5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc

General

Target

5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe
Size

4.2MB
MD5

6d48457863ab10ba1ceb9e35348eb6dc
SHA1

3d7d6a66ca988ed07b64d0a9df17abae8df14b8b
SHA256

5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc
SHA512

528ed2d7254f6c77f1d38ca3736cd0645b65945450746800c961e473b1036a85d49f4603b57f3b465f1ffb662357d6987aa0aa102069a6aafed43d7013357b79
SSDEEP

49152:WbU+EgnAj9hg5nfVMsCWtvLBGi90Qq19YnETzehkiYgpgGo/vinpqWsMYhLRCfsQ:WbU+9nfVLb2CToUp8q7

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

resource	yara_rule
behavioral2/memory/4452-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x0008000000023209-8.dat	UPX
behavioral2/memory/4136-10-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/2696-11-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/4452-7-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x000700000002320e-16.dat	UPX
behavioral2/memory/2308-19-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/2696-21-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/4136-22-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
4136	MSWDM.EXE
2696	MSWDM.EXE
1044	5D254EF975DA48C1E669DF43870F1BB34813046A737F3D0FC5C516E1AF598FBC.EXE
2308	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev7177.tmp	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe
File opened for modification	C:\Windows\dev7177.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2696	MSWDM.EXE
2696	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 4136	4452	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe	83
PID 4452 wrote to memory of 4136	4452	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe	83
PID 4452 wrote to memory of 4136	4452	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe	83
PID 4452 wrote to memory of 2696	4452	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe	84
PID 4452 wrote to memory of 2696	4452	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe	84
PID 4452 wrote to memory of 2696	4452	5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe	84
PID 2696 wrote to memory of 1044	2696	MSWDM.EXE	86
PID 2696 wrote to memory of 1044	2696	MSWDM.EXE	86
PID 2696 wrote to memory of 2308	2696	MSWDM.EXE	88
PID 2696 wrote to memory of 2308	2696	MSWDM.EXE	88
PID 2696 wrote to memory of 2308	2696	MSWDM.EXE	88

C:\Users\Admin\AppData\Local\Temp\5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe
"C:\Users\Admin\AppData\Local\Temp\5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4452
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4136
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev7177.tmp!C:\Users\Admin\AppData\Local\Temp\5d254ef975da48c1e669df43870f1bb34813046a737f3d0fc5c516e1af598fbc.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\5D254EF975DA48C1E669DF43870F1BB34813046A737F3D0FC5C516E1AF598FBC.EXE
    3⤵
    - Executes dropped EXE
    PID:1044
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev7177.tmp!C:\Users\Admin\AppData\Local\Temp\5D254EF975DA48C1E669DF43870F1BB34813046A737F3D0FC5C516E1AF598FBC.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5D254EF975DA48C1E669DF43870F1BB34813046A737F3D0FC5C516E1AF598FBC.EXE

Filesize
4.2MB

MD5
0523e20a101b56ab648712d080ec599e

SHA1
14895941b418a937c3f46b4d5e3ca88138bd6311

SHA256
634a4412893c692c9d866a484866e44d9f1b8a3b95343f2214b76b87c2bbc17a

SHA512
f377e504907a0c585a714557fb1dc5a54e1a62c0563fb254b6b71edf0ea7e5333dd8fa23283f7600970226f45478fa1bdcfb902925d5a6ac06141bd68c0d0486

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
4.2MB

MD5
8bb45a54fd2d6733b0202a2e3f552d8c

SHA1
221941d097670405ac51a8411ce3ab617af0a53a

SHA256
34402fbb455974a3456657868f67e6c0a0507d1ed160a6d0ad76e2187319f183

SHA512
a239c3f0fa36d0eea7aea2d64694cac2ff34e2082b9c87dc73a5547ad1d2f3ca2c187226ffa144fa2ec03fc0012d357134df8df699e08fd6922a0d0eaad338d0

Download Submit
C:\Windows\dev7177.tmp

Filesize
34KB

MD5
83883e2f33b94d2d3194058713b10cc0

SHA1
d1ace2eaf9a17fcaeba570e52872569ccc1778b8

SHA256
6b36425c11169bb38728bf5124bd8f816f9b5cd7694389de9c05da82d7e58250

SHA512
6ab03f645625fb8389b85e2194740b25f700c0256e86067571afd7bdabd555d26e7ea36b73a189a7fad0a7fe43d5e117a362974641f390da52814accbf3e7892

Download Submit
memory/2308-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2696-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2696-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4136-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4136-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4452-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4452-7-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads