770379c375c7f7c417019bab15982dc0280ab78eea7800f7c851f5d6b7148283

Analysis

max time kernel
144s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 17:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

770379c375c7f7c417019bab15982dc0280ab78eea7800f7c851f5d6b7148283.exe
Size

80KB
MD5

a25bf6ac1a9da769b6af68ce2332c720
SHA1

1c3e7a25cd4e4050bc22a83bbbdf6d0a39c5b460
SHA256

770379c375c7f7c417019bab15982dc0280ab78eea7800f7c851f5d6b7148283
SHA512

8e18a4ab01c42ea5ce9e42e6ac6ea96b7a0ca4010e90ff127e0ee0614fa8c6d3cdbb6c9c5a94fba03326901b8e980bac7774f086972e269d316e7a78f60c8ae1
SSDEEP

1536:3STjtALMd6bE9XJuFrvJ70z+EYXnj3WCW2EW5Q+sdguxnSngBNpT/mzNnxPAxEA8:86jI9XJy7r7nj3WCW2EW5Q+Hu54Fx4xm

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000c0000000054a8-56.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1036	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	770379c375c7f7c417019bab15982dc0280ab78eea7800f7c851f5d6b7148283.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	770379c375c7f7c417019bab15982dc0280ab78eea7800f7c851f5d6b7148283.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	770379c375c7f7c417019bab15982dc0280ab78eea7800f7c851f5d6b7148283.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	770379c375c7f7c417019bab15982dc0280ab78eea7800f7c851f5d6b7148283.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 1036	1784	770379c375c7f7c417019bab15982dc0280ab78eea7800f7c851f5d6b7148283.exe	28
PID 1784 wrote to memory of 1036	1784	770379c375c7f7c417019bab15982dc0280ab78eea7800f7c851f5d6b7148283.exe	28
PID 1784 wrote to memory of 1036	1784	770379c375c7f7c417019bab15982dc0280ab78eea7800f7c851f5d6b7148283.exe	28
PID 1784 wrote to memory of 1036	1784	770379c375c7f7c417019bab15982dc0280ab78eea7800f7c851f5d6b7148283.exe	28

C:\Users\Admin\AppData\Local\Temp\770379c375c7f7c417019bab15982dc0280ab78eea7800f7c851f5d6b7148283.exe
"C:\Users\Admin\AppData\Local\Temp\770379c375c7f7c417019bab15982dc0280ab78eea7800f7c851f5d6b7148283.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1784
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
a25bf6ac1a9da769b6af68ce2332c720

SHA1
1c3e7a25cd4e4050bc22a83bbbdf6d0a39c5b460

SHA256
770379c375c7f7c417019bab15982dc0280ab78eea7800f7c851f5d6b7148283

SHA512
8e18a4ab01c42ea5ce9e42e6ac6ea96b7a0ca4010e90ff127e0ee0614fa8c6d3cdbb6c9c5a94fba03326901b8e980bac7774f086972e269d316e7a78f60c8ae1

Download Submit
memory/1036-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1036-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1784-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download