d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655

General

Target

d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe
Size

219KB
MD5

127b5374bddd4454fd7030f6ff055fd0
SHA1

d460bbb2f26470b695ce468142b05f8ac45a8443
SHA256

d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655
SHA512

8d9df8c40553d072e3f64bed91caf2a64dc2d2d22b61227d766c3cddbdf7252f1c236ddb8bd5b5ebac93657fcc5d5e89928e3b50d4a0b289c3b91476c2caf1f8
SSDEEP

3072:2FawsA+HjzFmRa2MJ9WaHHD/n6ppaWiFZIPmhOF0HFZqTTeTTTfqTTTJTTTTTnTo:2wwsXDz6izn76ppggmhOF0HFZlxZ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4632	MSWDM.EXE
3704	MSWDM.EXE
3296	D0520FA76A59C5DACD9457D65AEEDF12D435F23D476449F9C23043157F1C6655.EXE
2852	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\7zG.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	MSWDM.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe
File opened for modification	C:\Windows\devE9CE.tmp	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe
File opened for modification	C:\Windows\dieE9EE.tmp	MSWDM.EXE
File opened for modification	C:\Windows\devE9CE.tmp	MSWDM.EXE
File created	C:\Windows\dieE9EE.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3704	MSWDM.EXE
3704	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 4632	1824	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe	82
PID 1824 wrote to memory of 4632	1824	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe	82
PID 1824 wrote to memory of 4632	1824	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe	82
PID 1824 wrote to memory of 3704	1824	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe	83
PID 1824 wrote to memory of 3704	1824	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe	83
PID 1824 wrote to memory of 3704	1824	d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe	83
PID 3704 wrote to memory of 3296	3704	MSWDM.EXE	84
PID 3704 wrote to memory of 3296	3704	MSWDM.EXE	84
PID 3704 wrote to memory of 3296	3704	MSWDM.EXE	84
PID 3704 wrote to memory of 2852	3704	MSWDM.EXE	85
PID 3704 wrote to memory of 2852	3704	MSWDM.EXE	85
PID 3704 wrote to memory of 2852	3704	MSWDM.EXE	85

C:\Users\Admin\AppData\Local\Temp\d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe
"C:\Users\Admin\AppData\Local\Temp\d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1824
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:4632
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devE9CE.tmp!C:\Users\Admin\AppData\Local\Temp\d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Users\Admin\AppData\Local\Temp\D0520FA76A59C5DACD9457D65AEEDF12D435F23D476449F9C23043157F1C6655.EXE
    3⤵
    - Executes dropped EXE
    PID:3296
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devE9CE.tmp!C:\Users\Admin\AppData\Local\Temp\D0520FA76A59C5DACD9457D65AEEDF12D435F23D476449F9C23043157F1C6655.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D0520FA76A59C5DACD9457D65AEEDF12D435F23D476449F9C23043157F1C6655.EXE

Filesize
219KB

MD5
fd30d56bde3d19778c3abacc77d4977a

SHA1
5edcef4ad9c984ffba33c5c0ea46d137edc623b6

SHA256
1d778ba5146f10603a18c8e58b91d830937e5949dfdda49dff3fd65cc96d6268

SHA512
12dffecf523c7cefeabb5a2d4609c49456d4efb54f9c26294daeeb9a310d85036dcfe6306a4743f08897d572692e343412fed422aefa48d38889269a7ca25812

Download Submit
C:\Users\Admin\AppData\Local\Temp\D0520FA76A59C5DACD9457D65AEEDF12D435F23D476449F9C23043157F1C6655.EXE

Filesize
219KB

MD5
fd30d56bde3d19778c3abacc77d4977a

SHA1
5edcef4ad9c984ffba33c5c0ea46d137edc623b6

SHA256
1d778ba5146f10603a18c8e58b91d830937e5949dfdda49dff3fd65cc96d6268

SHA512
12dffecf523c7cefeabb5a2d4609c49456d4efb54f9c26294daeeb9a310d85036dcfe6306a4743f08897d572692e343412fed422aefa48d38889269a7ca25812

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0520fa76a59c5dacd9457d65aeedf12d435f23d476449f9c23043157f1c6655.exe

Filesize
181KB

MD5
e9c2bc594e99b189442e1ba1354dc24b

SHA1
03dad0b158fd8465f0c0fa17e5cc86d1f146d6f2

SHA256
0cced26bf4d19270123541c053354ec4cae018abb80c5aaae9ad62be258ed623

SHA512
4bd78693cced42c13f6025c1cca53b2d3bc0687d5a93054464a01dcdfa1a4e324b8a54733c1faa258a4bf88d55baaa4cb44fd3ee41ca84ae9c679d3fe3464e79

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
38KB

MD5
a57fbaeb4b7393775a79b77db58941fb

SHA1
f03c8177ad0ae0e5e3fd01172f1db48f37566ae5

SHA256
e86dfbdd2f4a548a3d54f9d72c68914b63779c04cbf149bc59ccb6f36412eac7

SHA512
70082de1be2b013caaa75e48a9d037e03cc5f7e8f0c12761035e5268d6c66fde6cfb151d924ba9383a23c14feebe3b8df8cbb1d6bcbe61da076a6dc98433a92f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
38KB

MD5
a57fbaeb4b7393775a79b77db58941fb

SHA1
f03c8177ad0ae0e5e3fd01172f1db48f37566ae5

SHA256
e86dfbdd2f4a548a3d54f9d72c68914b63779c04cbf149bc59ccb6f36412eac7

SHA512
70082de1be2b013caaa75e48a9d037e03cc5f7e8f0c12761035e5268d6c66fde6cfb151d924ba9383a23c14feebe3b8df8cbb1d6bcbe61da076a6dc98433a92f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
38KB

MD5
a57fbaeb4b7393775a79b77db58941fb

SHA1
f03c8177ad0ae0e5e3fd01172f1db48f37566ae5

SHA256
e86dfbdd2f4a548a3d54f9d72c68914b63779c04cbf149bc59ccb6f36412eac7

SHA512
70082de1be2b013caaa75e48a9d037e03cc5f7e8f0c12761035e5268d6c66fde6cfb151d924ba9383a23c14feebe3b8df8cbb1d6bcbe61da076a6dc98433a92f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
38KB

MD5
a57fbaeb4b7393775a79b77db58941fb

SHA1
f03c8177ad0ae0e5e3fd01172f1db48f37566ae5

SHA256
e86dfbdd2f4a548a3d54f9d72c68914b63779c04cbf149bc59ccb6f36412eac7

SHA512
70082de1be2b013caaa75e48a9d037e03cc5f7e8f0c12761035e5268d6c66fde6cfb151d924ba9383a23c14feebe3b8df8cbb1d6bcbe61da076a6dc98433a92f

Download Submit
C:\Windows\devE9CE.tmp

Filesize
181KB

MD5
e9c2bc594e99b189442e1ba1354dc24b

SHA1
03dad0b158fd8465f0c0fa17e5cc86d1f146d6f2

SHA256
0cced26bf4d19270123541c053354ec4cae018abb80c5aaae9ad62be258ed623

SHA512
4bd78693cced42c13f6025c1cca53b2d3bc0687d5a93054464a01dcdfa1a4e324b8a54733c1faa258a4bf88d55baaa4cb44fd3ee41ca84ae9c679d3fe3464e79

Download Submit
memory/1824-138-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1824-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2852-146-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2852-148-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3704-141-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3704-150-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4632-140-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4632-151-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing