e1ad32fa9aef73a6de5356d84285d7193bd9c952217cfa000749303b2637309642fa3b228390f588c2068237150984dd3c7a90cf373437c09c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar93AD.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\NVIDIA\GFE\setup.exe

Filesize
632KB

MD5
4d9b788901548301b8f4cc32817b3fad

SHA1
07dded6cc951a3fdbc4bdad19188036a95939600

SHA256
296b2ad647c2d3313cbab5b536d91d476f58bfb91184e3e8ec5e824fad5cd0f4

SHA512
fb39ad86e47518a56909e6927515dd8712bb6c0e9e234e38eeaa3fb1f745fa7d245790c091dc759fdfb92ad02b698a8c7a3b0202c768b64b217dc7aa4b6de512

Download Submit

Analysis

Sharing