b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce

Analysis

max time kernel
142s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe
Size

76KB
MD5

09206a5702f3f9b40ca5e8fef7cc82c0
SHA1

5cbf21438667bd9e9e3363a26de6706a232ab9f6
SHA256

b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce
SHA512

63c6dcaed8ce4985ec98dd09054a5559ce63a68909f723ef24eb050724f12b05054fc5fefabc1217b4d5e71f997066de51088709eefee3ce3b41202557d3cd8f
SSDEEP

1536:2FbeITsAro5ZNjzFmAa6IBA2oESRU1UmxIyYclkOZB4NgbeG/H4m5u1FaeeW:2FawsA+HjzFmRa2Mpy28C2bD/H4m5u1P

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1048	MSWDM.EXE
1148	MSWDM.EXE
1100	B086DDACA8D33967C55E43E0D5AD49C63E417980687B808AE87AAE163AB952CE.EXE
1688	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
1148	MSWDM.EXE
1148	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe
File opened for modification	C:\Windows\dev11DC.tmp	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe
File opened for modification	C:\Windows\dev11DC.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1148	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1048	1456	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe	27
PID 1456 wrote to memory of 1048	1456	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe	27
PID 1456 wrote to memory of 1048	1456	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe	27
PID 1456 wrote to memory of 1048	1456	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe	27
PID 1456 wrote to memory of 1148	1456	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe	28
PID 1456 wrote to memory of 1148	1456	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe	28
PID 1456 wrote to memory of 1148	1456	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe	28
PID 1456 wrote to memory of 1148	1456	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe	28
PID 1148 wrote to memory of 1100	1148	MSWDM.EXE	29
PID 1148 wrote to memory of 1100	1148	MSWDM.EXE	29
PID 1148 wrote to memory of 1100	1148	MSWDM.EXE	29
PID 1148 wrote to memory of 1100	1148	MSWDM.EXE	29
PID 1148 wrote to memory of 1688	1148	MSWDM.EXE	30
PID 1148 wrote to memory of 1688	1148	MSWDM.EXE	30
PID 1148 wrote to memory of 1688	1148	MSWDM.EXE	30
PID 1148 wrote to memory of 1688	1148	MSWDM.EXE	30

C:\Users\Admin\AppData\Local\Temp\b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe
"C:\Users\Admin\AppData\Local\Temp\b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1456
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1048
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev11DC.tmp!C:\Users\Admin\AppData\Local\Temp\b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Users\Admin\AppData\Local\Temp\B086DDACA8D33967C55E43E0D5AD49C63E417980687B808AE87AAE163AB952CE.EXE
    3⤵
    - Executes dropped EXE
    PID:1100
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev11DC.tmp!C:\Users\Admin\AppData\Local\Temp\B086DDACA8D33967C55E43E0D5AD49C63E417980687B808AE87AAE163AB952CE.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B086DDACA8D33967C55E43E0D5AD49C63E417980687B808AE87AAE163AB952CE.EXE

Filesize
76KB

MD5
4f7b1a3d86c2bd4ab788a43762a95bd4

SHA1
b5fd870fc06fb1bd89290301a36cbe880ca0b435

SHA256
0779265f953d1762074f429ff8b279f8aeb0ad36f6ea2dfdf55508a95d574008

SHA512
5a757e44bd416d67c6a404c4fc1056ccd2bbb66ba40375de70545c501e2bdd6c945e97d0eded325474ee38faadf97490164599080b37a71a206ec90d0166f9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\B086DDACA8D33967C55E43E0D5AD49C63E417980687B808AE87AAE163AB952CE.EXE

Filesize
76KB

MD5
4f7b1a3d86c2bd4ab788a43762a95bd4

SHA1
b5fd870fc06fb1bd89290301a36cbe880ca0b435

SHA256
0779265f953d1762074f429ff8b279f8aeb0ad36f6ea2dfdf55508a95d574008

SHA512
5a757e44bd416d67c6a404c4fc1056ccd2bbb66ba40375de70545c501e2bdd6c945e97d0eded325474ee38faadf97490164599080b37a71a206ec90d0166f9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe

Filesize
38KB

MD5
6d787fdf93de266ce25378fb362df011

SHA1
00ed94c8d2041eecc24a69fe99e0fdbb043fafe3

SHA256
72fc3fdced04ed8de4758a47d4ec124b6ec147da3841a61a1b411a158011eca5

SHA512
0a2c992eb130d4ef87b4f142fd3f823f514a6724632e985824caf05e69799db99154cac9bc19c8b960ea029f96d09a8586d4117b1052950f8d56df39d0f752f2

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
38KB

MD5
1745587f0e55f4c48528f7553682d5c9

SHA1
fbb3daebded21562ef52fec49b25de46e9ceda21

SHA256
39186faea2064cc7d76c6d74be6c5aaea1d7e5665133f2f796a8fd507680a50b

SHA512
0c7c7973f679f39cff133202991fc4ff5b124893b02222ed3eb8ea32d09ef9c10b1996b26871a70c07ccb2514497132612e6bed4936e973782ba82f3d1d56518

Download Submit
C:\Windows\MSWDM.EXE

Filesize
38KB

MD5
1745587f0e55f4c48528f7553682d5c9

SHA1
fbb3daebded21562ef52fec49b25de46e9ceda21

SHA256
39186faea2064cc7d76c6d74be6c5aaea1d7e5665133f2f796a8fd507680a50b

SHA512
0c7c7973f679f39cff133202991fc4ff5b124893b02222ed3eb8ea32d09ef9c10b1996b26871a70c07ccb2514497132612e6bed4936e973782ba82f3d1d56518

Download Submit
C:\Windows\MSWDM.EXE

Filesize
38KB

MD5
1745587f0e55f4c48528f7553682d5c9

SHA1
fbb3daebded21562ef52fec49b25de46e9ceda21

SHA256
39186faea2064cc7d76c6d74be6c5aaea1d7e5665133f2f796a8fd507680a50b

SHA512
0c7c7973f679f39cff133202991fc4ff5b124893b02222ed3eb8ea32d09ef9c10b1996b26871a70c07ccb2514497132612e6bed4936e973782ba82f3d1d56518

Download Submit
C:\Windows\MSWDM.EXE

Filesize
38KB

MD5
1745587f0e55f4c48528f7553682d5c9

SHA1
fbb3daebded21562ef52fec49b25de46e9ceda21

SHA256
39186faea2064cc7d76c6d74be6c5aaea1d7e5665133f2f796a8fd507680a50b

SHA512
0c7c7973f679f39cff133202991fc4ff5b124893b02222ed3eb8ea32d09ef9c10b1996b26871a70c07ccb2514497132612e6bed4936e973782ba82f3d1d56518

Download Submit
C:\Windows\dev11DC.tmp

Filesize
38KB

MD5
6d787fdf93de266ce25378fb362df011

SHA1
00ed94c8d2041eecc24a69fe99e0fdbb043fafe3

SHA256
72fc3fdced04ed8de4758a47d4ec124b6ec147da3841a61a1b411a158011eca5

SHA512
0a2c992eb130d4ef87b4f142fd3f823f514a6724632e985824caf05e69799db99154cac9bc19c8b960ea029f96d09a8586d4117b1052950f8d56df39d0f752f2

Download Submit
\Users\Admin\AppData\Local\Temp\b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe

Filesize
38KB

MD5
6d787fdf93de266ce25378fb362df011

SHA1
00ed94c8d2041eecc24a69fe99e0fdbb043fafe3

SHA256
72fc3fdced04ed8de4758a47d4ec124b6ec147da3841a61a1b411a158011eca5

SHA512
0a2c992eb130d4ef87b4f142fd3f823f514a6724632e985824caf05e69799db99154cac9bc19c8b960ea029f96d09a8586d4117b1052950f8d56df39d0f752f2

Download Submit
\Users\Admin\AppData\Local\Temp\b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe

Filesize
38KB

MD5
6d787fdf93de266ce25378fb362df011

SHA1
00ed94c8d2041eecc24a69fe99e0fdbb043fafe3

SHA256
72fc3fdced04ed8de4758a47d4ec124b6ec147da3841a61a1b411a158011eca5

SHA512
0a2c992eb130d4ef87b4f142fd3f823f514a6724632e985824caf05e69799db99154cac9bc19c8b960ea029f96d09a8586d4117b1052950f8d56df39d0f752f2

Download Submit
memory/1048-74-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1048-72-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1100-65-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1148-71-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1148-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1456-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1688-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download