7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55

Analysis

max time kernel
144s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe
Size

797KB
MD5

4407cd47bc68ccab2e958f5016ccd330
SHA1

cad523447c6d14fa44d3e5e6e70e602420ff4b12
SHA256

7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55
SHA512

06f5f6f522dcd12152d6be6d25c51c5a732af7a0df280ad56f03f300e9e9c187bb2829cff2bc3c0f84eb93a2c84802135218d0c39a1b1fa346001ba8dd844c5c
SSDEEP

24576:woe3sDKnxYaXJi2Y3MpbwnCvzb4cbmYdTyVD7:w9sDkYOMwwnMb4PmyVn

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1188	MSWDM.EXE
1948	MSWDM.EXE
968	7B5D1315863813A2D3CC0E9AD079D57643BFC4B812521AB600DFFDFAABA34C55.EXE
1972	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
1948	MSWDM.EXE
1948	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe
File opened for modification	C:\Windows\dev1E4B.tmp	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe
File opened for modification	C:\Windows\dev1E4B.tmp	MSWDM.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1948	MSWDM.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
968	7B5D1315863813A2D3CC0E9AD079D57643BFC4B812521AB600DFFDFAABA34C55.EXE

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
968	7B5D1315863813A2D3CC0E9AD079D57643BFC4B812521AB600DFFDFAABA34C55.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 1188	1532	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe	27
PID 1532 wrote to memory of 1188	1532	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe	27
PID 1532 wrote to memory of 1188	1532	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe	27
PID 1532 wrote to memory of 1188	1532	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe	27
PID 1532 wrote to memory of 1948	1532	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe	28
PID 1532 wrote to memory of 1948	1532	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe	28
PID 1532 wrote to memory of 1948	1532	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe	28
PID 1532 wrote to memory of 1948	1532	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe	28
PID 1948 wrote to memory of 968	1948	MSWDM.EXE	29
PID 1948 wrote to memory of 968	1948	MSWDM.EXE	29
PID 1948 wrote to memory of 968	1948	MSWDM.EXE	29
PID 1948 wrote to memory of 968	1948	MSWDM.EXE	29
PID 1948 wrote to memory of 1972	1948	MSWDM.EXE	30
PID 1948 wrote to memory of 1972	1948	MSWDM.EXE	30
PID 1948 wrote to memory of 1972	1948	MSWDM.EXE	30
PID 1948 wrote to memory of 1972	1948	MSWDM.EXE	30

C:\Users\Admin\AppData\Local\Temp\7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe
"C:\Users\Admin\AppData\Local\Temp\7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1532
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1188
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1E4B.tmp!C:\Users\Admin\AppData\Local\Temp\7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\7B5D1315863813A2D3CC0E9AD079D57643BFC4B812521AB600DFFDFAABA34C55.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:968
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1E4B.tmp!C:\Users\Admin\AppData\Local\Temp\7B5D1315863813A2D3CC0E9AD079D57643BFC4B812521AB600DFFDFAABA34C55.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7B5D1315863813A2D3CC0E9AD079D57643BFC4B812521AB600DFFDFAABA34C55.EXE

Filesize
80KB

MD5
c227284e3308661150f07c9f98f0033b

SHA1
ee20dab910e7a1234f6f8298dc02d8510ee6f44c

SHA256
98bdc651519a954c06cadd73fd1f0130b07ebb8949def9fb36b767d8bdd71a0b

SHA512
3fce29dfadd871268a03e90610b8d7b0815b7ce881ca74b05b6fabceb96602decdf031292d98f8b362381be0eb4b7bafdabf5acdafab72d1500741ad559ca5a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B5D1315863813A2D3CC0E9AD079D57643BFC4B812521AB600DFFDFAABA34C55.EXE

Filesize
797KB

MD5
18d2059ce8c0b483b8b4e15c9ab2ad2f

SHA1
369867c614b7dd5e6cc365bf4ee179e9fc9de029

SHA256
ee612511358bee0f7c52af013e915f8c86ab5f0ca31db7b39d44527fc7103714

SHA512
df3997c0bb2658f3e3a374fcff9daee66ee8fca7023b849c72bbf91d63207be0abca0d37a626336e0415ae1a2789f4277f905633973966117a770657152c7ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe

Filesize
717KB

MD5
169c293ce9460a05646d17dc6aa2fb2c

SHA1
f0c018d61e844447dcc5a5734e1edff4997e59d5

SHA256
a7acecc562ee9c9ffbfba51bb5963a2e0c1a8fa9a5b6a8309988a5bcd48e70e6

SHA512
7c2e9ff8e3cce6873acc54276ede5db07d4936628e49199c2d1a308d912774370ffea17bbb3f1582c5f713328a17251064c58486e3434cb92b7498d46dbd901f

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
80KB

MD5
c227284e3308661150f07c9f98f0033b

SHA1
ee20dab910e7a1234f6f8298dc02d8510ee6f44c

SHA256
98bdc651519a954c06cadd73fd1f0130b07ebb8949def9fb36b767d8bdd71a0b

SHA512
3fce29dfadd871268a03e90610b8d7b0815b7ce881ca74b05b6fabceb96602decdf031292d98f8b362381be0eb4b7bafdabf5acdafab72d1500741ad559ca5a0

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
c227284e3308661150f07c9f98f0033b

SHA1
ee20dab910e7a1234f6f8298dc02d8510ee6f44c

SHA256
98bdc651519a954c06cadd73fd1f0130b07ebb8949def9fb36b767d8bdd71a0b

SHA512
3fce29dfadd871268a03e90610b8d7b0815b7ce881ca74b05b6fabceb96602decdf031292d98f8b362381be0eb4b7bafdabf5acdafab72d1500741ad559ca5a0

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
c227284e3308661150f07c9f98f0033b

SHA1
ee20dab910e7a1234f6f8298dc02d8510ee6f44c

SHA256
98bdc651519a954c06cadd73fd1f0130b07ebb8949def9fb36b767d8bdd71a0b

SHA512
3fce29dfadd871268a03e90610b8d7b0815b7ce881ca74b05b6fabceb96602decdf031292d98f8b362381be0eb4b7bafdabf5acdafab72d1500741ad559ca5a0

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
c227284e3308661150f07c9f98f0033b

SHA1
ee20dab910e7a1234f6f8298dc02d8510ee6f44c

SHA256
98bdc651519a954c06cadd73fd1f0130b07ebb8949def9fb36b767d8bdd71a0b

SHA512
3fce29dfadd871268a03e90610b8d7b0815b7ce881ca74b05b6fabceb96602decdf031292d98f8b362381be0eb4b7bafdabf5acdafab72d1500741ad559ca5a0

Download Submit
C:\Windows\dev1E4B.tmp

Filesize
717KB

MD5
169c293ce9460a05646d17dc6aa2fb2c

SHA1
f0c018d61e844447dcc5a5734e1edff4997e59d5

SHA256
a7acecc562ee9c9ffbfba51bb5963a2e0c1a8fa9a5b6a8309988a5bcd48e70e6

SHA512
7c2e9ff8e3cce6873acc54276ede5db07d4936628e49199c2d1a308d912774370ffea17bbb3f1582c5f713328a17251064c58486e3434cb92b7498d46dbd901f

Download Submit
\Users\Admin\AppData\Local\Temp\7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe

Filesize
717KB

MD5
169c293ce9460a05646d17dc6aa2fb2c

SHA1
f0c018d61e844447dcc5a5734e1edff4997e59d5

SHA256
a7acecc562ee9c9ffbfba51bb5963a2e0c1a8fa9a5b6a8309988a5bcd48e70e6

SHA512
7c2e9ff8e3cce6873acc54276ede5db07d4936628e49199c2d1a308d912774370ffea17bbb3f1582c5f713328a17251064c58486e3434cb92b7498d46dbd901f

Download Submit
\Users\Admin\AppData\Local\Temp\7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe

Filesize
717KB

MD5
169c293ce9460a05646d17dc6aa2fb2c

SHA1
f0c018d61e844447dcc5a5734e1edff4997e59d5

SHA256
a7acecc562ee9c9ffbfba51bb5963a2e0c1a8fa9a5b6a8309988a5bcd48e70e6

SHA512
7c2e9ff8e3cce6873acc54276ede5db07d4936628e49199c2d1a308d912774370ffea17bbb3f1582c5f713328a17251064c58486e3434cb92b7498d46dbd901f

Download Submit
memory/968-65-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1188-74-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1188-75-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1532-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1948-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1972-71-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download