8eb9c5ae7f1f4b8c8c4ec6b94183d0b8e2795b653b6165e692fda149543e5110

General

Target

bb7720e501256543a14486cc1de7f9e1.exe
Size

279KB
MD5

bb7720e501256543a14486cc1de7f9e1
SHA1

a3f5fc9cc521659d483a18125b5c6ff53254c811
SHA256

8eb9c5ae7f1f4b8c8c4ec6b94183d0b8e2795b653b6165e692fda149543e5110
SHA512

c2d8d749d21441a95a84d7a33082cba17fb02783e2a7d70e0685d9916e8cc0e545941971869adb5be26903c14ba9a644e8efd8cec9491a8e3373ba02eb265225
SSDEEP

3072:HQC/yj5JO3MnnG+kLRkgUA1nQZwFGVO4Mqg+WD/:wlj7cMnG+kLRp1nQ4QLW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2216	MSWDM.EXE
2456	MSWDM.EXE
2624	BB7720E501256543A14486CC1DE7F9E1.EXE
2660	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
2216	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	bb7720e501256543a14486cc1de7f9e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	bb7720e501256543a14486cc1de7f9e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	bb7720e501256543a14486cc1de7f9e1.exe
File opened for modification	C:\Windows\dev1A25.tmp	bb7720e501256543a14486cc1de7f9e1.exe
File opened for modification	C:\Windows\dev1A25.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2216	MSWDM.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2456	1952	bb7720e501256543a14486cc1de7f9e1.exe	28
PID 1952 wrote to memory of 2456	1952	bb7720e501256543a14486cc1de7f9e1.exe	28
PID 1952 wrote to memory of 2456	1952	bb7720e501256543a14486cc1de7f9e1.exe	28
PID 1952 wrote to memory of 2456	1952	bb7720e501256543a14486cc1de7f9e1.exe	28
PID 1952 wrote to memory of 2216	1952	bb7720e501256543a14486cc1de7f9e1.exe	29
PID 1952 wrote to memory of 2216	1952	bb7720e501256543a14486cc1de7f9e1.exe	29
PID 1952 wrote to memory of 2216	1952	bb7720e501256543a14486cc1de7f9e1.exe	29
PID 1952 wrote to memory of 2216	1952	bb7720e501256543a14486cc1de7f9e1.exe	29
PID 2216 wrote to memory of 2624	2216	MSWDM.EXE	30
PID 2216 wrote to memory of 2624	2216	MSWDM.EXE	30
PID 2216 wrote to memory of 2624	2216	MSWDM.EXE	30
PID 2216 wrote to memory of 2624	2216	MSWDM.EXE	30
PID 2216 wrote to memory of 2624	2216	MSWDM.EXE	30
PID 2216 wrote to memory of 2624	2216	MSWDM.EXE	30
PID 2216 wrote to memory of 2624	2216	MSWDM.EXE	30
PID 2216 wrote to memory of 2660	2216	MSWDM.EXE	31
PID 2216 wrote to memory of 2660	2216	MSWDM.EXE	31
PID 2216 wrote to memory of 2660	2216	MSWDM.EXE	31
PID 2216 wrote to memory of 2660	2216	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\bb7720e501256543a14486cc1de7f9e1.exe
"C:\Users\Admin\AppData\Local\Temp\bb7720e501256543a14486cc1de7f9e1.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1952
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2456
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1A25.tmp!C:\Users\Admin\AppData\Local\Temp\bb7720e501256543a14486cc1de7f9e1.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\BB7720E501256543A14486CC1DE7F9E1.EXE
    3⤵
    - Executes dropped EXE
    PID:2624
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1A25.tmp!C:\Users\Admin\AppData\Local\Temp\BB7720E501256543A14486CC1DE7F9E1.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BB7720E501256543A14486CC1DE7F9E1.EXE

Filesize
279KB

MD5
d0258be7060602081745d92f9c1fe86d

SHA1
7da2acbc190394c84397ea44966a38490e12f04c

SHA256
d33ce2ac0471917de230846860da03718984dcbc371ba1e09ce7fdbd6396efe9

SHA512
bb11a75650a343fb60549eaf9573070fb60b7d14539cdf283e5429095b1c872ec880c7dd3705d45f83c82912baa9ae1f46bbf9aeb5e4013417de30a993614748

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
47KB

MD5
705344bf490f31433f80acda6837395a

SHA1
346129cbbebd2436e618d662676b39a520c9db52

SHA256
8c50105f61b4c4e18eac962a85d10a9a8d887620e2a5fdd7e620a123f7cf0486

SHA512
db5f9a44c470fc3dbeddba0389f48aca50eb6a07e823647dc42d33b3d6d0383fb4d2382d4a6e802c7a9948c1d8b5428fc345453ba795aa72592be06e45dc860b

Download Submit
C:\Windows\dev1A25.tmp

Filesize
231KB

MD5
6f581a41167d2d484fcba20e6fc3c39a

SHA1
d48de48d24101b9baaa24f674066577e38e6b75c

SHA256
3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

SHA512
e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

Download Submit
memory/1952-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1952-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2216-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2216-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2456-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2456-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2660-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2660-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads