785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc

General

Target

785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe
Size

212KB
MD5

e696fd65a90d2398ab085cd3a2b5c7e2
SHA1

dc7d5cb25e5b14adc925d95e865d77c0127a76b2
SHA256

785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc
SHA512

cde0e806e8cbe938dd754214a0d776dd8e36eb21553cdde54489bb7bf113e34bea0d9c6ab7c67c97f3596e12bb849860e30d47050948354753995a301da2ba48
SSDEEP

3072:HQC/yj5JO3MnSG+VZkswJCMvAiEL9ju1ALw1rv1qUgwqoZNNQGKfHYTomZ:wlj7cMnL+VbwJ1EJjmXmGKgTh

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 7 IoCs

resource	yara_rule
behavioral2/memory/4512-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x000d00000002315a-3.dat	UPX
behavioral2/memory/4512-8-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x00080000000231fc-12.dat	UPX
behavioral2/memory/2644-15-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/3280-17-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/4396-18-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

pid	Process
4396	MSWDM.EXE
3280	MSWDM.EXE
2644	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe
File opened for modification	C:\Windows\dev5331.tmp	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe
File opened for modification	C:\Windows\dev5331.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3280	MSWDM.EXE
3280	MSWDM.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 4396	4512	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe	84
PID 4512 wrote to memory of 4396	4512	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe	84
PID 4512 wrote to memory of 4396	4512	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe	84
PID 4512 wrote to memory of 3280	4512	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe	85
PID 4512 wrote to memory of 3280	4512	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe	85
PID 4512 wrote to memory of 3280	4512	785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe	85
PID 3280 wrote to memory of 2644	3280	MSWDM.EXE	86
PID 3280 wrote to memory of 2644	3280	MSWDM.EXE	86
PID 3280 wrote to memory of 2644	3280	MSWDM.EXE	86

C:\Users\Admin\AppData\Local\Temp\785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe
"C:\Users\Admin\AppData\Local\Temp\785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4512
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4396
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev5331.tmp!C:\Users\Admin\AppData\Local\Temp\785e77341692e1391336f5a75b664caa6dc6647d9e6b9b0df74d21159c99a7dc.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev5331.tmp!C:\Users\Admin\AppData\Local\Temp\785E77341692E1391336F5A75B664CAA6DC6647D9E6B9B0DF74D21159C99A7DC.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\785E77341692E1391336F5A75B664CAA6DC6647D9E6B9B0DF74D21159C99A7DC.EXE

Filesize
212KB

MD5
a475d3898344783618cc1161f1be75bc

SHA1
22170d1c5c8fec42e76477ec5c65fa76882ea03c

SHA256
349e1ea4f7b514f64c4c710a9176e493038f91a2c775dbadea8c5e8b114a3271

SHA512
c2c6fab1fb8c9baa751dfaa8f54c9508b83ba0592790d22d3e7bf684fc659bb8fcb6606aa9cce9169d3cec0eaa8d90b8a4f0d187977ca2886ddafd05e502c880

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
29c9387f23c164ed635ee6b4b2b243fb

SHA1
cf8c961cbedb5aa3e0a9ec9263b7aa62e2939130

SHA256
05e9a775c3e39e0ed8fc0d61f3e1da1f40aec50d945aa22b477bf13e1ab9b698

SHA512
f39ecc49d8aece2881280996c40393f813fd8929dea46e28bbfb18cb5eb8f6bfa271f2dd71ddeb5cc34d6a4ba94efcb761c0071d6fb2bc40dc0b729cdde65522

Download Submit
C:\Windows\dev5331.tmp

Filesize
164KB

MD5
79ef49f5145a0b66a49bf177fa5fd85f

SHA1
e0db21e02eea22f0da5b44745d1dd0184ddc6ebe

SHA256
c5dc9884a8f458371550e09bd396e5418bf375820a31b9899f6499bf391c7b2e

SHA512
0c9c6cc534ab5f0edb3c86350c743a27d7f5df67a6e568fc18994cfc6f60ba3064c238add45e0df8f56a0390e0f4415603404bc499fdb9124a73b5f106ea97fa

Download Submit
memory/2644-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3280-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4396-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4512-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4512-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads