c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155

General

Target

c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe
Size

156KB
MD5

a09bdd634c41cd21c6ea2a9903e48280
SHA1

c549574b6d345eae259b1f0b08c1c394703cbf18
SHA256

c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155
SHA512

4e1ab723db1045907aec53caabcf72342015115b2efc4a46f16140924b66ed42ea3377870e4810eae3c18e4a4628229490c6782e4f63488e8fb8f833d01aa608
SSDEEP

3072:86jI9XJy7rRAolpnyhcqPL1/7w6ZAs+VBKL:fUZyWolpnyhFQVk

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000022e1e-134.dat	aspack_v212_v242
behavioral2/files/0x0007000000022e1e-137.dat	aspack_v212_v242
behavioral2/files/0x0007000000022e1e-135.dat	aspack_v212_v242
behavioral2/files/0x0007000000022e1e-144.dat	aspack_v212_v242
behavioral2/files/0x0006000000022e1b-145.dat	aspack_v212_v242
behavioral2/files/0x0006000000022e1b-147.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
4364	MSWDM.EXE
5116	MSWDM.EXE
5052	C8DD5A5B3E5976858D09F687E8D851FAD4E6EA914D4F467276F5719B2D5B3155.EXE
4992	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\7zG.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	MSWDM.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev9385.tmp	MSWDM.EXE
File created	C:\Windows\die93B4.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe
File opened for modification	C:\Windows\dev9385.tmp	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe
File opened for modification	C:\Windows\die93B4.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5116	MSWDM.EXE
5116	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 4364	1428	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe	83
PID 1428 wrote to memory of 4364	1428	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe	83
PID 1428 wrote to memory of 4364	1428	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe	83
PID 1428 wrote to memory of 5116	1428	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe	84
PID 1428 wrote to memory of 5116	1428	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe	84
PID 1428 wrote to memory of 5116	1428	c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe	84
PID 5116 wrote to memory of 5052	5116	MSWDM.EXE	85
PID 5116 wrote to memory of 5052	5116	MSWDM.EXE	85
PID 5116 wrote to memory of 5052	5116	MSWDM.EXE	85
PID 5116 wrote to memory of 4992	5116	MSWDM.EXE	86
PID 5116 wrote to memory of 4992	5116	MSWDM.EXE	86
PID 5116 wrote to memory of 4992	5116	MSWDM.EXE	86

C:\Users\Admin\AppData\Local\Temp\c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe
"C:\Users\Admin\AppData\Local\Temp\c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1428
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:4364
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev9385.tmp!C:\Users\Admin\AppData\Local\Temp\c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Users\Admin\AppData\Local\Temp\C8DD5A5B3E5976858D09F687E8D851FAD4E6EA914D4F467276F5719B2D5B3155.EXE
    3⤵
    - Executes dropped EXE
    PID:5052
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev9385.tmp!C:\Users\Admin\AppData\Local\Temp\C8DD5A5B3E5976858D09F687E8D851FAD4E6EA914D4F467276F5719B2D5B3155.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C8DD5A5B3E5976858D09F687E8D851FAD4E6EA914D4F467276F5719B2D5B3155.EXE

Filesize
156KB

MD5
75b156a33308f2af5e6c00cf609219fb

SHA1
b879314b6888db579f12a490f47b141b88525be1

SHA256
0702a18bf3e8672d51221ffbc1c75cba6bbcdf9f17af41bdc27d66d6d3fcff26

SHA512
248134b341877217794ab4d43d85ea2eca558e71d77bde67d31122b288e9dc48139e1cb339fa60f811600ce8757128b0b192ea943220b622f90c385558f1a48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C8DD5A5B3E5976858D09F687E8D851FAD4E6EA914D4F467276F5719B2D5B3155.EXE

Filesize
156KB

MD5
75b156a33308f2af5e6c00cf609219fb

SHA1
b879314b6888db579f12a490f47b141b88525be1

SHA256
0702a18bf3e8672d51221ffbc1c75cba6bbcdf9f17af41bdc27d66d6d3fcff26

SHA512
248134b341877217794ab4d43d85ea2eca558e71d77bde67d31122b288e9dc48139e1cb339fa60f811600ce8757128b0b192ea943220b622f90c385558f1a48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8dd5a5b3e5976858d09f687e8d851fad4e6ea914d4f467276f5719b2d5b3155.exe

Filesize
76KB

MD5
f8a069e7d2bb8868cea4def627cde6e9

SHA1
25f64b33dd8d98766e12272aab10f6c44cd00d0f

SHA256
5af3085b3970bb90679b1afd187b10b98ae4551d7962448b79b2f2def151f3eb

SHA512
67ebcd7bd7f2fa224f82762e80f21d27b41a217f07572b278261a2163d55b5e22f1f47522670e3ef570dd4e70a8fc70a84eb3a8e4a3087f34fa6e2cec6ef2985

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
80KB

MD5
51ffd84d0056bbe31486979a150c91df

SHA1
d7773afd81dc28b58223a3400dde3c92db9c4916

SHA256
9d39d2016f5e76bb681f4ff7b5be03e5b1f4ca63863c656e70e393b5ee687939

SHA512
2286390e7567bf672e8d0a86086dbcd3ed7d6bc3e760fdef73f3a1b40eb4ea676dc7dfad64b38c9573bcfb17c958c157164be787d1574aa7b814f7641412fc76

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
51ffd84d0056bbe31486979a150c91df

SHA1
d7773afd81dc28b58223a3400dde3c92db9c4916

SHA256
9d39d2016f5e76bb681f4ff7b5be03e5b1f4ca63863c656e70e393b5ee687939

SHA512
2286390e7567bf672e8d0a86086dbcd3ed7d6bc3e760fdef73f3a1b40eb4ea676dc7dfad64b38c9573bcfb17c958c157164be787d1574aa7b814f7641412fc76

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
51ffd84d0056bbe31486979a150c91df

SHA1
d7773afd81dc28b58223a3400dde3c92db9c4916

SHA256
9d39d2016f5e76bb681f4ff7b5be03e5b1f4ca63863c656e70e393b5ee687939

SHA512
2286390e7567bf672e8d0a86086dbcd3ed7d6bc3e760fdef73f3a1b40eb4ea676dc7dfad64b38c9573bcfb17c958c157164be787d1574aa7b814f7641412fc76

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
51ffd84d0056bbe31486979a150c91df

SHA1
d7773afd81dc28b58223a3400dde3c92db9c4916

SHA256
9d39d2016f5e76bb681f4ff7b5be03e5b1f4ca63863c656e70e393b5ee687939

SHA512
2286390e7567bf672e8d0a86086dbcd3ed7d6bc3e760fdef73f3a1b40eb4ea676dc7dfad64b38c9573bcfb17c958c157164be787d1574aa7b814f7641412fc76

Download Submit
C:\Windows\dev9385.tmp

Filesize
76KB

MD5
f8a069e7d2bb8868cea4def627cde6e9

SHA1
25f64b33dd8d98766e12272aab10f6c44cd00d0f

SHA256
5af3085b3970bb90679b1afd187b10b98ae4551d7962448b79b2f2def151f3eb

SHA512
67ebcd7bd7f2fa224f82762e80f21d27b41a217f07572b278261a2163d55b5e22f1f47522670e3ef570dd4e70a8fc70a84eb3a8e4a3087f34fa6e2cec6ef2985

Download Submit
memory/1428-138-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1428-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4364-149-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4992-146-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5116-142-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5116-148-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing