1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829

Analysis

max time kernel
144s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829.exe
Size

265KB
MD5

1099e0422bf81f1a9b1f98e1136d9c20
SHA1

953c1ece0f3a7be26e0a474a33957d7cb6c9af58
SHA256

1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829
SHA512

4a128635ac1b0b36a93109cd601b60be99f846b7c0f22914b78dbde3976b1c28d0a6feda9889b4dca12e8adeda9094ffe50de6e231a33c50c43f18c3d77c987f
SSDEEP

3072:zaQVG4urzuVGp8rojCJ37Nn9WaHHD/n6ppaWiFZIPmhOF0HFZqTTeTTTfqTTTJTC:OoezrKMU3zn76ppggmhOF0HFZlxT

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1560	MSWDM.EXE
1284	MSWDM.EXE
728	1BF8F824D07D253B587FB6544AD5612F7F05A91F6749591B58345A3EAFE03829.EXE
780	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
1284	MSWDM.EXE
1284	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829.exe
File opened for modification	C:\Windows\dev7A01.tmp	1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829.exe
File opened for modification	C:\Windows\dev7A01.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1284	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1560	1348	1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829.exe	26
PID 1348 wrote to memory of 1560	1348	1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829.exe	26
PID 1348 wrote to memory of 1560	1348	1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829.exe	26
PID 1348 wrote to memory of 1560	1348	1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829.exe	26
PID 1348 wrote to memory of 1284	1348	1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829.exe	27
PID 1348 wrote to memory of 1284	1348	1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829.exe	27
PID 1348 wrote to memory of 1284	1348	1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829.exe	27
PID 1348 wrote to memory of 1284	1348	1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829.exe	27
PID 1284 wrote to memory of 728	1284	MSWDM.EXE	28
PID 1284 wrote to memory of 728	1284	MSWDM.EXE	28
PID 1284 wrote to memory of 728	1284	MSWDM.EXE	28
PID 1284 wrote to memory of 728	1284	MSWDM.EXE	28
PID 1284 wrote to memory of 780	1284	MSWDM.EXE	29
PID 1284 wrote to memory of 780	1284	MSWDM.EXE	29
PID 1284 wrote to memory of 780	1284	MSWDM.EXE	29
PID 1284 wrote to memory of 780	1284	MSWDM.EXE	29

C:\Users\Admin\AppData\Local\Temp\1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829.exe
"C:\Users\Admin\AppData\Local\Temp\1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1348
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1560
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev7A01.tmp!C:\Users\Admin\AppData\Local\Temp\1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\1BF8F824D07D253B587FB6544AD5612F7F05A91F6749591B58345A3EAFE03829.EXE
    3⤵
    - Executes dropped EXE
    PID:728
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev7A01.tmp!C:\Users\Admin\AppData\Local\Temp\1BF8F824D07D253B587FB6544AD5612F7F05A91F6749591B58345A3EAFE03829.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1BF8F824D07D253B587FB6544AD5612F7F05A91F6749591B58345A3EAFE03829.EXE

Filesize
265KB

MD5
a0018e52e3daf76d98282030e4bac1b0

SHA1
babe8a404ea4d1b64b1b584368005099955b9946

SHA256
fc2b72ee0bbfd71de8972a0219c74a5dbf239e7757ac5be5ac4e9e331ffa9eeb

SHA512
d8eb24114ddbee971eb886be5983920e305554376a7843ded1b3c038b2fb29c8fe73eb0b8255d6cb188473e629b437f90c0842ce95637d5240e9f6ea92c7dad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BF8F824D07D253B587FB6544AD5612F7F05A91F6749591B58345A3EAFE03829.EXE

Filesize
265KB

MD5
a0018e52e3daf76d98282030e4bac1b0

SHA1
babe8a404ea4d1b64b1b584368005099955b9946

SHA256
fc2b72ee0bbfd71de8972a0219c74a5dbf239e7757ac5be5ac4e9e331ffa9eeb

SHA512
d8eb24114ddbee971eb886be5983920e305554376a7843ded1b3c038b2fb29c8fe73eb0b8255d6cb188473e629b437f90c0842ce95637d5240e9f6ea92c7dad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829.exe

Filesize
181KB

MD5
e9c2bc594e99b189442e1ba1354dc24b

SHA1
03dad0b158fd8465f0c0fa17e5cc86d1f146d6f2

SHA256
0cced26bf4d19270123541c053354ec4cae018abb80c5aaae9ad62be258ed623

SHA512
4bd78693cced42c13f6025c1cca53b2d3bc0687d5a93054464a01dcdfa1a4e324b8a54733c1faa258a4bf88d55baaa4cb44fd3ee41ca84ae9c679d3fe3464e79

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
84KB

MD5
01138879034d064894075dc5f847493d

SHA1
d742e3cada48afb8672bbd6606675ac0ea2407df

SHA256
f2db7903830159c12cdc3f6bfcf3d4721e1acf31054a5edb2fe85e177e0cd698

SHA512
cca629554146f6114cebba2537fc46372c622d37fb75af17276c4415526f03c7fd4c192c5c96428be2943dc556671f65c4b322acce75024ad35badb0af83b462

Download Submit
C:\Windows\MSWDM.EXE

Filesize
84KB

MD5
01138879034d064894075dc5f847493d

SHA1
d742e3cada48afb8672bbd6606675ac0ea2407df

SHA256
f2db7903830159c12cdc3f6bfcf3d4721e1acf31054a5edb2fe85e177e0cd698

SHA512
cca629554146f6114cebba2537fc46372c622d37fb75af17276c4415526f03c7fd4c192c5c96428be2943dc556671f65c4b322acce75024ad35badb0af83b462

Download Submit
C:\Windows\MSWDM.EXE

Filesize
84KB

MD5
01138879034d064894075dc5f847493d

SHA1
d742e3cada48afb8672bbd6606675ac0ea2407df

SHA256
f2db7903830159c12cdc3f6bfcf3d4721e1acf31054a5edb2fe85e177e0cd698

SHA512
cca629554146f6114cebba2537fc46372c622d37fb75af17276c4415526f03c7fd4c192c5c96428be2943dc556671f65c4b322acce75024ad35badb0af83b462

Download Submit
C:\Windows\MSWDM.EXE

Filesize
84KB

MD5
01138879034d064894075dc5f847493d

SHA1
d742e3cada48afb8672bbd6606675ac0ea2407df

SHA256
f2db7903830159c12cdc3f6bfcf3d4721e1acf31054a5edb2fe85e177e0cd698

SHA512
cca629554146f6114cebba2537fc46372c622d37fb75af17276c4415526f03c7fd4c192c5c96428be2943dc556671f65c4b322acce75024ad35badb0af83b462

Download Submit
C:\Windows\dev7A01.tmp

Filesize
181KB

MD5
e9c2bc594e99b189442e1ba1354dc24b

SHA1
03dad0b158fd8465f0c0fa17e5cc86d1f146d6f2

SHA256
0cced26bf4d19270123541c053354ec4cae018abb80c5aaae9ad62be258ed623

SHA512
4bd78693cced42c13f6025c1cca53b2d3bc0687d5a93054464a01dcdfa1a4e324b8a54733c1faa258a4bf88d55baaa4cb44fd3ee41ca84ae9c679d3fe3464e79

Download Submit
\Users\Admin\AppData\Local\Temp\1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829.exe

Filesize
181KB

MD5
e9c2bc594e99b189442e1ba1354dc24b

SHA1
03dad0b158fd8465f0c0fa17e5cc86d1f146d6f2

SHA256
0cced26bf4d19270123541c053354ec4cae018abb80c5aaae9ad62be258ed623

SHA512
4bd78693cced42c13f6025c1cca53b2d3bc0687d5a93054464a01dcdfa1a4e324b8a54733c1faa258a4bf88d55baaa4cb44fd3ee41ca84ae9c679d3fe3464e79

Download Submit
\Users\Admin\AppData\Local\Temp\1bf8f824d07d253b587fb6544ad5612f7f05a91f6749591b58345a3eafe03829.exe

Filesize
181KB

MD5
e9c2bc594e99b189442e1ba1354dc24b

SHA1
03dad0b158fd8465f0c0fa17e5cc86d1f146d6f2

SHA256
0cced26bf4d19270123541c053354ec4cae018abb80c5aaae9ad62be258ed623

SHA512
4bd78693cced42c13f6025c1cca53b2d3bc0687d5a93054464a01dcdfa1a4e324b8a54733c1faa258a4bf88d55baaa4cb44fd3ee41ca84ae9c679d3fe3464e79

Download Submit
memory/728-66-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/780-70-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1284-72-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1348-60-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1348-54-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1560-73-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1560-74-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download