Analysis

Max time kernel: 15s
Max time network: 124s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 07-05-2024 20:51

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: 42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe
  Resource: win10v2004-20240226-en

Every signature hit, memory dump and process listed below is tagged behavioral1, i.e. the Windows 7 x64 run. No behavioral2 (Windows 10) results are included in this extract.
General

Target: 42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe
Size: 648KB
MD5: 7588cbe7585b5c23e193638191baaa8c
SHA1: 33e9d7317de950bb252a6d48b09601fb4e7fa790
SHA256: 42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057
SHA512: 866a49332b9a854d4ab829e73a7e326ee1fb9ca38a07cfd4d218a502255160834c8f1ec245aa8dcd97ca02672b504bff776e22f2f8611d2aa78354f433322cac
SSDEEP: 12288:wlbo+Yaplw9U+qMi8CtdVldusIh6BBHCHrKZXCktSzIzWpX5m:Wbo+bYTqMi8CtBd2QHCHmTBW5m
Malware Config
Signatures
-
UPX dump on OEP (original entry point): 8 IoCs
YARA rule UPX matched these behavioral1 artifacts:
- files/0x000d0000000122d1-16.dat
- files/0x000a000000012340-33.dat
- memory/1312-0 and memory/1312-13: 0x0000000000400000-0x000000000041B000 (42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe)
- memory/2276-36: 0x0000000000400000-0x000000000041B000 (MSWDM.EXE)
- memory/1404-35: 0x0000000000400000-0x000000000041B000 (MSWDM.EXE)
- memory/2612-27 and memory/2612-32: 0x0000000000400000-0x000000000041B000 (MSWDM.EXE)
The submitted sample and all three MSWDM.EXE instances expose the same 0x1B000-byte image at the default 0x400000 base, which is consistent with the same UPX-packed executable running in all four processes. Dumps taken at the OEP are the ones to use for static analysis; the on-disk files are still packed.
-
Executes dropped EXE: 5 IoCs
- PID 1404: MSWDM.EXE
- PID 2276: MSWDM.EXE
- PID 2464: 42C2785AEF7DD2915A4DBD468585CF54F9C8625FD9626F2E5624DFCC3480D057.EXE (the upper-cased copy written to Temp during the run)
- PID 1412: Process not Found (the sandbox could not resolve this PID to an image; it does not appear in the process tree below)
- PID 2612: MSWDM.EXE
-
Loads dropped DLL: 2 IoCs
- PID 1404: MSWDM.EXE (two loads)
-
Adds Run key to start application: 2 TTPs, 4 IoCs (ATT&CK T1547.001, Registry Run Keys / Startup Folder)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" by 42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" by 42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" by MSWDM.EXE
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" by MSWDM.EXE
Three things worth noting. The value is a bare filename with no directory, so at logon it is resolved through the search path, and C:\WINDOWS (where the file is dropped) is on the default PATH. RunServices is a Windows 9x/ME key that NT-based Windows ignores, so only the Run value is live on this VM; writing both is a sign of old code. Both the original sample and the dropped MSWDM.EXE write the values, so persistence is re-asserted by the copy even if the original is removed.
-
Drops file in Windows directory: 3 IoCs
- File created C:\WINDOWS\MSWDM.EXE by 42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe
- File opened for modification C:\Windows\dev896B.tmp by 42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe
- File opened for modification C:\Windows\dev896B.tmp by MSWDM.EXE
Writing into C:\WINDOWS and into HKLM both require administrative rights; that they succeeded means the sample ran elevated in this sandbox (the profile path is C:\Users\Admin). Under a standard user account the drop and the Run values would fail and the persistence shown here would not be established.
-
Suspicious behavior: EnumeratesProcesses: 1 IoC
- PID 1404: MSWDM.EXE
-
Suspicious use of WriteProcessMemory: 16 IoCs
Four distinct source -> target pairs, each reported four times:
- PID 1312 (42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe) wrote to memory of PID 2276 (MSWDM.EXE), procid_target 28
- PID 1312 (42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe) wrote to memory of PID 1404 (MSWDM.EXE), procid_target 29
- PID 1404 (MSWDM.EXE) wrote to memory of PID 2464 (42C2785AEF7DD2915A4DBD468585CF54F9C8625FD9626F2E5624DFCC3480D057.EXE), procid_target 30
- PID 1404 (MSWDM.EXE) wrote to memory of PID 2612 (MSWDM.EXE), procid_target 31
Every pair is a parent writing into a child it has just created (compare the process tree below). That is consistent with ordinary child-process set-up, where the parent writes the new process's parameters into it, rather than injection into a foreign process; on its own this signature does not show code injection.
Processes
Behavioral1 process tree; indentation shows parent and child.

C:\Users\Admin\AppData\Local\Temp\42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe  (PID 1312)
  Command line: "C:\Users\Admin\AppData\Local\Temp\42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
    C:\WINDOWS\MSWDM.EXE  (PID 2276)
      Command line: "C:\WINDOWS\MSWDM.EXE"
      - Executes dropped EXE
      - Adds Run key to start application
    C:\WINDOWS\MSWDM.EXE  (PID 1404)
      Command line: -r!C:\Windows\dev896B.tmp!C:\Users\Admin\AppData\Local\Temp\42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe! !
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\42C2785AEF7DD2915A4DBD468585CF54F9C8625FD9626F2E5624DFCC3480D057.EXE  (PID 2464)
          Command line: not recorded in the report
          - Executes dropped EXE
        C:\WINDOWS\MSWDM.EXE  (PID 2612)
          Command line: -e!C:\Windows\dev896B.tmp!C:\Users\Admin\AppData\Local\Temp\42C2785AEF7DD2915A4DBD468585CF54F9C8625FD9626F2E5624DFCC3480D057.EXE!
          - Executes dropped EXE
          - Drops file in Windows directory

MSWDM.EXE is started three times: once with no arguments (PID 2276), once as -r!<scratch file>!<original sample path>! ! (PID 1404), and from PID 1404 once more as -e!<scratch file>!<upper-cased copy>! (PID 2612). Both switched launches share C:\Windows\dev896B.tmp as the scratch file, and the upper-cased copy is executed (PID 2464) between them. The report does not say what -r and -e do; the "!"-delimited fields (switch, scratch path, target path) are the reusable part for detection.
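The following triage helper is an added example by the editor; it is not sandbox output and not the sample's own code. It turns the persistence entries from the Signatures section and the process tree above into three checks a practitioner would want to automate over a report like this: splitting the "!"-delimited -r/-e launch grammar into fields, flagging the Run/RunServices value named WDM (including that it is a bare filename and that RunServices is an obsolete key), and testing whether each WriteProcessMemory pair targets a direct child of the writer or an unrelated process. The events are constructed from this report; the command line of PID 2464 is not recorded, so its image path stands in for it, and the meaning of the -r and -e switches is not assumed.

```python
"""Triage helper for the MSWDM.EXE report above (added example, not sandbox output).

Events below are constructed from the Signatures and Processes sections of the report.
Not in the report and therefore assumed: the command line of PID 2464 (image path used)
and the meaning of the -r/-e switches (only their fields are split, nothing is inferred).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

H = "42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = f"{TEMP}\\{H}.exe"          # submitted sample
COPY = f"{TEMP}\\{H.upper()}.EXE"    # upper-cased copy written during the run
MSWDM = r"C:\WINDOWS\MSWDM.EXE"      # dropped persistence binary
TMP = r"C:\Windows\dev896B.tmp"      # scratch file shared by the -r and -e launches
HKLM32 = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion"

# Launch grammar seen in the process tree:  -r!<tmp>!<exe>! !   and   -e!<tmp>!<exe>!
MSWDM_ARGS = re.compile(r"^-(?P<mode>[re])!(?P<tmp>[^!]+)!(?P<target>[^!]+)!")
# Autorun value written by both the sample and MSWDM.EXE, under any registry view.
WDM_AUTORUN = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunServices)\\WDM$", re.I)


@dataclass
class Process:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed from the behavioral1 process tree.
PROCS: List[Process] = [
    Process(1312, None, SAMPLE, f'"{SAMPLE}"'),
    Process(2276, 1312, MSWDM, f'"{MSWDM}"'),
    Process(1404, 1312, MSWDM, f"-r!{TMP}!{SAMPLE}! !"),
    Process(2464, 1404, COPY, COPY),   # command line not recorded; image path stands in
    Process(2612, 1404, MSWDM, f"-e!{TMP}!{COPY}!"),
]
# Constructed from "Adds Run key to start application": (pid, key, value).
REG: List[Tuple[int, str, str]] = [
    (1312, HKLM32 + r"\Run\WDM", "MSWDM.EXE"),
    (1312, HKLM32 + r"\RunServices\WDM", "MSWDM.EXE"),
    (2276, HKLM32 + r"\Run\WDM", "MSWDM.EXE"),
    (2276, HKLM32 + r"\RunServices\WDM", "MSWDM.EXE"),
]
# Constructed from "Suspicious use of WriteProcessMemory": each pair is reported four times.
WPM: List[Tuple[int, int]] = ([(1312, 2276)] * 4 + [(1312, 1404)] * 4
                              + [(1404, 2464)] * 4 + [(1404, 2612)] * 4)


def parse_mswdm_cmdline(cmdline: str) -> Optional[Dict[str, str]]:
    """Split an MSWDM.EXE -r!/-e! command line into mode, scratch file and target exe."""
    m = MSWDM_ARGS.match(cmdline.strip())
    return m.groupdict() if m else None


def autorun_findings(reg_events) -> List[Dict[str, object]]:
    """Flag Run/RunServices values named WDM. bare_name is True when the value has no
    directory, so Windows resolves it through the search path (C:\\WINDOWS is on it);
    obsolete marks RunServices, a Windows 9x-era key that NT-based Windows ignores."""
    out = []
    for pid, key, value in reg_events:
        m = WDM_AUTORUN.search(key)
        if m:
            out.append({"pid": pid, "key": m.group("key"), "value": value,
                        "bare_name": "\\" not in value,
                        "obsolete": m.group("key").lower() == "runservices"})
    return out


def classify_wpm(processes, wpm_pairs) -> Dict[Tuple[int, int], str]:
    """'child-setup' when the target is a direct child of the writer (normal process
    start-up); 'cross-process' when it is not (a real injection candidate)."""
    parent_of = {p.pid: p.ppid for p in processes}
    return {(src, dst): ("child-setup" if parent_of.get(dst) == src else "cross-process")
            for src, dst in wpm_pairs}


def triage(processes, reg_events, wpm_pairs) -> Dict[str, object]:
    """Run all three checks and return them keyed by check name."""
    launches = {}
    for p in processes:
        if p.image.upper().endswith("\\MSWDM.EXE"):
            parsed = parse_mswdm_cmdline(p.cmdline)
            if parsed:
                launches[p.pid] = parsed
    return {"autorun": autorun_findings(reg_events),
            "mswdm_launches": launches,
            "wpm": classify_wpm(processes, wpm_pairs)}


if __name__ == "__main__":
    result = triage(PROCS, REG, WPM)
    for f in result["autorun"]:
        print(f"autorun  pid={f['pid']} {f['key']}\\WDM = {f['value']} "
              f"(bare name: {f['bare_name']}, obsolete key: {f['obsolete']})")
    for pid, l in result["mswdm_launches"].items():
        print(f"launch   pid={pid} mode=-{l['mode']} tmp={l['tmp']} target={l['target']}")
    for (src, dst), kind in result["wpm"].items():
        print(f"wpm      {src} -> {dst}: {kind}")
```

Run as a script it prints the four autorun writes (all bare names, two of them on the obsolete RunServices key), the two switched MSWDM.EXE launches with their scratch file and target, and "child-setup" for all four WriteProcessMemory pairs. The last check is the one to keep in a detection pipeline: a pair that comes back "cross-process" is worth an alert, whereas parent-to-child writes at spawn time are background noise in Windows 7 reports.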
Network
Nothing listed in this extract.

MITRE ATT&CK Enterprise v15
The report maps its signatures to this matrix version; the mapping table itself is not included in this extract.
Downloads
Files written or modified during the behavioral1 run.

C:\Users\Admin\AppData\Local\Temp\42C2785AEF7DD2915A4DBD468585CF54F9C8625FD9626F2E5624DFCC3480D057.EXE
Filesize: 648KB
MD5: cda898b00bd26b75af390240feef54fa
SHA1: de69f91d5bb9821841155388043b4a6ac4cdda66
SHA256: b46a687c6cc3f8e577b924ec8b0259aa45859e169add30b1ac5f3620f7f67e58
SHA512: 0eb77de07e757092aa345a9adfc65743b9445f321dd23134688d26e40236553fd083e1bb47bf0287e7ef95db57dd03b3485d6949eb2d6719b519e5f1683bf656

(path not recorded in the report)
Filesize: 80KB
MD5: d4f324176e864a4ba6c86ac00ec33851
SHA1: 953a5de37833fae53d66912fa86d8adceb3dd74e
SHA256: 3c69a2458dc6d1a1d1022efae1146c5541c661eb7e161124eabea1bf4fc8c43b
SHA512: 703eec6157d0750d0684f091d14c229a640adc5266a9499a7e7d16963514198ca6ad495954495eac70b76f130a14461742e8149c4f43e7ddd43c9387b56ab399

\Users\Admin\AppData\Local\Temp\42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe
Filesize: 568KB
MD5: 04fb3ae7f05c8bc333125972ba907398
SHA1: df22612647e9404a515d48ebad490349685250de
SHA256: 2fb898bacb587f2484c9c4aa6da2729079d93d1f923a017bb84beef87bf74fef
SHA512: 94c164a0b884c939ece30f5038d07b756702998d46786f9f613fbea2eb30bed4bc19a409f347bb4cc565898473b18155d580b453683223beaf30ed4079c251b2

Compare these sizes with the General section: the submitted file is 648KB, but after the run the file at the sample's own path is 568KB with different hashes, the upper-cased copy in Temp is 648KB with different hashes again, and an 80KB file was written whose path the report does not record. 80KB + 568KB = 648KB, which is consistent with the submitted file being an 80KB stub prepended to a 568KB host executable that is separated at run time; the report itself does not state this, so treat it as an inference to confirm against the OEP dumps. The practical consequence is that the sample rewrites itself on disk: the hashes you submitted are not the ones you will find afterwards, so pivot on all three sets of hashes plus C:\WINDOWS\MSWDM.EXE and the WDM autorun value when hunting.