ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468

General

Target

ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe
Size

407KB
MD5

6ccdac07e1bf29efe54f1110d738c123
SHA1

5654136961155fad023984b3af30b2cd44a2770b
SHA256

ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468
SHA512

7a1a51d3bf083808c45cee9d63c21bf2eb622221746602af0a9ad265167996260d9035dea5c78923c18a45892ad4b75cd72e10022d43f6c64ea18d3a7cc36a52
SSDEEP

3072:uTCDYDg+vr87rnj3WCW2EW51HKKnLAmLRkgUA1nQZwFGVO4Mqg+WDo:IooZIFH5nDLRp1nQ4QLB

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 10 IoCs

resource	yara_rule
behavioral2/memory/3596-1-0x0000000000400000-0x000000000042C000-memory.dmp	UPX
behavioral2/files/0x0006000000023308-5.dat	UPX
behavioral2/memory/3732-10-0x0000000000400000-0x000000000042C000-memory.dmp	UPX
behavioral2/memory/1016-9-0x0000000000400000-0x000000000042C000-memory.dmp	UPX
behavioral2/memory/3596-6-0x0000000000400000-0x000000000042C000-memory.dmp	UPX
behavioral2/files/0x000700000002348e-19.dat	UPX
behavioral2/memory/892-20-0x0000000000400000-0x000000000042C000-memory.dmp	UPX
behavioral2/memory/3732-22-0x0000000000400000-0x000000000042C000-memory.dmp	UPX
behavioral2/memory/892-18-0x0000000000400000-0x000000000042C000-memory.dmp	UPX
behavioral2/memory/1016-26-0x0000000000400000-0x000000000042C000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
3732	MSWDM.EXE
1016	MSWDM.EXE
4960	CCBC737C03AB215B1F5508B70978223E25854E7D431FC7D6F8059BA33D8AE468.EXE
892	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe
File opened for modification	C:\Windows\dev54A8.tmp	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe
File opened for modification	C:\Windows\dev54A8.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3732	MSWDM.EXE
3732	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 1016	3596	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe	83
PID 3596 wrote to memory of 1016	3596	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe	83
PID 3596 wrote to memory of 1016	3596	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe	83
PID 3596 wrote to memory of 3732	3596	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe	84
PID 3596 wrote to memory of 3732	3596	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe	84
PID 3596 wrote to memory of 3732	3596	ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe	84
PID 3732 wrote to memory of 4960	3732	MSWDM.EXE	85
PID 3732 wrote to memory of 4960	3732	MSWDM.EXE	85
PID 3732 wrote to memory of 4960	3732	MSWDM.EXE	85
PID 3732 wrote to memory of 892	3732	MSWDM.EXE	86
PID 3732 wrote to memory of 892	3732	MSWDM.EXE	86
PID 3732 wrote to memory of 892	3732	MSWDM.EXE	86

C:\Users\Admin\AppData\Local\Temp\ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe
"C:\Users\Admin\AppData\Local\Temp\ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3596
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1016
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev54A8.tmp!C:\Users\Admin\AppData\Local\Temp\ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Users\Admin\AppData\Local\Temp\CCBC737C03AB215B1F5508B70978223E25854E7D431FC7D6F8059BA33D8AE468.EXE
    3⤵
    - Executes dropped EXE
    PID:4960
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev54A8.tmp!C:\Users\Admin\AppData\Local\Temp\CCBC737C03AB215B1F5508B70978223E25854E7D431FC7D6F8059BA33D8AE468.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ccbc737c03ab215b1f5508b70978223e25854e7d431fc7d6f8059ba33d8ae468.exe

Filesize
407KB

MD5
2cdba579f346840813942cbdf4f8568c

SHA1
b06fb218b8e7fa569bf32ebb590118ebda0bf2e1

SHA256
cf3ade631edbdef56cf1ae794b1592da0df6a7c17a4ae77baf09d9d8343794e7

SHA512
851df8c69d0ec397fd2e23aa21e1e23328a21e9d98abcf7ed90f00f2eaab7d531a19b232c9c51a124244fe2e9817a66e2c265410641a734be72419950ec080e6

Download Submit
C:\Windows\MSWDM.EXE

Filesize
176KB

MD5
7c3199a95a476fa78c05b9e6eaa8ec3e

SHA1
0e7232603297cd40dcd4a50df773b985f6181375

SHA256
5753e91da530a2ce7539e93763177a75e4442998608bf67d2970349d27f37627

SHA512
c4721779465582acd0652c9da9a60c12a91c400198f1a7fd23025ebeb20f0ff6956df3c2af94d0f78dd697aa0e4615304405c8da2dd2de0221c011ac957b7ca5

Download Submit
C:\Windows\dev54A8.tmp

Filesize
231KB

MD5
6f581a41167d2d484fcba20e6fc3c39a

SHA1
d48de48d24101b9baaa24f674066577e38e6b75c

SHA256
3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

SHA512
e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

Download Submit
memory/892-20-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/892-18-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1016-9-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1016-23-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/1016-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3596-1-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3596-6-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3732-10-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3732-22-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads