21c88ee24cfc26b4ba4ea1dc24d31dbadeb20c87dcb19966d99c443c7089e233

General

Target

783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2.exe
Size

3.9MB
MD5

88eac956a4fece558db3280a977b6742
SHA1

e106164356d948d05b204a2e47e64a80000db61e
SHA256

783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2
SHA512

3f6f62053cbf9eccaf6157220a17a4354eb696200847e0c1c0904bc7aedeed1425e8d79829f8a6deb54c8220983d4cd198163aef83849cbec8c4b0166790aa18
SSDEEP

98304:KCtlY3/JaXu7ouSnvOV05O9M57uRleMbGv:RjY3/JaXu7ouSnvOV05O9M57uRlerv

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\nvdrvsvc\Parameters\ServiceDll = "C:\\Users\\Admin\\Appdata\\Roaming\\nVidia\\nvsvc.dll"	783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2228 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

drive.exe

pid process

2744 drive.exe
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

2376 svchost.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

drive.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language drive.exe

pid	process
2228	cmd.exe

pid	process
2744	drive.exe

pid	process
2376	svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drive.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

drive.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Lzma\fpHost	drive.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Lzma\fpHost\Start = "977"	drive.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Lzma\fpHost\Parameters = 000000001f1bed15440000000100ce019ed82e71d561f4cfcfe2505db841638cfd2ff4890c09e22e7623a5b5430e16a59b5a55257526bbc9f58449bbf4c7b3b358445a4819b61a7706e4677a1dd5f1ca24c6e0e7000000000300ce01000000000400ce01000000000500ce01010000000600ce01000c0000000200ce010d005901000000000400ce11000000000a00ce01000000000b00ce0100000000ff00ce01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	drive.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Lzma\fpHost\Type = "1960"	drive.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Lzma\fpHost\Object = 0b0a01004b110a1d4b070c170c070c170c4b0a170265656565656565656565656565656565656565656565656565656565656565656565656565656565656565c0829161cecf79fcccb61804ce31ecea331c5b788aeeb10e755ddcbd478d236ace025d504b5452574b56554b545452656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c082eb186ee0fc478a33f7fdd1b704cda9d09bc42adc7bb177c2055f3d3f400ced57545c514b57515c4b5754574b54555c65656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c082598b7a6025e482c574462de6d92aa6fa037f30d25352c0c94c58ba7734bc264e575555545f545152555f030703005f5f54555c656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c082598b7a6025e482c574462de6d92aa6fa037f30d25352c0c94c58ba7734bc264e545d504b57504b5454534b5455526565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c082bf2b2bb1d3f2978cd5658b9b5f51d031c9b6913a39f38f8f4073b81a9cca1e26570455555f520453555f555f525153075f5f56656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c082bf2b2bb1d3f2978cd5658b9b5f51d031c9b6913a39f38f8f4073b81a9cca1e26110a1d4b130017010c06114b02026565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c0827937f6cb97742272311e5cbfebc394865480863dd63afe0e3a7c541c74a09c135453564b5452574b5456534b54545d65656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c082494dfafa52a7686cbfe63330edda2c0ace5201e05ac6e424e41f178694efaf6e575555545f07065d5f515155555f575455555f5f54565f5154016565656565656565656565656565656565656565656565656565656565656565656565656565c082494dfafa52a7686cbfe63330edda2c0ace5201e05ac6e424e41f178694efaf6e525d4b51534b52564b54515465656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c08267e519919ddeead6f5a952f1d8948d21fbffe6f7a0b69745657cbffa7be44b23110a1d4b0c0b0c1117040803164b0c0a656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c0825a6f20c70d53197e8f004a40e9e091c308c20eafc302c1fb126ea92c72ce0f4051534b57575c4b50574b545c5d656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c082e459ea24e2e65b95003e7592104424c63741e107c00237ff5dd3de925bf2f662110a1d4b0b02064b1f0a0b0065656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c082708ca66caaae1c98ba6bdf6018ced1fa843a5d66d4da950053cb4b3ec0810c6b5451514b5754524b5453524b52566565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c0821b330d858b6c84fa576fb11c6724f6549a8b711ed605020caadbf77f4f4ab629110a1d4b04070c090c0b160e0c4b060a086565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c08275a56bd735a6465b515b4f8ec51470c0a7ec458cadb7f1f793b56e4c61fbb91b1108101d4b1710656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c0821102cac343b6410626726e55fec0d8ac10ba5c4199f81f3c729e9ffa39b0a85d56524b515d4b5457574b575765656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c0827e3fefd73a9ad30345c054a1010e2295964e11a022d66f9dd8e703af35c6ce3c110a1d4b0b0a13024b0b001165656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c082b04280e11ae655b34dbfd4e42a6f274a08acb5c66583a632062b87bfeda631065c504b56544b545d4b57575265656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c082401221be901e8684729b60b420d09d636df14db1b98186b5b06373cf73bc241b545d504b54514b56554b575456656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565de0140301359e92361f0d42432b751b833dd0665c75c3031d9cb2344c9513ee97e7e	drive.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Lzma\fpHost	drive.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	drive.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Lzma	drive.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2.exesvchost.exe

description	pid	process	target process
PID 2224 wrote to memory of 2228	2224	783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2.exe	cmd.exe
PID 2224 wrote to memory of 2228	2224	783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2.exe	cmd.exe
PID 2224 wrote to memory of 2228	2224	783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2.exe	cmd.exe
PID 2376 wrote to memory of 2744	2376	svchost.exe	drive.exe
PID 2376 wrote to memory of 2744	2376	svchost.exe	drive.exe
PID 2376 wrote to memory of 2744	2376	svchost.exe	drive.exe
PID 2376 wrote to memory of 2744	2376	svchost.exe	drive.exe

C:\Users\Admin\AppData\Local\Temp\783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2.exe
"C:\Users\Admin\AppData\Local\Temp\783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\xnyxrp.bat
  2⤵
  - Deletes itself
  PID:2228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k "nvdrvsvc"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\Appdata\Roaming\nVidia\AppData\App\drive.exe
  C:\Users\Admin\Appdata\Roaming\nVidia\AppData\App\drive.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xnyxrp.bat

Filesize
248B

MD5
b6849e0440ad49764a90ba27e49acb6e

SHA1
f38e867744611e505a37ffba8d1258b652fd1723

SHA256
276c468065e7a6d7ee8d8a8191d986a8d923f9b46df6255681a9e6ffd5699172

SHA512
401399bc980e51c8a86e29da5807ec9a079f20fa3934109a9e6e2d82814767718abb90d770fd4faa80215c92623f590f7a3c133db832c2787c281a91ee1644af

Download Submit
C:\Users\Admin\AppData\Roaming\nVidia\AppData\App\drive.exe

Filesize
362KB

MD5
fd3896c897f5597bd1a21c82f6059730

SHA1
55fe78944c442627957c3230db31219b8249f0fd

SHA256
d77d66801f74ec7981d4215bdd7fa0743bee731bf30ce4b4f85be45f6feccd40

SHA512
e833babbf4d00eed5f38c24bb20a7645bc1d630a1602a034f398960f101558153af8145a10abec53e5e70168b65ba2fc60363036cbc9992dff7ec89ef43f90e5

Download Submit
memory/2224-9-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/2376-11-0x00000000008A0000-0x0000000000A7D000-memory.dmp

Filesize
1.9MB

Download
memory/2376-19-0x00000000008A0000-0x0000000000A7D000-memory.dmp

Filesize
1.9MB

Download
memory/2744-20-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2744-32-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads