00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7

General

Target

00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe
Size

175KB
MD5

a36af6f6c153f389108c6f75fba0a000
SHA1

ff94af7ab590026001971625b94ec5a12ce16034
SHA256

00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7
SHA512

0af6a54b8821dcac71443d266f0f2c191e35f43827e0381dcd5eede698bb235f101f0fbafc601a2b056eb145e7d09cec6aeca2156f80e04d1cbebd5b300bf4bc
SSDEEP

3072:wQVG4urzuVGp8rojCJ37y1KqPL1/7w6ZZ+Jb29iCsD:woezrKMUyL+J5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
944	MSWDM.EXE
1732	MSWDM.EXE
1360	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe
File opened for modification	C:\Windows\dev76F5.tmp	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe
File opened for modification	C:\Windows\dev76F5.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1732	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 944	1900	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe	28
PID 1900 wrote to memory of 944	1900	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe	28
PID 1900 wrote to memory of 944	1900	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe	28
PID 1900 wrote to memory of 944	1900	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe	28
PID 1900 wrote to memory of 1732	1900	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe	29
PID 1900 wrote to memory of 1732	1900	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe	29
PID 1900 wrote to memory of 1732	1900	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe	29
PID 1900 wrote to memory of 1732	1900	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe	29
PID 1732 wrote to memory of 1360	1732	MSWDM.EXE	30
PID 1732 wrote to memory of 1360	1732	MSWDM.EXE	30
PID 1732 wrote to memory of 1360	1732	MSWDM.EXE	30
PID 1732 wrote to memory of 1360	1732	MSWDM.EXE	30

C:\Users\Admin\AppData\Local\Temp\00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe
"C:\Users\Admin\AppData\Local\Temp\00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1900
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:944
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev76F5.tmp!C:\Users\Admin\AppData\Local\Temp\00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev76F5.tmp!C:\Users\Admin\AppData\Local\Temp\00875B5A08144E28B8FAE64A425F7F598FD5C276DEC726DA780AFC2E1AA3E3A7.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00875B5A08144E28B8FAE64A425F7F598FD5C276DEC726DA780AFC2E1AA3E3A7.EXE

Filesize
175KB

MD5
705556461527afa95caa9a875cef9d14

SHA1
7952dc1c66c057f1b0c4576ce29e7de48d4effe6

SHA256
de070ecbb9ddec788ed7537ba61ee064eb0d302f33821ca2c501751c3e4152d2

SHA512
4126696fc6d22847acd39fb345680e52cd9ce0c8074fbf4f3ee79d2da46cb9dd4d25b541f58d3d9cc72b7d6fac15ba9586e93d7c5548b5636e5b9dab023d4c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\00875B5A08144E28B8FAE64A425F7F598FD5C276DEC726DA780AFC2E1AA3E3A7.EXE

Filesize
175KB

MD5
705556461527afa95caa9a875cef9d14

SHA1
7952dc1c66c057f1b0c4576ce29e7de48d4effe6

SHA256
de070ecbb9ddec788ed7537ba61ee064eb0d302f33821ca2c501751c3e4152d2

SHA512
4126696fc6d22847acd39fb345680e52cd9ce0c8074fbf4f3ee79d2da46cb9dd4d25b541f58d3d9cc72b7d6fac15ba9586e93d7c5548b5636e5b9dab023d4c5d

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
128KB

MD5
2865f575487ebb3cd3a0feeb69c8c5c1

SHA1
3f4545160bb698cf33b3f497555ca7cafcd3be55

SHA256
faeb4c15832b84805829da3d627a68523224ba5007ceac6b1ebcac9660bb3c6b

SHA512
e23c2eb00413f056e934284f8dae5e3a33f3514d586c0070380656ee676a9ff9160a55aed2bd75b1a5f79e577cc7def2a0aedea5c3db0f1f0a13ce84ce651dd6

Download Submit
C:\Windows\MSWDM.EXE

Filesize
128KB

MD5
2865f575487ebb3cd3a0feeb69c8c5c1

SHA1
3f4545160bb698cf33b3f497555ca7cafcd3be55

SHA256
faeb4c15832b84805829da3d627a68523224ba5007ceac6b1ebcac9660bb3c6b

SHA512
e23c2eb00413f056e934284f8dae5e3a33f3514d586c0070380656ee676a9ff9160a55aed2bd75b1a5f79e577cc7def2a0aedea5c3db0f1f0a13ce84ce651dd6

Download Submit
C:\Windows\MSWDM.EXE

Filesize
128KB

MD5
2865f575487ebb3cd3a0feeb69c8c5c1

SHA1
3f4545160bb698cf33b3f497555ca7cafcd3be55

SHA256
faeb4c15832b84805829da3d627a68523224ba5007ceac6b1ebcac9660bb3c6b

SHA512
e23c2eb00413f056e934284f8dae5e3a33f3514d586c0070380656ee676a9ff9160a55aed2bd75b1a5f79e577cc7def2a0aedea5c3db0f1f0a13ce84ce651dd6

Download Submit
C:\Windows\MSWDM.EXE

Filesize
128KB

MD5
2865f575487ebb3cd3a0feeb69c8c5c1

SHA1
3f4545160bb698cf33b3f497555ca7cafcd3be55

SHA256
faeb4c15832b84805829da3d627a68523224ba5007ceac6b1ebcac9660bb3c6b

SHA512
e23c2eb00413f056e934284f8dae5e3a33f3514d586c0070380656ee676a9ff9160a55aed2bd75b1a5f79e577cc7def2a0aedea5c3db0f1f0a13ce84ce651dd6

Download Submit
C:\Windows\dev76F5.tmp

Filesize
47KB

MD5
51e1c3c29b536bf2f238dc899f807f49

SHA1
d42bbd9ff653e6c57bdecd5e572cee94cbc5d8c6

SHA256
cdad66faf00bdb8a68425d537c12ceae853ad38dc50ae15cf70080fb34511a8a

SHA512
a011acaf08b7fa7bcf6551d0bebad6ab5fe27af96243f0cbc5836e09b49275a63ed39fdd02301d5cd1af7e8e7fd686f11d91ee80bc49b3e5f1d8c36d908974ad

Download Submit
memory/944-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/944-67-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1360-64-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1732-66-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1900-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing