6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0

Analysis

max time kernel
143s
max time network
61s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0.exe
Size

241KB
MD5

1c7ff99d9613fa67612576b2a279b6d0
SHA1

e027c0d1263eb793ec756302fdd3ba4097be4c25
SHA256

6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0
SHA512

cdc7298865bacbf90211b492793466cab480415bf63fee0ac491e5b6c47a3e4dcb65db06560f6349cdf6942202e1d98e36100abc4ce0780b1b3cd1ddf4ef0951
SSDEEP

6144:OoezrKMUuw87mZ4wMCIdEbwl2dukIONaYQ:Ooe3ae7tkNC

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1052	MSWDM.EXE
2036	MSWDM.EXE
1056	6065204287347C365940B616A04A86269ECB958A96992F857955A9A89284EDC0.EXE
1744	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2036	MSWDM.EXE
2036	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0.exe
File opened for modification	C:\Windows\devF46E.tmp	6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0.exe
File opened for modification	C:\Windows\devF46E.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2036	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1052	1772	6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0.exe	28
PID 1772 wrote to memory of 1052	1772	6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0.exe	28
PID 1772 wrote to memory of 1052	1772	6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0.exe	28
PID 1772 wrote to memory of 1052	1772	6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0.exe	28
PID 1772 wrote to memory of 2036	1772	6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0.exe	29
PID 1772 wrote to memory of 2036	1772	6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0.exe	29
PID 1772 wrote to memory of 2036	1772	6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0.exe	29
PID 1772 wrote to memory of 2036	1772	6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0.exe	29
PID 2036 wrote to memory of 1056	2036	MSWDM.EXE	30
PID 2036 wrote to memory of 1056	2036	MSWDM.EXE	30
PID 2036 wrote to memory of 1056	2036	MSWDM.EXE	30
PID 2036 wrote to memory of 1056	2036	MSWDM.EXE	30
PID 2036 wrote to memory of 1744	2036	MSWDM.EXE	31
PID 2036 wrote to memory of 1744	2036	MSWDM.EXE	31
PID 2036 wrote to memory of 1744	2036	MSWDM.EXE	31
PID 2036 wrote to memory of 1744	2036	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0.exe
"C:\Users\Admin\AppData\Local\Temp\6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1772
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1052
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devF46E.tmp!C:\Users\Admin\AppData\Local\Temp\6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\6065204287347C365940B616A04A86269ECB958A96992F857955A9A89284EDC0.EXE
    3⤵
    - Executes dropped EXE
    PID:1056
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devF46E.tmp!C:\Users\Admin\AppData\Local\Temp\6065204287347C365940B616A04A86269ECB958A96992F857955A9A89284EDC0.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6065204287347C365940B616A04A86269ECB958A96992F857955A9A89284EDC0.EXE

Filesize
241KB

MD5
7af592013dbec348655d27533addd3b0

SHA1
0f6580341f57eb84ec303de5b4eabedc12f5dba6

SHA256
e9680587c0ca5705588db168d046f7b101f71174618b1c10ada2343b7c8de814

SHA512
2b1723815055c992b8738666d90eb5ab688fe54d967e6111bd5b00e8518204639a0799b95343a1f51dce6e4deabab2bfa836e282e138f01d3860f564501cb45d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6065204287347C365940B616A04A86269ECB958A96992F857955A9A89284EDC0.EXE

Filesize
241KB

MD5
7af592013dbec348655d27533addd3b0

SHA1
0f6580341f57eb84ec303de5b4eabedc12f5dba6

SHA256
e9680587c0ca5705588db168d046f7b101f71174618b1c10ada2343b7c8de814

SHA512
2b1723815055c992b8738666d90eb5ab688fe54d967e6111bd5b00e8518204639a0799b95343a1f51dce6e4deabab2bfa836e282e138f01d3860f564501cb45d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0.exe

Filesize
157KB

MD5
97d3ab120a7c3cf2649953e851f9b7e6

SHA1
cb74a683b76622e431fb84426ed359e5a9eb965c

SHA256
ec00115a9f7640047f3b0eab3590788f972790cf9fa47e6261633bbd2bdda15a

SHA512
acc6509bf6f2e6dd96c6f4c276dcfa1c7cf67238a0c7393c5f288c96a831897218648645f187890e355fcece0b2814b0e60754b6e873b6da59d1344200ca5f74

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
84KB

MD5
d5bc3209fa6741e1f22b45a985cbe290

SHA1
9197b23004b598541dfc1f8c0059b6d347d9adfe

SHA256
9b2b821ca548847fb9ef7b1f4edbd09fe4eefd6e6f743fff19d5c59f724e7aa7

SHA512
b1f0743a6ec43975e522c881efb41fa942f4419ef4727fef16d39fe9afd81eb6177a68bb46a2be7b363b6b87d5019e7433ec22b605acd926784a6febc48d6a46

Download Submit
C:\Windows\MSWDM.EXE

Filesize
84KB

MD5
d5bc3209fa6741e1f22b45a985cbe290

SHA1
9197b23004b598541dfc1f8c0059b6d347d9adfe

SHA256
9b2b821ca548847fb9ef7b1f4edbd09fe4eefd6e6f743fff19d5c59f724e7aa7

SHA512
b1f0743a6ec43975e522c881efb41fa942f4419ef4727fef16d39fe9afd81eb6177a68bb46a2be7b363b6b87d5019e7433ec22b605acd926784a6febc48d6a46

Download Submit
C:\Windows\MSWDM.EXE

Filesize
84KB

MD5
d5bc3209fa6741e1f22b45a985cbe290

SHA1
9197b23004b598541dfc1f8c0059b6d347d9adfe

SHA256
9b2b821ca548847fb9ef7b1f4edbd09fe4eefd6e6f743fff19d5c59f724e7aa7

SHA512
b1f0743a6ec43975e522c881efb41fa942f4419ef4727fef16d39fe9afd81eb6177a68bb46a2be7b363b6b87d5019e7433ec22b605acd926784a6febc48d6a46

Download Submit
C:\Windows\MSWDM.EXE

Filesize
84KB

MD5
d5bc3209fa6741e1f22b45a985cbe290

SHA1
9197b23004b598541dfc1f8c0059b6d347d9adfe

SHA256
9b2b821ca548847fb9ef7b1f4edbd09fe4eefd6e6f743fff19d5c59f724e7aa7

SHA512
b1f0743a6ec43975e522c881efb41fa942f4419ef4727fef16d39fe9afd81eb6177a68bb46a2be7b363b6b87d5019e7433ec22b605acd926784a6febc48d6a46

Download Submit
C:\Windows\devF46E.tmp

Filesize
157KB

MD5
97d3ab120a7c3cf2649953e851f9b7e6

SHA1
cb74a683b76622e431fb84426ed359e5a9eb965c

SHA256
ec00115a9f7640047f3b0eab3590788f972790cf9fa47e6261633bbd2bdda15a

SHA512
acc6509bf6f2e6dd96c6f4c276dcfa1c7cf67238a0c7393c5f288c96a831897218648645f187890e355fcece0b2814b0e60754b6e873b6da59d1344200ca5f74

Download Submit
\Users\Admin\AppData\Local\Temp\6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0.exe

Filesize
157KB

MD5
97d3ab120a7c3cf2649953e851f9b7e6

SHA1
cb74a683b76622e431fb84426ed359e5a9eb965c

SHA256
ec00115a9f7640047f3b0eab3590788f972790cf9fa47e6261633bbd2bdda15a

SHA512
acc6509bf6f2e6dd96c6f4c276dcfa1c7cf67238a0c7393c5f288c96a831897218648645f187890e355fcece0b2814b0e60754b6e873b6da59d1344200ca5f74

Download Submit
\Users\Admin\AppData\Local\Temp\6065204287347c365940b616a04a86269ecb958a96992f857955a9a89284edc0.exe

Filesize
157KB

MD5
97d3ab120a7c3cf2649953e851f9b7e6

SHA1
cb74a683b76622e431fb84426ed359e5a9eb965c

SHA256
ec00115a9f7640047f3b0eab3590788f972790cf9fa47e6261633bbd2bdda15a

SHA512
acc6509bf6f2e6dd96c6f4c276dcfa1c7cf67238a0c7393c5f288c96a831897218648645f187890e355fcece0b2814b0e60754b6e873b6da59d1344200ca5f74

Download Submit
memory/1052-72-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1052-73-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1056-65-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/1744-69-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1772-57-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2036-71-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download