7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55

General

Target

7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe
Size

797KB
MD5

4407cd47bc68ccab2e958f5016ccd330
SHA1

cad523447c6d14fa44d3e5e6e70e602420ff4b12
SHA256

7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55
SHA512

06f5f6f522dcd12152d6be6d25c51c5a732af7a0df280ad56f03f300e9e9c187bb2829cff2bc3c0f84eb93a2c84802135218d0c39a1b1fa346001ba8dd844c5c
SSDEEP

24576:woe3sDKnxYaXJi2Y3MpbwnCvzb4cbmYdTyVD7:w9sDkYOMwwnMb4PmyVn

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2248	MSWDM.EXE
820	MSWDM.EXE
2496	7B5D1315863813A2D3CC0E9AD079D57643BFC4B812521AB600DFFDFAABA34C55.EXE
4712	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	MSWDM.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe
File opened for modification	C:\Windows\dev79F7.tmp	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe
File opened for modification	C:\Windows\die7A36.tmp	MSWDM.EXE
File opened for modification	C:\Windows\dev79F7.tmp	MSWDM.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
820	MSWDM.EXE
820	MSWDM.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2496	7B5D1315863813A2D3CC0E9AD079D57643BFC4B812521AB600DFFDFAABA34C55.EXE

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2496	7B5D1315863813A2D3CC0E9AD079D57643BFC4B812521AB600DFFDFAABA34C55.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2248	2100	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe	82
PID 2100 wrote to memory of 2248	2100	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe	82
PID 2100 wrote to memory of 2248	2100	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe	82
PID 2100 wrote to memory of 820	2100	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe	83
PID 2100 wrote to memory of 820	2100	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe	83
PID 2100 wrote to memory of 820	2100	7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe	83
PID 820 wrote to memory of 2496	820	MSWDM.EXE	84
PID 820 wrote to memory of 2496	820	MSWDM.EXE	84
PID 820 wrote to memory of 2496	820	MSWDM.EXE	84
PID 820 wrote to memory of 4712	820	MSWDM.EXE	85
PID 820 wrote to memory of 4712	820	MSWDM.EXE	85
PID 820 wrote to memory of 4712	820	MSWDM.EXE	85

C:\Users\Admin\AppData\Local\Temp\7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe
"C:\Users\Admin\AppData\Local\Temp\7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2100
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2248
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev79F7.tmp!C:\Users\Admin\AppData\Local\Temp\7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\7B5D1315863813A2D3CC0E9AD079D57643BFC4B812521AB600DFFDFAABA34C55.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2496
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev79F7.tmp!C:\Users\Admin\AppData\Local\Temp\7B5D1315863813A2D3CC0E9AD079D57643BFC4B812521AB600DFFDFAABA34C55.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4712

Network

DNS

97.97.242.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.97.242.52.in-addr.arpa

IN PTR

Response
DNS

7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa

Remote address:

8.8.8.8:53

Request

7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa

IN PTR

Response

52.109.8.45:443

40 B
1
93.184.221.240:80

322 B
7
93.184.220.29:80

322 B
7

10.127.255.255:78

MSWDM.EXE

46 B
1
10.255.255.255:78

MSWDM.EXE

46 B
1
10.127.0.255:78

MSWDM.EXE

46 B
1
8.8.8.8:53

97.97.242.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.97.242.52.in-addr.arpa
8.8.8.8:53

7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa

dns

118 B
204 B
1
1

DNS Request

7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7B5D1315863813A2D3CC0E9AD079D57643BFC4B812521AB600DFFDFAABA34C55.EXE

Filesize
797KB

MD5
625b450e02f10583e7ec3e75056b17fd

SHA1
e518125eddb35a4e7178cc3120e49f6803c00b66

SHA256
0501c5d0e8cf3067f7cc2a5ecb1d4b4bd1ecc3bbe54edd670100b8813df0e3c2

SHA512
6c1869ebb858ff8ae4e5cee4cd4e46d2da65f479d7eeccd4866cea12b69f1d5fa95b0d62d87cbe9fd3ea241def939d982c74a67fd94ef7f7bee3802baa5917b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B5D1315863813A2D3CC0E9AD079D57643BFC4B812521AB600DFFDFAABA34C55.EXE

Filesize
797KB

MD5
625b450e02f10583e7ec3e75056b17fd

SHA1
e518125eddb35a4e7178cc3120e49f6803c00b66

SHA256
0501c5d0e8cf3067f7cc2a5ecb1d4b4bd1ecc3bbe54edd670100b8813df0e3c2

SHA512
6c1869ebb858ff8ae4e5cee4cd4e46d2da65f479d7eeccd4866cea12b69f1d5fa95b0d62d87cbe9fd3ea241def939d982c74a67fd94ef7f7bee3802baa5917b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b5d1315863813a2d3cc0e9ad079d57643bfc4b812521ab600dffdfaaba34c55.exe

Filesize
717KB

MD5
169c293ce9460a05646d17dc6aa2fb2c

SHA1
f0c018d61e844447dcc5a5734e1edff4997e59d5

SHA256
a7acecc562ee9c9ffbfba51bb5963a2e0c1a8fa9a5b6a8309988a5bcd48e70e6

SHA512
7c2e9ff8e3cce6873acc54276ede5db07d4936628e49199c2d1a308d912774370ffea17bbb3f1582c5f713328a17251064c58486e3434cb92b7498d46dbd901f

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
80KB

MD5
c227284e3308661150f07c9f98f0033b

SHA1
ee20dab910e7a1234f6f8298dc02d8510ee6f44c

SHA256
98bdc651519a954c06cadd73fd1f0130b07ebb8949def9fb36b767d8bdd71a0b

SHA512
3fce29dfadd871268a03e90610b8d7b0815b7ce881ca74b05b6fabceb96602decdf031292d98f8b362381be0eb4b7bafdabf5acdafab72d1500741ad559ca5a0

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
c227284e3308661150f07c9f98f0033b

SHA1
ee20dab910e7a1234f6f8298dc02d8510ee6f44c

SHA256
98bdc651519a954c06cadd73fd1f0130b07ebb8949def9fb36b767d8bdd71a0b

SHA512
3fce29dfadd871268a03e90610b8d7b0815b7ce881ca74b05b6fabceb96602decdf031292d98f8b362381be0eb4b7bafdabf5acdafab72d1500741ad559ca5a0

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
c227284e3308661150f07c9f98f0033b

SHA1
ee20dab910e7a1234f6f8298dc02d8510ee6f44c

SHA256
98bdc651519a954c06cadd73fd1f0130b07ebb8949def9fb36b767d8bdd71a0b

SHA512
3fce29dfadd871268a03e90610b8d7b0815b7ce881ca74b05b6fabceb96602decdf031292d98f8b362381be0eb4b7bafdabf5acdafab72d1500741ad559ca5a0

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
c227284e3308661150f07c9f98f0033b

SHA1
ee20dab910e7a1234f6f8298dc02d8510ee6f44c

SHA256
98bdc651519a954c06cadd73fd1f0130b07ebb8949def9fb36b767d8bdd71a0b

SHA512
3fce29dfadd871268a03e90610b8d7b0815b7ce881ca74b05b6fabceb96602decdf031292d98f8b362381be0eb4b7bafdabf5acdafab72d1500741ad559ca5a0

Download Submit
C:\Windows\dev79F7.tmp

Filesize
717KB

MD5
169c293ce9460a05646d17dc6aa2fb2c

SHA1
f0c018d61e844447dcc5a5734e1edff4997e59d5

SHA256
a7acecc562ee9c9ffbfba51bb5963a2e0c1a8fa9a5b6a8309988a5bcd48e70e6

SHA512
7c2e9ff8e3cce6873acc54276ede5db07d4936628e49199c2d1a308d912774370ffea17bbb3f1582c5f713328a17251064c58486e3434cb92b7498d46dbd901f

Download Submit
memory/820-148-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/820-142-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2100-137-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2248-141-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2248-149-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4712-146-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing