eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b

General

Target

eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe
Size

311KB
MD5

977e0bcc5005532e772979593262f9f4
SHA1

50e847ca2fdad9d4b4cd3c3148989aade8b3acbb
SHA256

eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b
SHA512

2806fb66f6f55d510f672f70d1f5a2680c1faa70f4421816a9df526ba3c13803fa8be6ce4f5e24fc0892c3f643a8d753bf6e14ae8e29158ef46957e596d58038
SSDEEP

3072:HQC/yj5JO3MnSG+Hu54Fx4xE8pLRkgUA1nQZwFGVO4Mqg+WDF:wlj7cMnL+OEXOLRp1nQ4QLs

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

resource	yara_rule
behavioral1/memory/2936-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/files/0x000c00000001450b-5.dat	UPX
behavioral1/memory/2936-12-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/1680-15-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/1732-32-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/files/0x0010000000014b12-30.dat	UPX
behavioral1/memory/2672-29-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2672-24-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/1680-33-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
1680	MSWDM.EXE
1732	MSWDM.EXE
3044	EDA3D6D653A096CC57DC4F3D5A9550F66991C5084967980E26DE9E3EF867E24B.EXE
2672	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
1732	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe
File opened for modification	C:\Windows\dev13BF.tmp	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe
File opened for modification	C:\Windows\dev13BF.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1732	MSWDM.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 1680	2936	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe	28
PID 2936 wrote to memory of 1680	2936	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe	28
PID 2936 wrote to memory of 1680	2936	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe	28
PID 2936 wrote to memory of 1680	2936	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe	28
PID 2936 wrote to memory of 1732	2936	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe	29
PID 2936 wrote to memory of 1732	2936	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe	29
PID 2936 wrote to memory of 1732	2936	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe	29
PID 2936 wrote to memory of 1732	2936	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe	29
PID 1732 wrote to memory of 3044	1732	MSWDM.EXE	30
PID 1732 wrote to memory of 3044	1732	MSWDM.EXE	30
PID 1732 wrote to memory of 3044	1732	MSWDM.EXE	30
PID 1732 wrote to memory of 3044	1732	MSWDM.EXE	30
PID 1732 wrote to memory of 3044	1732	MSWDM.EXE	30
PID 1732 wrote to memory of 3044	1732	MSWDM.EXE	30
PID 1732 wrote to memory of 3044	1732	MSWDM.EXE	30
PID 1732 wrote to memory of 2672	1732	MSWDM.EXE	31
PID 1732 wrote to memory of 2672	1732	MSWDM.EXE	31
PID 1732 wrote to memory of 2672	1732	MSWDM.EXE	31
PID 1732 wrote to memory of 2672	1732	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe
"C:\Users\Admin\AppData\Local\Temp\eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2936
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1680
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev13BF.tmp!C:\Users\Admin\AppData\Local\Temp\eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\EDA3D6D653A096CC57DC4F3D5A9550F66991C5084967980E26DE9E3EF867E24B.EXE
    3⤵
    - Executes dropped EXE
    PID:3044
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev13BF.tmp!C:\Users\Admin\AppData\Local\Temp\EDA3D6D653A096CC57DC4F3D5A9550F66991C5084967980E26DE9E3EF867E24B.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EDA3D6D653A096CC57DC4F3D5A9550F66991C5084967980E26DE9E3EF867E24B.EXE

Filesize
311KB

MD5
82b4bcf5dff9ad9ec63d24cfeff17de0

SHA1
a1901b8aae1ac260583a1d22250b75521d5d838d

SHA256
ae42814f7e3395b777f36c61ebaeddb556a191dbfba16c5481b34fd317107743

SHA512
def55d81d85c548a3b2ce7c2b13cb2f4f95ab54ccb58cab9134f8051c23716af1863d3908702f74358f62e1e0721ca1cf6fed846ff4c03ba54e631d7e7b35421

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
c0a13d8c5d6be0da0ba14bd33b85796c

SHA1
e7e587443835ee91ad94bb0dfdd455154f5f4601

SHA256
c0b7ba4c7b2f95c9ba4f9456dc998c95a65985bd0e4a81db6ae67fc68cfad932

SHA512
f76f6af92aedc1092e437438df9fe44af60908c56e52cc3ae7148252fbc7d846171f725e2f8427de450237db22ce0a8519f75888ed74db1c9646188ace499524

Download Submit
C:\Windows\dev13BF.tmp

Filesize
231KB

MD5
6f581a41167d2d484fcba20e6fc3c39a

SHA1
d48de48d24101b9baaa24f674066577e38e6b75c

SHA256
3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

SHA512
e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

Download Submit
memory/1680-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1680-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1732-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2672-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2672-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2936-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2936-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads