1f13fde7904d3f0ab3da45355c9911232cacd58f13ecc846e50ec85112ba9cd9

General

Target

846a4b61363cdc49f4309c11cb99c2fd_JC.exe
Size

1.9MB
MD5

846a4b61363cdc49f4309c11cb99c2fd
SHA1

d3c5f1277bd82d195e75f977abf6319e9d336312
SHA256

1f13fde7904d3f0ab3da45355c9911232cacd58f13ecc846e50ec85112ba9cd9
SHA512

a9407a182c5a4dbb9763a4451a820eee8ab6f49dcaa869947ef9318357bbd505bfa6debe1918491f173284632aec438cf0cd686e775253ea88b67730b5bf0627
SSDEEP

49152:MtdcS4neHbyfYTOYKPu/gEjiEO5ItDSTL:MtmS4neHvZjiEO5IhSX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4764	MSWDM.EXE
4528	MSWDM.EXE
5004	846A4B61363CDC49F4309C11CB99C2FD_JC.EXE
1452	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	846a4b61363cdc49f4309c11cb99c2fd_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	846a4b61363cdc49f4309c11cb99c2fd_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	846a4b61363cdc49f4309c11cb99c2fd_JC.exe
File opened for modification	C:\Windows\dev6198.tmp	846a4b61363cdc49f4309c11cb99c2fd_JC.exe
File opened for modification	C:\Windows\dev6198.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4528	MSWDM.EXE
4528	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 4764	4128	846a4b61363cdc49f4309c11cb99c2fd_JC.exe	83
PID 4128 wrote to memory of 4764	4128	846a4b61363cdc49f4309c11cb99c2fd_JC.exe	83
PID 4128 wrote to memory of 4764	4128	846a4b61363cdc49f4309c11cb99c2fd_JC.exe	83
PID 4128 wrote to memory of 4528	4128	846a4b61363cdc49f4309c11cb99c2fd_JC.exe	84
PID 4128 wrote to memory of 4528	4128	846a4b61363cdc49f4309c11cb99c2fd_JC.exe	84
PID 4128 wrote to memory of 4528	4128	846a4b61363cdc49f4309c11cb99c2fd_JC.exe	84
PID 4528 wrote to memory of 5004	4528	MSWDM.EXE	85
PID 4528 wrote to memory of 5004	4528	MSWDM.EXE	85
PID 4528 wrote to memory of 5004	4528	MSWDM.EXE	85
PID 4528 wrote to memory of 1452	4528	MSWDM.EXE	87
PID 4528 wrote to memory of 1452	4528	MSWDM.EXE	87
PID 4528 wrote to memory of 1452	4528	MSWDM.EXE	87

C:\Users\Admin\AppData\Local\Temp\846a4b61363cdc49f4309c11cb99c2fd_JC.exe
"C:\Users\Admin\AppData\Local\Temp\846a4b61363cdc49f4309c11cb99c2fd_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4128
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4764
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev6198.tmp!C:\Users\Admin\AppData\Local\Temp\846a4b61363cdc49f4309c11cb99c2fd_JC.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\846A4B61363CDC49F4309C11CB99C2FD_JC.EXE
    3⤵
    - Executes dropped EXE
    PID:5004
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev6198.tmp!C:\Users\Admin\AppData\Local\Temp\846A4B61363CDC49F4309C11CB99C2FD_JC.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\846A4B61363CDC49F4309C11CB99C2FD_JC.EXE

Filesize
1.9MB

MD5
35fe2f5c9352ea4176046c02efa9c2e1

SHA1
a925b001eca34a926e8fc820f12c34af107491ca

SHA256
4f4d2204a76542dfab6d5b1bfd10a5388e9def7994bb858220c511c8a072f78f

SHA512
1b1740aafc5a79e99b7f764af313e447c1dad65a1c3c93154b366013625d44394d4991d6b0f9de468335498a11547109f5c98d1656ed01c88f5ce752bb283757

Download Submit
C:\Users\Admin\AppData\Local\Temp\846A4B61363CDC49F4309C11CB99C2FD_JC.EXE

Filesize
1.9MB

MD5
35fe2f5c9352ea4176046c02efa9c2e1

SHA1
a925b001eca34a926e8fc820f12c34af107491ca

SHA256
4f4d2204a76542dfab6d5b1bfd10a5388e9def7994bb858220c511c8a072f78f

SHA512
1b1740aafc5a79e99b7f764af313e447c1dad65a1c3c93154b366013625d44394d4991d6b0f9de468335498a11547109f5c98d1656ed01c88f5ce752bb283757

Download Submit
C:\Users\Admin\AppData\Local\Temp\846a4b61363cdc49f4309c11cb99c2fd_JC.exe

Filesize
259KB

MD5
a10bf0e8d40b78c8b0b43a6a6fed9207

SHA1
0999873e46ae4a8f6740aa826773037c94fc5e18

SHA256
3d921cc9c553941d646c34cc6a79259e530c4a7652abcdd4b680e923f45090f6

SHA512
76e0e75288b05de8f71e464c8d23f9d18f785a6abf86b61f388177f044b959fe10363a05fa6031184758ad869ff855d648bf05e32e48531208372e59e354a206

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
d9ae6606cc3902f6c09a9674840f5521

SHA1
e1aa26f18373add4ae99cda746ea002ae1cc14d4

SHA256
79469e811ab35b798687244186827e4305fc1e55f238a5a36ee666b57f352245

SHA512
4f97b185687395855af78debc286851752f648562eb41b1f4dea6b7f157c3ed4302f5e20398348dc1ba69f78df7788611c7367e178a0f636db693d38ab5b43cc

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
d9ae6606cc3902f6c09a9674840f5521

SHA1
e1aa26f18373add4ae99cda746ea002ae1cc14d4

SHA256
79469e811ab35b798687244186827e4305fc1e55f238a5a36ee666b57f352245

SHA512
4f97b185687395855af78debc286851752f648562eb41b1f4dea6b7f157c3ed4302f5e20398348dc1ba69f78df7788611c7367e178a0f636db693d38ab5b43cc

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
d9ae6606cc3902f6c09a9674840f5521

SHA1
e1aa26f18373add4ae99cda746ea002ae1cc14d4

SHA256
79469e811ab35b798687244186827e4305fc1e55f238a5a36ee666b57f352245

SHA512
4f97b185687395855af78debc286851752f648562eb41b1f4dea6b7f157c3ed4302f5e20398348dc1ba69f78df7788611c7367e178a0f636db693d38ab5b43cc

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
d9ae6606cc3902f6c09a9674840f5521

SHA1
e1aa26f18373add4ae99cda746ea002ae1cc14d4

SHA256
79469e811ab35b798687244186827e4305fc1e55f238a5a36ee666b57f352245

SHA512
4f97b185687395855af78debc286851752f648562eb41b1f4dea6b7f157c3ed4302f5e20398348dc1ba69f78df7788611c7367e178a0f636db693d38ab5b43cc

Download Submit
C:\Windows\dev6198.tmp

Filesize
259KB

MD5
a10bf0e8d40b78c8b0b43a6a6fed9207

SHA1
0999873e46ae4a8f6740aa826773037c94fc5e18

SHA256
3d921cc9c553941d646c34cc6a79259e530c4a7652abcdd4b680e923f45090f6

SHA512
76e0e75288b05de8f71e464c8d23f9d18f785a6abf86b61f388177f044b959fe10363a05fa6031184758ad869ff855d648bf05e32e48531208372e59e354a206

Download Submit
memory/1452-16-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4128-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4128-7-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4528-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4764-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads