196d78953b7beeabc50a1c0294312246d52b465fa6d3dacb82fe6be223bce9f4

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pdvserv.exe
Size

1.9MB
MD5

78e65d6a04a8d8d91c1ae78b605e6e16
SHA1

8322ce32e6b4f2f35084cc046427c5c234f18ac8
SHA256

e93a3e46d6e8d7d037d9f77a75ee55d2f63665960044a1044813b6d5229d940e
SHA512

bdacf51b4b551fff19c34d73dd3fb77374a0adb9ce940b910e8a47bd517911659f50f9dee119a981dadc0427e8127d06e2022283c1b541e15438d70e32a02669
SSDEEP

24576:FREuSim93ySUIpLfaVSA72yK1/YppeCBRUwsAOIiT3lij76:FSzyb7F29pLl0m

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3064	Add2Reg.exe

Loads dropped DLL 2 IoCs

pid	Process
2192	pdvserv.exe
2192	pdvserv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pdvserv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdvserv.exe"	Add2Reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdvserv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2192	pdvserv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2192	pdvserv.exe
2192	pdvserv.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 3064	2192	pdvserv.exe	30
PID 2192 wrote to memory of 3064	2192	pdvserv.exe	30
PID 2192 wrote to memory of 3064	2192	pdvserv.exe	30
PID 2192 wrote to memory of 3064	2192	pdvserv.exe	30

C:\Users\Admin\AppData\Local\Temp\pdvserv.exe
"C:\Users\Admin\AppData\Local\Temp\pdvserv.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\Add2Reg.exe
  "C:\Users\Admin\AppData\Local\Temp\Add2Reg.exe" pdvserv=C:\Users\Admin\AppData\Local\Temp\pdvserv.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Add2Reg.exe

Filesize
104KB

MD5
a111e43227d1138accd09c64764c8e24

SHA1
8a426c030057376f6b8955e7ece94656b93acb9a

SHA256
0dbf5ef8ca3f25f7a0b91fd139157e6633de9f22cb2cd1c006df52e258124059

SHA512
cd1bfaa144db9a697ae47a604f23daafc00eb0f10df4d200276d22329fc428953353315d942f669b138ce2f35ca4183b07855707ba265d23c5f24cfef8985f6e

Download Submit
\Users\Admin\AppData\Local\Temp\JMEWS.tmp

Filesize
80KB

MD5
088fda06e32f8d6eff8850a51b19c2a0

SHA1
091bd5672805669baacc2f13c20eeeade03d7a53

SHA256
6d448bcf7ebcf6d9224da1afa956b057fdec626f2cddeac0e4edf7bb1222a036

SHA512
03d60afe1eee2401fd1e2dc67d964f945625f3e9d705a8713feb118e33029a39ede37a565e3f848d0f84cac3f11bdd35dd14e04c0efead92dea842fcaa1e8e14

Download Submit
memory/2192-18-0x0000000076B00000-0x0000000076BF0000-memory.dmp

Filesize
960KB

Download
memory/2192-13-0x00000000025E0000-0x00000000025FA000-memory.dmp

Filesize
104KB

Download
memory/2192-15-0x0000000076B10000-0x0000000076B11000-memory.dmp

Filesize
4KB

Download
memory/2192-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2192-17-0x0000000076B00000-0x0000000076BF0000-memory.dmp

Filesize
960KB

Download
memory/2192-19-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2192-21-0x00000000025E0000-0x00000000025FA000-memory.dmp

Filesize
104KB

Download
memory/2192-20-0x0000000000400000-0x00000000005F2000-memory.dmp

Filesize
1.9MB

Download
memory/2192-25-0x00000000025E0000-0x00000000025FA000-memory.dmp

Filesize
104KB

Download
memory/2192-33-0x00000000025E0000-0x00000000025FA000-memory.dmp

Filesize
104KB

Download
memory/3064-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads