de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634

Analysis

max time kernel
148s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Size

76KB
MD5

34e05a048fbce8fa1a99022ba8e56785
SHA1

eb971a48ff415aac3f7f480d03e245f4a10ae60b
SHA256

de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634
SHA512

e68bd63234b2c07c0117e0cdb2ca61a42325bc1ad0711d608f8f4a57cbe0fa5b59433d89aebf6d50ecdfadd0a7e330be10a93e296694b95fef1d8f70ab8344ac
SSDEEP

768:QM34MSL0OXIxDMyDRjFVZrhgFwumSCbxTGy/BBGg4NK8jhh/vn2+mRcDkUCXVBnz:74M1OX8MUu3abBGy3G8srcfJ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ndsv.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ndsv.exe

Executes dropped EXE 1 IoCs

pid	Process
548	ndsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2148	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
2148	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	ndsv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	ndsv.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	ndsv.exe
File opened (read-only)	\??\W:	ndsv.exe
File opened (read-only)	\??\X:	ndsv.exe
File opened (read-only)	\??\Z:	ndsv.exe
File opened (read-only)	\??\R:	ndsv.exe
File opened (read-only)	\??\T:	ndsv.exe
File opened (read-only)	\??\U:	ndsv.exe
File opened (read-only)	\??\E:	ndsv.exe
File opened (read-only)	\??\I:	ndsv.exe
File opened (read-only)	\??\J:	ndsv.exe
File opened (read-only)	\??\K:	ndsv.exe
File opened (read-only)	\??\L:	ndsv.exe
File opened (read-only)	\??\H:	ndsv.exe
File opened (read-only)	\??\M:	ndsv.exe
File opened (read-only)	\??\O:	ndsv.exe
File opened (read-only)	\??\P:	ndsv.exe
File opened (read-only)	\??\Y:	ndsv.exe
File opened (read-only)	\??\B:	ndsv.exe
File opened (read-only)	\??\G:	ndsv.exe
File opened (read-only)	\??\N:	ndsv.exe
File opened (read-only)	\??\Q:	ndsv.exe
File opened (read-only)	\??\V:	ndsv.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\Desktop.sysm	ndsv.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	ndsv.exe
File created	\??\c:\windows\SysWOW64\maxtrox.txt	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
File created	\??\c:\windows\SysWOW64\Windows 3D.scr	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	ndsv.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	ndsv.exe

Drops file in Program Files directory 62 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	ndsv.exe
File created	\??\c:\Program Files\Mozilla Firefox\updater.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	ndsv.exe
File created	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\private_browsing.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wab.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPDMC.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\private_browsing.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Journal\PDIALOG.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	ndsv.exe
File created	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	ndsv.exe
File created	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpenc.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MSASCui.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	ndsv.exe
File created	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	ndsv.exe
File created	\??\c:\Program Files\7-Zip\Uninstall.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\sidebar.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	ndsv.exe
File created	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpCmdRun.exe	ndsv.exe
File created	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	ndsv.exe
File created	\??\c:\Program Files\Mozilla Firefox\private_browsing.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	ndsv.exe
File created	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	ndsv.exe
File created	\??\c:\Program Files\Mozilla Firefox\firefox.exe	ndsv.exe
File created	\??\c:\Program Files\7-Zip\7z.exe	ndsv.exe
File created	\??\c:\Program Files\7-Zip\7zG.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	ndsv.exe
File created	\??\c:\Program Files\7-Zip\7zFM.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	ndsv.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	ndsv.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	ndsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	ndsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	ndsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	ndsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	ndsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	ndsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	ndsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	ndsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	ndsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	ndsv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2148	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
548	ndsv.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 548	2148	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe	28
PID 2148 wrote to memory of 548	2148	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe	28
PID 2148 wrote to memory of 548	2148	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe	28
PID 2148 wrote to memory of 548	2148	de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe	28

C:\Users\Admin\AppData\Local\Temp\de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe
"C:\Users\Admin\AppData\Local\Temp\de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2148
- \??\c:\Documents and Settings\Admin\Application Data\Microsoft\ndsv.exe
  "c:\Documents and Settings\Admin\Application Data\Microsoft\ndsv.exe" de52f3a1a34868d16614b49da1275a559514e5dc10150f145991ade1ce544634
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
64f3418dd996457e3fe45dabbee5e815

SHA1
e7e6b60f6661fd889081e0318bf04682adf66f37

SHA256
b19b24b4720226f83ee9197754342a436ff1911eae7bf4ed3e042cf2933e60c4

SHA512
959bc9e4a9ab10fc14d5f14e2e78b003d251658bcfb391b91606193442fb69ff5f8a59fc8b793655b1b887835b1e6863e7a219d89ee16f1dbbb9955c7b833a29

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\ndsv.exe

Filesize
76KB

MD5
def13db7efa4cf74ab82651a267c18e1

SHA1
330102b2114e181d58f0a9802d35b73ca2b18506

SHA256
b766c04172cb81c90bb52d02d5223189469c1b235dbbbda03eb257becfbaa0e4

SHA512
fa4d65cc27145f8a7333241fac89e29667a50f7503fc4057297c34d9300bf4446b93b03756af2c248fda2f3525a14ed9670d91841c911adfae68a3e73b7ddf0f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads