f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027

Analysis

max time kernel
153s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 19:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027.exe
Size

219KB
MD5

419477671fb1cc32457d9aea27ca908c
SHA1

d9b5c57c82bc8c533a2e9637d11b02a6b7c272d6
SHA256

f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027
SHA512

389a0c565282ebae329b9a82dcb4b3b0311956d439f092921fbebf1de965ef28137c6795d9baaf32ac3fbe9ebddfa95de54709eb39794bb6a3c51dd4bc8a10dd
SSDEEP

3072:2FawsA+HjzFmRa2M39WaHHD/n6ppaWiFZIPmhOF0HFZqTTeTTTfqTTTJTTTTTnT7:2wwsXDz68zn76ppggmhOF0HFZlx2

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1304	MSWDM.EXE
1392	MSWDM.EXE
1344	F8FD8188109161EB676DAFFCF57FAA9FBC6C6C6A6DC0C1E527EDE3CB9B8ED027.EXE
1488	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
1392	MSWDM.EXE
1392	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev673C.tmp	f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027.exe
File opened for modification	C:\Windows\dev673C.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1392	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1304	1148	f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027.exe	27
PID 1148 wrote to memory of 1304	1148	f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027.exe	27
PID 1148 wrote to memory of 1304	1148	f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027.exe	27
PID 1148 wrote to memory of 1304	1148	f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027.exe	27
PID 1148 wrote to memory of 1392	1148	f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027.exe	28
PID 1148 wrote to memory of 1392	1148	f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027.exe	28
PID 1148 wrote to memory of 1392	1148	f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027.exe	28
PID 1148 wrote to memory of 1392	1148	f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027.exe	28
PID 1392 wrote to memory of 1344	1392	MSWDM.EXE	29
PID 1392 wrote to memory of 1344	1392	MSWDM.EXE	29
PID 1392 wrote to memory of 1344	1392	MSWDM.EXE	29
PID 1392 wrote to memory of 1344	1392	MSWDM.EXE	29
PID 1392 wrote to memory of 1488	1392	MSWDM.EXE	30
PID 1392 wrote to memory of 1488	1392	MSWDM.EXE	30
PID 1392 wrote to memory of 1488	1392	MSWDM.EXE	30
PID 1392 wrote to memory of 1488	1392	MSWDM.EXE	30

C:\Users\Admin\AppData\Local\Temp\f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027.exe
"C:\Users\Admin\AppData\Local\Temp\f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1148
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1304
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev673C.tmp!C:\Users\Admin\AppData\Local\Temp\f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Users\Admin\AppData\Local\Temp\F8FD8188109161EB676DAFFCF57FAA9FBC6C6C6A6DC0C1E527EDE3CB9B8ED027.EXE
    3⤵
    - Executes dropped EXE
    PID:1344
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev673C.tmp!C:\Users\Admin\AppData\Local\Temp\F8FD8188109161EB676DAFFCF57FAA9FBC6C6C6A6DC0C1E527EDE3CB9B8ED027.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F8FD8188109161EB676DAFFCF57FAA9FBC6C6C6A6DC0C1E527EDE3CB9B8ED027.EXE

Filesize
219KB

MD5
6afca9c1f4ecdcd443b11f52849e6879

SHA1
ef016718909b64a3b9ee0dcdbcffde752299a4cb

SHA256
b1517b59a1acccdc291541089f0764695d459d3c0d1f31625841437a3ea45dc5

SHA512
cc70a21fe2409820e5e71abd48da54701656f9ac99ec28b1844fa2c2e7e6d14979718abf117bfc80940a3749bcfd5bd491c7c4fdef532f889225689c25a1c433

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8FD8188109161EB676DAFFCF57FAA9FBC6C6C6A6DC0C1E527EDE3CB9B8ED027.EXE

Filesize
219KB

MD5
6afca9c1f4ecdcd443b11f52849e6879

SHA1
ef016718909b64a3b9ee0dcdbcffde752299a4cb

SHA256
b1517b59a1acccdc291541089f0764695d459d3c0d1f31625841437a3ea45dc5

SHA512
cc70a21fe2409820e5e71abd48da54701656f9ac99ec28b1844fa2c2e7e6d14979718abf117bfc80940a3749bcfd5bd491c7c4fdef532f889225689c25a1c433

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027.exe

Filesize
181KB

MD5
e9c2bc594e99b189442e1ba1354dc24b

SHA1
03dad0b158fd8465f0c0fa17e5cc86d1f146d6f2

SHA256
0cced26bf4d19270123541c053354ec4cae018abb80c5aaae9ad62be258ed623

SHA512
4bd78693cced42c13f6025c1cca53b2d3bc0687d5a93054464a01dcdfa1a4e324b8a54733c1faa258a4bf88d55baaa4cb44fd3ee41ca84ae9c679d3fe3464e79

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
38KB

MD5
ab91f2ec8e6a2a328b44def28f1f1074

SHA1
b5d273fcda7c7de51e2d1d37788b010fbd65bb13

SHA256
36d1d595b2067c7fa789db4de9e9b845a25cc024c191c7f0975c20e109cc78a0

SHA512
4cdec30ad81f5dd3269e28dd2fe88ffdd44620edc78ac9acaceba1052170db724aa26e43a8afdf4f6d084a96e4d95cf0f84b97a32ae4fcfde9f930d266ea692a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
38KB

MD5
ab91f2ec8e6a2a328b44def28f1f1074

SHA1
b5d273fcda7c7de51e2d1d37788b010fbd65bb13

SHA256
36d1d595b2067c7fa789db4de9e9b845a25cc024c191c7f0975c20e109cc78a0

SHA512
4cdec30ad81f5dd3269e28dd2fe88ffdd44620edc78ac9acaceba1052170db724aa26e43a8afdf4f6d084a96e4d95cf0f84b97a32ae4fcfde9f930d266ea692a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
38KB

MD5
ab91f2ec8e6a2a328b44def28f1f1074

SHA1
b5d273fcda7c7de51e2d1d37788b010fbd65bb13

SHA256
36d1d595b2067c7fa789db4de9e9b845a25cc024c191c7f0975c20e109cc78a0

SHA512
4cdec30ad81f5dd3269e28dd2fe88ffdd44620edc78ac9acaceba1052170db724aa26e43a8afdf4f6d084a96e4d95cf0f84b97a32ae4fcfde9f930d266ea692a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
38KB

MD5
ab91f2ec8e6a2a328b44def28f1f1074

SHA1
b5d273fcda7c7de51e2d1d37788b010fbd65bb13

SHA256
36d1d595b2067c7fa789db4de9e9b845a25cc024c191c7f0975c20e109cc78a0

SHA512
4cdec30ad81f5dd3269e28dd2fe88ffdd44620edc78ac9acaceba1052170db724aa26e43a8afdf4f6d084a96e4d95cf0f84b97a32ae4fcfde9f930d266ea692a

Download Submit
C:\Windows\dev673C.tmp

Filesize
181KB

MD5
e9c2bc594e99b189442e1ba1354dc24b

SHA1
03dad0b158fd8465f0c0fa17e5cc86d1f146d6f2

SHA256
0cced26bf4d19270123541c053354ec4cae018abb80c5aaae9ad62be258ed623

SHA512
4bd78693cced42c13f6025c1cca53b2d3bc0687d5a93054464a01dcdfa1a4e324b8a54733c1faa258a4bf88d55baaa4cb44fd3ee41ca84ae9c679d3fe3464e79

Download Submit
\Users\Admin\AppData\Local\Temp\f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027.exe

Filesize
181KB

MD5
e9c2bc594e99b189442e1ba1354dc24b

SHA1
03dad0b158fd8465f0c0fa17e5cc86d1f146d6f2

SHA256
0cced26bf4d19270123541c053354ec4cae018abb80c5aaae9ad62be258ed623

SHA512
4bd78693cced42c13f6025c1cca53b2d3bc0687d5a93054464a01dcdfa1a4e324b8a54733c1faa258a4bf88d55baaa4cb44fd3ee41ca84ae9c679d3fe3464e79

Download Submit
\Users\Admin\AppData\Local\Temp\f8fd8188109161eb676daffcf57faa9fbc6c6c6a6dc0c1e527ede3cb9b8ed027.exe

Filesize
181KB

MD5
e9c2bc594e99b189442e1ba1354dc24b

SHA1
03dad0b158fd8465f0c0fa17e5cc86d1f146d6f2

SHA256
0cced26bf4d19270123541c053354ec4cae018abb80c5aaae9ad62be258ed623

SHA512
4bd78693cced42c13f6025c1cca53b2d3bc0687d5a93054464a01dcdfa1a4e324b8a54733c1faa258a4bf88d55baaa4cb44fd3ee41ca84ae9c679d3fe3464e79

Download Submit
memory/1148-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1304-67-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1304-74-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1344-65-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1392-66-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1392-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1488-71-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download