d6b4aac6dd0bc7f492b6ca6d0a8f5d5b758a453c5957ab6c0fb7550ddceb53fb

Analysis

max time kernel
13s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
26/11/2023, 08:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6003cde85cc60263bd71010a26a47e90.exe
Size

2.2MB
MD5

6003cde85cc60263bd71010a26a47e90
SHA1

82b108a3f23c477ddcdc114ba81ef83470f636f0
SHA256

d6b4aac6dd0bc7f492b6ca6d0a8f5d5b758a453c5957ab6c0fb7550ddceb53fb
SHA512

9055d693655bee5fdcc75094b9e57fa3c6020ff687f0a244d6ad8abb0802bc9c71af8742c07f8ed0d22134e1d27c82e3d8ca98e10aa2ec938bb412887ffd513a
SSDEEP

49152:Mt1cS4neHbyfYTOYKPu/gEjiEO5ItDaWmbANr92TDoET96:MtuS4neHvZjiEO5Ih1mbANrkwp

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2160	MSWDM.EXE
1724	MSWDM.EXE
2616	6003CDE85CC60263BD71010A26A47E90.EXE
2644	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
2160	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	6003cde85cc60263bd71010a26a47e90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	6003cde85cc60263bd71010a26a47e90.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev6B51.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	6003cde85cc60263bd71010a26a47e90.exe
File opened for modification	C:\Windows\dev6B51.tmp	6003cde85cc60263bd71010a26a47e90.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2160	MSWDM.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1724	2152	6003cde85cc60263bd71010a26a47e90.exe	28
PID 2152 wrote to memory of 1724	2152	6003cde85cc60263bd71010a26a47e90.exe	28
PID 2152 wrote to memory of 1724	2152	6003cde85cc60263bd71010a26a47e90.exe	28
PID 2152 wrote to memory of 1724	2152	6003cde85cc60263bd71010a26a47e90.exe	28
PID 2152 wrote to memory of 2160	2152	6003cde85cc60263bd71010a26a47e90.exe	29
PID 2152 wrote to memory of 2160	2152	6003cde85cc60263bd71010a26a47e90.exe	29
PID 2152 wrote to memory of 2160	2152	6003cde85cc60263bd71010a26a47e90.exe	29
PID 2152 wrote to memory of 2160	2152	6003cde85cc60263bd71010a26a47e90.exe	29
PID 2160 wrote to memory of 2616	2160	MSWDM.EXE	30
PID 2160 wrote to memory of 2616	2160	MSWDM.EXE	30
PID 2160 wrote to memory of 2616	2160	MSWDM.EXE	30
PID 2160 wrote to memory of 2616	2160	MSWDM.EXE	30
PID 2160 wrote to memory of 2616	2160	MSWDM.EXE	30
PID 2160 wrote to memory of 2616	2160	MSWDM.EXE	30
PID 2160 wrote to memory of 2616	2160	MSWDM.EXE	30
PID 2160 wrote to memory of 2644	2160	MSWDM.EXE	31
PID 2160 wrote to memory of 2644	2160	MSWDM.EXE	31
PID 2160 wrote to memory of 2644	2160	MSWDM.EXE	31
PID 2160 wrote to memory of 2644	2160	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\6003cde85cc60263bd71010a26a47e90.exe
"C:\Users\Admin\AppData\Local\Temp\6003cde85cc60263bd71010a26a47e90.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2152
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1724
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev6B51.tmp!C:\Users\Admin\AppData\Local\Temp\6003cde85cc60263bd71010a26a47e90.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\6003CDE85CC60263BD71010A26A47E90.EXE
    3⤵
    - Executes dropped EXE
    PID:2616
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev6B51.tmp!C:\Users\Admin\AppData\Local\Temp\6003CDE85CC60263BD71010A26A47E90.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6003CDE85CC60263BD71010A26A47E90.EXE

Filesize
2.2MB

MD5
86c881864731d6dd74572db8c1059036

SHA1
badd58d9c89222919329ecec0ee9c2d589d8290b

SHA256
b6268af18fab12a926c33af998e74272af7822fe7c9fcc3b74e73103f02c2a18

SHA512
492fdd19216e7843ab79de198699284c4468e472622e68cd7cb870329aa7504509370bd7613fa86b671319efeee567613b8b7788af18e0c2e0419fc94454360a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6003CDE85CC60263BD71010A26A47E90.EXE

Filesize
2.2MB

MD5
86c881864731d6dd74572db8c1059036

SHA1
badd58d9c89222919329ecec0ee9c2d589d8290b

SHA256
b6268af18fab12a926c33af998e74272af7822fe7c9fcc3b74e73103f02c2a18

SHA512
492fdd19216e7843ab79de198699284c4468e472622e68cd7cb870329aa7504509370bd7613fa86b671319efeee567613b8b7788af18e0c2e0419fc94454360a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6003cde85cc60263bd71010a26a47e90.exe

Filesize
549KB

MD5
520a6d1cbcc9cf642c625fe814c93c58

SHA1
fb517abb38e9ccc67de411d4f18a9446c11c0923

SHA256
08966ce743aa1cbed0874933e104ef7b913188ecd8f0c679f7d8378516c51da2

SHA512
b92a32b27d6e6187c30d8018d7e0a35bde98dc524eabcd7709420b499778159e2872db04a3f2dfacf016d0e6d97b8175920e83fa28804609786828e52f058ff0

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
1.6MB

MD5
827c6f3f878cde615f3b0b0b6ca9090b

SHA1
353e671f802c7c0a0786d18f890e19ce6ec96689

SHA256
b4b9b8fe5b1f5750f4d61a5d32ae89a989e44df2533e37e1dac467fc29db305a

SHA512
85dbbc89ae6e3fd438c23a71695f4a8775808aa1bd69dae8d02cf0434b057bfa4a3ebab23cd65560222ce823de859e36d006d12bbf84e47ccb1d0b7bc1f62f41

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
827c6f3f878cde615f3b0b0b6ca9090b

SHA1
353e671f802c7c0a0786d18f890e19ce6ec96689

SHA256
b4b9b8fe5b1f5750f4d61a5d32ae89a989e44df2533e37e1dac467fc29db305a

SHA512
85dbbc89ae6e3fd438c23a71695f4a8775808aa1bd69dae8d02cf0434b057bfa4a3ebab23cd65560222ce823de859e36d006d12bbf84e47ccb1d0b7bc1f62f41

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
827c6f3f878cde615f3b0b0b6ca9090b

SHA1
353e671f802c7c0a0786d18f890e19ce6ec96689

SHA256
b4b9b8fe5b1f5750f4d61a5d32ae89a989e44df2533e37e1dac467fc29db305a

SHA512
85dbbc89ae6e3fd438c23a71695f4a8775808aa1bd69dae8d02cf0434b057bfa4a3ebab23cd65560222ce823de859e36d006d12bbf84e47ccb1d0b7bc1f62f41

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
827c6f3f878cde615f3b0b0b6ca9090b

SHA1
353e671f802c7c0a0786d18f890e19ce6ec96689

SHA256
b4b9b8fe5b1f5750f4d61a5d32ae89a989e44df2533e37e1dac467fc29db305a

SHA512
85dbbc89ae6e3fd438c23a71695f4a8775808aa1bd69dae8d02cf0434b057bfa4a3ebab23cd65560222ce823de859e36d006d12bbf84e47ccb1d0b7bc1f62f41

Download Submit
C:\Windows\MSWDM.EXE

Filesize
1.6MB

MD5
827c6f3f878cde615f3b0b0b6ca9090b

SHA1
353e671f802c7c0a0786d18f890e19ce6ec96689

SHA256
b4b9b8fe5b1f5750f4d61a5d32ae89a989e44df2533e37e1dac467fc29db305a

SHA512
85dbbc89ae6e3fd438c23a71695f4a8775808aa1bd69dae8d02cf0434b057bfa4a3ebab23cd65560222ce823de859e36d006d12bbf84e47ccb1d0b7bc1f62f41

Download Submit
C:\Windows\dev6B51.tmp

Filesize
549KB

MD5
520a6d1cbcc9cf642c625fe814c93c58

SHA1
fb517abb38e9ccc67de411d4f18a9446c11c0923

SHA256
08966ce743aa1cbed0874933e104ef7b913188ecd8f0c679f7d8378516c51da2

SHA512
b92a32b27d6e6187c30d8018d7e0a35bde98dc524eabcd7709420b499778159e2872db04a3f2dfacf016d0e6d97b8175920e83fa28804609786828e52f058ff0

Download Submit
\Users\Admin\AppData\Local\Temp\6003cde85cc60263bd71010a26a47e90.exe

Filesize
549KB

MD5
520a6d1cbcc9cf642c625fe814c93c58

SHA1
fb517abb38e9ccc67de411d4f18a9446c11c0923

SHA256
08966ce743aa1cbed0874933e104ef7b913188ecd8f0c679f7d8378516c51da2

SHA512
b92a32b27d6e6187c30d8018d7e0a35bde98dc524eabcd7709420b499778159e2872db04a3f2dfacf016d0e6d97b8175920e83fa28804609786828e52f058ff0

Download Submit
memory/1724-18-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2152-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2152-12-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2152-11-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2160-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2160-30-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2644-28-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download