701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f

General

Target

701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f.exe
Size

167KB
MD5

66fdee022da605b25157e433317c28a0
SHA1

6943b8593b38e133c3cad0ba3cc76597316daf34
SHA256

701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f
SHA512

b1bc5167106370c17e3b5f6691223186f789ad2a344377599b8b5e5cb1d487c76f4f4cfcf238fda47b5e898f089b22ddf69bbcd731ed96f71807e56d379745c7
SSDEEP

3072:zaQVG4urzuVGp8rojCJ37NkWWslb5r8P+0kizv6ODHt/OE9sPK:OoezrKMU7WslyPlxPDHt/OED

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
948	MSWDM.EXE
1436	MSWDM.EXE
816	701C7F127D7A3B1FDF5F86B43984A5A01D9B800E035A81F51F491DE30D331E2F.EXE

Loads dropped DLL 1 IoCs

pid	Process
1436	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f.exe
File opened for modification	C:\Windows\dev6B61.tmp	701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1436	MSWDM.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
816	701C7F127D7A3B1FDF5F86B43984A5A01D9B800E035A81F51F491DE30D331E2F.EXE
816	701C7F127D7A3B1FDF5F86B43984A5A01D9B800E035A81F51F491DE30D331E2F.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 948	1756	701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f.exe	27
PID 1756 wrote to memory of 948	1756	701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f.exe	27
PID 1756 wrote to memory of 948	1756	701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f.exe	27
PID 1756 wrote to memory of 948	1756	701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f.exe	27
PID 1756 wrote to memory of 1436	1756	701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f.exe	28
PID 1756 wrote to memory of 1436	1756	701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f.exe	28
PID 1756 wrote to memory of 1436	1756	701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f.exe	28
PID 1756 wrote to memory of 1436	1756	701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f.exe	28
PID 1436 wrote to memory of 816	1436	MSWDM.EXE	29
PID 1436 wrote to memory of 816	1436	MSWDM.EXE	29
PID 1436 wrote to memory of 816	1436	MSWDM.EXE	29
PID 1436 wrote to memory of 816	1436	MSWDM.EXE	29

C:\Users\Admin\AppData\Local\Temp\701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f.exe
"C:\Users\Admin\AppData\Local\Temp\701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1756
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:948
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev6B61.tmp!C:\Users\Admin\AppData\Local\Temp\701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Users\Admin\AppData\Local\Temp\701C7F127D7A3B1FDF5F86B43984A5A01D9B800E035A81F51F491DE30D331E2F.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\701C7F127D7A3B1FDF5F86B43984A5A01D9B800E035A81F51F491DE30D331E2F.EXE

Filesize
83KB

MD5
f3bbbb20275c5225821f2e01efa0a539

SHA1
fb72080666964aa8b288f5885fc3e4989c15c11d

SHA256
d84a1b31ed6d0905f1d4a30eebda0a226f254ec1000f00cea4aea304ffff8209

SHA512
3ccbcdb975fb219cc20752ca053335c0fe1576a9be04c17b42bfe15ba0ae7bd78d3feb5195cdfa35f85d6881489c38a43660ac72282a9f2c0d2ed5fb07ec0743

Download Submit
C:\Users\Admin\AppData\Local\Temp\701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f.exe

Filesize
83KB

MD5
f3bbbb20275c5225821f2e01efa0a539

SHA1
fb72080666964aa8b288f5885fc3e4989c15c11d

SHA256
d84a1b31ed6d0905f1d4a30eebda0a226f254ec1000f00cea4aea304ffff8209

SHA512
3ccbcdb975fb219cc20752ca053335c0fe1576a9be04c17b42bfe15ba0ae7bd78d3feb5195cdfa35f85d6881489c38a43660ac72282a9f2c0d2ed5fb07ec0743

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
84KB

MD5
9aac113a417f53e966e8445a5a24ecc5

SHA1
37bfa9aa6dc1275c0d1a40383404b16c74603039

SHA256
df8ddf723b330e82f795d7f5588c1ad0cd2c80759c14806d2813f25cf7b71374

SHA512
322cb3f1eb39d4ecf65fd583f409e9c1ffaf06579c8988b11087d0abfc9d32dc1e855ef936a4f95f6efc3e770df08d18794f172245c76ef954e59e46f5b64b9f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
84KB

MD5
9aac113a417f53e966e8445a5a24ecc5

SHA1
37bfa9aa6dc1275c0d1a40383404b16c74603039

SHA256
df8ddf723b330e82f795d7f5588c1ad0cd2c80759c14806d2813f25cf7b71374

SHA512
322cb3f1eb39d4ecf65fd583f409e9c1ffaf06579c8988b11087d0abfc9d32dc1e855ef936a4f95f6efc3e770df08d18794f172245c76ef954e59e46f5b64b9f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
84KB

MD5
9aac113a417f53e966e8445a5a24ecc5

SHA1
37bfa9aa6dc1275c0d1a40383404b16c74603039

SHA256
df8ddf723b330e82f795d7f5588c1ad0cd2c80759c14806d2813f25cf7b71374

SHA512
322cb3f1eb39d4ecf65fd583f409e9c1ffaf06579c8988b11087d0abfc9d32dc1e855ef936a4f95f6efc3e770df08d18794f172245c76ef954e59e46f5b64b9f

Download Submit
C:\Windows\dev6B61.tmp

Filesize
83KB

MD5
f3bbbb20275c5225821f2e01efa0a539

SHA1
fb72080666964aa8b288f5885fc3e4989c15c11d

SHA256
d84a1b31ed6d0905f1d4a30eebda0a226f254ec1000f00cea4aea304ffff8209

SHA512
3ccbcdb975fb219cc20752ca053335c0fe1576a9be04c17b42bfe15ba0ae7bd78d3feb5195cdfa35f85d6881489c38a43660ac72282a9f2c0d2ed5fb07ec0743

Download Submit
\Users\Admin\AppData\Local\Temp\701c7f127d7a3b1fdf5f86b43984a5a01d9b800e035a81f51f491de30d331e2f.exe

Filesize
83KB

MD5
f3bbbb20275c5225821f2e01efa0a539

SHA1
fb72080666964aa8b288f5885fc3e4989c15c11d

SHA256
d84a1b31ed6d0905f1d4a30eebda0a226f254ec1000f00cea4aea304ffff8209

SHA512
3ccbcdb975fb219cc20752ca053335c0fe1576a9be04c17b42bfe15ba0ae7bd78d3feb5195cdfa35f85d6881489c38a43660ac72282a9f2c0d2ed5fb07ec0743

Download Submit
memory/816-67-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/948-65-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/948-69-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1436-66-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1756-59-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1756-54-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing