1f13fde7904d3f0ab3da45355c9911232cacd58f13ecc846e50ec85112ba9cd9

Analysis

max time kernel
32s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

846a4b61363cdc49f4309c11cb99c2fd_JC.exe
Size

1.9MB
MD5

846a4b61363cdc49f4309c11cb99c2fd
SHA1

d3c5f1277bd82d195e75f977abf6319e9d336312
SHA256

1f13fde7904d3f0ab3da45355c9911232cacd58f13ecc846e50ec85112ba9cd9
SHA512

a9407a182c5a4dbb9763a4451a820eee8ab6f49dcaa869947ef9318357bbd505bfa6debe1918491f173284632aec438cf0cd686e775253ea88b67730b5bf0627
SSDEEP

49152:MtdcS4neHbyfYTOYKPu/gEjiEO5ItDSTL:MtmS4neHvZjiEO5IhSX

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1848	MSWDM.EXE
1724	MSWDM.EXE
3028	846A4B61363CDC49F4309C11CB99C2FD_JC.EXE
2620	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
1848	MSWDM.EXE
1848	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	846a4b61363cdc49f4309c11cb99c2fd_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	846a4b61363cdc49f4309c11cb99c2fd_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\devAC46.tmp	846a4b61363cdc49f4309c11cb99c2fd_JC.exe
File opened for modification	C:\Windows\devAC46.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	846a4b61363cdc49f4309c11cb99c2fd_JC.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1848	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1724	2060	846a4b61363cdc49f4309c11cb99c2fd_JC.exe	28
PID 2060 wrote to memory of 1724	2060	846a4b61363cdc49f4309c11cb99c2fd_JC.exe	28
PID 2060 wrote to memory of 1724	2060	846a4b61363cdc49f4309c11cb99c2fd_JC.exe	28
PID 2060 wrote to memory of 1724	2060	846a4b61363cdc49f4309c11cb99c2fd_JC.exe	28
PID 2060 wrote to memory of 1848	2060	846a4b61363cdc49f4309c11cb99c2fd_JC.exe	29
PID 2060 wrote to memory of 1848	2060	846a4b61363cdc49f4309c11cb99c2fd_JC.exe	29
PID 2060 wrote to memory of 1848	2060	846a4b61363cdc49f4309c11cb99c2fd_JC.exe	29
PID 2060 wrote to memory of 1848	2060	846a4b61363cdc49f4309c11cb99c2fd_JC.exe	29
PID 1848 wrote to memory of 3028	1848	MSWDM.EXE	30
PID 1848 wrote to memory of 3028	1848	MSWDM.EXE	30
PID 1848 wrote to memory of 3028	1848	MSWDM.EXE	30
PID 1848 wrote to memory of 3028	1848	MSWDM.EXE	30
PID 1848 wrote to memory of 2620	1848	MSWDM.EXE	32
PID 1848 wrote to memory of 2620	1848	MSWDM.EXE	32
PID 1848 wrote to memory of 2620	1848	MSWDM.EXE	32
PID 1848 wrote to memory of 2620	1848	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\846a4b61363cdc49f4309c11cb99c2fd_JC.exe
"C:\Users\Admin\AppData\Local\Temp\846a4b61363cdc49f4309c11cb99c2fd_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2060
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1724
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devAC46.tmp!C:\Users\Admin\AppData\Local\Temp\846a4b61363cdc49f4309c11cb99c2fd_JC.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Users\Admin\AppData\Local\Temp\846A4B61363CDC49F4309C11CB99C2FD_JC.EXE
    3⤵
    - Executes dropped EXE
    PID:3028
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devAC46.tmp!C:\Users\Admin\AppData\Local\Temp\846A4B61363CDC49F4309C11CB99C2FD_JC.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\846A4B61363CDC49F4309C11CB99C2FD_JC.EXE

Filesize
1.9MB

MD5
80bb245681cfa84d1f1b01b9fbc1b63e

SHA1
f4172bc935fda0c845da47dd9d6535adf72d1a6a

SHA256
33597b65931322a88a687d3fe68383ba81608abfa7a09fa0e614425799700c54

SHA512
04c38bd96935fdd38d840ecbe7544de3794176c387daf5622841b4ad86e58af90aa1afe11bb18496fb62160e71470e8b007d63b2f0c88b211b0512dd797bbaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\846A4B61363CDC49F4309C11CB99C2FD_JC.EXE

Filesize
1.9MB

MD5
80bb245681cfa84d1f1b01b9fbc1b63e

SHA1
f4172bc935fda0c845da47dd9d6535adf72d1a6a

SHA256
33597b65931322a88a687d3fe68383ba81608abfa7a09fa0e614425799700c54

SHA512
04c38bd96935fdd38d840ecbe7544de3794176c387daf5622841b4ad86e58af90aa1afe11bb18496fb62160e71470e8b007d63b2f0c88b211b0512dd797bbaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\846a4b61363cdc49f4309c11cb99c2fd_JC.exe

Filesize
259KB

MD5
a10bf0e8d40b78c8b0b43a6a6fed9207

SHA1
0999873e46ae4a8f6740aa826773037c94fc5e18

SHA256
3d921cc9c553941d646c34cc6a79259e530c4a7652abcdd4b680e923f45090f6

SHA512
76e0e75288b05de8f71e464c8d23f9d18f785a6abf86b61f388177f044b959fe10363a05fa6031184758ad869ff855d648bf05e32e48531208372e59e354a206

Download Submit
C:\Users\Admin\AppData\Local\Temp\846a4b61363cdc49f4309c11cb99c2fd_JC.exe

Filesize
259KB

MD5
a10bf0e8d40b78c8b0b43a6a6fed9207

SHA1
0999873e46ae4a8f6740aa826773037c94fc5e18

SHA256
3d921cc9c553941d646c34cc6a79259e530c4a7652abcdd4b680e923f45090f6

SHA512
76e0e75288b05de8f71e464c8d23f9d18f785a6abf86b61f388177f044b959fe10363a05fa6031184758ad869ff855d648bf05e32e48531208372e59e354a206

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
d9ae6606cc3902f6c09a9674840f5521

SHA1
e1aa26f18373add4ae99cda746ea002ae1cc14d4

SHA256
79469e811ab35b798687244186827e4305fc1e55f238a5a36ee666b57f352245

SHA512
4f97b185687395855af78debc286851752f648562eb41b1f4dea6b7f157c3ed4302f5e20398348dc1ba69f78df7788611c7367e178a0f636db693d38ab5b43cc

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
d9ae6606cc3902f6c09a9674840f5521

SHA1
e1aa26f18373add4ae99cda746ea002ae1cc14d4

SHA256
79469e811ab35b798687244186827e4305fc1e55f238a5a36ee666b57f352245

SHA512
4f97b185687395855af78debc286851752f648562eb41b1f4dea6b7f157c3ed4302f5e20398348dc1ba69f78df7788611c7367e178a0f636db693d38ab5b43cc

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
d9ae6606cc3902f6c09a9674840f5521

SHA1
e1aa26f18373add4ae99cda746ea002ae1cc14d4

SHA256
79469e811ab35b798687244186827e4305fc1e55f238a5a36ee666b57f352245

SHA512
4f97b185687395855af78debc286851752f648562eb41b1f4dea6b7f157c3ed4302f5e20398348dc1ba69f78df7788611c7367e178a0f636db693d38ab5b43cc

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
d9ae6606cc3902f6c09a9674840f5521

SHA1
e1aa26f18373add4ae99cda746ea002ae1cc14d4

SHA256
79469e811ab35b798687244186827e4305fc1e55f238a5a36ee666b57f352245

SHA512
4f97b185687395855af78debc286851752f648562eb41b1f4dea6b7f157c3ed4302f5e20398348dc1ba69f78df7788611c7367e178a0f636db693d38ab5b43cc

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
d9ae6606cc3902f6c09a9674840f5521

SHA1
e1aa26f18373add4ae99cda746ea002ae1cc14d4

SHA256
79469e811ab35b798687244186827e4305fc1e55f238a5a36ee666b57f352245

SHA512
4f97b185687395855af78debc286851752f648562eb41b1f4dea6b7f157c3ed4302f5e20398348dc1ba69f78df7788611c7367e178a0f636db693d38ab5b43cc

Download Submit
C:\Windows\devAC46.tmp

Filesize
259KB

MD5
a10bf0e8d40b78c8b0b43a6a6fed9207

SHA1
0999873e46ae4a8f6740aa826773037c94fc5e18

SHA256
3d921cc9c553941d646c34cc6a79259e530c4a7652abcdd4b680e923f45090f6

SHA512
76e0e75288b05de8f71e464c8d23f9d18f785a6abf86b61f388177f044b959fe10363a05fa6031184758ad869ff855d648bf05e32e48531208372e59e354a206

Download Submit
\Users\Admin\AppData\Local\Temp\846a4b61363cdc49f4309c11cb99c2fd_JC.exe

Filesize
259KB

MD5
a10bf0e8d40b78c8b0b43a6a6fed9207

SHA1
0999873e46ae4a8f6740aa826773037c94fc5e18

SHA256
3d921cc9c553941d646c34cc6a79259e530c4a7652abcdd4b680e923f45090f6

SHA512
76e0e75288b05de8f71e464c8d23f9d18f785a6abf86b61f388177f044b959fe10363a05fa6031184758ad869ff855d648bf05e32e48531208372e59e354a206

Download Submit
\Users\Admin\AppData\Local\Temp\846a4b61363cdc49f4309c11cb99c2fd_JC.exe

Filesize
259KB

MD5
a10bf0e8d40b78c8b0b43a6a6fed9207

SHA1
0999873e46ae4a8f6740aa826773037c94fc5e18

SHA256
3d921cc9c553941d646c34cc6a79259e530c4a7652abcdd4b680e923f45090f6

SHA512
76e0e75288b05de8f71e464c8d23f9d18f785a6abf86b61f388177f044b959fe10363a05fa6031184758ad869ff855d648bf05e32e48531208372e59e354a206

Download Submit
memory/1724-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1724-36-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1848-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1848-34-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2060-7-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2060-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2060-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2060-14-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2060-35-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2620-32-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download