ebfc328a1ccee1f7035d43ab4948f4f9bfef02c5d2b328c0df80f8203bf417a8

General

Target

ebfc328a1ccee1f7035d43ab4948f4f9bfef02c5d2b328c0df80f8203bf417a8.exe
Size

616KB
MD5

ea3da0c95ee2e9ef3a7e9db4433dd78a
SHA1

0b08c605684208be75e58a5199c20e001bdb8676
SHA256

ebfc328a1ccee1f7035d43ab4948f4f9bfef02c5d2b328c0df80f8203bf417a8
SHA512

c70f97a4777f16c9561c285f46cbe37ac078d80aba82488ffe77cd09f895046741e48e34a493d18a3824710f975d177bc089b6513193d2f6e5c54ef5d999a47e
SSDEEP

12288:wlbd+Baplw9U+qMi8CtdVldusIh6BBHCHrKZXCktSzIzWpX5y:Wbd+oYTqMi8CtBd2QHCHmTBW5y

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

resource	yara_rule
behavioral2/memory/4280-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x000400000001db72-5.dat	UPX
behavioral2/memory/4280-7-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/3056-8-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x0007000000023330-18.dat	UPX
behavioral2/memory/3228-19-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/3228-17-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/3004-21-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/3056-22-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
3056	MSWDM.EXE
3004	MSWDM.EXE
4976	EBFC328A1CCEE1F7035D43AB4948F4F9BFEF02C5D2B328C0DF80F8203BF417A8.EXE
3228	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	ebfc328a1ccee1f7035d43ab4948f4f9bfef02c5d2b328c0df80f8203bf417a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	ebfc328a1ccee1f7035d43ab4948f4f9bfef02c5d2b328c0df80f8203bf417a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	ebfc328a1ccee1f7035d43ab4948f4f9bfef02c5d2b328c0df80f8203bf417a8.exe
File opened for modification	C:\Windows\dev7C83.tmp	ebfc328a1ccee1f7035d43ab4948f4f9bfef02c5d2b328c0df80f8203bf417a8.exe
File opened for modification	C:\Windows\dev7C83.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3004	MSWDM.EXE
3004	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 3056	4280	ebfc328a1ccee1f7035d43ab4948f4f9bfef02c5d2b328c0df80f8203bf417a8.exe	94
PID 4280 wrote to memory of 3056	4280	ebfc328a1ccee1f7035d43ab4948f4f9bfef02c5d2b328c0df80f8203bf417a8.exe	94
PID 4280 wrote to memory of 3056	4280	ebfc328a1ccee1f7035d43ab4948f4f9bfef02c5d2b328c0df80f8203bf417a8.exe	94
PID 4280 wrote to memory of 3004	4280	ebfc328a1ccee1f7035d43ab4948f4f9bfef02c5d2b328c0df80f8203bf417a8.exe	95
PID 4280 wrote to memory of 3004	4280	ebfc328a1ccee1f7035d43ab4948f4f9bfef02c5d2b328c0df80f8203bf417a8.exe	95
PID 4280 wrote to memory of 3004	4280	ebfc328a1ccee1f7035d43ab4948f4f9bfef02c5d2b328c0df80f8203bf417a8.exe	95
PID 3004 wrote to memory of 4976	3004	MSWDM.EXE	96
PID 3004 wrote to memory of 4976	3004	MSWDM.EXE	96
PID 3004 wrote to memory of 3228	3004	MSWDM.EXE	99
PID 3004 wrote to memory of 3228	3004	MSWDM.EXE	99
PID 3004 wrote to memory of 3228	3004	MSWDM.EXE	99

C:\Users\Admin\AppData\Local\Temp\ebfc328a1ccee1f7035d43ab4948f4f9bfef02c5d2b328c0df80f8203bf417a8.exe
"C:\Users\Admin\AppData\Local\Temp\ebfc328a1ccee1f7035d43ab4948f4f9bfef02c5d2b328c0df80f8203bf417a8.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4280
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3056
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev7C83.tmp!C:\Users\Admin\AppData\Local\Temp\ebfc328a1ccee1f7035d43ab4948f4f9bfef02c5d2b328c0df80f8203bf417a8.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\EBFC328A1CCEE1F7035D43AB4948F4F9BFEF02C5D2B328C0DF80F8203BF417A8.EXE
    3⤵
    - Executes dropped EXE
    PID:4976
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev7C83.tmp!C:\Users\Admin\AppData\Local\Temp\EBFC328A1CCEE1F7035D43AB4948F4F9BFEF02C5D2B328C0DF80F8203BF417A8.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2276,i,5672504106535478802,17394903851940863593,262144 --variations-seed-version /prefetch:8
1⤵
PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ebfc328a1ccee1f7035d43ab4948f4f9bfef02c5d2b328c0df80f8203bf417a8.exe

Filesize
616KB

MD5
b650eda51f7cb165d47ccb1c63555df8

SHA1
feacf3724aa069bdde7765b100266afebd1d8f72

SHA256
dad532e5d51ea9be9d5fc6f5fdd8e3f501eb29f1dcd2ed4c415070dd3307bd3f

SHA512
302eb5d4beb149703c69c90450393b6af4a726c3a3fd96f70457b9eff9fa45abba66b0857a0aa2dd7424f832fc2ddeb0818b11876d2505766a04760496a74bfe

Download Submit
C:\Windows\MSWDM.EXE

Filesize
48KB

MD5
0f106d5cf3967749fc5a962f6a06df3b

SHA1
253cc6f78acf1d0f3f5cbaf11b67e19f24c55a38

SHA256
c98502529c1b26ee95ba931e121cc28bd47b0c564a9937f754147cc1e5be9595

SHA512
4d4a35119bf16fb0ff7c6c9d52e9c41b7445bebe05fab045520792b61c75063b6ef08419556885206e15237d2c39318a77978f6a36bbdd1cc125f4033539d517

Download Submit
C:\Windows\dev7C83.tmp

Filesize
568KB

MD5
04fb3ae7f05c8bc333125972ba907398

SHA1
df22612647e9404a515d48ebad490349685250de

SHA256
2fb898bacb587f2484c9c4aa6da2729079d93d1f923a017bb84beef87bf74fef

SHA512
94c164a0b884c939ece30f5038d07b756702998d46786f9f613fbea2eb30bed4bc19a409f347bb4cc565898473b18155d580b453683223beaf30ed4079c251b2

Download Submit
memory/3004-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3056-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3056-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3228-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3228-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4280-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4280-7-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads