d5f8d5fd24b023ae639fcb67ccd64e105c2955533381e25bd2f257795801a95d

General

Target

d5f8d5fd24b023ae639fcb67ccd64e105c2955533381e25bd2f257795801a95d.exe
Size

278KB
MD5

673ba724d68011f4c92874383a4c880e
SHA1

fd6bfaf8be52c7ba10fbba599ee48f5b88b852ef
SHA256

d5f8d5fd24b023ae639fcb67ccd64e105c2955533381e25bd2f257795801a95d
SHA512

eb9e607a2007281d7e05df313fa7797f54997fdc94f9102cec6038ed8b0d51673309b44b36169b7a36c3566d4399e1e792d97972f92d97c7c3d63af6414c0a27
SSDEEP

6144:wlj7cMnL+OEX7deKzC/leySe8AIqpoHbnDns1ND9Y:wlbL+b/VyV8hEoHbI3i

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

resource	yara_rule
behavioral1/memory/2340-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2332-18-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/files/0x000b000000012256-5.dat	UPX
behavioral1/memory/1296-19-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2340-12-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/1296-32-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/files/0x0011000000014318-31.dat	UPX
behavioral1/memory/2648-29-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2332-33-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
2332	MSWDM.EXE
1296	MSWDM.EXE
2552	D5F8D5FD24B023AE639FCB67CCD64E105C2955533381E25BD2F257795801A95D.EXE
2648	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
1296	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	d5f8d5fd24b023ae639fcb67ccd64e105c2955533381e25bd2f257795801a95d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	d5f8d5fd24b023ae639fcb67ccd64e105c2955533381e25bd2f257795801a95d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	d5f8d5fd24b023ae639fcb67ccd64e105c2955533381e25bd2f257795801a95d.exe
File opened for modification	C:\Windows\dev1C66.tmp	d5f8d5fd24b023ae639fcb67ccd64e105c2955533381e25bd2f257795801a95d.exe
File opened for modification	C:\Windows\dev1C66.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1296	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2332	2340	d5f8d5fd24b023ae639fcb67ccd64e105c2955533381e25bd2f257795801a95d.exe	28
PID 2340 wrote to memory of 2332	2340	d5f8d5fd24b023ae639fcb67ccd64e105c2955533381e25bd2f257795801a95d.exe	28
PID 2340 wrote to memory of 2332	2340	d5f8d5fd24b023ae639fcb67ccd64e105c2955533381e25bd2f257795801a95d.exe	28
PID 2340 wrote to memory of 2332	2340	d5f8d5fd24b023ae639fcb67ccd64e105c2955533381e25bd2f257795801a95d.exe	28
PID 2340 wrote to memory of 1296	2340	d5f8d5fd24b023ae639fcb67ccd64e105c2955533381e25bd2f257795801a95d.exe	29
PID 2340 wrote to memory of 1296	2340	d5f8d5fd24b023ae639fcb67ccd64e105c2955533381e25bd2f257795801a95d.exe	29
PID 2340 wrote to memory of 1296	2340	d5f8d5fd24b023ae639fcb67ccd64e105c2955533381e25bd2f257795801a95d.exe	29
PID 2340 wrote to memory of 1296	2340	d5f8d5fd24b023ae639fcb67ccd64e105c2955533381e25bd2f257795801a95d.exe	29
PID 1296 wrote to memory of 2552	1296	MSWDM.EXE	30
PID 1296 wrote to memory of 2552	1296	MSWDM.EXE	30
PID 1296 wrote to memory of 2552	1296	MSWDM.EXE	30
PID 1296 wrote to memory of 2552	1296	MSWDM.EXE	30
PID 1296 wrote to memory of 2648	1296	MSWDM.EXE	31
PID 1296 wrote to memory of 2648	1296	MSWDM.EXE	31
PID 1296 wrote to memory of 2648	1296	MSWDM.EXE	31
PID 1296 wrote to memory of 2648	1296	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\d5f8d5fd24b023ae639fcb67ccd64e105c2955533381e25bd2f257795801a95d.exe
"C:\Users\Admin\AppData\Local\Temp\d5f8d5fd24b023ae639fcb67ccd64e105c2955533381e25bd2f257795801a95d.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2340
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2332
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1C66.tmp!C:\Users\Admin\AppData\Local\Temp\d5f8d5fd24b023ae639fcb67ccd64e105c2955533381e25bd2f257795801a95d.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Users\Admin\AppData\Local\Temp\D5F8D5FD24B023AE639FCB67CCD64E105C2955533381E25BD2F257795801A95D.EXE
    3⤵
    - Executes dropped EXE
    PID:2552
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1C66.tmp!C:\Users\Admin\AppData\Local\Temp\D5F8D5FD24B023AE639FCB67CCD64E105C2955533381E25BD2F257795801A95D.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D5F8D5FD24B023AE639FCB67CCD64E105C2955533381E25BD2F257795801A95D.EXE

Filesize
278KB

MD5
4844587becc6845b1392b65df9303f91

SHA1
0e27e4bfac540f164ac9d44eb1bf7a0fd271c12b

SHA256
874cb3975c586190b0f5c809e3d60137875d6d95dc30b9703fa6791cbf5315db

SHA512
3054baf290023cc21f277f9d2b8527db89d89de9c8fa279174804479ffbfa44d9c0214eba08864a3461f7cf9b56466cef7b3a2dd01b3b217bcd5574eefcba1db

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
cbdca767c9edc21917e56ab846f609b3

SHA1
5de65ff67fe6cf19645e225a2a92c601f5f116d6

SHA256
6145afa2e6f036a3cd727dfcbf5afee3c785cce880e9e731a2e028d825ac12df

SHA512
dd32955a29f82fabed003ecb60d84f7fbe04a5064b76f9f0802aa1fcf0ba6f90572870ccdda515d9dac2c85baeb8f0874afe6ff3b0d77dc0b15282b911e5990b

Download Submit
C:\Windows\dev1C66.tmp

Filesize
198KB

MD5
e133c2d85cff4edd7fe8e8f0f8be6cdb

SHA1
b8269209ebb6fe44bc50dab35f97b0ae244701b4

SHA256
6c5e7d9c81a409e67c143cd3aed33bddc3967fa4c9ab3b98560b7d3bf57d093d

SHA512
701b7d1c7e154519d77043f7de09d60c1ff76c95f820fc1c9afca19724efb0847d646686053354156fd4e8a9dab1f29a79d3223f939a3ff1b3613770dc8603b1

Download Submit
memory/1296-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1296-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1296-30-0x0000000000350000-0x000000000036B000-memory.dmp

Filesize
108KB

Download
memory/2332-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2332-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2340-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2340-15-0x0000000000320000-0x000000000033B000-memory.dmp

Filesize
108KB

Download
memory/2340-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2340-7-0x0000000000320000-0x000000000033B000-memory.dmp

Filesize
108KB

Download
memory/2340-35-0x0000000000320000-0x000000000033B000-memory.dmp

Filesize
108KB

Download
memory/2648-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads