9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081

Analysis

max time kernel
145s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 12:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081.exe
Size

241KB
MD5

1570b0c34656b354342c5130292587b0
SHA1

ebd133fe090b2ed43ccd5910545ea79adf6c50b4
SHA256

9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081
SHA512

7c9561a91eb0f58e53f3c0786d712b9d8a347982d6791ffac4f75d6c2168e1fe44a67b4aeca89e51d49c9a377e3743c087566c7d7734d34f39c3715d6346dc7f
SSDEEP

6144:OoezrKMUIw87mZ4wMCIdEbwl2dukIONaY+:Ooe3se7tkNM

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1712	MSWDM.EXE
1456	MSWDM.EXE
1080	9ABF3CBD9D6E53A4B5C58982B6E8A26E8288DE4A3D1FEAAD5C35B9883B01E081.EXE
1408	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
1456	MSWDM.EXE
1456	MSWDM.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081.exe
File opened for modification	C:\Windows\dev87E6.tmp	9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081.exe
File opened for modification	C:\Windows\dev87E6.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1456	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1712	1452	9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081.exe	28
PID 1452 wrote to memory of 1712	1452	9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081.exe	28
PID 1452 wrote to memory of 1712	1452	9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081.exe	28
PID 1452 wrote to memory of 1712	1452	9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081.exe	28
PID 1452 wrote to memory of 1456	1452	9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081.exe	29
PID 1452 wrote to memory of 1456	1452	9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081.exe	29
PID 1452 wrote to memory of 1456	1452	9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081.exe	29
PID 1452 wrote to memory of 1456	1452	9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081.exe	29
PID 1456 wrote to memory of 1080	1456	MSWDM.EXE	30
PID 1456 wrote to memory of 1080	1456	MSWDM.EXE	30
PID 1456 wrote to memory of 1080	1456	MSWDM.EXE	30
PID 1456 wrote to memory of 1080	1456	MSWDM.EXE	30
PID 1456 wrote to memory of 1408	1456	MSWDM.EXE	31
PID 1456 wrote to memory of 1408	1456	MSWDM.EXE	31
PID 1456 wrote to memory of 1408	1456	MSWDM.EXE	31
PID 1456 wrote to memory of 1408	1456	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081.exe
"C:\Users\Admin\AppData\Local\Temp\9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1452
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1712
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev87E6.tmp!C:\Users\Admin\AppData\Local\Temp\9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\9ABF3CBD9D6E53A4B5C58982B6E8A26E8288DE4A3D1FEAAD5C35B9883B01E081.EXE
    3⤵
    - Executes dropped EXE
    PID:1080
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev87E6.tmp!C:\Users\Admin\AppData\Local\Temp\9ABF3CBD9D6E53A4B5C58982B6E8A26E8288DE4A3D1FEAAD5C35B9883B01E081.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9ABF3CBD9D6E53A4B5C58982B6E8A26E8288DE4A3D1FEAAD5C35B9883B01E081.EXE

Filesize
241KB

MD5
f118683dbab81d64a45d8e2bef0d8d97

SHA1
24f98cd3d3033b26e09ad469036273b78f39fcfa

SHA256
8a35230c2c12e38aa1cb68331f0b66dab3d3d4699401c1bb7d3898b134e8dcff

SHA512
a83b13d03da18d378be5a0f06b73e0583f31d5b891d069c6705b0ec90fcbac6fbdecf8f0f9a9f0ff4f2745558f50df6b61931b4f4770cd79b985f017bcae06ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081.exe

Filesize
157KB

MD5
97d3ab120a7c3cf2649953e851f9b7e6

SHA1
cb74a683b76622e431fb84426ed359e5a9eb965c

SHA256
ec00115a9f7640047f3b0eab3590788f972790cf9fa47e6261633bbd2bdda15a

SHA512
acc6509bf6f2e6dd96c6f4c276dcfa1c7cf67238a0c7393c5f288c96a831897218648645f187890e355fcece0b2814b0e60754b6e873b6da59d1344200ca5f74

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
84KB

MD5
d24ba1d2b6658c7bd1e484078c22fd94

SHA1
1eb18ffb0c8f847e0dd5b4bc19b9b3aa4c4bbb75

SHA256
252e232eae2711addfa491384fc299e9b6ed06f40af135898d4ce3865aa526db

SHA512
4ad2d76b43e9e0b84a6d5a57e7a7672692eba0a746e84c128a37559894071b6d7168c3ee2eb3b8899212e871b23ec21c80440c396645981812b5e6415d5dd08d

Download Submit
C:\Windows\MSWDM.EXE

Filesize
84KB

MD5
d24ba1d2b6658c7bd1e484078c22fd94

SHA1
1eb18ffb0c8f847e0dd5b4bc19b9b3aa4c4bbb75

SHA256
252e232eae2711addfa491384fc299e9b6ed06f40af135898d4ce3865aa526db

SHA512
4ad2d76b43e9e0b84a6d5a57e7a7672692eba0a746e84c128a37559894071b6d7168c3ee2eb3b8899212e871b23ec21c80440c396645981812b5e6415d5dd08d

Download Submit
C:\Windows\MSWDM.EXE

Filesize
84KB

MD5
d24ba1d2b6658c7bd1e484078c22fd94

SHA1
1eb18ffb0c8f847e0dd5b4bc19b9b3aa4c4bbb75

SHA256
252e232eae2711addfa491384fc299e9b6ed06f40af135898d4ce3865aa526db

SHA512
4ad2d76b43e9e0b84a6d5a57e7a7672692eba0a746e84c128a37559894071b6d7168c3ee2eb3b8899212e871b23ec21c80440c396645981812b5e6415d5dd08d

Download Submit
C:\Windows\MSWDM.EXE

Filesize
84KB

MD5
d24ba1d2b6658c7bd1e484078c22fd94

SHA1
1eb18ffb0c8f847e0dd5b4bc19b9b3aa4c4bbb75

SHA256
252e232eae2711addfa491384fc299e9b6ed06f40af135898d4ce3865aa526db

SHA512
4ad2d76b43e9e0b84a6d5a57e7a7672692eba0a746e84c128a37559894071b6d7168c3ee2eb3b8899212e871b23ec21c80440c396645981812b5e6415d5dd08d

Download Submit
C:\Windows\dev87E6.tmp

Filesize
157KB

MD5
97d3ab120a7c3cf2649953e851f9b7e6

SHA1
cb74a683b76622e431fb84426ed359e5a9eb965c

SHA256
ec00115a9f7640047f3b0eab3590788f972790cf9fa47e6261633bbd2bdda15a

SHA512
acc6509bf6f2e6dd96c6f4c276dcfa1c7cf67238a0c7393c5f288c96a831897218648645f187890e355fcece0b2814b0e60754b6e873b6da59d1344200ca5f74

Download Submit
\Users\Admin\AppData\Local\Temp\9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081.exe

Filesize
157KB

MD5
97d3ab120a7c3cf2649953e851f9b7e6

SHA1
cb74a683b76622e431fb84426ed359e5a9eb965c

SHA256
ec00115a9f7640047f3b0eab3590788f972790cf9fa47e6261633bbd2bdda15a

SHA512
acc6509bf6f2e6dd96c6f4c276dcfa1c7cf67238a0c7393c5f288c96a831897218648645f187890e355fcece0b2814b0e60754b6e873b6da59d1344200ca5f74

Download Submit
\Users\Admin\AppData\Local\Temp\9abf3cbd9d6e53a4b5c58982b6e8a26e8288de4a3d1feaad5c35b9883b01e081.exe

Filesize
157KB

MD5
97d3ab120a7c3cf2649953e851f9b7e6

SHA1
cb74a683b76622e431fb84426ed359e5a9eb965c

SHA256
ec00115a9f7640047f3b0eab3590788f972790cf9fa47e6261633bbd2bdda15a

SHA512
acc6509bf6f2e6dd96c6f4c276dcfa1c7cf67238a0c7393c5f288c96a831897218648645f187890e355fcece0b2814b0e60754b6e873b6da59d1344200ca5f74

Download Submit
memory/1080-65-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1408-69-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1452-58-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1456-71-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1712-72-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1712-73-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download