5fd8ec88ee573613440041bed9eaca56c74fac47e620e9b12f6c31be1a500682

General

Target

b81b1fc7669f866aec8cdc411f1a008f.exe
Size

176KB
MD5

b81b1fc7669f866aec8cdc411f1a008f
SHA1

b70ed913b06ade377bfae616c45111b9dee24073
SHA256

5fd8ec88ee573613440041bed9eaca56c74fac47e620e9b12f6c31be1a500682
SHA512

6dace3c60aa6504da0ced5f2c81f9ce0faeb9505dadb2993d44f714f0846692642fcbbfe70fa97b60fd573bff54630a81a93dab198e0fdb9725e94f9460e5448
SSDEEP

3072:cFOftfiq8/e5PBZ5CmuaveUyl2jEExRcAes:cFOFfz9BZ5CmuamUA2YExR

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	b81b1fc7669f866aec8cdc411f1a008f.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	b81b1fc7669f866aec8cdc411f1a008f.exe

Executes dropped EXE 1 IoCs

pid	Process
4064	dplaysvr.exe

Loads dropped DLL 1 IoCs

pid	Process
4064	dplaysvr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	b81b1fc7669f866aec8cdc411f1a008f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dplaysvr = "C:\\Users\\Admin\\AppData\\Local\\dplaysvr.exe"	b81b1fc7669f866aec8cdc411f1a008f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4796	4064	WerFault.exe	93

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	b81b1fc7669f866aec8cdc411f1a008f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 4064	4052	b81b1fc7669f866aec8cdc411f1a008f.exe	93
PID 4052 wrote to memory of 4064	4052	b81b1fc7669f866aec8cdc411f1a008f.exe	93
PID 4052 wrote to memory of 4064	4052	b81b1fc7669f866aec8cdc411f1a008f.exe	93

C:\Users\Admin\AppData\Local\Temp\b81b1fc7669f866aec8cdc411f1a008f.exe
"C:\Users\Admin\AppData\Local\Temp\b81b1fc7669f866aec8cdc411f1a008f.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Users\Admin\AppData\Local\dplaysvr.exe
  "C:\Users\Admin\AppData\Local\dplaysvr.exe" C:\Users\Admin\AppData\Local\Temp\b81b1fc7669f866aec8cdc411f1a008f.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 3332
    3⤵
    - Program crash
    PID:4796

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4064 -ip 4064
1⤵
PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3DD4.tmp

Filesize
76KB

MD5
7b9c92e2778bb2897edfcd72392b4dbe

SHA1
b7fbffcac0ed91051b022f6d373e877b9679f1df

SHA256
481cbbfb74118306ac0e9c6bc1d3410e177395a99388705c721087da338889d5

SHA512
cab13d93e9ae7f4a6827014ea154a850ed0eefdde24f9741767251727c354b520f9428b1e62d3eb86f7d6596044cfc7d793a9bc61a9b70a47bfe3a00c6b6f6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DD5.tmp

Filesize
54KB

MD5
cccf8a2b21e4e9067674aec6a66b0a23

SHA1
611c7a3bbe0b684885dba66e676b58da4e64b61a

SHA256
3074bbbf352888ea03a1af8c562137afdf3885e8be50e887e8fa25f1ab841b0c

SHA512
a18d95f9a79c09e7be0f527e7e47c2369142ba422f5ee1ad73359f769bbe272a43463b0a3e37144d546f50880fa8921768a4e000d6830408a60e01adbaed406d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3DD7.tmp

Filesize
884B

MD5
025c180d805b044648f7b34af5e59624

SHA1
28bbf0b8a600d413ccbf3db082e1b2544e3e8eb6

SHA256
c81cedd5d6e1868a45ee83df069a4f22795ab930adfc799f502dac476c380c8f

SHA512
36b3d3e8b9ff9773862830d817ec5daa31f1d144483ddd163f7966e79afd700c59fc616dfd765d670110e32961fc2bbc0753403e046d0c718d894d49b49c2d1f

Download Submit
memory/4052-0-0x00000000006F0000-0x0000000000720000-memory.dmp

Filesize
192KB

Download
memory/4052-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4052-22-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4052-29-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4064-20-0x00000000004D0000-0x00000000004E7000-memory.dmp

Filesize
92KB

Download
memory/4064-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4064-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4064-25-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/4064-26-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads