eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b

General

Target

eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe
Size

311KB
MD5

977e0bcc5005532e772979593262f9f4
SHA1

50e847ca2fdad9d4b4cd3c3148989aade8b3acbb
SHA256

eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b
SHA512

2806fb66f6f55d510f672f70d1f5a2680c1faa70f4421816a9df526ba3c13803fa8be6ce4f5e24fc0892c3f643a8d753bf6e14ae8e29158ef46957e596d58038
SSDEEP

3072:HQC/yj5JO3MnSG+Hu54Fx4xE8pLRkgUA1nQZwFGVO4Mqg+WDF:wlj7cMnL+OEXOLRp1nQ4QLs

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 10 IoCs

resource	yara_rule
behavioral2/memory/3900-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x000c000000023b41-3.dat	UPX
behavioral2/memory/4832-12-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/3900-9-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/1196-10-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/2772-19-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x000b000000023b98-17.dat	UPX
behavioral2/memory/2772-22-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/4832-25-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/1196-26-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
1196	MSWDM.EXE
4832	MSWDM.EXE
3232	EDA3D6D653A096CC57DC4F3D5A9550F66991C5084967980E26DE9E3EF867E24B.EXE
2772	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev3A79.tmp	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe
File opened for modification	C:\Windows\dev3A79.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4832	MSWDM.EXE
4832	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 1196	3900	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe	84
PID 3900 wrote to memory of 1196	3900	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe	84
PID 3900 wrote to memory of 1196	3900	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe	84
PID 3900 wrote to memory of 4832	3900	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe	85
PID 3900 wrote to memory of 4832	3900	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe	85
PID 3900 wrote to memory of 4832	3900	eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe	85
PID 4832 wrote to memory of 3232	4832	MSWDM.EXE	86
PID 4832 wrote to memory of 3232	4832	MSWDM.EXE	86
PID 4832 wrote to memory of 3232	4832	MSWDM.EXE	86
PID 4832 wrote to memory of 2772	4832	MSWDM.EXE	90
PID 4832 wrote to memory of 2772	4832	MSWDM.EXE	90
PID 4832 wrote to memory of 2772	4832	MSWDM.EXE	90

C:\Users\Admin\AppData\Local\Temp\eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe
"C:\Users\Admin\AppData\Local\Temp\eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3900
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1196
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev3A79.tmp!C:\Users\Admin\AppData\Local\Temp\eda3d6d653a096cc57dc4f3d5a9550f66991c5084967980e26de9e3ef867e24b.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Users\Admin\AppData\Local\Temp\EDA3D6D653A096CC57DC4F3D5A9550F66991C5084967980E26DE9E3EF867E24B.EXE
    3⤵
    - Executes dropped EXE
    PID:3232
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev3A79.tmp!C:\Users\Admin\AppData\Local\Temp\EDA3D6D653A096CC57DC4F3D5A9550F66991C5084967980E26DE9E3EF867E24B.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EDA3D6D653A096CC57DC4F3D5A9550F66991C5084967980E26DE9E3EF867E24B.EXE

Filesize
311KB

MD5
42b68823afb587887fb26d13952b7aef

SHA1
900d4babc2faa02ee113c2db983fb7fdf800d04f

SHA256
dc3657e81d01071fca637b94de9bdc9f9ee75151d0a46770a3ff33a7d8865f5a

SHA512
0cf09a89e4b9cb57f2da355fdfb90c5432dcb004d95cfc7fb957e9d743a9d1ef7049664d7d446dddbddd2b79bd5bcfde8840ca48547201f96d7d2326ba0284d7

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
c0a13d8c5d6be0da0ba14bd33b85796c

SHA1
e7e587443835ee91ad94bb0dfdd455154f5f4601

SHA256
c0b7ba4c7b2f95c9ba4f9456dc998c95a65985bd0e4a81db6ae67fc68cfad932

SHA512
f76f6af92aedc1092e437438df9fe44af60908c56e52cc3ae7148252fbc7d846171f725e2f8427de450237db22ce0a8519f75888ed74db1c9646188ace499524

Download Submit
C:\Windows\dev3A79.tmp

Filesize
231KB

MD5
6f581a41167d2d484fcba20e6fc3c39a

SHA1
d48de48d24101b9baaa24f674066577e38e6b75c

SHA256
3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

SHA512
e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

Download Submit
memory/1196-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1196-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2772-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2772-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3900-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3900-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4832-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4832-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads