785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc

General

Target

785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe
Size

212KB
MD5

e696fd65a90d2398ab085cd3a2b5c7e2
SHA1

dc7d5cb25e5b14adc925d95e865d77c0127a76b2
SHA256

785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc
SHA512

cde0e806e8cbe938dd754214a0d776dd8e36eb21553cdde54489bb7bf113e34bea0d9c6ab7c67c97f3596e12bb849860e30d47050948354753995a301da2ba48
SSDEEP

3072:HQC/yj5JO3MnSG+VZkswJCMvAiEL9ju1ALw1rv1qUgwqoZNNQGKfHYTomZ:wlj7cMnL+VbwJ1EJjmXmGKgTh

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

resource	yara_rule
behavioral1/memory/2888-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2888-11-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/files/0x000600000001208c-15.dat	UPX
behavioral1/memory/2964-20-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2988-26-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/files/0x0008000000014187-28.dat	UPX
behavioral1/memory/2180-27-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2180-29-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2964-30-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

pid	Process
2964	MSWDM.EXE
2180	MSWDM.EXE
2988	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe
File opened for modification	C:\Windows\dev2A1C.tmp	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe
File opened for modification	C:\Windows\dev2A1C.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2180	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2964	2888	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe	28
PID 2888 wrote to memory of 2964	2888	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe	28
PID 2888 wrote to memory of 2964	2888	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe	28
PID 2888 wrote to memory of 2964	2888	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe	28
PID 2888 wrote to memory of 2180	2888	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe	29
PID 2888 wrote to memory of 2180	2888	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe	29
PID 2888 wrote to memory of 2180	2888	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe	29
PID 2888 wrote to memory of 2180	2888	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe	29
PID 2180 wrote to memory of 2988	2180	MSWDM.EXE	30
PID 2180 wrote to memory of 2988	2180	MSWDM.EXE	30
PID 2180 wrote to memory of 2988	2180	MSWDM.EXE	30
PID 2180 wrote to memory of 2988	2180	MSWDM.EXE	30

C:\Users\Admin\AppData\Local\Temp\785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe
"C:\Users\Admin\AppData\Local\Temp\785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2888
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2964
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev2A1C.tmp!C:\Users\Admin\AppData\Local\Temp\785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev2A1C.tmp!C:\Users\Admin\AppData\Local\Temp\785E77341692E1391336F5A75B664CAA6DC6647D9E6B9B0DF74D21159C99A7DC.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\785E77341692E1391336F5A75B664CAA6DC6647D9E6B9B0DF74D21159C99A7DC.EXE

Filesize
212KB

MD5
4ce0e242d839003cfbad49aeef2f3bba

SHA1
cab49f99b3c56e13c31f07cba8b8d2af354c430f

SHA256
3418d021d7025a83148e5fb8742aae0299948d8dc24c98aa613270e77bf99c30

SHA512
d4129e271bde3262ebf2515f73a41718b693080e70fb8a5ce21ecfca6e30a6ec7b8c8f8fbbf70236c3b0fe41d19a81897a0301bc2cf128a945ee633ecf03f790

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
47KB

MD5
29c9387f23c164ed635ee6b4b2b243fb

SHA1
cf8c961cbedb5aa3e0a9ec9263b7aa62e2939130

SHA256
05e9a775c3e39e0ed8fc0d61f3e1da1f40aec50d945aa22b477bf13e1ab9b698

SHA512
f39ecc49d8aece2881280996c40393f813fd8929dea46e28bbfb18cb5eb8f6bfa271f2dd71ddeb5cc34d6a4ba94efcb761c0071d6fb2bc40dc0b729cdde65522

Download Submit
C:\Windows\dev2A1C.tmp

Filesize
164KB

MD5
79ef49f5145a0b66a49bf177fa5fd85f

SHA1
e0db21e02eea22f0da5b44745d1dd0184ddc6ebe

SHA256
c5dc9884a8f458371550e09bd396e5418bf375820a31b9899f6499bf391c7b2e

SHA512
0c9c6cc534ab5f0edb3c86350c743a27d7f5df67a6e568fc18994cfc6f60ba3064c238add45e0df8f56a0390e0f4415603404bc499fdb9124a73b5f106ea97fa

Download Submit
memory/2180-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2180-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2180-24-0x00000000003C0000-0x00000000003DB000-memory.dmp

Filesize
108KB

Download
memory/2888-17-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/2888-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2888-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2888-13-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/2964-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2964-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2988-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads