Analysis Overview
SHA256
25ee0b105e4c21a438cb62ee4e56f52269cbe4695ddd5a0c21f71b9cc7e27f6d
Threat Level: Known bad
The file 25ee0b105e4c21a438cb62ee4e56f52269cbe4695ddd5a0c21f71b9cc7e27f6d was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
UPX dump on OEP (original entry point)
Executes dropped EXE
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 19:28
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 19:28
Reported
2024-04-07 19:31
Platform
win7-20240221-en
Max time kernel
10s
Max time network
123s
Command Line
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\25ee0b105e4c21a438cb62ee4e56f52269cbe4695ddd5a0c21f71b9cc7e27f6d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\25ee0b105e4c21a438cb62ee4e56f52269cbe4695ddd5a0c21f71b9cc7e27f6d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\25ee0b105e4c21a438cb62ee4e56f52269cbe4695ddd5a0c21f71b9cc7e27f6d.exe | N/A |
| File opened for modification | C:\Windows\dev1120.tmp | C:\Users\Admin\AppData\Local\Temp\25ee0b105e4c21a438cb62ee4e56f52269cbe4695ddd5a0c21f71b9cc7e27f6d.exe | N/A |
| File opened for modification | C:\Windows\dev1120.tmp | C:\WINDOWS\MSWDM.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\25ee0b105e4c21a438cb62ee4e56f52269cbe4695ddd5a0c21f71b9cc7e27f6d.exe
"C:\Users\Admin\AppData\Local\Temp\25ee0b105e4c21a438cb62ee4e56f52269cbe4695ddd5a0c21f71b9cc7e27f6d.exe"
C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev1120.tmp!C:\Users\Admin\AppData\Local\Temp\25ee0b105e4c21a438cb62ee4e56f52269cbe4695ddd5a0c21f71b9cc7e27f6d.exe! !
C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev1120.tmp!C:\Users\Admin\AppData\Local\Temp\25EE0B105E4C21A438CB62EE4E56F52269CBE4695DDD5A0C21F71B9CC7E27F6D.EXE!
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.255.255:78 | udp | |
| N/A | 10.255.255.255:78 | udp | |
| N/A | 10.127.0.255:78 | udp |
Files
memory/2988-0-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\dev1120.tmp
| MD5 | f36a271706edd23c94956afb56981184 |
| SHA1 | d0e81797317bca2676587ff9d01d744b233ad5ec |
| SHA256 | 103035a32e7893d702ced974faa4434828bc03b0cc54d1b2e1205a2f2575e7c9 |
| SHA512 | 9acc2a4273a10f3fce1d41f4c59b98f1d84c590fd0eedf410a6c7d830acf441bc0bd38084fa37f18330b9e85d49a14730364f9e2539dc08388c823b524b39524 |
C:\WINDOWS\MSWDM.EXE
| MD5 | 26128499bdcd8db4aa4173761b14a2ca |
| SHA1 | 7ef11bdf86292a39f325df59a85bc0da13846c73 |
| SHA256 | d25b28ddf61a8b53bc7104b8b5b289d8f16eb69d4e3b73fc6a83c6dd59a86137 |
| SHA512 | 7e1764350bf3bea0fea204cc960f3dda00c3625a19b60565b98505f9163a911f6449b15ece9bd635c832746a26d0ad7c9498d05eea5d6b28c60a581256083602 |
memory/2324-19-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1652-18-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2988-13-0x0000000000250000-0x000000000026B000-memory.dmp
memory/2988-12-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2988-8-0x0000000000250000-0x000000000026B000-memory.dmp
memory/2324-38-0x0000000000260000-0x000000000027B000-memory.dmp
memory/2544-44-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2324-46-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\25EE0B105E4C21A438CB62EE4E56F52269CBE4695DDD5A0C21F71B9CC7E27F6D.EXE
| MD5 | 37adf3fb4feca2f094acfd05999b706c |
| SHA1 | 3f3c761becd8a510a9c65970db077792f77ebda2 |
| SHA256 | 2d850494c28c78b208ec84a70c63fce1705433b81c9ec9606045ee64b667d762 |
| SHA512 | a3dae201dcf7e470900400f3567044bc901caedd024ac3868ee602c2b7cbca6f05d21a5300fc9187da2a0159e43d89e1891f34d087e6164ff288c63a2189f1e8 |
memory/2544-42-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1652-47-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2988-48-0x0000000000250000-0x000000000026B000-memory.dmp
memory/2544-50-0x0000000000400000-0x000000000041B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 19:28
Reported
2024-04-07 19:31
Platform
win10v2004-20240319-en
Max time kernel
24s
Max time network
157s
Command Line
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\25ee0b105e4c21a438cb62ee4e56f52269cbe4695ddd5a0c21f71b9cc7e27f6d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\Users\Admin\AppData\Local\Temp\25ee0b105e4c21a438cb62ee4e56f52269cbe4695ddd5a0c21f71b9cc7e27f6d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | C:\WINDOWS\MSWDM.EXE | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\MSWDM.EXE | C:\Users\Admin\AppData\Local\Temp\25ee0b105e4c21a438cb62ee4e56f52269cbe4695ddd5a0c21f71b9cc7e27f6d.exe | N/A |
| File opened for modification | C:\Windows\devBF39.tmp | C:\Users\Admin\AppData\Local\Temp\25ee0b105e4c21a438cb62ee4e56f52269cbe4695ddd5a0c21f71b9cc7e27f6d.exe | N/A |
| File opened for modification | C:\Windows\devBF39.tmp | C:\WINDOWS\MSWDM.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
| N/A | N/A | C:\WINDOWS\MSWDM.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\25ee0b105e4c21a438cb62ee4e56f52269cbe4695ddd5a0c21f71b9cc7e27f6d.exe
"C:\Users\Admin\AppData\Local\Temp\25ee0b105e4c21a438cb62ee4e56f52269cbe4695ddd5a0c21f71b9cc7e27f6d.exe"
C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\devBF39.tmp!C:\Users\Admin\AppData\Local\Temp\25ee0b105e4c21a438cb62ee4e56f52269cbe4695ddd5a0c21f71b9cc7e27f6d.exe! !
C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\devBF39.tmp!C:\Users\Admin\AppData\Local\Temp\25EE0B105E4C21A438CB62EE4E56F52269CBE4695DDD5A0C21F71B9CC7E27F6D.EXE!
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5020 --field-trial-handle=2268,i,4334050275411101233,11484630688883830558,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| N/A | 10.127.255.255:78 | udp | |
| N/A | 10.255.255.255:78 | udp | |
| N/A | 10.127.0.255:78 | udp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 255.255.255.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| GB | 13.105.221.16:443 | tcp | |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
Files
memory/4072-0-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\MSWDM.EXE
| MD5 | 26128499bdcd8db4aa4173761b14a2ca |
| SHA1 | 7ef11bdf86292a39f325df59a85bc0da13846c73 |
| SHA256 | d25b28ddf61a8b53bc7104b8b5b289d8f16eb69d4e3b73fc6a83c6dd59a86137 |
| SHA512 | 7e1764350bf3bea0fea204cc960f3dda00c3625a19b60565b98505f9163a911f6449b15ece9bd635c832746a26d0ad7c9498d05eea5d6b28c60a581256083602 |
C:\Windows\devBF39.tmp
| MD5 | f36a271706edd23c94956afb56981184 |
| SHA1 | d0e81797317bca2676587ff9d01d744b233ad5ec |
| SHA256 | 103035a32e7893d702ced974faa4434828bc03b0cc54d1b2e1205a2f2575e7c9 |
| SHA512 | 9acc2a4273a10f3fce1d41f4c59b98f1d84c590fd0eedf410a6c7d830acf441bc0bd38084fa37f18330b9e85d49a14730364f9e2539dc08388c823b524b39524 |
memory/4660-10-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4072-8-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\25EE0B105E4C21A438CB62EE4E56F52269CBE4695DDD5A0C21F71B9CC7E27F6D.EXE
| MD5 | 2af364403d70021e8901d43ec6e98d48 |
| SHA1 | 447c9304a41161cd3486cd57adbc1abd4e848644 |
| SHA256 | b416b67e0fd4b103a7f47e49a319bd78638954511ee901e086a33b911e014ec7 |
| SHA512 | 98aca72024b12a1cb7b3917ddde38b5ef1120e8d0132cd1b78e0083e787711d6afd45e1062befcdc01cbec69ea69047d2f02fe7dcb2e713b3daf52b54c5e47e0 |
memory/1456-24-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4660-26-0x0000000000400000-0x000000000041B000-memory.dmp
memory/404-27-0x0000000000400000-0x000000000041B000-memory.dmp