f00a122f4916b8321190e523b42045079198a7fcad9391979feb9670e3738a68

General

Target

4e79b405d732cdeeb72e4b466dde2ff9.exe
Size

148KB
MD5

4e79b405d732cdeeb72e4b466dde2ff9
SHA1

66a88fd8ab89265cc4808da3109985a6249b8155
SHA256

f00a122f4916b8321190e523b42045079198a7fcad9391979feb9670e3738a68
SHA512

5a9b15dcef67858a1fa99647d354393331a78a3739f14e0686f54e7c0bd648d5cbffd98377ca95e8525fcee493b40084fe83bd819cdceda5c4f2cd42a7041d7c
SSDEEP

3072:WcX93xwq19gL2SjGojCJa7ESlp6S6RAGfosrlhVBMj:WcNhJgX9zE46SSfDl6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2608	MSWDM.EXE
3032	MSWDM.EXE
1204	4E79B405D732CDEEB72E4B466DDE2FF9.EXE
2340	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
3032	MSWDM.EXE
3032	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	4e79b405d732cdeeb72e4b466dde2ff9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	4e79b405d732cdeeb72e4b466dde2ff9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	4e79b405d732cdeeb72e4b466dde2ff9.exe
File opened for modification	C:\Windows\dev1287.tmp	4e79b405d732cdeeb72e4b466dde2ff9.exe
File opened for modification	C:\Windows\dev1287.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3032	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2608	2148	4e79b405d732cdeeb72e4b466dde2ff9.exe	28
PID 2148 wrote to memory of 2608	2148	4e79b405d732cdeeb72e4b466dde2ff9.exe	28
PID 2148 wrote to memory of 2608	2148	4e79b405d732cdeeb72e4b466dde2ff9.exe	28
PID 2148 wrote to memory of 2608	2148	4e79b405d732cdeeb72e4b466dde2ff9.exe	28
PID 2148 wrote to memory of 3032	2148	4e79b405d732cdeeb72e4b466dde2ff9.exe	29
PID 2148 wrote to memory of 3032	2148	4e79b405d732cdeeb72e4b466dde2ff9.exe	29
PID 2148 wrote to memory of 3032	2148	4e79b405d732cdeeb72e4b466dde2ff9.exe	29
PID 2148 wrote to memory of 3032	2148	4e79b405d732cdeeb72e4b466dde2ff9.exe	29
PID 3032 wrote to memory of 1204	3032	MSWDM.EXE	30
PID 3032 wrote to memory of 1204	3032	MSWDM.EXE	30
PID 3032 wrote to memory of 1204	3032	MSWDM.EXE	30
PID 3032 wrote to memory of 1204	3032	MSWDM.EXE	30
PID 3032 wrote to memory of 2340	3032	MSWDM.EXE	31
PID 3032 wrote to memory of 2340	3032	MSWDM.EXE	31
PID 3032 wrote to memory of 2340	3032	MSWDM.EXE	31
PID 3032 wrote to memory of 2340	3032	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\4e79b405d732cdeeb72e4b466dde2ff9.exe
"C:\Users\Admin\AppData\Local\Temp\4e79b405d732cdeeb72e4b466dde2ff9.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2148
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2608
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1287.tmp!C:\Users\Admin\AppData\Local\Temp\4e79b405d732cdeeb72e4b466dde2ff9.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\4E79B405D732CDEEB72E4B466DDE2FF9.EXE
    3⤵
    - Executes dropped EXE
    PID:1204
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1287.tmp!C:\Users\Admin\AppData\Local\Temp\4E79B405D732CDEEB72E4B466DDE2FF9.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4E79B405D732CDEEB72E4B466DDE2FF9.EXE

Filesize
148KB

MD5
e62617c1567ceb83f6f972d6f28e3ede

SHA1
2d7f40c3469f2a69e38f9e1614e3775d2cf9933e

SHA256
603d374841c03ed1f8591e3ddd8f58e135bf2710fca49c39352fbbf43f06ca11

SHA512
e9c0e462fa3e509664ad6670d60c59617c10e7fd504678c2ec9ec8840a683bc33af3af18545de971e4ebf8154398f5d6e8229f0b0577ea9b2357f043056da780

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e79b405d732cdeeb72e4b466dde2ff9.exe

Filesize
2KB

MD5
d754afcabf57fbc1dc44bd28fc64797c

SHA1
6c6bdb2abc95aa01fc4244eba357459e19851d20

SHA256
f564b1db10fa9df868e678968737ca63ec1dca4e9eac545cf4e211f6b1a7ad8f

SHA512
5861e4173629933cdf00dcbd49a1090b72ae2c75d2d10d89b7bd6adb4b24adc1a771e02384c3eda8aa2ef667ab6e4bc848b7f5eb0951f6034b02e9907e2f79b4

Download Submit
C:\Windows\MSWDM.EXE

Filesize
64KB

MD5
325cb27fbd092b813dd35af514632cea

SHA1
e417533dcee04661a34c01c4d7410c5a51a6cd90

SHA256
f0c2fbf36923c8a3a22432fb711e1dda7030385fd721bd6f8f9796f4a6cd59f3

SHA512
a58ac9ed984023032924867d9ed522e464480a59db69ee11b98b2f042d1de482fdf35888673600852876300d53d73cfde3fb910fb1f1c7e4f7c507e1bf6e84ce

Download Submit
C:\Windows\dev1287.tmp

Filesize
84KB

MD5
c1a3315ab5820f9588b17fca285dd46c

SHA1
f9f5d1d895946e34fad7d5af32de5afd1a5df7bc

SHA256
d8119ebe9c7c364b8e646f5c63a1fde4bcf6183e54bc4759c61147d4fd098fa3

SHA512
9ad95ca6094d539640df19ec3e32101403e7f50241dea5e6d0713afade6e7b948e94256ac48474a787d0eee1723f9504bab80a357e619ae0740d9a61a6c789c7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads