d64e6d00675f2b672ed6a6296f1754f155325620149f47bf90f6abc07e4e09cc

General

Target

d64e6d00675f2b672ed6a6296f1754f155325620149f47bf90f6abc07e4e09cc.exe
Size

95KB
MD5

7de0e55e080109e43e832b11cb0f2f35
SHA1

b4e238de5ea1494efc939e726787825de8b7b966
SHA256

d64e6d00675f2b672ed6a6296f1754f155325620149f47bf90f6abc07e4e09cc
SHA512

4cdd2e1f93f3d5711f0623d4f48320708d9f2b99bbcc1f069f7ea602e6d3e114e4dbf1ca3b97a1191eba7bb12c4b5a80065274c10b9b50832e147f799dccf472
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FCG+sdguxnSngBNpT/mzNnxPAxEAz0+/8omCH:HQC/yj5JO3MnCG+Hu54Fx4xE8EomCP1x

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral2/memory/4632-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/4632-9-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x000c000000023b59-7.dat	UPX
behavioral2/memory/5092-11-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/1512-10-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/1512-15-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

pid	Process
1512	MSWDM.EXE
5092	MSWDM.EXE
4004	D64E6D00675F2B672ED6A6296F1754F155325620149F47BF90F6ABC07E4E09CC.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	d64e6d00675f2b672ed6a6296f1754f155325620149f47bf90f6abc07e4e09cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	d64e6d00675f2b672ed6a6296f1754f155325620149f47bf90f6abc07e4e09cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	d64e6d00675f2b672ed6a6296f1754f155325620149f47bf90f6abc07e4e09cc.exe
File opened for modification	C:\Windows\dev4A76.tmp	d64e6d00675f2b672ed6a6296f1754f155325620149f47bf90f6abc07e4e09cc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5092	MSWDM.EXE
5092	MSWDM.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 1512	4632	d64e6d00675f2b672ed6a6296f1754f155325620149f47bf90f6abc07e4e09cc.exe	85
PID 4632 wrote to memory of 1512	4632	d64e6d00675f2b672ed6a6296f1754f155325620149f47bf90f6abc07e4e09cc.exe	85
PID 4632 wrote to memory of 1512	4632	d64e6d00675f2b672ed6a6296f1754f155325620149f47bf90f6abc07e4e09cc.exe	85
PID 4632 wrote to memory of 5092	4632	d64e6d00675f2b672ed6a6296f1754f155325620149f47bf90f6abc07e4e09cc.exe	86
PID 4632 wrote to memory of 5092	4632	d64e6d00675f2b672ed6a6296f1754f155325620149f47bf90f6abc07e4e09cc.exe	86
PID 4632 wrote to memory of 5092	4632	d64e6d00675f2b672ed6a6296f1754f155325620149f47bf90f6abc07e4e09cc.exe	86
PID 5092 wrote to memory of 4004	5092	MSWDM.EXE	87
PID 5092 wrote to memory of 4004	5092	MSWDM.EXE	87
PID 5092 wrote to memory of 4004	5092	MSWDM.EXE	87

C:\Users\Admin\AppData\Local\Temp\d64e6d00675f2b672ed6a6296f1754f155325620149f47bf90f6abc07e4e09cc.exe
"C:\Users\Admin\AppData\Local\Temp\d64e6d00675f2b672ed6a6296f1754f155325620149f47bf90f6abc07e4e09cc.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4632
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1512
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev4A76.tmp!C:\Users\Admin\AppData\Local\Temp\d64e6d00675f2b672ed6a6296f1754f155325620149f47bf90f6abc07e4e09cc.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\D64E6D00675F2B672ED6A6296F1754F155325620149F47BF90F6ABC07E4E09CC.EXE
    3⤵
    - Executes dropped EXE
    PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\MSWDM.EXE

Filesize
80KB

MD5
5b2a8c1fc71bff8146d3a25249562b02

SHA1
1f7a15cc0e430a3c8c7691709b3ef5bb03178447

SHA256
6bb8e73f400fa65389c630483e946ab802a00412937143093de285222dc10141

SHA512
8ff3c02a36495d7e6a3e9bb115e56392fd489fff4155b9106c7b0da1184d4d84a5f6bef821b845ba2200a7748d773ae1a2c731f6f37b04a27ede967caba0b2f8

Download Submit
C:\Windows\dev4A76.tmp

Filesize
15KB

MD5
b0cec9f342bf95700b602ee376446577

SHA1
b955b1b64280bb0ea873538029cf5ea44081501b

SHA256
24a2472e3bd5016cb22ce14cefee112d5bc18354bf099e8e66ad9846aea15088

SHA512
05ebecfc8d3e2e7885d3cacc65bfd97db710c2cbc0fb76b19b7d6cc82b327b25df953a20affc8d84002167dd8ac7710622279d3579c6605e742a98fe7095aa4e

Download Submit
memory/1512-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1512-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4632-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4632-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5092-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads