b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce

General

Target

b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe
Size

76KB
MD5

09206a5702f3f9b40ca5e8fef7cc82c0
SHA1

5cbf21438667bd9e9e3363a26de6706a232ab9f6
SHA256

b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce
SHA512

63c6dcaed8ce4985ec98dd09054a5559ce63a68909f723ef24eb050724f12b05054fc5fefabc1217b4d5e71f997066de51088709eefee3ce3b41202557d3cd8f
SSDEEP

1536:2FbeITsAro5ZNjzFmAa6IBA2oESRU1UmxIyYclkOZB4NgbeG/H4m5u1FaeeW:2FawsA+HjzFmRa2Mpy28C2bD/H4m5u1P

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3732	MSWDM.EXE
2912	MSWDM.EXE
1424	B086DDACA8D33967C55E43E0D5AD49C63E417980687B808AE87AAE163AB952CE.EXE
1492	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\7zG.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\7z.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	MSWDM.EXE
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	MSWDM.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	MSWDM.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\devBE4F.tmp	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe
File opened for modification	C:\Windows\devBE4F.tmp	MSWDM.EXE
File opened for modification	C:\Windows\dieBE4F.tmp	MSWDM.EXE
File created	C:\Windows\dieBE4F.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2912	MSWDM.EXE
2912	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 3732	344	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe	82
PID 344 wrote to memory of 3732	344	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe	82
PID 344 wrote to memory of 3732	344	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe	82
PID 344 wrote to memory of 2912	344	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe	83
PID 344 wrote to memory of 2912	344	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe	83
PID 344 wrote to memory of 2912	344	b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe	83
PID 2912 wrote to memory of 1424	2912	MSWDM.EXE	84
PID 2912 wrote to memory of 1424	2912	MSWDM.EXE	84
PID 2912 wrote to memory of 1424	2912	MSWDM.EXE	84
PID 2912 wrote to memory of 1492	2912	MSWDM.EXE	85
PID 2912 wrote to memory of 1492	2912	MSWDM.EXE	85
PID 2912 wrote to memory of 1492	2912	MSWDM.EXE	85

C:\Users\Admin\AppData\Local\Temp\b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe
"C:\Users\Admin\AppData\Local\Temp\b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:344
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:3732
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devBE4F.tmp!C:\Users\Admin\AppData\Local\Temp\b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\B086DDACA8D33967C55E43E0D5AD49C63E417980687B808AE87AAE163AB952CE.EXE
    3⤵
    - Executes dropped EXE
    PID:1424
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devBE4F.tmp!C:\Users\Admin\AppData\Local\Temp\B086DDACA8D33967C55E43E0D5AD49C63E417980687B808AE87AAE163AB952CE.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B086DDACA8D33967C55E43E0D5AD49C63E417980687B808AE87AAE163AB952CE.EXE

Filesize
76KB

MD5
5ab5db7608ac8e2a325770fe2015691a

SHA1
eba40d2d41d8270d1e53dbdbad05f2580252c421

SHA256
669f490eddb5ecbb3b765e5a1396bd952e6918e23e241ea052bcf8832b9a2d85

SHA512
e24a8ed9b49d60330cfe79d2f0988c8091d2251f99d95ecb204d1226b802a2c1761e27077b8bfa6f59b7019b3a2b6ea28411a138691a413eeaa181a9078734e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\B086DDACA8D33967C55E43E0D5AD49C63E417980687B808AE87AAE163AB952CE.EXE

Filesize
76KB

MD5
5ab5db7608ac8e2a325770fe2015691a

SHA1
eba40d2d41d8270d1e53dbdbad05f2580252c421

SHA256
669f490eddb5ecbb3b765e5a1396bd952e6918e23e241ea052bcf8832b9a2d85

SHA512
e24a8ed9b49d60330cfe79d2f0988c8091d2251f99d95ecb204d1226b802a2c1761e27077b8bfa6f59b7019b3a2b6ea28411a138691a413eeaa181a9078734e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\b086ddaca8d33967c55e43e0d5ad49c63e417980687b808ae87aae163ab952ce.exe

Filesize
38KB

MD5
6d787fdf93de266ce25378fb362df011

SHA1
00ed94c8d2041eecc24a69fe99e0fdbb043fafe3

SHA256
72fc3fdced04ed8de4758a47d4ec124b6ec147da3841a61a1b411a158011eca5

SHA512
0a2c992eb130d4ef87b4f142fd3f823f514a6724632e985824caf05e69799db99154cac9bc19c8b960ea029f96d09a8586d4117b1052950f8d56df39d0f752f2

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
38KB

MD5
1745587f0e55f4c48528f7553682d5c9

SHA1
fbb3daebded21562ef52fec49b25de46e9ceda21

SHA256
39186faea2064cc7d76c6d74be6c5aaea1d7e5665133f2f796a8fd507680a50b

SHA512
0c7c7973f679f39cff133202991fc4ff5b124893b02222ed3eb8ea32d09ef9c10b1996b26871a70c07ccb2514497132612e6bed4936e973782ba82f3d1d56518

Download Submit
C:\Windows\MSWDM.EXE

Filesize
38KB

MD5
1745587f0e55f4c48528f7553682d5c9

SHA1
fbb3daebded21562ef52fec49b25de46e9ceda21

SHA256
39186faea2064cc7d76c6d74be6c5aaea1d7e5665133f2f796a8fd507680a50b

SHA512
0c7c7973f679f39cff133202991fc4ff5b124893b02222ed3eb8ea32d09ef9c10b1996b26871a70c07ccb2514497132612e6bed4936e973782ba82f3d1d56518

Download Submit
C:\Windows\MSWDM.EXE

Filesize
38KB

MD5
1745587f0e55f4c48528f7553682d5c9

SHA1
fbb3daebded21562ef52fec49b25de46e9ceda21

SHA256
39186faea2064cc7d76c6d74be6c5aaea1d7e5665133f2f796a8fd507680a50b

SHA512
0c7c7973f679f39cff133202991fc4ff5b124893b02222ed3eb8ea32d09ef9c10b1996b26871a70c07ccb2514497132612e6bed4936e973782ba82f3d1d56518

Download Submit
C:\Windows\MSWDM.EXE

Filesize
38KB

MD5
1745587f0e55f4c48528f7553682d5c9

SHA1
fbb3daebded21562ef52fec49b25de46e9ceda21

SHA256
39186faea2064cc7d76c6d74be6c5aaea1d7e5665133f2f796a8fd507680a50b

SHA512
0c7c7973f679f39cff133202991fc4ff5b124893b02222ed3eb8ea32d09ef9c10b1996b26871a70c07ccb2514497132612e6bed4936e973782ba82f3d1d56518

Download Submit
C:\Windows\devBE4F.tmp

Filesize
38KB

MD5
6d787fdf93de266ce25378fb362df011

SHA1
00ed94c8d2041eecc24a69fe99e0fdbb043fafe3

SHA256
72fc3fdced04ed8de4758a47d4ec124b6ec147da3841a61a1b411a158011eca5

SHA512
0a2c992eb130d4ef87b4f142fd3f823f514a6724632e985824caf05e69799db99154cac9bc19c8b960ea029f96d09a8586d4117b1052950f8d56df39d0f752f2

Download Submit
memory/344-137-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1492-146-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2912-139-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2912-148-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3732-138-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3732-149-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing