7c598cc2c2b6e6bca52a6d2bd9f1dfa1fc9c14ff69d5e07178fc0d29f3820f40

General

Target

2014-04-03-FlashPack-EK-malware-payload-02.exe
Size

90KB
MD5

e473d28c8f8f7718c802396d49cc7e42
SHA1

178678561f7b64027ca6cb42106d453fa481381b
SHA256

81fdd1088c2f50e309f363c557886cfb6d56783b438e181b34dedd121e1e1702
SHA512

b88da86b99393dcfd25bc2771ddc0d9c0277dfad4655b0915cf5578d4e90005850dcd1bfbe57c50976fdffa2225cf44ca33f8a61286fc70b736a2428ce28912a
SSDEEP

1536:NQpQ5EP0ijnRTXJYOMAr9T5SRXgKJZV9x+LcQ8au8BObaM7E:NQIURTXJYFgw/R9kLse

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1508	nvupdate.exe
3000	nvupdate.exe

Loads dropped DLL 16 IoCs

pid	Process
2160	2014-04-03-FlashPack-EK-malware-payload-02.exe
1508	nvupdate.exe
1508	nvupdate.exe
1508	nvupdate.exe
1508	nvupdate.exe
1508	nvupdate.exe
1508	nvupdate.exe
1508	nvupdate.exe
1508	nvupdate.exe
1508	nvupdate.exe
1508	nvupdate.exe
1508	nvupdate.exe
1508	nvupdate.exe
3000	nvupdate.exe
3000	nvupdate.exe
3000	nvupdate.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral5/memory/3000-22-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral5/memory/3000-24-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral5/memory/3000-27-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral5/memory/3000-40-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral5/memory/3000-42-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral5/memory/3000-43-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral5/memory/3000-41-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral5/memory/3000-32-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral5/memory/3000-44-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1508 set thread context of 3000	1508	nvupdate.exe	29

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe	2014-04-03-FlashPack-EK-malware-payload-02.exe
File opened for modification	C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe	nvupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv	nvupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Local AppWizard-Generated Applications	nvupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Local AppWizard-Generated Applications\SdiMulti	nvupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Local AppWizard-Generated Applications\SdiMulti\Settings	nvupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\NVIDIA Corporation\Global	nvupdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv\value = "20140402"	nvupdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv\GUID = "e3dd5a3d-de7a-4d23-8f08-f1b8017629a7"	nvupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Local AppWizard-Generated Applications\SdiMulti\Recent File List	nvupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	nvupdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\NVIDIA Corporation	nvupdate.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\shell\print\command	nvupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mul	nvupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mul\ShellNew	nvupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document	nvupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\DefaultIcon\ = "C:\\PROGRA~2\\NVIDIA~1\\UPDATE~1\\nvupdate.exe,0"	nvupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\shell\open\command	nvupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\DefaultIcon	nvupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\shell\print\command\ = "C:\\PROGRA~2\\NVIDIA~1\\UPDATE~1\\nvupdate.exe /p \"%1\""	nvupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\shell\printto	nvupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\shell\printto\command\ = "C:\\PROGRA~2\\NVIDIA~1\\UPDATE~1\\nvupdate.exe /pt \"%1\" \"%2\" \"%3\" \"%4\""	nvupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\ = "SdiMul Document"	nvupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\shell\open	nvupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\shell\open\command\ = "C:\\PROGRA~2\\NVIDIA~1\\UPDATE~1\\nvupdate.exe \"%1\""	nvupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mul\ = "SdiMul.Document"	nvupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mul\ShellNew\NullFile	nvupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\shell	nvupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\shell\print	nvupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SdiMul.Document\shell\printto\command	nvupdate.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1508	nvupdate.exe
1508	nvupdate.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 3000	1508	nvupdate.exe	29
PID 1508 wrote to memory of 3000	1508	nvupdate.exe	29
PID 1508 wrote to memory of 3000	1508	nvupdate.exe	29
PID 1508 wrote to memory of 3000	1508	nvupdate.exe	29
PID 1508 wrote to memory of 3000	1508	nvupdate.exe	29
PID 1508 wrote to memory of 3000	1508	nvupdate.exe	29
PID 1508 wrote to memory of 3000	1508	nvupdate.exe	29
PID 1508 wrote to memory of 3000	1508	nvupdate.exe	29
PID 1508 wrote to memory of 3000	1508	nvupdate.exe	29
PID 1508 wrote to memory of 3000	1508	nvupdate.exe	29
PID 1508 wrote to memory of 3000	1508	nvupdate.exe	29

C:\Users\Admin\AppData\Local\Temp\2014-04-03-FlashPack-EK-malware-payload-02.exe
"C:\Users\Admin\AppData\Local\Temp\2014-04-03-FlashPack-EK-malware-payload-02.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:2160

C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe
"C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe
  "C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\NVIDIA Corporation\Update Center\nvupdate.exe

Filesize
97KB

MD5
8ad53fcda9d6ff8fc79226f4b9236b64

SHA1
04cf97f42aac5621981c8165576e3f30eb76f4f2

SHA256
4d99d197286dba828c5f39e99abe09318c18a9a3c84aae260e77832f8872e8b2

SHA512
022070ec3cf1c24f8be44ee7b65a844786fc9e819070468c6d6a1f9572adf1374243fe2dee3e256e80ab3320c3c103581298cc2cc5c1f3b68f6c1de8b7ada8c3

Download Submit
\Users\Admin\AppData\Local\Temp\nsj7033.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/1508-31-0x0000000000490000-0x0000000000494000-memory.dmp

Filesize
16KB

Download
memory/3000-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3000-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3000-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3000-20-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3000-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3000-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3000-42-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3000-43-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3000-41-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3000-32-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3000-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing