566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2

Analysis

max time kernel
142s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2.exe
Size

98KB
MD5

131ddc354fe99af6303d7c0fee9d1080
SHA1

81d328ceed08b8c20661b9c23376f3a1947e8c55
SHA256

566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2
SHA512

d4863d8b1a5697083c14d6ae95655b044383f69deb440e7f3036a4144ce35c45879087315c37fe8a8b48219b09ca18a06d9194a79a0ff0d73e609d9dd51442c6
SSDEEP

1536:EaM5QIi+G5qH4u2eziPLRGpzA9RojCJ37S+SYRLTTHqm:zaQVG4urzuVGp8rojCJ37NSWB

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2024	MSWDM.EXE
1984	MSWDM.EXE
1492	566C095A3C181B46C760EECE72548EE39EF9A233C44CF3CA73125C36050728D2.EXE
1732	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
1984	MSWDM.EXE
1984	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev50A1.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2.exe
File opened for modification	C:\Windows\dev50A1.tmp	566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1984	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2024	1976	566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2.exe	26
PID 1976 wrote to memory of 2024	1976	566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2.exe	26
PID 1976 wrote to memory of 2024	1976	566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2.exe	26
PID 1976 wrote to memory of 2024	1976	566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2.exe	26
PID 1976 wrote to memory of 1984	1976	566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2.exe	27
PID 1976 wrote to memory of 1984	1976	566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2.exe	27
PID 1976 wrote to memory of 1984	1976	566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2.exe	27
PID 1976 wrote to memory of 1984	1976	566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2.exe	27
PID 1984 wrote to memory of 1492	1984	MSWDM.EXE	28
PID 1984 wrote to memory of 1492	1984	MSWDM.EXE	28
PID 1984 wrote to memory of 1492	1984	MSWDM.EXE	28
PID 1984 wrote to memory of 1492	1984	MSWDM.EXE	28
PID 1984 wrote to memory of 1732	1984	MSWDM.EXE	29
PID 1984 wrote to memory of 1732	1984	MSWDM.EXE	29
PID 1984 wrote to memory of 1732	1984	MSWDM.EXE	29
PID 1984 wrote to memory of 1732	1984	MSWDM.EXE	29

C:\Users\Admin\AppData\Local\Temp\566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2.exe
"C:\Users\Admin\AppData\Local\Temp\566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1976
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2024
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev50A1.tmp!C:\Users\Admin\AppData\Local\Temp\566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\566C095A3C181B46C760EECE72548EE39EF9A233C44CF3CA73125C36050728D2.EXE
    3⤵
    - Executes dropped EXE
    PID:1492
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev50A1.tmp!C:\Users\Admin\AppData\Local\Temp\566C095A3C181B46C760EECE72548EE39EF9A233C44CF3CA73125C36050728D2.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\566C095A3C181B46C760EECE72548EE39EF9A233C44CF3CA73125C36050728D2.EXE

Filesize
98KB

MD5
9a1cb1a33f104faf4c52128b9e1d7e14

SHA1
aff8fed5afde2ee6a7aaf35bec01882ebc4a089d

SHA256
fa6f28b1f720c05aba98ddaaffff28bc0804806af352a64ae46b45eaeb1346ab

SHA512
1c1d73f6c3d44e129f5a9ea75da4759f935eaa35c66229473e39de34ef73be60e10acfb3b8a69e8d3366eb31c5dfb2ee8478f990c9a738226e6402083ed954d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\566C095A3C181B46C760EECE72548EE39EF9A233C44CF3CA73125C36050728D2.EXE

Filesize
98KB

MD5
9a1cb1a33f104faf4c52128b9e1d7e14

SHA1
aff8fed5afde2ee6a7aaf35bec01882ebc4a089d

SHA256
fa6f28b1f720c05aba98ddaaffff28bc0804806af352a64ae46b45eaeb1346ab

SHA512
1c1d73f6c3d44e129f5a9ea75da4759f935eaa35c66229473e39de34ef73be60e10acfb3b8a69e8d3366eb31c5dfb2ee8478f990c9a738226e6402083ed954d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2.exe

Filesize
14KB

MD5
b7a2fbbeb343cc841bb2a0e846455769

SHA1
591e1dc5e6f73212072db6873ce764a76056e2a7

SHA256
cd5b74669487ecaaf84d55a506aeb007d9be8b69fc392bf4cc752fc257ea6319

SHA512
69478ff8818bfd5df7b62094d49b23110c04bc6e4581c22f04b1fe4177b40cd8b61e9b67350080c6a4642afe7681155f4426546af27b7a66f94abc92e8c8d225

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
84KB

MD5
d2e94479e211cd849bb9293875de28e6

SHA1
4d3070870b135ec8acc42869566f618d0526bcbf

SHA256
cecb1e2ffd9f9371d3b52e2d89539dc58f9cc67af8328696dc6e18c6521fd738

SHA512
84d1367b43b85638d4977c6020a1de7c0afd50ea1d3ac447ae63db966807a154ddc23908954101c53285499a576463482954cfc5f402abfb79b09f002de8959a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
84KB

MD5
d2e94479e211cd849bb9293875de28e6

SHA1
4d3070870b135ec8acc42869566f618d0526bcbf

SHA256
cecb1e2ffd9f9371d3b52e2d89539dc58f9cc67af8328696dc6e18c6521fd738

SHA512
84d1367b43b85638d4977c6020a1de7c0afd50ea1d3ac447ae63db966807a154ddc23908954101c53285499a576463482954cfc5f402abfb79b09f002de8959a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
84KB

MD5
d2e94479e211cd849bb9293875de28e6

SHA1
4d3070870b135ec8acc42869566f618d0526bcbf

SHA256
cecb1e2ffd9f9371d3b52e2d89539dc58f9cc67af8328696dc6e18c6521fd738

SHA512
84d1367b43b85638d4977c6020a1de7c0afd50ea1d3ac447ae63db966807a154ddc23908954101c53285499a576463482954cfc5f402abfb79b09f002de8959a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
84KB

MD5
d2e94479e211cd849bb9293875de28e6

SHA1
4d3070870b135ec8acc42869566f618d0526bcbf

SHA256
cecb1e2ffd9f9371d3b52e2d89539dc58f9cc67af8328696dc6e18c6521fd738

SHA512
84d1367b43b85638d4977c6020a1de7c0afd50ea1d3ac447ae63db966807a154ddc23908954101c53285499a576463482954cfc5f402abfb79b09f002de8959a

Download Submit
C:\Windows\dev50A1.tmp

Filesize
14KB

MD5
b7a2fbbeb343cc841bb2a0e846455769

SHA1
591e1dc5e6f73212072db6873ce764a76056e2a7

SHA256
cd5b74669487ecaaf84d55a506aeb007d9be8b69fc392bf4cc752fc257ea6319

SHA512
69478ff8818bfd5df7b62094d49b23110c04bc6e4581c22f04b1fe4177b40cd8b61e9b67350080c6a4642afe7681155f4426546af27b7a66f94abc92e8c8d225

Download Submit
\Users\Admin\AppData\Local\Temp\566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2.exe

Filesize
14KB

MD5
b7a2fbbeb343cc841bb2a0e846455769

SHA1
591e1dc5e6f73212072db6873ce764a76056e2a7

SHA256
cd5b74669487ecaaf84d55a506aeb007d9be8b69fc392bf4cc752fc257ea6319

SHA512
69478ff8818bfd5df7b62094d49b23110c04bc6e4581c22f04b1fe4177b40cd8b61e9b67350080c6a4642afe7681155f4426546af27b7a66f94abc92e8c8d225

Download Submit
\Users\Admin\AppData\Local\Temp\566c095a3c181b46c760eece72548ee39ef9a233c44cf3ca73125c36050728d2.exe

Filesize
14KB

MD5
b7a2fbbeb343cc841bb2a0e846455769

SHA1
591e1dc5e6f73212072db6873ce764a76056e2a7

SHA256
cd5b74669487ecaaf84d55a506aeb007d9be8b69fc392bf4cc752fc257ea6319

SHA512
69478ff8818bfd5df7b62094d49b23110c04bc6e4581c22f04b1fe4177b40cd8b61e9b67350080c6a4642afe7681155f4426546af27b7a66f94abc92e8c8d225

Download Submit
memory/1492-65-0x0000000000000000-mapping.dmp

Download
memory/1732-67-0x0000000000000000-mapping.dmp

Download
memory/1732-70-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1976-57-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1984-61-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1984-56-0x0000000000000000-mapping.dmp

Download
memory/1984-72-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2024-62-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2024-54-0x0000000000000000-mapping.dmp

Download
memory/2024-73-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download