5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc

General

Target

5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe
Size

4.2MB
MD5

6d48457863ab10ba1ceb9e35348eb6dc
SHA1

3d7d6a66ca988ed07b64d0a9df17abae8df14b8b
SHA256

5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc
SHA512

528ed2d7254f6c77f1d38ca3736cd0645b65945450746800c961e473b1036a85d49f4603b57f3b465f1ffb662357d6987aa0aa102069a6aafed43d7013357b79
SSDEEP

49152:WbU+EgnAj9hg5nfVMsCWtvLBGi90Qq19YnETzehkiYgpgGo/vinpqWsMYhLRCfsQ:WbU+9nfVLb2CToUp8q7

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

resource	yara_rule
behavioral1/memory/2872-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/files/0x000c0000000122de-13.dat	UPX
behavioral1/memory/2872-12-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2496-18-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2600-20-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/files/0x000b000000015598-26.dat	UPX
behavioral1/memory/2644-30-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2600-32-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2496-33-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
2496	MSWDM.EXE
2600	MSWDM.EXE
2608	5D254EF975DA48C1E669DF43870F1BB34813046A737F3D0FC5C516E1AF598FBC.EXE
2644	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2600	MSWDM.EXE
2516	Process not Found

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev41D1.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe
File opened for modification	C:\Windows\dev41D1.tmp	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2600	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2496	2872	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe	28
PID 2872 wrote to memory of 2496	2872	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe	28
PID 2872 wrote to memory of 2496	2872	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe	28
PID 2872 wrote to memory of 2496	2872	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe	28
PID 2872 wrote to memory of 2600	2872	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe	29
PID 2872 wrote to memory of 2600	2872	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe	29
PID 2872 wrote to memory of 2600	2872	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe	29
PID 2872 wrote to memory of 2600	2872	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe	29
PID 2600 wrote to memory of 2608	2600	MSWDM.EXE	30
PID 2600 wrote to memory of 2608	2600	MSWDM.EXE	30
PID 2600 wrote to memory of 2608	2600	MSWDM.EXE	30
PID 2600 wrote to memory of 2608	2600	MSWDM.EXE	30
PID 2600 wrote to memory of 2644	2600	MSWDM.EXE	32
PID 2600 wrote to memory of 2644	2600	MSWDM.EXE	32
PID 2600 wrote to memory of 2644	2600	MSWDM.EXE	32
PID 2600 wrote to memory of 2644	2600	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe
"C:\Users\Admin\AppData\Local\Temp\5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2872
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2496
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev41D1.tmp!C:\Users\Admin\AppData\Local\Temp\5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\5D254EF975DA48C1E669DF43870F1BB34813046A737F3D0FC5C516E1AF598FBC.EXE
    3⤵
    - Executes dropped EXE
    PID:2608
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev41D1.tmp!C:\Users\Admin\AppData\Local\Temp\5D254EF975DA48C1E669DF43870F1BB34813046A737F3D0FC5C516E1AF598FBC.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5D254EF975DA48C1E669DF43870F1BB34813046A737F3D0FC5C516E1AF598FBC.EXE

Filesize
4.2MB

MD5
a4935c00df5c1bbadc8329d1b41976a6

SHA1
855784732419a0233bb9575beb862dcf9d77d45a

SHA256
1da94674dc0d0979097aa1e680642a263f6a377f694fced366490fd42612e9f3

SHA512
c0066b6004b49eb57a533d9a476559237f861e3c9e6d1b4a0dd9ff0246f7f71f6119ca2772c4a8397b5ab3d73f3afceb4477e1bfd72f75f22eea915a0abe98c7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
4.2MB

MD5
8bb45a54fd2d6733b0202a2e3f552d8c

SHA1
221941d097670405ac51a8411ce3ab617af0a53a

SHA256
34402fbb455974a3456657868f67e6c0a0507d1ed160a6d0ad76e2187319f183

SHA512
a239c3f0fa36d0eea7aea2d64694cac2ff34e2082b9c87dc73a5547ad1d2f3ca2c187226ffa144fa2ec03fc0012d357134df8df699e08fd6922a0d0eaad338d0

Download Submit
C:\Windows\dev41D1.tmp

Filesize
34KB

MD5
83883e2f33b94d2d3194058713b10cc0

SHA1
d1ace2eaf9a17fcaeba570e52872569ccc1778b8

SHA256
6b36425c11169bb38728bf5124bd8f816f9b5cd7694389de9c05da82d7e58250

SHA512
6ab03f645625fb8389b85e2194740b25f700c0256e86067571afd7bdabd555d26e7ea36b73a189a7fad0a7fe43d5e117a362974641f390da52814accbf3e7892

Download Submit
memory/2496-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2496-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2600-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2600-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2644-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2644-37-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2872-17-0x00000000001B0000-0x00000000001CB000-memory.dmp

Filesize
108KB

Download
memory/2872-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2872-8-0x00000000001B0000-0x00000000001CB000-memory.dmp

Filesize
108KB

Download
memory/2872-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2872-35-0x00000000001B0000-0x00000000001CB000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads