06c39fefec146e5cff15eb739ea0e63796f6ebd52bda5db2ecb6966cc4422b9f

Analysis

max time kernel
157s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06c39fefec146e5cff15eb739ea0e63796f6ebd52bda5db2ecb6966cc4422b9f.exe
Size

45KB
MD5

77bbb5d86a3f66702452bf5c66a38490
SHA1

a7092874e09a407303589a64c8dc5ba5af770863
SHA256

06c39fefec146e5cff15eb739ea0e63796f6ebd52bda5db2ecb6966cc4422b9f
SHA512

d33b4a144fe02cdad6352e60108dd26026a23fe4a7e664b0097b01d9cfdec2f16e5b26b9dd2a9a9ddee261bc04ca072399b27fd235c415fd2feaa443b06b9f1e
SSDEEP

768:2nFbeItJvR+Argv75ZmqPL2adWfwlmAa6BWRzAZ4qb1nYvSRwAicFoNJX1Z:2FbeITsAro5ZNjzFmAa6IBA2oESRzic8

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1820	MSWDM.EXE
2204	MSWDM.EXE
1640	06C39FEFEC146E5CFF15EB739EA0E63796F6EBD52BDA5DB2ECB6966CC4422B9F.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	06c39fefec146e5cff15eb739ea0e63796f6ebd52bda5db2ecb6966cc4422b9f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	06c39fefec146e5cff15eb739ea0e63796f6ebd52bda5db2ecb6966cc4422b9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	06c39fefec146e5cff15eb739ea0e63796f6ebd52bda5db2ecb6966cc4422b9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	MSWDM.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\dieED53.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	06c39fefec146e5cff15eb739ea0e63796f6ebd52bda5db2ecb6966cc4422b9f.exe
File opened for modification	C:\Windows\devED24.tmp	06c39fefec146e5cff15eb739ea0e63796f6ebd52bda5db2ecb6966cc4422b9f.exe
File opened for modification	C:\Windows\dieED53.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2204	MSWDM.EXE
2204	MSWDM.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 1820	5028	06c39fefec146e5cff15eb739ea0e63796f6ebd52bda5db2ecb6966cc4422b9f.exe	82
PID 5028 wrote to memory of 1820	5028	06c39fefec146e5cff15eb739ea0e63796f6ebd52bda5db2ecb6966cc4422b9f.exe	82
PID 5028 wrote to memory of 1820	5028	06c39fefec146e5cff15eb739ea0e63796f6ebd52bda5db2ecb6966cc4422b9f.exe	82
PID 5028 wrote to memory of 2204	5028	06c39fefec146e5cff15eb739ea0e63796f6ebd52bda5db2ecb6966cc4422b9f.exe	83
PID 5028 wrote to memory of 2204	5028	06c39fefec146e5cff15eb739ea0e63796f6ebd52bda5db2ecb6966cc4422b9f.exe	83
PID 5028 wrote to memory of 2204	5028	06c39fefec146e5cff15eb739ea0e63796f6ebd52bda5db2ecb6966cc4422b9f.exe	83
PID 2204 wrote to memory of 1640	2204	MSWDM.EXE	84
PID 2204 wrote to memory of 1640	2204	MSWDM.EXE	84

C:\Users\Admin\AppData\Local\Temp\06c39fefec146e5cff15eb739ea0e63796f6ebd52bda5db2ecb6966cc4422b9f.exe
"C:\Users\Admin\AppData\Local\Temp\06c39fefec146e5cff15eb739ea0e63796f6ebd52bda5db2ecb6966cc4422b9f.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5028
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:1820
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devED24.tmp!C:\Users\Admin\AppData\Local\Temp\06c39fefec146e5cff15eb739ea0e63796f6ebd52bda5db2ecb6966cc4422b9f.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Users\Admin\AppData\Local\Temp\06C39FEFEC146E5CFF15EB739EA0E63796F6EBD52BDA5DB2ECB6966CC4422B9F.EXE
    3⤵
    - Executes dropped EXE
    PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\06C39FEFEC146E5CFF15EB739EA0E63796F6EBD52BDA5DB2ECB6966CC4422B9F.EXE

Filesize
5KB

MD5
2c6eae9be4207d9b385b11b1bfd7d055

SHA1
41e389a4408578284bd5aba43da770a296067be0

SHA256
c07bc8e6d2c80e18c98fca41752969f2faa7857baf510bfae6b48a80356c8ae3

SHA512
e73911d5772128e2ea9c8b14190ab4f947bb77417b4acc707e79d9898a51c7e8c884e64d4e229cb7adec2409f4774ac63a6f30ba19027d3f02274b190131323a

Download Submit
C:\Users\Admin\AppData\Local\Temp\06c39fefec146e5cff15eb739ea0e63796f6ebd52bda5db2ecb6966cc4422b9f.exe

Filesize
5KB

MD5
2c6eae9be4207d9b385b11b1bfd7d055

SHA1
41e389a4408578284bd5aba43da770a296067be0

SHA256
c07bc8e6d2c80e18c98fca41752969f2faa7857baf510bfae6b48a80356c8ae3

SHA512
e73911d5772128e2ea9c8b14190ab4f947bb77417b4acc707e79d9898a51c7e8c884e64d4e229cb7adec2409f4774ac63a6f30ba19027d3f02274b190131323a

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
40KB

MD5
220bd91e8ef870a94e96555f4b560659

SHA1
99a616cf572308a6de9049844037755b6adf4acf

SHA256
0a7e31b475ef8bd26610c9fab2719fe1d6ab3d06fcb0fea786c6c37b4c7312ee

SHA512
6a255abead13e167b0e26a5a9acf6e731e216f074300a20fa59e7254d593eb0ffe04fef0bc2e321d421573c7e06c3e44eabe493499f7660104fff86cf0d180d4

Download Submit
C:\Windows\MSWDM.EXE

Filesize
40KB

MD5
220bd91e8ef870a94e96555f4b560659

SHA1
99a616cf572308a6de9049844037755b6adf4acf

SHA256
0a7e31b475ef8bd26610c9fab2719fe1d6ab3d06fcb0fea786c6c37b4c7312ee

SHA512
6a255abead13e167b0e26a5a9acf6e731e216f074300a20fa59e7254d593eb0ffe04fef0bc2e321d421573c7e06c3e44eabe493499f7660104fff86cf0d180d4

Download Submit
C:\Windows\MSWDM.EXE

Filesize
40KB

MD5
220bd91e8ef870a94e96555f4b560659

SHA1
99a616cf572308a6de9049844037755b6adf4acf

SHA256
0a7e31b475ef8bd26610c9fab2719fe1d6ab3d06fcb0fea786c6c37b4c7312ee

SHA512
6a255abead13e167b0e26a5a9acf6e731e216f074300a20fa59e7254d593eb0ffe04fef0bc2e321d421573c7e06c3e44eabe493499f7660104fff86cf0d180d4

Download Submit
C:\Windows\devED24.tmp

Filesize
5KB

MD5
2c6eae9be4207d9b385b11b1bfd7d055

SHA1
41e389a4408578284bd5aba43da770a296067be0

SHA256
c07bc8e6d2c80e18c98fca41752969f2faa7857baf510bfae6b48a80356c8ae3

SHA512
e73911d5772128e2ea9c8b14190ab4f947bb77417b4acc707e79d9898a51c7e8c884e64d4e229cb7adec2409f4774ac63a6f30ba19027d3f02274b190131323a

Download Submit
memory/1640-140-0x0000000000000000-mapping.dmp

Download
memory/1640-143-0x00007FFE17010000-0x00007FFE17A46000-memory.dmp

Filesize
10.2MB

Download
memory/1820-133-0x0000000000000000-mapping.dmp

Download
memory/1820-145-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2204-136-0x0000000000000000-mapping.dmp

Download
memory/2204-144-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5028-138-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5028-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download