9fd256c02758625118fc01855f9ae24feedc816515ceb029f1ba1691299efe36

General

Target

9fd256c02758625118fc01855f9ae24feedc816515ceb029f1ba1691299efe36.exe
Size

115KB
MD5

f229fa274ae6c19a8b50908f2032810d
SHA1

a36a3b3f398eee4ae9db73d7c4151cd97a051d01
SHA256

9fd256c02758625118fc01855f9ae24feedc816515ceb029f1ba1691299efe36
SHA512

893cb6bec75c44f0da174aba5e09e8abf3259a50b922e3e4095798a0e4ee90b491f80dfce1bf84587ee6d351894727aaec0f2cbc7109635e90080bea06f566af
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FIG+sdguxnSngBNpD0Ao/VZl8WCfsED:HQC/yj5JO3MnIG+Hu5foN5Cfse

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 7 IoCs

resource	yara_rule
behavioral2/memory/4860-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/4860-8-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x000c000000023b5e-7.dat	UPX
behavioral2/files/0x000b000000023bba-17.dat	UPX
behavioral2/memory/4532-18-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/916-22-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/1020-23-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
1020	MSWDM.EXE
916	MSWDM.EXE
836	9FD256C02758625118FC01855F9AE24FEEDC816515CEB029F1BA1691299EFE36.EXE
4532	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	9fd256c02758625118fc01855f9ae24feedc816515ceb029f1ba1691299efe36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	9fd256c02758625118fc01855f9ae24feedc816515ceb029f1ba1691299efe36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	9fd256c02758625118fc01855f9ae24feedc816515ceb029f1ba1691299efe36.exe
File opened for modification	C:\Windows\dev467F.tmp	9fd256c02758625118fc01855f9ae24feedc816515ceb029f1ba1691299efe36.exe
File opened for modification	C:\Windows\dev467F.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
916	MSWDM.EXE
916	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 1020	4860	9fd256c02758625118fc01855f9ae24feedc816515ceb029f1ba1691299efe36.exe	83
PID 4860 wrote to memory of 1020	4860	9fd256c02758625118fc01855f9ae24feedc816515ceb029f1ba1691299efe36.exe	83
PID 4860 wrote to memory of 1020	4860	9fd256c02758625118fc01855f9ae24feedc816515ceb029f1ba1691299efe36.exe	83
PID 4860 wrote to memory of 916	4860	9fd256c02758625118fc01855f9ae24feedc816515ceb029f1ba1691299efe36.exe	84
PID 4860 wrote to memory of 916	4860	9fd256c02758625118fc01855f9ae24feedc816515ceb029f1ba1691299efe36.exe	84
PID 4860 wrote to memory of 916	4860	9fd256c02758625118fc01855f9ae24feedc816515ceb029f1ba1691299efe36.exe	84
PID 916 wrote to memory of 836	916	MSWDM.EXE	85
PID 916 wrote to memory of 836	916	MSWDM.EXE	85
PID 916 wrote to memory of 836	916	MSWDM.EXE	85
PID 916 wrote to memory of 4532	916	MSWDM.EXE	87
PID 916 wrote to memory of 4532	916	MSWDM.EXE	87
PID 916 wrote to memory of 4532	916	MSWDM.EXE	87

C:\Users\Admin\AppData\Local\Temp\9fd256c02758625118fc01855f9ae24feedc816515ceb029f1ba1691299efe36.exe
"C:\Users\Admin\AppData\Local\Temp\9fd256c02758625118fc01855f9ae24feedc816515ceb029f1ba1691299efe36.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4860
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1020
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev467F.tmp!C:\Users\Admin\AppData\Local\Temp\9fd256c02758625118fc01855f9ae24feedc816515ceb029f1ba1691299efe36.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\9FD256C02758625118FC01855F9AE24FEEDC816515CEB029F1BA1691299EFE36.EXE
    3⤵
    - Executes dropped EXE
    PID:836
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev467F.tmp!C:\Users\Admin\AppData\Local\Temp\9FD256C02758625118FC01855F9AE24FEEDC816515CEB029F1BA1691299EFE36.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9fd256c02758625118fc01855f9ae24feedc816515ceb029f1ba1691299efe36.exe

Filesize
115KB

MD5
45c687c341f60751ad8f44682bdba86d

SHA1
6c09dd3c9bb2f7c3db4c77a6d521571bfcaf1d5f

SHA256
6501acdf404a12e9c205c87e120eb89ffea19a01975bc19747e8261750063857

SHA512
31a0840064ada6c41771991be4203321e02ef32542b440556e0e52895ac4148716b1f10c7d48f456eac0c32b0e41f2620d32f3f8e58a02f224e8bbcfacaa1e4d

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
80KB

MD5
5fa751a0b7b0e1eb292f02437eeeacad

SHA1
75c889bb503c5becc93c147e7bf80b8e6e875a55

SHA256
34b3811aa0fc40930508f2c9e27ab480642e043c06bd9307b899c3dda33e8061

SHA512
0c0ffa3a84eaf60d173b7c913512504f6c1e93384f20a7993f283c8c4fe91e6a35f0da4ae73614f3e505de8003759d5e4db33c26a0be854f5c9f07596671479c

Download Submit
C:\Windows\dev467F.tmp

Filesize
35KB

MD5
6a7c4dc0fe5a8a33154566b5071b47c4

SHA1
265a1bcc6b6a6be7a7ad35194fb4984d7bb7ef88

SHA256
152944690bb39772fc594430205be704f7068c7a4bbcbe58074ebceab9911cf4

SHA512
8340ed45634757d05c95031541e8f655aabc7c7f4eab2caaf623c8b34bd0b2b08bb2c30f5f34faaee176b18730607308d492b1be10e098837fb6a450f344cf3e

Download Submit
memory/916-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1020-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4532-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4860-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4860-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads