ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468

General

Target

ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe
Size

407KB
MD5

6ccdac07e1bf29efe54f1110d738c123
SHA1

5654136961155fad023984b3af30b2cd44a2770b
SHA256

ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468
SHA512

7a1a51d3bf083808c45cee9d63c21bf2eb622221746602af0a9ad265167996260d9035dea5c78923c18a45892ad4b75cd72e10022d43f6c64ea18d3a7cc36a52
SSDEEP

3072:uTCDYDg+vr87rnj3WCW2EW51HKKnLAmLRkgUA1nQZwFGVO4Mqg+WDo:IooZIFH5nDLRp1nQ4QLB

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 10 IoCs

resource	yara_rule
behavioral1/memory/1848-0-0x0000000000400000-0x000000000042C000-memory.dmp	UPX
behavioral1/files/0x000b000000014abe-10.dat	UPX
behavioral1/memory/1848-3-0x00000000002D0000-0x00000000002FC000-memory.dmp	UPX
behavioral1/memory/1848-13-0x0000000000400000-0x000000000042C000-memory.dmp	UPX
behavioral1/memory/2040-17-0x0000000000400000-0x000000000042C000-memory.dmp	UPX
behavioral1/files/0x00080000000155f7-26.dat	UPX
behavioral1/memory/1448-31-0x0000000000400000-0x000000000042C000-memory.dmp	UPX
behavioral1/memory/2580-29-0x0000000000400000-0x000000000042C000-memory.dmp	UPX
behavioral1/memory/2580-25-0x0000000000400000-0x000000000042C000-memory.dmp	UPX
behavioral1/memory/2040-32-0x0000000000400000-0x000000000042C000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
1448	MSWDM.EXE
2040	MSWDM.EXE
2920	CCBC737C03AB215B1F5508B70978223E25854E7D431FC7D6F8059BA33D8AE468.EXE
2580	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
1448	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe
File opened for modification	C:\Windows\dev193B.tmp	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe
File opened for modification	C:\Windows\dev193B.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1448	MSWDM.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2040	1848	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe	28
PID 1848 wrote to memory of 2040	1848	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe	28
PID 1848 wrote to memory of 2040	1848	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe	28
PID 1848 wrote to memory of 2040	1848	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe	28
PID 1848 wrote to memory of 1448	1848	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe	29
PID 1848 wrote to memory of 1448	1848	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe	29
PID 1848 wrote to memory of 1448	1848	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe	29
PID 1848 wrote to memory of 1448	1848	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe	29
PID 1448 wrote to memory of 2920	1448	MSWDM.EXE	30
PID 1448 wrote to memory of 2920	1448	MSWDM.EXE	30
PID 1448 wrote to memory of 2920	1448	MSWDM.EXE	30
PID 1448 wrote to memory of 2920	1448	MSWDM.EXE	30
PID 1448 wrote to memory of 2920	1448	MSWDM.EXE	30
PID 1448 wrote to memory of 2920	1448	MSWDM.EXE	30
PID 1448 wrote to memory of 2920	1448	MSWDM.EXE	30
PID 1448 wrote to memory of 2580	1448	MSWDM.EXE	31
PID 1448 wrote to memory of 2580	1448	MSWDM.EXE	31
PID 1448 wrote to memory of 2580	1448	MSWDM.EXE	31
PID 1448 wrote to memory of 2580	1448	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe
"C:\Users\Admin\AppData\Local\Temp\ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1848
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2040
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev193B.tmp!C:\Users\Admin\AppData\Local\Temp\ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Users\Admin\AppData\Local\Temp\CCBC737C03AB215B1F5508B70978223E25854E7D431FC7D6F8059BA33D8AE468.EXE
    3⤵
    - Executes dropped EXE
    PID:2920
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev193B.tmp!C:\Users\Admin\AppData\Local\Temp\CCBC737C03AB215B1F5508B70978223E25854E7D431FC7D6F8059BA33D8AE468.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CCBC737C03AB215B1F5508B70978223E25854E7D431FC7D6F8059BA33D8AE468.EXE

Filesize
407KB

MD5
3f2213c0485180bd915e0b3e0c172296

SHA1
752e4844791dbe16500a0ba28f0a9b36c88ffc49

SHA256
c2d55dc09c9335751a5cc46afdaf305200cd9853032182e83b3df98fbba51555

SHA512
e5cb9c8df153fc022ac74acb792e04bb1b11c24bc23263823a60e69410b03f6f171198618fa879313ff996bbb259167df4cb234d3543e948d3fe18855a37f25f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
176KB

MD5
7c3199a95a476fa78c05b9e6eaa8ec3e

SHA1
0e7232603297cd40dcd4a50df773b985f6181375

SHA256
5753e91da530a2ce7539e93763177a75e4442998608bf67d2970349d27f37627

SHA512
c4721779465582acd0652c9da9a60c12a91c400198f1a7fd23025ebeb20f0ff6956df3c2af94d0f78dd697aa0e4615304405c8da2dd2de0221c011ac957b7ca5

Download Submit
C:\Windows\dev193B.tmp

Filesize
231KB

MD5
6f581a41167d2d484fcba20e6fc3c39a

SHA1
d48de48d24101b9baaa24f674066577e38e6b75c

SHA256
3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

SHA512
e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

Download Submit
memory/1448-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1848-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1848-3-0x00000000002D0000-0x00000000002FC000-memory.dmp

Filesize
176KB

Download
memory/1848-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1848-12-0x00000000002D0000-0x00000000002FC000-memory.dmp

Filesize
176KB

Download
memory/2040-17-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2040-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2580-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2580-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads