b09633f6e63b2135aa363390018284dfa2efb50475e3bdcbe4c0cc834894ed2c

General

Target

NEAS.93d0169c877e83f546cffe39f72c36e0.exe
Size

1.2MB
MD5

93d0169c877e83f546cffe39f72c36e0
SHA1

541b9c7b8b9a76dd2a72ffaed32b71c9acd31e54
SHA256

b09633f6e63b2135aa363390018284dfa2efb50475e3bdcbe4c0cc834894ed2c
SHA512

8c9e7d0e3e8252bf763d805f123da9991095c6e7a63a7a9e91718eb513fb9f754ef35af8616067b60ba1fe01f7a85c72499c4334244519e8f9a4e34eed4dd9f2
SSDEEP

24576:M51xVcS9in6bxcqbF8fYTOYKbDurSUQNh:MtVcS4neHbyfYTOYKPu/A

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2808	MSWDM.EXE
2288	MSWDM.EXE
3472	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	NEAS.93d0169c877e83f546cffe39f72c36e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	NEAS.93d0169c877e83f546cffe39f72c36e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	NEAS.93d0169c877e83f546cffe39f72c36e0.exe
File opened for modification	C:\Windows\dev1E70.tmp	NEAS.93d0169c877e83f546cffe39f72c36e0.exe
File opened for modification	C:\Windows\dev1E70.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2288	MSWDM.EXE
2288	MSWDM.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2808	2900	NEAS.93d0169c877e83f546cffe39f72c36e0.exe	93
PID 2900 wrote to memory of 2808	2900	NEAS.93d0169c877e83f546cffe39f72c36e0.exe	93
PID 2900 wrote to memory of 2808	2900	NEAS.93d0169c877e83f546cffe39f72c36e0.exe	93
PID 2900 wrote to memory of 2288	2900	NEAS.93d0169c877e83f546cffe39f72c36e0.exe	94
PID 2900 wrote to memory of 2288	2900	NEAS.93d0169c877e83f546cffe39f72c36e0.exe	94
PID 2900 wrote to memory of 2288	2900	NEAS.93d0169c877e83f546cffe39f72c36e0.exe	94
PID 2288 wrote to memory of 3472	2288	MSWDM.EXE	95
PID 2288 wrote to memory of 3472	2288	MSWDM.EXE	95
PID 2288 wrote to memory of 3472	2288	MSWDM.EXE	95

C:\Users\Admin\AppData\Local\Temp\NEAS.93d0169c877e83f546cffe39f72c36e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.93d0169c877e83f546cffe39f72c36e0.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2900
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2808
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1E70.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.93d0169c877e83f546cffe39f72c36e0.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1E70.tmp!C:\Users\Admin\AppData\Local\Temp\NEAS.93D0169C877E83F546CFFE39F72C36E0.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.93D0169C877E83F546CFFE39F72C36E0.EXE

Filesize
1.2MB

MD5
eea01a1d567ff399b5dd5cea78790ae7

SHA1
2dae2ec8ad652e588e18ecd8af218103f9cb4472

SHA256
5a5e98e9d3e2d54c04f40f1b7479b16f12caa7d21a01b300d1b6e166328025a8

SHA512
76bbed40b589961211c89e7122543c97a149bab6000e0cf601542983f23ea4c8f9767004386a26f6af629b95fa0568834952e56e15806e72827a414eecacb0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.93D0169C877E83F546CFFE39F72C36E0.EXE

Filesize
1.2MB

MD5
eea01a1d567ff399b5dd5cea78790ae7

SHA1
2dae2ec8ad652e588e18ecd8af218103f9cb4472

SHA256
5a5e98e9d3e2d54c04f40f1b7479b16f12caa7d21a01b300d1b6e166328025a8

SHA512
76bbed40b589961211c89e7122543c97a149bab6000e0cf601542983f23ea4c8f9767004386a26f6af629b95fa0568834952e56e15806e72827a414eecacb0a0

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.2MB

MD5
c746d1dcd448faee36b083b8c00e6fa7

SHA1
62ae1b659f285b43ba1121ce8032c5a51073b12c

SHA256
8f4025b57ebeca9b974ec03f1a7f43fe06421f8aaac8f64cdd7b9c24c98a2813

SHA512
184fd6856c2db71f3c62c07af2fc140b9d9d94306f48505d471a46ccab8bd0a0c90da420c8d3b1139de4adc80c92bb684cdd555cecd779be78c04d952dd7d7a7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.2MB

MD5
c746d1dcd448faee36b083b8c00e6fa7

SHA1
62ae1b659f285b43ba1121ce8032c5a51073b12c

SHA256
8f4025b57ebeca9b974ec03f1a7f43fe06421f8aaac8f64cdd7b9c24c98a2813

SHA512
184fd6856c2db71f3c62c07af2fc140b9d9d94306f48505d471a46ccab8bd0a0c90da420c8d3b1139de4adc80c92bb684cdd555cecd779be78c04d952dd7d7a7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.2MB

MD5
c746d1dcd448faee36b083b8c00e6fa7

SHA1
62ae1b659f285b43ba1121ce8032c5a51073b12c

SHA256
8f4025b57ebeca9b974ec03f1a7f43fe06421f8aaac8f64cdd7b9c24c98a2813

SHA512
184fd6856c2db71f3c62c07af2fc140b9d9d94306f48505d471a46ccab8bd0a0c90da420c8d3b1139de4adc80c92bb684cdd555cecd779be78c04d952dd7d7a7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.2MB

MD5
c746d1dcd448faee36b083b8c00e6fa7

SHA1
62ae1b659f285b43ba1121ce8032c5a51073b12c

SHA256
8f4025b57ebeca9b974ec03f1a7f43fe06421f8aaac8f64cdd7b9c24c98a2813

SHA512
184fd6856c2db71f3c62c07af2fc140b9d9d94306f48505d471a46ccab8bd0a0c90da420c8d3b1139de4adc80c92bb684cdd555cecd779be78c04d952dd7d7a7

Download Submit
C:\Windows\dev1E70.tmp

Filesize
162B

MD5
380bbf4d7bdac05d2248b49c4188cd92

SHA1
ae83ef83ebe684eab30ab3ca431e4f84994fd60f

SHA256
b97278e320af9d3d990703fd1af322e7c4b568a92f6a736149c1648b2f07a7c2

SHA512
06fe7a78b558b7581b52f8d65a6a8a62338a429e550c91ad4ba5cc3f445da83ee86b99e5c7dfbd9bbfcc12895215d2a329756dc6b24ef8313f70658abc08db15

Download Submit
memory/2288-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2808-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2900-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2900-7-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3472-16-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads