f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30

General

Target

f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30.exe
Size

327KB
MD5

4496103fd2f55102cd6c4bcadd9172e0
SHA1

82f977e9b2bb2c5aa8ebdd662bc37dba2dcd6626
SHA256

f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30
SHA512

b5df7f8f186363276b5eb1c9b054fce2db2c74f5352bf31483a63a81c9a16c1be126f3b1f3aa0df0f5a85575431a9c6c59b1df6893e82a09798ce45b014cbbc1
SSDEEP

6144:fUZyAj8olritKpGmgXIaik9gvrmQGfMcIZnpYAHIe+cg/fpi:xiEKGLXIJkwrmrrIZpYAHnkY

Score

8^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\MSWDM.EXE	aspack_v212_v242
C:\WINDOWS\MSWDM.EXE	aspack_v212_v242
C:\Windows\MSWDM.EXE	aspack_v212_v242
C:\Windows\MSWDM.EXE	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\F4AC9A4E862DC709D615A9B04078C7CA0B558C0DFC30857C6A5840401C2D7E30.EXE	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\F4AC9A4E862DC709D615A9B04078C7CA0B558C0DFC30857C6A5840401C2D7E30.EXE	aspack_v212_v242

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXEF4AC9A4E862DC709D615A9B04078C7CA0B558C0DFC30857C6A5840401C2D7E30.EXEMSWDM.EXE

pid process

1980 MSWDM.EXE
260 MSWDM.EXE
4352 F4AC9A4E862DC709D615A9B04078C7CA0B558C0DFC30857C6A5840401C2D7E30.EXE
3720 MSWDM.EXE

pid	process
1980	MSWDM.EXE
260	MSWDM.EXE
4352	F4AC9A4E862DC709D615A9B04078C7CA0B558C0DFC30857C6A5840401C2D7E30.EXE
3720	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30.exeMSWDM.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30.exe

Drops file in Program Files directory 33 IoCs

Processes:

MSWDM.EXE

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\7zG.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\7z.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	MSWDM.EXE

Drops file in Windows directory 5 IoCs

Processes:

f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30.exeMSWDM.EXEMSWDM.EXE

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30.exe
File opened for modification	C:\Windows\dev46BD.tmp	f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30.exe
File opened for modification	C:\Windows\die46CD.tmp	MSWDM.EXE
File opened for modification	C:\Windows\dev46BD.tmp	MSWDM.EXE
File created	C:\Windows\die46CD.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSWDM.EXE

pid process

260 MSWDM.EXE
260 MSWDM.EXE

pid	process
260	MSWDM.EXE
260	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30.exeMSWDM.EXE

description	pid	process	target process
PID 4004 wrote to memory of 1980	4004	f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30.exe	MSWDM.EXE
PID 4004 wrote to memory of 1980	4004	f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30.exe	MSWDM.EXE
PID 4004 wrote to memory of 1980	4004	f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30.exe	MSWDM.EXE
PID 4004 wrote to memory of 260	4004	f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30.exe	MSWDM.EXE
PID 4004 wrote to memory of 260	4004	f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30.exe	MSWDM.EXE
PID 4004 wrote to memory of 260	4004	f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30.exe	MSWDM.EXE
PID 260 wrote to memory of 4352	260	MSWDM.EXE	F4AC9A4E862DC709D615A9B04078C7CA0B558C0DFC30857C6A5840401C2D7E30.EXE
PID 260 wrote to memory of 4352	260	MSWDM.EXE	F4AC9A4E862DC709D615A9B04078C7CA0B558C0DFC30857C6A5840401C2D7E30.EXE
PID 260 wrote to memory of 4352	260	MSWDM.EXE	F4AC9A4E862DC709D615A9B04078C7CA0B558C0DFC30857C6A5840401C2D7E30.EXE
PID 260 wrote to memory of 3720	260	MSWDM.EXE	MSWDM.EXE
PID 260 wrote to memory of 3720	260	MSWDM.EXE	MSWDM.EXE
PID 260 wrote to memory of 3720	260	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30.exe
"C:\Users\Admin\AppData\Local\Temp\f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4004

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1980

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev46BD.tmp!C:\Users\Admin\AppData\Local\Temp\f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30.exe! !
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:260

C:\Users\Admin\AppData\Local\Temp\F4AC9A4E862DC709D615A9B04078C7CA0B558C0DFC30857C6A5840401C2D7E30.EXE
3⤵
- Executes dropped EXE
PID:4352

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev46BD.tmp!C:\Users\Admin\AppData\Local\Temp\F4AC9A4E862DC709D615A9B04078C7CA0B558C0DFC30857C6A5840401C2D7E30.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F4AC9A4E862DC709D615A9B04078C7CA0B558C0DFC30857C6A5840401C2D7E30.EXE
Filesize
327KB

MD5
0134c6d70b6183584681f22a30d02e01

SHA1
bd79f8327ac0dfc65df0053a65cf5164fbc15f17

SHA256
3a13ec3511e0fd43894c1cfd0b7befab27153d5babd3754bccef6a0e3f401417

SHA512
1f6b69b78d4ae3c45119e5278931d56202e4f94c1347b688a5bf2cb2563801b7575389651a627ee82b024c7f8c190ca8e75889ff68b5e914f7b63e5ac65fe116

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4AC9A4E862DC709D615A9B04078C7CA0B558C0DFC30857C6A5840401C2D7E30.EXE
Filesize
327KB

MD5
0134c6d70b6183584681f22a30d02e01

SHA1
bd79f8327ac0dfc65df0053a65cf5164fbc15f17

SHA256
3a13ec3511e0fd43894c1cfd0b7befab27153d5babd3754bccef6a0e3f401417

SHA512
1f6b69b78d4ae3c45119e5278931d56202e4f94c1347b688a5bf2cb2563801b7575389651a627ee82b024c7f8c190ca8e75889ff68b5e914f7b63e5ac65fe116

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4ac9a4e862dc709d615a9b04078c7ca0b558c0dfc30857c6a5840401c2d7e30.exe
Filesize
288KB

MD5
e5f457e3d89281b97b099a757b4d9577

SHA1
aa8a49a5cfff30f5cdd23a7659b1c3ecdc734711

SHA256
ebcfea076a3bdca680525b5ce11e7d918cf574f800971a4ddd081f5a6069f0b8

SHA512
ffbb2880e10084c187a8dd3c42198782bc50a24886b2a8ee523b4c70a2dbb0b46ee1aa799f44bdd5129935d9d12b3c09e9566278b2f088ede8a39c6ec203663e

Download Submit
C:\WINDOWS\MSWDM.EXE
Filesize
39KB

MD5
e6c8169d9fede4b2d048dbdd73092edb

SHA1
78598f0fa85df9082a51d44a8b8b658492bd6e09

SHA256
3979f973a1a576bb9645e7269ad606cd093b8a20802fc2634249dc8285a54bd2

SHA512
8fa68956fd436bcb66845eb59a8e38838402304243a2670992c684b543885118a3ca232b7b2c166c649f528c533a7197fd42d72a954557aee816b51774c3a055

Download Submit
C:\Windows\MSWDM.EXE
Filesize
39KB

MD5
e6c8169d9fede4b2d048dbdd73092edb

SHA1
78598f0fa85df9082a51d44a8b8b658492bd6e09

SHA256
3979f973a1a576bb9645e7269ad606cd093b8a20802fc2634249dc8285a54bd2

SHA512
8fa68956fd436bcb66845eb59a8e38838402304243a2670992c684b543885118a3ca232b7b2c166c649f528c533a7197fd42d72a954557aee816b51774c3a055

Download Submit
C:\Windows\MSWDM.EXE
Filesize
39KB

MD5
e6c8169d9fede4b2d048dbdd73092edb

SHA1
78598f0fa85df9082a51d44a8b8b658492bd6e09

SHA256
3979f973a1a576bb9645e7269ad606cd093b8a20802fc2634249dc8285a54bd2

SHA512
8fa68956fd436bcb66845eb59a8e38838402304243a2670992c684b543885118a3ca232b7b2c166c649f528c533a7197fd42d72a954557aee816b51774c3a055

Download Submit
C:\Windows\MSWDM.EXE
Filesize
39KB

MD5
e6c8169d9fede4b2d048dbdd73092edb

SHA1
78598f0fa85df9082a51d44a8b8b658492bd6e09

SHA256
3979f973a1a576bb9645e7269ad606cd093b8a20802fc2634249dc8285a54bd2

SHA512
8fa68956fd436bcb66845eb59a8e38838402304243a2670992c684b543885118a3ca232b7b2c166c649f528c533a7197fd42d72a954557aee816b51774c3a055

Download Submit
C:\Windows\dev46BD.tmp
Filesize
288KB

MD5
e5f457e3d89281b97b099a757b4d9577

SHA1
aa8a49a5cfff30f5cdd23a7659b1c3ecdc734711

SHA256
ebcfea076a3bdca680525b5ce11e7d918cf574f800971a4ddd081f5a6069f0b8

SHA512
ffbb2880e10084c187a8dd3c42198782bc50a24886b2a8ee523b4c70a2dbb0b46ee1aa799f44bdd5129935d9d12b3c09e9566278b2f088ede8a39c6ec203663e

Download Submit
memory/260-136-0x0000000000000000-mapping.dmp

Download
memory/260-149-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/260-143-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1980-150-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1980-142-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1980-133-0x0000000000000000-mapping.dmp

Download
memory/3720-144-0x0000000000000000-mapping.dmp

Download
memory/3720-147-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4004-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4004-138-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4352-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads