00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7

General

Target

00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe
Size

175KB
MD5

a36af6f6c153f389108c6f75fba0a000
SHA1

ff94af7ab590026001971625b94ec5a12ce16034
SHA256

00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7
SHA512

0af6a54b8821dcac71443d266f0f2c191e35f43827e0381dcd5eede698bb235f101f0fbafc601a2b056eb145e7d09cec6aeca2156f80e04d1cbebd5b300bf4bc
SSDEEP

3072:wQVG4urzuVGp8rojCJ37y1KqPL1/7w6ZZ+Jb29iCsD:woezrKMUyL+J5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1772	MSWDM.EXE
3504	MSWDM.EXE
4780	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	MSWDM.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe
File opened for modification	C:\Windows\dev540.tmp	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe
File opened for modification	C:\Windows\dev540.tmp	MSWDM.EXE
File opened for modification	C:\Windows\die58E.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3504	MSWDM.EXE
3504	MSWDM.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 1772	4668	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe	80
PID 4668 wrote to memory of 1772	4668	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe	80
PID 4668 wrote to memory of 1772	4668	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe	80
PID 4668 wrote to memory of 3504	4668	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe	81
PID 4668 wrote to memory of 3504	4668	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe	81
PID 4668 wrote to memory of 3504	4668	00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe	81
PID 3504 wrote to memory of 4780	3504	MSWDM.EXE	82
PID 3504 wrote to memory of 4780	3504	MSWDM.EXE	82
PID 3504 wrote to memory of 4780	3504	MSWDM.EXE	82

C:\Users\Admin\AppData\Local\Temp\00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe
"C:\Users\Admin\AppData\Local\Temp\00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4668
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:1772
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev540.tmp!C:\Users\Admin\AppData\Local\Temp\00875b5a08144e28b8fae64a425f7f598fd5c276dec726da780afc2e1aa3e3a7.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev540.tmp!C:\Users\Admin\AppData\Local\Temp\00875B5A08144E28B8FAE64A425F7F598FD5C276DEC726DA780AFC2E1AA3E3A7.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00875B5A08144E28B8FAE64A425F7F598FD5C276DEC726DA780AFC2E1AA3E3A7.EXE

Filesize
175KB

MD5
64b8f209fec2b60c49c4ddfc25ba81e5

SHA1
180851c707b900ef2c1826c50befa5cd9627c2e2

SHA256
510661f77d48f5ef1af0a5484b10797b6c594da79e538250ee6e9865926b061a

SHA512
6ef9e0269244f7342d8f30ea4326a4840e94fa8d5cd7a422258473c4c25e04cc2b70c531265104de64132eca353d3b338c2741539aa49aeaaa17c1cb3e8a32c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\00875B5A08144E28B8FAE64A425F7F598FD5C276DEC726DA780AFC2E1AA3E3A7.EXE

Filesize
175KB

MD5
64b8f209fec2b60c49c4ddfc25ba81e5

SHA1
180851c707b900ef2c1826c50befa5cd9627c2e2

SHA256
510661f77d48f5ef1af0a5484b10797b6c594da79e538250ee6e9865926b061a

SHA512
6ef9e0269244f7342d8f30ea4326a4840e94fa8d5cd7a422258473c4c25e04cc2b70c531265104de64132eca353d3b338c2741539aa49aeaaa17c1cb3e8a32c3

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
128KB

MD5
2865f575487ebb3cd3a0feeb69c8c5c1

SHA1
3f4545160bb698cf33b3f497555ca7cafcd3be55

SHA256
faeb4c15832b84805829da3d627a68523224ba5007ceac6b1ebcac9660bb3c6b

SHA512
e23c2eb00413f056e934284f8dae5e3a33f3514d586c0070380656ee676a9ff9160a55aed2bd75b1a5f79e577cc7def2a0aedea5c3db0f1f0a13ce84ce651dd6

Download Submit
C:\Windows\MSWDM.EXE

Filesize
128KB

MD5
2865f575487ebb3cd3a0feeb69c8c5c1

SHA1
3f4545160bb698cf33b3f497555ca7cafcd3be55

SHA256
faeb4c15832b84805829da3d627a68523224ba5007ceac6b1ebcac9660bb3c6b

SHA512
e23c2eb00413f056e934284f8dae5e3a33f3514d586c0070380656ee676a9ff9160a55aed2bd75b1a5f79e577cc7def2a0aedea5c3db0f1f0a13ce84ce651dd6

Download Submit
C:\Windows\MSWDM.EXE

Filesize
128KB

MD5
2865f575487ebb3cd3a0feeb69c8c5c1

SHA1
3f4545160bb698cf33b3f497555ca7cafcd3be55

SHA256
faeb4c15832b84805829da3d627a68523224ba5007ceac6b1ebcac9660bb3c6b

SHA512
e23c2eb00413f056e934284f8dae5e3a33f3514d586c0070380656ee676a9ff9160a55aed2bd75b1a5f79e577cc7def2a0aedea5c3db0f1f0a13ce84ce651dd6

Download Submit
C:\Windows\MSWDM.EXE

Filesize
128KB

MD5
2865f575487ebb3cd3a0feeb69c8c5c1

SHA1
3f4545160bb698cf33b3f497555ca7cafcd3be55

SHA256
faeb4c15832b84805829da3d627a68523224ba5007ceac6b1ebcac9660bb3c6b

SHA512
e23c2eb00413f056e934284f8dae5e3a33f3514d586c0070380656ee676a9ff9160a55aed2bd75b1a5f79e577cc7def2a0aedea5c3db0f1f0a13ce84ce651dd6

Download Submit
C:\Windows\dev540.tmp

Filesize
47KB

MD5
51e1c3c29b536bf2f238dc899f807f49

SHA1
d42bbd9ff653e6c57bdecd5e572cee94cbc5d8c6

SHA256
cdad66faf00bdb8a68425d537c12ceae853ad38dc50ae15cf70080fb34511a8a

SHA512
a011acaf08b7fa7bcf6551d0bebad6ab5fe27af96243f0cbc5836e09b49275a63ed39fdd02301d5cd1af7e8e7fd686f11d91ee80bc49b3e5f1d8c36d908974ad

Download Submit
memory/1772-147-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1772-146-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3504-145-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4668-138-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4668-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4780-143-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing