21c88ee24cfc26b4ba4ea1dc24d31dbadeb20c87dcb19966d99c443c7089e233

General

Target

783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2.exe
Size

3.9MB
MD5

88eac956a4fece558db3280a977b6742
SHA1

e106164356d948d05b204a2e47e64a80000db61e
SHA256

783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2
SHA512

3f6f62053cbf9eccaf6157220a17a4354eb696200847e0c1c0904bc7aedeed1425e8d79829f8a6deb54c8220983d4cd198163aef83849cbec8c4b0166790aa18
SSDEEP

98304:KCtlY3/JaXu7ouSnvOV05O9M57uRleMbGv:RjY3/JaXu7ouSnvOV05O9M57uRlerv

Score

8^/10

discovery persistence

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nvdrvsvc\Parameters\ServiceDll = "C:\\Users\\Admin\\Appdata\\Roaming\\nVidia\\nvsvc.dll"	783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2.exe

Executes dropped EXE 1 IoCs

Processes:

drive.exe

pid process

4116 drive.exe
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

644 svchost.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

drive.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language drive.exe

pid	process
4116	drive.exe

pid	process
644	svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drive.exe

Modifies data under HKEY_USERS 7 IoCs

Processes:

drive.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Lzma\fpHost\Type = "1960"	drive.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Lzma\fpHost\Object = 0b0a01004b110a1d4b070c170c070c170c4b0a170265656565656565656565656565656565656565656565656565656565656565656565656565656565656565c0829161cecf79fcccb61804ce31ecea331c5b788aeeb10e755ddcbd478d236ace025d504b5452574b56554b545452656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c082eb186ee0fc478a33f7fdd1b704cda9d09bc42adc7bb177c2055f3d3f400ced57545c514b57515c4b5754574b54555c65656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c082598b7a6025e482c574462de6d92aa6fa037f30d25352c0c94c58ba7734bc264e575555545f545152555f030703005f5f54555c656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c082598b7a6025e482c574462de6d92aa6fa037f30d25352c0c94c58ba7734bc264e545d504b57504b5454534b5455526565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c082bf2b2bb1d3f2978cd5658b9b5f51d031c9b6913a39f38f8f4073b81a9cca1e26570455555f520453555f555f525153075f5f56656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c082bf2b2bb1d3f2978cd5658b9b5f51d031c9b6913a39f38f8f4073b81a9cca1e26110a1d4b130017010c06114b02026565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c0827937f6cb97742272311e5cbfebc394865480863dd63afe0e3a7c541c74a09c135453564b5452574b5456534b54545d65656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c082494dfafa52a7686cbfe63330edda2c0ace5201e05ac6e424e41f178694efaf6e575555545f07065d5f515155555f575455555f5f54565f5154016565656565656565656565656565656565656565656565656565656565656565656565656565c082494dfafa52a7686cbfe63330edda2c0ace5201e05ac6e424e41f178694efaf6e525d4b51534b52564b54515465656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c08267e519919ddeead6f5a952f1d8948d21fbffe6f7a0b69745657cbffa7be44b23110a1d4b0c0b0c1117040803164b0c0a656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c0825a6f20c70d53197e8f004a40e9e091c308c20eafc302c1fb126ea92c72ce0f4051534b57575c4b50574b545c5d656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c082e459ea24e2e65b95003e7592104424c63741e107c00237ff5dd3de925bf2f662110a1d4b0b02064b1f0a0b0065656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c082708ca66caaae1c98ba6bdf6018ced1fa843a5d66d4da950053cb4b3ec0810c6b5451514b5754524b5453524b52566565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c0821b330d858b6c84fa576fb11c6724f6549a8b711ed605020caadbf77f4f4ab629110a1d4b04070c090c0b160e0c4b060a086565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c08275a56bd735a6465b515b4f8ec51470c0a7ec458cadb7f1f793b56e4c61fbb91b1108101d4b1710656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c0821102cac343b6410626726e55fec0d8ac10ba5c4199f81f3c729e9ffa39b0a85d56524b515d4b5457574b575765656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c0827e3fefd73a9ad30345c054a1010e2295964e11a022d66f9dd8e703af35c6ce3c110a1d4b0b0a13024b0b001165656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c082b04280e11ae655b34dbfd4e42a6f274a08acb5c66583a632062b87bfeda631065c504b56544b545d4b57575265656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565c082401221be901e8684729b60b420d09d636df14db1b98186b5b06373cf73bc241b545d504b54514b56554b575456656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565656565de0140301359e92361f0d42432b751b833dd0665c75c3031d9cb2344c9513ee97e7e	drive.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Lzma\fpHost	drive.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	drive.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Lzma	drive.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Lzma\fpHost\Start = "977"	drive.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Lzma\fpHost\Parameters = 000000001f1bed15440000000100ce018f6b9587ecdbe44a370d5af010dbf74a3a972e84828006b0c970751483917b990855ad5a8f098aa99d1cd7ff321e2c3063e2c735072674982ae4035e9b9e1e4a432e87e0000000000300ce01000000000400ce01000000000500ce01010000000600ce01000c0000000200ce010d005901000000000400ce11000000000a00ce01000000000b00ce0100000000ff00ce01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	drive.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2.exesvchost.exe

description	pid	process	target process
PID 3216 wrote to memory of 2336	3216	783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2.exe	cmd.exe
PID 3216 wrote to memory of 2336	3216	783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2.exe	cmd.exe
PID 644 wrote to memory of 4116	644	svchost.exe	drive.exe
PID 644 wrote to memory of 4116	644	svchost.exe	drive.exe
PID 644 wrote to memory of 4116	644	svchost.exe	drive.exe

C:\Users\Admin\AppData\Local\Temp\783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2.exe
"C:\Users\Admin\AppData\Local\Temp\783c4a9cf616f01dbad0fc49bb49d61bb6f9fb95c1bcafacb9529198fc0b77a2.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xnyxrp.bat
  2⤵
  PID:2336

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k "nvdrvsvc"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:644
- C:\Users\Admin\Appdata\Roaming\nVidia\AppData\App\drive.exe
  C:\Users\Admin\Appdata\Roaming\nVidia\AppData\App\drive.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xnyxrp.bat

Filesize
248B

MD5
b6849e0440ad49764a90ba27e49acb6e

SHA1
f38e867744611e505a37ffba8d1258b652fd1723

SHA256
276c468065e7a6d7ee8d8a8191d986a8d923f9b46df6255681a9e6ffd5699172

SHA512
401399bc980e51c8a86e29da5807ec9a079f20fa3934109a9e6e2d82814767718abb90d770fd4faa80215c92623f590f7a3c133db832c2787c281a91ee1644af

Download Submit
C:\Users\Admin\AppData\Roaming\nVidia\AppData\App\drive.exe

Filesize
362KB

MD5
f84c2198d1fcad97e2de608aac29d30d

SHA1
912a1b49d5dc5dd643b1a70459fd39260e9ef8ca

SHA256
83085d79329b4951cbefdc8bf9d6b4d04accf33c25a547511efeeab4cfe3d9f2

SHA512
f4a536b8d4d91c0f4be59dcfcf14566dbfffa27a6dcab35bf97897c3a53d8529e55e489a64faf4c2ff886342c73c2d81498eca10410ab975241c4d2379162d12

Download Submit
memory/644-11-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/3216-4-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/4116-12-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4116-24-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads