f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446

Analysis

max time kernel
130s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe
Size

124KB
MD5

47d773852541ef438a17e8b811c3a3b0
SHA1

a54c207ce56e821e60fafef9c19da922f944ead8
SHA256

f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446
SHA512

a7bcd7892f6d492ee6dc67f41c0be8c0b88ed7a803862514ae7899589690f219d7acf33213e3798b02de33151fa4c055c200f21edd2e923f4f51a97a2886a5aa
SSDEEP

3072:2FawsA+HjzFmRa2MZBUdghqnq3VAWdg2o9btHaUtilt81+:2wwsXDz6GBUAqq3VAWdHo9btHaCG

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXEF78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXEMSWDM.EXE

pid process

1896 MSWDM.EXE
892 MSWDM.EXE
556 F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE
524 MSWDM.EXE
Loads dropped DLL 1 IoCs

Processes:

MSWDM.EXE

pid process

892 MSWDM.EXE

pid	process
1896	MSWDM.EXE
892	MSWDM.EXE
556	F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE
524	MSWDM.EXE

pid	process
892	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exeMSWDM.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe

Drops file in Windows directory 3 IoCs

Processes:

MSWDM.EXEf78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe

description	ioc	process
File opened for modification	C:\Windows\devC70.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe
File opened for modification	C:\Windows\devC70.tmp	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSWDM.EXE

pid process

892 MSWDM.EXE

pid	process
892	MSWDM.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exeMSWDM.EXE

description	pid	process	target process
PID 1892 wrote to memory of 1896	1892	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe	MSWDM.EXE
PID 1892 wrote to memory of 1896	1892	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe	MSWDM.EXE
PID 1892 wrote to memory of 1896	1892	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe	MSWDM.EXE
PID 1892 wrote to memory of 1896	1892	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe	MSWDM.EXE
PID 1892 wrote to memory of 892	1892	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe	MSWDM.EXE
PID 1892 wrote to memory of 892	1892	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe	MSWDM.EXE
PID 1892 wrote to memory of 892	1892	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe	MSWDM.EXE
PID 1892 wrote to memory of 892	1892	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe	MSWDM.EXE
PID 892 wrote to memory of 556	892	MSWDM.EXE	F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE
PID 892 wrote to memory of 556	892	MSWDM.EXE	F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE
PID 892 wrote to memory of 556	892	MSWDM.EXE	F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE
PID 892 wrote to memory of 556	892	MSWDM.EXE	F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE
PID 892 wrote to memory of 556	892	MSWDM.EXE	F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE
PID 892 wrote to memory of 556	892	MSWDM.EXE	F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE
PID 892 wrote to memory of 556	892	MSWDM.EXE	F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE
PID 892 wrote to memory of 524	892	MSWDM.EXE	MSWDM.EXE
PID 892 wrote to memory of 524	892	MSWDM.EXE	MSWDM.EXE
PID 892 wrote to memory of 524	892	MSWDM.EXE	MSWDM.EXE
PID 892 wrote to memory of 524	892	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe
"C:\Users\Admin\AppData\Local\Temp\f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1892

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1896

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\devC70.tmp!C:\Users\Admin\AppData\Local\Temp\f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe! !
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Local\Temp\F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE
3⤵
- Executes dropped EXE
PID:556

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\devC70.tmp!C:\Users\Admin\AppData\Local\Temp\F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE
Filesize
124KB

MD5
a9266476a209c877a0187c15eee64ef0

SHA1
26515a5e576daaccba58f01d6aac4e6272d08fc0

SHA256
623df8b1ef5946a80a31755a321c4f34ed20c47a4f876a32729d14beed4bdeba

SHA512
9e9e74755f85ba12ead6d5ecfe8566de06adb5397ccb36e56082ab4bcf5712dcb703751506c763ff08cf4a1390c5736f7d873e59029618cd1fe63b3e32de2772

Download Submit
C:\Users\Admin\AppData\Local\Temp\f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe
Filesize
44KB

MD5
c8de98949730f36119f92ac428cc01d0

SHA1
c2e5ee6419285e4a4632d8a396898c3ce0ec8ebe

SHA256
6ce17dba32a7cf26f2f6061e78e3cbd240a19d8ba5ace3dcfb04d1c1ddc954f1

SHA512
9c11740e24e76041b41e51bf2ad8727d89fdf6b31de70f7943ce45b7a6bb8a777fd2e0217b124510632e9e9ce1afe8cb7a95e86406fec9bd7971d3c7f8250c58

Download Submit
C:\WINDOWS\MSWDM.EXE
Filesize
80KB

MD5
f9f1a0cb6d352a37e0b688b397c2cf37

SHA1
b1367b57e2291705e272ed0b478b4088be427099

SHA256
086c69d4e35117548b4f603f0bbf3c9e03f4d9e8690c7ade89857c00d28b74d4

SHA512
f69a1a729a26909aaecc6f994da94e70193998e3c37bc7ce54594fb4f431d59b54cbf9f6931181d276d9588c8c6d5a7a4705b5ff758acd138a5cacecb1109602

Download Submit
C:\Windows\MSWDM.EXE
Filesize
80KB

MD5
f9f1a0cb6d352a37e0b688b397c2cf37

SHA1
b1367b57e2291705e272ed0b478b4088be427099

SHA256
086c69d4e35117548b4f603f0bbf3c9e03f4d9e8690c7ade89857c00d28b74d4

SHA512
f69a1a729a26909aaecc6f994da94e70193998e3c37bc7ce54594fb4f431d59b54cbf9f6931181d276d9588c8c6d5a7a4705b5ff758acd138a5cacecb1109602

Download Submit
C:\Windows\MSWDM.EXE
Filesize
80KB

MD5
f9f1a0cb6d352a37e0b688b397c2cf37

SHA1
b1367b57e2291705e272ed0b478b4088be427099

SHA256
086c69d4e35117548b4f603f0bbf3c9e03f4d9e8690c7ade89857c00d28b74d4

SHA512
f69a1a729a26909aaecc6f994da94e70193998e3c37bc7ce54594fb4f431d59b54cbf9f6931181d276d9588c8c6d5a7a4705b5ff758acd138a5cacecb1109602

Download Submit
C:\Windows\MSWDM.EXE
Filesize
80KB

MD5
f9f1a0cb6d352a37e0b688b397c2cf37

SHA1
b1367b57e2291705e272ed0b478b4088be427099

SHA256
086c69d4e35117548b4f603f0bbf3c9e03f4d9e8690c7ade89857c00d28b74d4

SHA512
f69a1a729a26909aaecc6f994da94e70193998e3c37bc7ce54594fb4f431d59b54cbf9f6931181d276d9588c8c6d5a7a4705b5ff758acd138a5cacecb1109602

Download Submit
C:\Windows\devC70.tmp
Filesize
44KB

MD5
c8de98949730f36119f92ac428cc01d0

SHA1
c2e5ee6419285e4a4632d8a396898c3ce0ec8ebe

SHA256
6ce17dba32a7cf26f2f6061e78e3cbd240a19d8ba5ace3dcfb04d1c1ddc954f1

SHA512
9c11740e24e76041b41e51bf2ad8727d89fdf6b31de70f7943ce45b7a6bb8a777fd2e0217b124510632e9e9ce1afe8cb7a95e86406fec9bd7971d3c7f8250c58

Download Submit
\Users\Admin\AppData\Local\Temp\f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe
Filesize
44KB

MD5
c8de98949730f36119f92ac428cc01d0

SHA1
c2e5ee6419285e4a4632d8a396898c3ce0ec8ebe

SHA256
6ce17dba32a7cf26f2f6061e78e3cbd240a19d8ba5ace3dcfb04d1c1ddc954f1

SHA512
9c11740e24e76041b41e51bf2ad8727d89fdf6b31de70f7943ce45b7a6bb8a777fd2e0217b124510632e9e9ce1afe8cb7a95e86406fec9bd7971d3c7f8250c58

Download Submit
memory/524-67-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/524-64-0x0000000000000000-mapping.dmp

Download
memory/556-62-0x0000000000000000-mapping.dmp

Download
memory/892-56-0x0000000000000000-mapping.dmp

Download
memory/892-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1892-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1896-54-0x0000000000000000-mapping.dmp

Download
memory/1896-70-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1896-71-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download