e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a

Analysis

max time kernel
142s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 14:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a.exe
Size

96KB
MD5

a00f8bb7f32acba742ddd010975b42b0
SHA1

a69d2116608e070de2e79c304e8938e967b9946f
SHA256

e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a
SHA512

aff61b433f71bc4c1ceea42d1435deccebe0f24b17bef2caaa873f5304abfa5c8a6dfb7b246134bae870024aea57cb546206a15384e577416eca83f050118a9b
SSDEEP

1536:zaYQxWlDtiw/L+5CC6nQXqw4QO/2jIy3v5BW4ntGcKe1R+1EjcwuBiJRs:mYFkkC6nQXqw4L2R/WCtFU18cJiJRs

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000500000000b2d2-55.dat	aspack_v212_v242
behavioral1/files/0x000500000000b2d2-57.dat	aspack_v212_v242
behavioral1/files/0x000500000000b2d2-59.dat	aspack_v212_v242
behavioral1/files/0x000500000000b2d2-67.dat	aspack_v212_v242
behavioral1/files/0x00080000000122df-68.dat	aspack_v212_v242
behavioral1/files/0x00080000000122df-70.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
2036	MSWDM.EXE
1148	MSWDM.EXE
1284	E9392C78BB94A8A602912736110B23BC459F1F0AC18E97F7FDA6B2E52DA5866A.EXE
1684	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
1148	MSWDM.EXE
1148	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a.exe
File opened for modification	C:\Windows\dev56E.tmp	e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a.exe
File opened for modification	C:\Windows\dev56E.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1148	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2036	2012	e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a.exe	27
PID 2012 wrote to memory of 2036	2012	e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a.exe	27
PID 2012 wrote to memory of 2036	2012	e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a.exe	27
PID 2012 wrote to memory of 2036	2012	e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a.exe	27
PID 2012 wrote to memory of 1148	2012	e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a.exe	28
PID 2012 wrote to memory of 1148	2012	e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a.exe	28
PID 2012 wrote to memory of 1148	2012	e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a.exe	28
PID 2012 wrote to memory of 1148	2012	e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a.exe	28
PID 1148 wrote to memory of 1284	1148	MSWDM.EXE	29
PID 1148 wrote to memory of 1284	1148	MSWDM.EXE	29
PID 1148 wrote to memory of 1284	1148	MSWDM.EXE	29
PID 1148 wrote to memory of 1284	1148	MSWDM.EXE	29
PID 1148 wrote to memory of 1684	1148	MSWDM.EXE	30
PID 1148 wrote to memory of 1684	1148	MSWDM.EXE	30
PID 1148 wrote to memory of 1684	1148	MSWDM.EXE	30
PID 1148 wrote to memory of 1684	1148	MSWDM.EXE	30

C:\Users\Admin\AppData\Local\Temp\e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a.exe
"C:\Users\Admin\AppData\Local\Temp\e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2012
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2036
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev56E.tmp!C:\Users\Admin\AppData\Local\Temp\e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Users\Admin\AppData\Local\Temp\E9392C78BB94A8A602912736110B23BC459F1F0AC18E97F7FDA6B2E52DA5866A.EXE
    3⤵
    - Executes dropped EXE
    PID:1284
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev56E.tmp!C:\Users\Admin\AppData\Local\Temp\E9392C78BB94A8A602912736110B23BC459F1F0AC18E97F7FDA6B2E52DA5866A.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E9392C78BB94A8A602912736110B23BC459F1F0AC18E97F7FDA6B2E52DA5866A.EXE

Filesize
96KB

MD5
ba195129531e740f6ec031df1487ecb4

SHA1
f24292b97c5494aea0653dd9ed04f050450bc433

SHA256
80b2f995da8305e446f1f099e13874a3b72e440ef4fdcd19415dd4fcf479c446

SHA512
265173b6fff9e1f42466f128aafb5ccd576831b70bc2403ccdbb3e27c6b90ab19b2a127f90db95775520d14f695a9dabfeeb7efe9e465a6c48303dbcd1a74e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E9392C78BB94A8A602912736110B23BC459F1F0AC18E97F7FDA6B2E52DA5866A.EXE

Filesize
96KB

MD5
ba195129531e740f6ec031df1487ecb4

SHA1
f24292b97c5494aea0653dd9ed04f050450bc433

SHA256
80b2f995da8305e446f1f099e13874a3b72e440ef4fdcd19415dd4fcf479c446

SHA512
265173b6fff9e1f42466f128aafb5ccd576831b70bc2403ccdbb3e27c6b90ab19b2a127f90db95775520d14f695a9dabfeeb7efe9e465a6c48303dbcd1a74e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a.exe

Filesize
16KB

MD5
8ad17f33bdcc0ea294e074e0e74cad3b

SHA1
81b4608a3e11a24157e9c22ac45ff1b12d8c476e

SHA256
27d6644771a935ec0547258dff56bbfba151f2addf09c51b1edc6a9a3207d2c5

SHA512
f5337e5edc0386c597d8ae787e6f4a7fdac393d2aee55eb7b3a15cf82d9fb5757724d424aab0959a0c4ebf79c9cdd560d9157295a26edffe39ff6f056a526ded

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
80KB

MD5
228d727300bd1f86f468d0c13c218c4e

SHA1
a2704a23a3cb6caa72b0484da5619171c0d80bc5

SHA256
fd96946a7884e82daaa78f18e12c9ca9b0fed8e32a806a706e652442880a87ff

SHA512
652b4e7f3746b2a0c381b054fd23d4b1b1fe442fdccd3bc2df4fae726d7987f88b3077ceb9f62dd775d2474fdef263a8d32fe9f559584c65bf9b0cb697527e51

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
228d727300bd1f86f468d0c13c218c4e

SHA1
a2704a23a3cb6caa72b0484da5619171c0d80bc5

SHA256
fd96946a7884e82daaa78f18e12c9ca9b0fed8e32a806a706e652442880a87ff

SHA512
652b4e7f3746b2a0c381b054fd23d4b1b1fe442fdccd3bc2df4fae726d7987f88b3077ceb9f62dd775d2474fdef263a8d32fe9f559584c65bf9b0cb697527e51

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
228d727300bd1f86f468d0c13c218c4e

SHA1
a2704a23a3cb6caa72b0484da5619171c0d80bc5

SHA256
fd96946a7884e82daaa78f18e12c9ca9b0fed8e32a806a706e652442880a87ff

SHA512
652b4e7f3746b2a0c381b054fd23d4b1b1fe442fdccd3bc2df4fae726d7987f88b3077ceb9f62dd775d2474fdef263a8d32fe9f559584c65bf9b0cb697527e51

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
228d727300bd1f86f468d0c13c218c4e

SHA1
a2704a23a3cb6caa72b0484da5619171c0d80bc5

SHA256
fd96946a7884e82daaa78f18e12c9ca9b0fed8e32a806a706e652442880a87ff

SHA512
652b4e7f3746b2a0c381b054fd23d4b1b1fe442fdccd3bc2df4fae726d7987f88b3077ceb9f62dd775d2474fdef263a8d32fe9f559584c65bf9b0cb697527e51

Download Submit
C:\Windows\dev56E.tmp

Filesize
16KB

MD5
8ad17f33bdcc0ea294e074e0e74cad3b

SHA1
81b4608a3e11a24157e9c22ac45ff1b12d8c476e

SHA256
27d6644771a935ec0547258dff56bbfba151f2addf09c51b1edc6a9a3207d2c5

SHA512
f5337e5edc0386c597d8ae787e6f4a7fdac393d2aee55eb7b3a15cf82d9fb5757724d424aab0959a0c4ebf79c9cdd560d9157295a26edffe39ff6f056a526ded

Download Submit
\Users\Admin\AppData\Local\Temp\e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a.exe

Filesize
16KB

MD5
8ad17f33bdcc0ea294e074e0e74cad3b

SHA1
81b4608a3e11a24157e9c22ac45ff1b12d8c476e

SHA256
27d6644771a935ec0547258dff56bbfba151f2addf09c51b1edc6a9a3207d2c5

SHA512
f5337e5edc0386c597d8ae787e6f4a7fdac393d2aee55eb7b3a15cf82d9fb5757724d424aab0959a0c4ebf79c9cdd560d9157295a26edffe39ff6f056a526ded

Download Submit
\Users\Admin\AppData\Local\Temp\e9392c78bb94a8a602912736110b23bc459f1f0ac18e97f7fda6b2e52da5866a.exe

Filesize
16KB

MD5
8ad17f33bdcc0ea294e074e0e74cad3b

SHA1
81b4608a3e11a24157e9c22ac45ff1b12d8c476e

SHA256
27d6644771a935ec0547258dff56bbfba151f2addf09c51b1edc6a9a3207d2c5

SHA512
f5337e5edc0386c597d8ae787e6f4a7fdac393d2aee55eb7b3a15cf82d9fb5757724d424aab0959a0c4ebf79c9cdd560d9157295a26edffe39ff6f056a526ded

Download Submit
memory/1148-71-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1284-65-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1684-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2012-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2036-72-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2036-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download