ca29990dae8030ee58db58e0a46eca56b02f8e5abdd96755c78c3d5ef5e712a4

General

Target

ca29990dae8030ee58db58e0a46eca56b02f8e5abdd96755c78c3d5ef5e712a4.exe
Size

82KB
MD5

40bc7e9445bed84d8287dbdde3b0c086
SHA1

3523bdb476785bf5a892bc96955ac6037b8bc7a9
SHA256

ca29990dae8030ee58db58e0a46eca56b02f8e5abdd96755c78c3d5ef5e712a4
SHA512

5d9a87aa85cca65d3f6906c02eab3237cf60699b8329653ac66e9dd3ddf09118c5b67c5c9f3dd30c769b5b92078de7781ebbf8286bfcfa44e1479b95183c9282
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FaG+so07QBsPZEWRfXAE4f:HQC/yj5JO3MnaG+ebPRfw3f

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

resource	yara_rule
behavioral2/memory/4108-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x0003000000022898-3.dat	UPX
behavioral2/memory/4108-8-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/4576-10-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/3332-11-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x00070000000231e1-18.dat	UPX
behavioral2/memory/2296-19-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/3332-21-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/4576-22-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
4576	MSWDM.EXE
3332	MSWDM.EXE
2312	CA29990DAE8030EE58DB58E0A46ECA56B02F8E5ABDD96755C78C3D5EF5E712A4.EXE
2296	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	ca29990dae8030ee58db58e0a46eca56b02f8e5abdd96755c78c3d5ef5e712a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	ca29990dae8030ee58db58e0a46eca56b02f8e5abdd96755c78c3d5ef5e712a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	ca29990dae8030ee58db58e0a46eca56b02f8e5abdd96755c78c3d5ef5e712a4.exe
File opened for modification	C:\Windows\devE9B4.tmp	ca29990dae8030ee58db58e0a46eca56b02f8e5abdd96755c78c3d5ef5e712a4.exe
File opened for modification	C:\Windows\devE9B4.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3332	MSWDM.EXE
3332	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 4576	4108	ca29990dae8030ee58db58e0a46eca56b02f8e5abdd96755c78c3d5ef5e712a4.exe	89
PID 4108 wrote to memory of 4576	4108	ca29990dae8030ee58db58e0a46eca56b02f8e5abdd96755c78c3d5ef5e712a4.exe	89
PID 4108 wrote to memory of 4576	4108	ca29990dae8030ee58db58e0a46eca56b02f8e5abdd96755c78c3d5ef5e712a4.exe	89
PID 4108 wrote to memory of 3332	4108	ca29990dae8030ee58db58e0a46eca56b02f8e5abdd96755c78c3d5ef5e712a4.exe	90
PID 4108 wrote to memory of 3332	4108	ca29990dae8030ee58db58e0a46eca56b02f8e5abdd96755c78c3d5ef5e712a4.exe	90
PID 4108 wrote to memory of 3332	4108	ca29990dae8030ee58db58e0a46eca56b02f8e5abdd96755c78c3d5ef5e712a4.exe	90
PID 3332 wrote to memory of 2312	3332	MSWDM.EXE	91
PID 3332 wrote to memory of 2312	3332	MSWDM.EXE	91
PID 3332 wrote to memory of 2312	3332	MSWDM.EXE	91
PID 3332 wrote to memory of 2296	3332	MSWDM.EXE	93
PID 3332 wrote to memory of 2296	3332	MSWDM.EXE	93
PID 3332 wrote to memory of 2296	3332	MSWDM.EXE	93

C:\Users\Admin\AppData\Local\Temp\ca29990dae8030ee58db58e0a46eca56b02f8e5abdd96755c78c3d5ef5e712a4.exe
"C:\Users\Admin\AppData\Local\Temp\ca29990dae8030ee58db58e0a46eca56b02f8e5abdd96755c78c3d5ef5e712a4.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4108
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4576
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devE9B4.tmp!C:\Users\Admin\AppData\Local\Temp\ca29990dae8030ee58db58e0a46eca56b02f8e5abdd96755c78c3d5ef5e712a4.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Users\Admin\AppData\Local\Temp\CA29990DAE8030EE58DB58E0A46ECA56B02F8E5ABDD96755C78C3D5EF5E712A4.EXE
    3⤵
    - Executes dropped EXE
    PID:2312
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devE9B4.tmp!C:\Users\Admin\AppData\Local\Temp\CA29990DAE8030EE58DB58E0A46ECA56B02F8E5ABDD96755C78C3D5EF5E712A4.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ca29990dae8030ee58db58e0a46eca56b02f8e5abdd96755c78c3d5ef5e712a4.exe

Filesize
82KB

MD5
5fb412810bd351d0baea9bea5d57b474

SHA1
e42fcfdeae5207b07a7e3beb4bce71a51af1c600

SHA256
4e63fedb11bb11a6a9c47b347d8b0fd7fe2f1490114e6345062df1d4db6a1173

SHA512
d476b964411f8fcd2431b6c0644fb9692ab584af2e817f0bd233c3052dad3c6c74d2f8920ae10783b1a8abdca31c9dac89a545e644ea3740c2feac39532347e0

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
0b68b857a7e40217c3dc0fbccd74c48c

SHA1
8eca09de54246a76db602e9bb2e7447ed8861bae

SHA256
8891f8c76109255aff00be5f3ee7fe70a781371158d83f25ebf15d1a0fa7a22c

SHA512
eed10fb03056f0760046505b06e378b697821ab37179e751168f1e2c9a92d0f0b318a8189618f9929a8f5b65c4f986dd3fcac5514ce398ee371ade5c8143f9dd

Download Submit
C:\Windows\devE9B4.tmp

Filesize
35KB

MD5
2c66df25d30b2ea67ab2fd18f3058fd8

SHA1
ae92d355903d25afb6113c3bae6a40305e5857f9

SHA256
4f7262d45f0b95840d41511d3658281080a3a66e2d59541b5e52acf887b9b6bb

SHA512
5275be29af642a6220fc9930c3daccb0e74c8989d4d2ac573fae8465d96e501532d19130786d673f75f171ab7a2b55984673d5ccba37972ff5c3c9e3dfadac79

Download Submit
memory/2296-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3332-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3332-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4108-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4108-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4576-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4576-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads