aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1

General

Target

aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe
Size

100KB
MD5

a176cfe3c83e5f1514feb2bc490aa490
SHA1

9f239e50f3bbbada000c002dd603f65c2600daf2
SHA256

aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1
SHA512

9e0bd8449562256a3042955b8eccb03490ac5cef84c95840f0587c084485183c677bb592357a56bfc883268884a3126589e0c716992f483d87ada5cfcfb3c9ee
SSDEEP

1536:EaM5QIi+G5qH4u2eziPLRGpzA9RojCJ37S+QjcwuBiJR4:zaQVG4urzuVGp8rojCJ37NScJiJR4

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4528	MSWDM.EXE
2360	MSWDM.EXE
3900	AEBBCBE584B2B8D75DC74B6388E4FB0BFF0D3E38A0A496D66147C525687727D1.EXE
2348	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\7z.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\7zG.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	MSWDM.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe
File opened for modification	C:\Windows\dev109B.tmp	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe
File opened for modification	C:\Windows\dev109B.tmp	MSWDM.EXE
File opened for modification	C:\Windows\die10BA.tmp	MSWDM.EXE
File created	C:\Windows\die10BA.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2360	MSWDM.EXE
2360	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 4528	4224	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe	81
PID 4224 wrote to memory of 4528	4224	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe	81
PID 4224 wrote to memory of 4528	4224	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe	81
PID 4224 wrote to memory of 2360	4224	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe	82
PID 4224 wrote to memory of 2360	4224	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe	82
PID 4224 wrote to memory of 2360	4224	aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe	82
PID 2360 wrote to memory of 3900	2360	MSWDM.EXE	83
PID 2360 wrote to memory of 3900	2360	MSWDM.EXE	83
PID 2360 wrote to memory of 3900	2360	MSWDM.EXE	83
PID 2360 wrote to memory of 2348	2360	MSWDM.EXE	84
PID 2360 wrote to memory of 2348	2360	MSWDM.EXE	84
PID 2360 wrote to memory of 2348	2360	MSWDM.EXE	84

C:\Users\Admin\AppData\Local\Temp\aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe
"C:\Users\Admin\AppData\Local\Temp\aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4224
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:4528
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev109B.tmp!C:\Users\Admin\AppData\Local\Temp\aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\AEBBCBE584B2B8D75DC74B6388E4FB0BFF0D3E38A0A496D66147C525687727D1.EXE
    3⤵
    - Executes dropped EXE
    PID:3900
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev109B.tmp!C:\Users\Admin\AppData\Local\Temp\AEBBCBE584B2B8D75DC74B6388E4FB0BFF0D3E38A0A496D66147C525687727D1.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AEBBCBE584B2B8D75DC74B6388E4FB0BFF0D3E38A0A496D66147C525687727D1.EXE

Filesize
100KB

MD5
ece5271d394319410eca3657830ad3e5

SHA1
21231ca16c4efaf9d66e353b4b4673478e021bbf

SHA256
a4527a3889bcd5c4b79ae8862549b97b884c0de6c4e3c073761b1f67f2b2eceb

SHA512
01a3ff46278f0aec50d25db9045955bb5bc2c33e1d973a29e9274a0ab6df423610c2c0a7980366498b36aa4649899a35d868d743c3b6c55b8d1438cbc88627e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEBBCBE584B2B8D75DC74B6388E4FB0BFF0D3E38A0A496D66147C525687727D1.EXE

Filesize
100KB

MD5
ece5271d394319410eca3657830ad3e5

SHA1
21231ca16c4efaf9d66e353b4b4673478e021bbf

SHA256
a4527a3889bcd5c4b79ae8862549b97b884c0de6c4e3c073761b1f67f2b2eceb

SHA512
01a3ff46278f0aec50d25db9045955bb5bc2c33e1d973a29e9274a0ab6df423610c2c0a7980366498b36aa4649899a35d868d743c3b6c55b8d1438cbc88627e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aebbcbe584b2b8d75dc74b6388e4fb0bff0d3e38a0a496d66147c525687727d1.exe

Filesize
16KB

MD5
8ad17f33bdcc0ea294e074e0e74cad3b

SHA1
81b4608a3e11a24157e9c22ac45ff1b12d8c476e

SHA256
27d6644771a935ec0547258dff56bbfba151f2addf09c51b1edc6a9a3207d2c5

SHA512
f5337e5edc0386c597d8ae787e6f4a7fdac393d2aee55eb7b3a15cf82d9fb5757724d424aab0959a0c4ebf79c9cdd560d9157295a26edffe39ff6f056a526ded

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
84KB

MD5
f694e5e8addbad27d9509e2b2c85a869

SHA1
4ef8b740ee22c0ca35673fecd676828f293b019e

SHA256
a1e9fd8e6b8ac61c715484760ed3880fe5051bd14066435cf4b778514b86cfe5

SHA512
805701b11e3b165d66144bf8c623adad0174040f74453036b8c5af6e3d3a5cd245346b3343ef6bdb82c67ee826135b71b023581c630dbd72f86af23976436ee0

Download Submit
C:\Windows\MSWDM.EXE

Filesize
84KB

MD5
f694e5e8addbad27d9509e2b2c85a869

SHA1
4ef8b740ee22c0ca35673fecd676828f293b019e

SHA256
a1e9fd8e6b8ac61c715484760ed3880fe5051bd14066435cf4b778514b86cfe5

SHA512
805701b11e3b165d66144bf8c623adad0174040f74453036b8c5af6e3d3a5cd245346b3343ef6bdb82c67ee826135b71b023581c630dbd72f86af23976436ee0

Download Submit
C:\Windows\MSWDM.EXE

Filesize
84KB

MD5
f694e5e8addbad27d9509e2b2c85a869

SHA1
4ef8b740ee22c0ca35673fecd676828f293b019e

SHA256
a1e9fd8e6b8ac61c715484760ed3880fe5051bd14066435cf4b778514b86cfe5

SHA512
805701b11e3b165d66144bf8c623adad0174040f74453036b8c5af6e3d3a5cd245346b3343ef6bdb82c67ee826135b71b023581c630dbd72f86af23976436ee0

Download Submit
C:\Windows\MSWDM.EXE

Filesize
84KB

MD5
f694e5e8addbad27d9509e2b2c85a869

SHA1
4ef8b740ee22c0ca35673fecd676828f293b019e

SHA256
a1e9fd8e6b8ac61c715484760ed3880fe5051bd14066435cf4b778514b86cfe5

SHA512
805701b11e3b165d66144bf8c623adad0174040f74453036b8c5af6e3d3a5cd245346b3343ef6bdb82c67ee826135b71b023581c630dbd72f86af23976436ee0

Download Submit
C:\Windows\dev109B.tmp

Filesize
16KB

MD5
8ad17f33bdcc0ea294e074e0e74cad3b

SHA1
81b4608a3e11a24157e9c22ac45ff1b12d8c476e

SHA256
27d6644771a935ec0547258dff56bbfba151f2addf09c51b1edc6a9a3207d2c5

SHA512
f5337e5edc0386c597d8ae787e6f4a7fdac393d2aee55eb7b3a15cf82d9fb5757724d424aab0959a0c4ebf79c9cdd560d9157295a26edffe39ff6f056a526ded

Download Submit
memory/2348-145-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2360-147-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4224-138-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4224-132-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4528-148-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4528-149-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing