f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446

General

Target

f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe
Size

124KB
MD5

47d773852541ef438a17e8b811c3a3b0
SHA1

a54c207ce56e821e60fafef9c19da922f944ead8
SHA256

f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446
SHA512

a7bcd7892f6d492ee6dc67f41c0be8c0b88ed7a803862514ae7899589690f219d7acf33213e3798b02de33151fa4c055c200f21edd2e923f4f51a97a2886a5aa
SSDEEP

3072:2FawsA+HjzFmRa2MZBUdghqnq3VAWdg2o9btHaUtilt81+:2wwsXDz6GBUAqq3VAWdHo9btHaCG

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXEF78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXEMSWDM.EXE

pid process

4804 MSWDM.EXE
384 MSWDM.EXE
4968 F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE
4884 MSWDM.EXE

pid	process
4804	MSWDM.EXE
384	MSWDM.EXE
4968	F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE
4884	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSWDM.EXEf78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe

Drops file in Program Files directory 64 IoCs

Processes:

MSWDM.EXE

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\7zG.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	MSWDM.EXE

Drops file in Windows directory 5 IoCs

Processes:

f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exeMSWDM.EXEMSWDM.EXE

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe
File opened for modification	C:\Windows\devDCF7.tmp	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe
File opened for modification	C:\Windows\devDCF7.tmp	MSWDM.EXE
File opened for modification	C:\Windows\dieDD26.tmp	MSWDM.EXE
File created	C:\Windows\dieDD26.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSWDM.EXE

pid process

384 MSWDM.EXE
384 MSWDM.EXE

pid	process
384	MSWDM.EXE
384	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exeMSWDM.EXE

description	pid	process	target process
PID 2580 wrote to memory of 4804	2580	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe	MSWDM.EXE
PID 2580 wrote to memory of 4804	2580	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe	MSWDM.EXE
PID 2580 wrote to memory of 4804	2580	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe	MSWDM.EXE
PID 2580 wrote to memory of 384	2580	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe	MSWDM.EXE
PID 2580 wrote to memory of 384	2580	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe	MSWDM.EXE
PID 2580 wrote to memory of 384	2580	f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe	MSWDM.EXE
PID 384 wrote to memory of 4968	384	MSWDM.EXE	F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE
PID 384 wrote to memory of 4968	384	MSWDM.EXE	F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE
PID 384 wrote to memory of 4968	384	MSWDM.EXE	F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE
PID 384 wrote to memory of 4884	384	MSWDM.EXE	MSWDM.EXE
PID 384 wrote to memory of 4884	384	MSWDM.EXE	MSWDM.EXE
PID 384 wrote to memory of 4884	384	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe
"C:\Users\Admin\AppData\Local\Temp\f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2580

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4804

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\devDCF7.tmp!C:\Users\Admin\AppData\Local\Temp\f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe! !
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE
3⤵
- Executes dropped EXE
PID:4968

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\devDCF7.tmp!C:\Users\Admin\AppData\Local\Temp\F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE
Filesize
124KB

MD5
f4d084ca8ce3e34c4dade8632448426b

SHA1
c613213594537868591d59153423663c5df65a56

SHA256
e8f1566c9c541cee1c4a034b6febff3b4fe11349a3ff9e3c0d10defd6bf05208

SHA512
0875ecf6aec76dd7d67d3ce032127a9337c8225c7064af2189b07b958f7000cd182357acec6a3c42b5918502c26488683c0831df2f458e7f68bab7fcb36891c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\F78024811317A2181B47A8EAD0D1FBFFAB570F98551228EC3D484DF1D9BE4446.EXE
Filesize
124KB

MD5
f4d084ca8ce3e34c4dade8632448426b

SHA1
c613213594537868591d59153423663c5df65a56

SHA256
e8f1566c9c541cee1c4a034b6febff3b4fe11349a3ff9e3c0d10defd6bf05208

SHA512
0875ecf6aec76dd7d67d3ce032127a9337c8225c7064af2189b07b958f7000cd182357acec6a3c42b5918502c26488683c0831df2f458e7f68bab7fcb36891c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\f78024811317a2181b47a8ead0d1fbffab570f98551228ec3d484df1d9be4446.exe
Filesize
44KB

MD5
c8de98949730f36119f92ac428cc01d0

SHA1
c2e5ee6419285e4a4632d8a396898c3ce0ec8ebe

SHA256
6ce17dba32a7cf26f2f6061e78e3cbd240a19d8ba5ace3dcfb04d1c1ddc954f1

SHA512
9c11740e24e76041b41e51bf2ad8727d89fdf6b31de70f7943ce45b7a6bb8a777fd2e0217b124510632e9e9ce1afe8cb7a95e86406fec9bd7971d3c7f8250c58

Download Submit
C:\WINDOWS\MSWDM.EXE
Filesize
80KB

MD5
f9f1a0cb6d352a37e0b688b397c2cf37

SHA1
b1367b57e2291705e272ed0b478b4088be427099

SHA256
086c69d4e35117548b4f603f0bbf3c9e03f4d9e8690c7ade89857c00d28b74d4

SHA512
f69a1a729a26909aaecc6f994da94e70193998e3c37bc7ce54594fb4f431d59b54cbf9f6931181d276d9588c8c6d5a7a4705b5ff758acd138a5cacecb1109602

Download Submit
C:\Windows\MSWDM.EXE
Filesize
80KB

MD5
f9f1a0cb6d352a37e0b688b397c2cf37

SHA1
b1367b57e2291705e272ed0b478b4088be427099

SHA256
086c69d4e35117548b4f603f0bbf3c9e03f4d9e8690c7ade89857c00d28b74d4

SHA512
f69a1a729a26909aaecc6f994da94e70193998e3c37bc7ce54594fb4f431d59b54cbf9f6931181d276d9588c8c6d5a7a4705b5ff758acd138a5cacecb1109602

Download Submit
C:\Windows\MSWDM.EXE
Filesize
80KB

MD5
f9f1a0cb6d352a37e0b688b397c2cf37

SHA1
b1367b57e2291705e272ed0b478b4088be427099

SHA256
086c69d4e35117548b4f603f0bbf3c9e03f4d9e8690c7ade89857c00d28b74d4

SHA512
f69a1a729a26909aaecc6f994da94e70193998e3c37bc7ce54594fb4f431d59b54cbf9f6931181d276d9588c8c6d5a7a4705b5ff758acd138a5cacecb1109602

Download Submit
C:\Windows\MSWDM.EXE
Filesize
80KB

MD5
f9f1a0cb6d352a37e0b688b397c2cf37

SHA1
b1367b57e2291705e272ed0b478b4088be427099

SHA256
086c69d4e35117548b4f603f0bbf3c9e03f4d9e8690c7ade89857c00d28b74d4

SHA512
f69a1a729a26909aaecc6f994da94e70193998e3c37bc7ce54594fb4f431d59b54cbf9f6931181d276d9588c8c6d5a7a4705b5ff758acd138a5cacecb1109602

Download Submit
C:\Windows\devDCF7.tmp
Filesize
44KB

MD5
c8de98949730f36119f92ac428cc01d0

SHA1
c2e5ee6419285e4a4632d8a396898c3ce0ec8ebe

SHA256
6ce17dba32a7cf26f2f6061e78e3cbd240a19d8ba5ace3dcfb04d1c1ddc954f1

SHA512
9c11740e24e76041b41e51bf2ad8727d89fdf6b31de70f7943ce45b7a6bb8a777fd2e0217b124510632e9e9ce1afe8cb7a95e86406fec9bd7971d3c7f8250c58

Download Submit
memory/384-134-0x0000000000000000-mapping.dmp

Download
memory/384-148-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/384-141-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2580-138-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4804-139-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4804-132-0x0000000000000000-mapping.dmp

Download
memory/4804-149-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4884-146-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4884-143-0x0000000000000000-mapping.dmp

Download
memory/4968-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads