aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1

Analysis

max time kernel
144s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe
Size

100KB
MD5

a176cfe3c83e5f1514feb2bc490aa490
SHA1

9f239e50f3bbbada000c002dd603f65c2600daf2
SHA256

aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1
SHA512

9e0bd8449562256a3042955b8eccb03490ac5cef84c95840f0587c084485183c677bb592357a56bfc883268884a3126589e0c716992f483d87ada5cfcfb3c9ee
SSDEEP

1536:EaM5QIi+G5qH4u2eziPLRGpzA9RojCJ37S+QjcwuBiJR4:zaQVG4urzuVGp8rojCJ37NScJiJR4

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1172	MSWDM.EXE
1948	MSWDM.EXE
1408	AEBBCBE584B2B8D75DC74B6388E4FB0BFF0D3E38A0A496D66147C525687727D1.EXE
1116	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
1948	MSWDM.EXE
1948	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe
File opened for modification	C:\Windows\dev516B.tmp	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe
File opened for modification	C:\Windows\dev516B.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1948	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1172	1584	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe	26
PID 1584 wrote to memory of 1172	1584	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe	26
PID 1584 wrote to memory of 1172	1584	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe	26
PID 1584 wrote to memory of 1172	1584	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe	26
PID 1584 wrote to memory of 1948	1584	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe	27
PID 1584 wrote to memory of 1948	1584	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe	27
PID 1584 wrote to memory of 1948	1584	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe	27
PID 1584 wrote to memory of 1948	1584	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe	27
PID 1948 wrote to memory of 1408	1948	MSWDM.EXE	28
PID 1948 wrote to memory of 1408	1948	MSWDM.EXE	28
PID 1948 wrote to memory of 1408	1948	MSWDM.EXE	28
PID 1948 wrote to memory of 1408	1948	MSWDM.EXE	28
PID 1948 wrote to memory of 1116	1948	MSWDM.EXE	29
PID 1948 wrote to memory of 1116	1948	MSWDM.EXE	29
PID 1948 wrote to memory of 1116	1948	MSWDM.EXE	29
PID 1948 wrote to memory of 1116	1948	MSWDM.EXE	29

C:\Users\Admin\AppData\Local\Temp\aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe
"C:\Users\Admin\AppData\Local\Temp\aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1584
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1172
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev516B.tmp!C:\Users\Admin\AppData\Local\Temp\aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\AEBBCBE584B2B8D75DC74B6388E4FB0BFF0D3E38A0A496D66147C525687727D1.EXE
    3⤵
    - Executes dropped EXE
    PID:1408
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev516B.tmp!C:\Users\Admin\AppData\Local\Temp\AEBBCBE584B2B8D75DC74B6388E4FB0BFF0D3E38A0A496D66147C525687727D1.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AEBBCBE584B2B8D75DC74B6388E4FB0BFF0D3E38A0A496D66147C525687727D1.EXE

Filesize
100KB

MD5
1d6c8aabf913653e54f366e3c0c82d66

SHA1
491e11fc6eaa44c995cbbf615b923e5e55f12b66

SHA256
29d97eec9a21f55f0fdf3b6acba1ff2b189af6768a885cac72c3d2d26facf982

SHA512
02f3f31d88494bc272b736d270cade787831fafb5cff34c52b8feaedecab3ec6ada5e8d8cbfcaa6405421103653452558a00a8d4ea456ea585e641b3f8a5801f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEBBCBE584B2B8D75DC74B6388E4FB0BFF0D3E38A0A496D66147C525687727D1.EXE

Filesize
100KB

MD5
1d6c8aabf913653e54f366e3c0c82d66

SHA1
491e11fc6eaa44c995cbbf615b923e5e55f12b66

SHA256
29d97eec9a21f55f0fdf3b6acba1ff2b189af6768a885cac72c3d2d26facf982

SHA512
02f3f31d88494bc272b736d270cade787831fafb5cff34c52b8feaedecab3ec6ada5e8d8cbfcaa6405421103653452558a00a8d4ea456ea585e641b3f8a5801f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe

Filesize
16KB

MD5
8ad17f33bdcc0ea294e074e0e74cad3b

SHA1
81b4608a3e11a24157e9c22ac45ff1b12d8c476e

SHA256
27d6644771a935ec0547258dff56bbfba151f2addf09c51b1edc6a9a3207d2c5

SHA512
f5337e5edc0386c597d8ae787e6f4a7fdac393d2aee55eb7b3a15cf82d9fb5757724d424aab0959a0c4ebf79c9cdd560d9157295a26edffe39ff6f056a526ded

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
84KB

MD5
f694e5e8addbad27d9509e2b2c85a869

SHA1
4ef8b740ee22c0ca35673fecd676828f293b019e

SHA256
a1e9fd8e6b8ac61c715484760ed3880fe5051bd14066435cf4b778514b86cfe5

SHA512
805701b11e3b165d66144bf8c623adad0174040f74453036b8c5af6e3d3a5cd245346b3343ef6bdb82c67ee826135b71b023581c630dbd72f86af23976436ee0

Download Submit
C:\Windows\MSWDM.EXE

Filesize
84KB

MD5
f694e5e8addbad27d9509e2b2c85a869

SHA1
4ef8b740ee22c0ca35673fecd676828f293b019e

SHA256
a1e9fd8e6b8ac61c715484760ed3880fe5051bd14066435cf4b778514b86cfe5

SHA512
805701b11e3b165d66144bf8c623adad0174040f74453036b8c5af6e3d3a5cd245346b3343ef6bdb82c67ee826135b71b023581c630dbd72f86af23976436ee0

Download Submit
C:\Windows\MSWDM.EXE

Filesize
84KB

MD5
f694e5e8addbad27d9509e2b2c85a869

SHA1
4ef8b740ee22c0ca35673fecd676828f293b019e

SHA256
a1e9fd8e6b8ac61c715484760ed3880fe5051bd14066435cf4b778514b86cfe5

SHA512
805701b11e3b165d66144bf8c623adad0174040f74453036b8c5af6e3d3a5cd245346b3343ef6bdb82c67ee826135b71b023581c630dbd72f86af23976436ee0

Download Submit
C:\Windows\MSWDM.EXE

Filesize
84KB

MD5
f694e5e8addbad27d9509e2b2c85a869

SHA1
4ef8b740ee22c0ca35673fecd676828f293b019e

SHA256
a1e9fd8e6b8ac61c715484760ed3880fe5051bd14066435cf4b778514b86cfe5

SHA512
805701b11e3b165d66144bf8c623adad0174040f74453036b8c5af6e3d3a5cd245346b3343ef6bdb82c67ee826135b71b023581c630dbd72f86af23976436ee0

Download Submit
C:\Windows\dev516B.tmp

Filesize
16KB

MD5
8ad17f33bdcc0ea294e074e0e74cad3b

SHA1
81b4608a3e11a24157e9c22ac45ff1b12d8c476e

SHA256
27d6644771a935ec0547258dff56bbfba151f2addf09c51b1edc6a9a3207d2c5

SHA512
f5337e5edc0386c597d8ae787e6f4a7fdac393d2aee55eb7b3a15cf82d9fb5757724d424aab0959a0c4ebf79c9cdd560d9157295a26edffe39ff6f056a526ded

Download Submit
\Users\Admin\AppData\Local\Temp\aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe

Filesize
16KB

MD5
8ad17f33bdcc0ea294e074e0e74cad3b

SHA1
81b4608a3e11a24157e9c22ac45ff1b12d8c476e

SHA256
27d6644771a935ec0547258dff56bbfba151f2addf09c51b1edc6a9a3207d2c5

SHA512
f5337e5edc0386c597d8ae787e6f4a7fdac393d2aee55eb7b3a15cf82d9fb5757724d424aab0959a0c4ebf79c9cdd560d9157295a26edffe39ff6f056a526ded

Download Submit
\Users\Admin\AppData\Local\Temp\aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe

Filesize
16KB

MD5
8ad17f33bdcc0ea294e074e0e74cad3b

SHA1
81b4608a3e11a24157e9c22ac45ff1b12d8c476e

SHA256
27d6644771a935ec0547258dff56bbfba151f2addf09c51b1edc6a9a3207d2c5

SHA512
f5337e5edc0386c597d8ae787e6f4a7fdac393d2aee55eb7b3a15cf82d9fb5757724d424aab0959a0c4ebf79c9cdd560d9157295a26edffe39ff6f056a526ded

Download Submit
memory/1116-69-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1172-72-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1172-73-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1408-65-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1584-57-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1948-71-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download