6be6fcbeb0135eba8e1075af2c7ec24a62b4ced56009d9cb43ea0d35adfbdebf

Analysis

max time kernel
147s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6be6fcbeb0135eba8e1075af2c7ec24a62b4ced56009d9cb43ea0d35adfbdebf.exe
Size

80KB
MD5

61912ecec39341a5d810a2cb39376206
SHA1

4bc64f4f4c6d5bc8fdedb606064c0d71d3dc5cba
SHA256

6be6fcbeb0135eba8e1075af2c7ec24a62b4ced56009d9cb43ea0d35adfbdebf
SHA512

4fc2dcadf1dcd4fb3bd1c7ff72b10e2a2a9d140e053acae1a43a54735ab612a1efa6b7d4c770f3756c0d489501332fcbe55d0b68df59d071f689ba810c8c1db8
SSDEEP

1536:2FbeITsAro5ZNjzFmAa6IBA2oESR5BAfvQYt7mGGB85f:2FawsA+HjzFmRa2M5BAw87mU

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1880	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	6be6fcbeb0135eba8e1075af2c7ec24a62b4ced56009d9cb43ea0d35adfbdebf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	6be6fcbeb0135eba8e1075af2c7ec24a62b4ced56009d9cb43ea0d35adfbdebf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	6be6fcbeb0135eba8e1075af2c7ec24a62b4ced56009d9cb43ea0d35adfbdebf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	6be6fcbeb0135eba8e1075af2c7ec24a62b4ced56009d9cb43ea0d35adfbdebf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1880	1884	6be6fcbeb0135eba8e1075af2c7ec24a62b4ced56009d9cb43ea0d35adfbdebf.exe	27
PID 1884 wrote to memory of 1880	1884	6be6fcbeb0135eba8e1075af2c7ec24a62b4ced56009d9cb43ea0d35adfbdebf.exe	27
PID 1884 wrote to memory of 1880	1884	6be6fcbeb0135eba8e1075af2c7ec24a62b4ced56009d9cb43ea0d35adfbdebf.exe	27
PID 1884 wrote to memory of 1880	1884	6be6fcbeb0135eba8e1075af2c7ec24a62b4ced56009d9cb43ea0d35adfbdebf.exe	27

C:\Users\Admin\AppData\Local\Temp\6be6fcbeb0135eba8e1075af2c7ec24a62b4ced56009d9cb43ea0d35adfbdebf.exe
"C:\Users\Admin\AppData\Local\Temp\6be6fcbeb0135eba8e1075af2c7ec24a62b4ced56009d9cb43ea0d35adfbdebf.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1884
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
61912ecec39341a5d810a2cb39376206

SHA1
4bc64f4f4c6d5bc8fdedb606064c0d71d3dc5cba

SHA256
6be6fcbeb0135eba8e1075af2c7ec24a62b4ced56009d9cb43ea0d35adfbdebf

SHA512
4fc2dcadf1dcd4fb3bd1c7ff72b10e2a2a9d140e053acae1a43a54735ab612a1efa6b7d4c770f3756c0d489501332fcbe55d0b68df59d071f689ba810c8c1db8

Download Submit
memory/1880-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1880-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1884-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download