Overview
Static (score 10)

Behavioral tasks (score / sample / platform):
   7   KiPoypXawe...IA.exe    windows11-21h2-x64
   8   out.exe                windows11-21h2-x64
   3   KiPoypXawe...er.exe    windows11-21h2-x64
   5   $PLUGINSDI...er.exe    windows11-21h2-x64
   5   KiPoypXawe...ll.bat    windows11-21h2-x64
   7   KiPoypXawe...64.exe    windows11-21h2-x64
   7   KiPoypXawe...86.exe    windows11-21h2-x64
   7   KiPoypXawe...64.exe    windows11-21h2-x64
   7   KiPoypXawe...86.exe    windows11-21h2-x64
   -   KiPoypXawe...64.exe    windows11-21h2-x64
   7   KiPoypXawe...86.exe    windows11-21h2-x64
   7   KiPoypXawe...64.exe    windows11-21h2-x64
   7   KiPoypXawe...86.exe    windows11-21h2-x64
   7   KiPoypXawe...64.exe    windows11-21h2-x64
   7   KiPoypXawe...86.exe    windows11-21h2-x64
   7   KiPoypXawe...64.exe    windows11-21h2-x64
   7   KiPoypXawe...86.exe    windows11-21h2-x64
   7   KiPoypXawe...er.exe    windows11-21h2-x64
  10   KiPoypXawe...er.ini    windows11-21h2-x64
   3   KiPoypXawe...up.exe    windows11-21h2-x64
Analysis (score 7)
max time kernel: 93s
max time network: 106s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 01-12-2024 18:07
Behavioral tasks (task: sample, resource):
behavioral1: KiPoypXaweM/NVIDIA.exe, win11-20241007-en
behavioral2: out.exe, win11-20241007-en
behavioral3: KiPoypXaweM/Requirements/OverwolfInstaller.exe, win11-20241007-en
behavioral4: $PLUGINSDIR/OWInstaller.exe, win11-20241007-en
behavioral5: KiPoypXaweM/Requirements/Visual-C-Runtimes-All-in-One-May-2024/install_all.bat, win11-20241007-en
behavioral6: KiPoypXaweM/Requirements/Visual-C-Runtimes-All-in-One-May-2024/vcredist2005_x64.exe, win11-20241007-en
behavioral7: KiPoypXaweM/Requirements/Visual-C-Runtimes-All-in-One-May-2024/vcredist2005_x86.exe, win11-20241007-en
behavioral8: KiPoypXaweM/Requirements/Visual-C-Runtimes-All-in-One-May-2024/vcredist2008_x64.exe, win11-20241023-en
behavioral9: KiPoypXaweM/Requirements/Visual-C-Runtimes-All-in-One-May-2024/vcredist2008_x86.exe, win11-20241007-en
behavioral10: KiPoypXaweM/Requirements/Visual-C-Runtimes-All-in-One-May-2024/vcredist2010_x64.exe, win11-20241007-en
behavioral11: KiPoypXaweM/Requirements/Visual-C-Runtimes-All-in-One-May-2024/vcredist2010_x86.exe, win11-20241007-en
behavioral12: KiPoypXaweM/Requirements/Visual-C-Runtimes-All-in-One-May-2024/vcredist2012_x64.exe, win11-20241007-en
behavioral13: KiPoypXaweM/Requirements/Visual-C-Runtimes-All-in-One-May-2024/vcredist2012_x86.exe, win11-20241007-en
behavioral14: KiPoypXaweM/Requirements/Visual-C-Runtimes-All-in-One-May-2024/vcredist2013_x64.exe, win11-20241007-en
behavioral15: KiPoypXaweM/Requirements/Visual-C-Runtimes-All-in-One-May-2024/vcredist2013_x86.exe, win11-20241007-en
behavioral16: KiPoypXaweM/Requirements/Visual-C-Runtimes-All-in-One-May-2024/vcredist2015_2017_2019_2022_x64.exe, win11-20241007-en
behavioral17: KiPoypXaweM/Requirements/Visual-C-Runtimes-All-in-One-May-2024/vcredist2015_2017_2019_2022_x86.exe, win11-20241023-en
behavioral18: KiPoypXaweM/Requirements/Windows Update Blocker/Windows Update Blocker.exe, win11-20241007-en
behavioral19: KiPoypXaweM/Requirements/Windows Update Blocker/Windows Update Blocker.ini, win11-20241007-en
behavioral20: KiPoypXaweM/Requirements/dxwebsetup.exe, win11-20241007-en
General
Target: KiPoypXaweM/NVIDIA.exe
Size: 59.5MB
MD5: e9411904a5793c0accdfe6c04f188f54
SHA1: 1685b9afcd93937f56a7f8a34d39bd5e3f2d201b
SHA256: 04bc993d4352f2bda8ea5f9d8cf124711b4b5ad82329a64c97fd325f22c6ed98
SHA512: 052ac21a92072846107d5785127cb6b47a1cd45b3dc2bf317ade84b6ec6e252d7afd2bf562ef2efe483c4eda632aa808b512cebc3d10b9bcb77a3ff452ed7ef1
SSDEEP: 786432:4CAq85qFp3n4/14bJ7spyKbb3vhgnG/GYdXW+nZq4Hw3MutfvvTBlA1l3apTyB5a:zc14t0rGGeH+ZqmwMYNq1l3a4BT6CGO
Malware Config
Signatures
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: NVIDIA.exe)
- Drops file in System32 directory (1 IoC)
  File created: C:\Windows\System32\MicrosoftStoreHwd.txt (process: NVIDIA.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
  PID 2884 NVIDIA.exe (8 occurrences)
- Launches sc.exe (2 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  PID 4436 sc.exe; PID 3768 sc.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: NVIDIA.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: NVIDIA.exe)
- Kills process with taskkill (10 IoCs)
  taskkill.exe PIDs 2104, 2784, 1860, 4688, 2472, 4576, 3752, 2336, 4692, 1104
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2884 NVIDIA.exe (64 occurrences)
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Token: SeDebugPrivilege, taskkill.exe PIDs 2472, 1104, 4576, 3752, 2336, 2104, 2784, 1860, 4692, 4688
- Suspicious use of WriteProcessMemory (56 IoCs)
  Columns: source PID (process) -> target PID [procid_target]; each entry is recorded twice in the report (28 distinct entries).
  2884 (NVIDIA.exe) -> 1320 [78]
  2884 (NVIDIA.exe) -> 4456 [79]
  4456 (cmd.exe) -> 2472 [80]
  2884 (NVIDIA.exe) -> 2964 [82]
  2964 (cmd.exe) -> 1104 [83]
  2884 (NVIDIA.exe) -> 3668 [84]
  3668 (cmd.exe) -> 4436 [85]
  2884 (NVIDIA.exe) -> 4124 [86]
  4124 (cmd.exe) -> 4576 [87]
  2884 (NVIDIA.exe) -> 2344 [88]
  2344 (cmd.exe) -> 3752 [89]
  2884 (NVIDIA.exe) -> 1896 [90]
  1896 (cmd.exe) -> 2336 [91]
  2884 (NVIDIA.exe) -> 792 [92]
  2884 (NVIDIA.exe) -> 1148 [93]
  1148 (cmd.exe) -> 2104 [94]
  2884 (NVIDIA.exe) -> 2872 [95]
  2872 (cmd.exe) -> 2784 [96]
  2884 (NVIDIA.exe) -> 4540 [97]
  4540 (cmd.exe) -> 3768 [98]
  2884 (NVIDIA.exe) -> 4840 [99]
  4840 (cmd.exe) -> 1860 [100]
  2884 (NVIDIA.exe) -> 1992 [101]
  1992 (cmd.exe) -> 4692 [102]
  2884 (NVIDIA.exe) -> 4544 [103]
  4544 (cmd.exe) -> 4688 [104]
  2884 (NVIDIA.exe) -> 4432 [105]
  2884 (NVIDIA.exe) -> 1036 [106]
Processes
C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\NVIDIA.exe (PID 2884)
  command line: "C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\NVIDIA.exe"
  - Checks BIOS information in registry
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (PID 1320)
    command line: C:\Windows\system32\cmd.exe /c color e
  C:\Windows\system32\cmd.exe (PID 4456)
    command line: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe (PID 2472)
      command line: taskkill /f /im HTTPDebuggerUI.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe (PID 2964)
    command line: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe (PID 1104)
      command line: taskkill /f /im HTTPDebuggerSvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe (PID 3668)
    command line: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\sc.exe (PID 4436)
      command line: sc stop HTTPDebuggerPro
      - Launches sc.exe
  C:\Windows\system32\cmd.exe (PID 4124)
    command line: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe (PID 4576)
      command line: taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe (PID 2344)
    command line: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe (PID 3752)
      command line: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe (PID 1896)
    command line: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe (PID 2336)
      command line: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe (PID 792)
    command line: C:\Windows\system32\cmd.exe /c cls
  C:\Windows\system32\cmd.exe (PID 1148)
    command line: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe (PID 2104)
      command line: taskkill /f /im HTTPDebuggerUI.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe (PID 2872)
    command line: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe (PID 2784)
      command line: taskkill /f /im HTTPDebuggerSvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe (PID 4540)
    command line: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\sc.exe (PID 3768)
      command line: sc stop HTTPDebuggerPro
      - Launches sc.exe
  C:\Windows\system32\cmd.exe (PID 4840)
    command line: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe (PID 1860)
      command line: taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe (PID 1992)
    command line: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe (PID 4692)
      command line: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe (PID 4544)
    command line: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe (PID 4688)
      command line: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe (PID 4432)
    command line: C:\Windows\system32\cmd.exe /c cls
  C:\Windows\system32\cmd.exe (PID 1036)
    command line: C:\Windows\system32\cmd.exe /c cls