42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057

General

Target

42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe
Size

648KB
MD5

7588cbe7585b5c23e193638191baaa8c
SHA1

33e9d7317de950bb252a6d48b09601fb4e7fa790
SHA256

42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057
SHA512

866a49332b9a854d4ab829e73a7e326ee1fb9ca38a07cfd4d218a502255160834c8f1ec245aa8dcd97ca02672b504bff776e22f2f8611d2aa78354f433322cac
SSDEEP

12288:wlbo+Yaplw9U+qMi8CtdVldusIh6BBHCHrKZXCktSzIzWpX5m:Wbo+bYTqMi8CtBd2QHCHmTBW5m

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 8 IoCs

resource	yara_rule
behavioral2/memory/2112-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/2112-1-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x000b00000001ea83-4.dat	UPX
behavioral2/memory/2112-9-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x0007000000023260-15.dat	UPX
behavioral2/memory/828-19-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/820-22-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/3868-23-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
3868	MSWDM.EXE
820	MSWDM.EXE
4384	42C2785AEF7DD2915A4DBD468585CF54F9C8625FD9626F2E5624DFCC3480D057.EXE
828	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe
File opened for modification	C:\Windows\dev388F.tmp	42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe
File opened for modification	C:\Windows\dev388F.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
820	MSWDM.EXE
820	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 3868	2112	42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe	91
PID 2112 wrote to memory of 3868	2112	42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe	91
PID 2112 wrote to memory of 3868	2112	42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe	91
PID 2112 wrote to memory of 820	2112	42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe	92
PID 2112 wrote to memory of 820	2112	42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe	92
PID 2112 wrote to memory of 820	2112	42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe	92
PID 820 wrote to memory of 4384	820	MSWDM.EXE	93
PID 820 wrote to memory of 4384	820	MSWDM.EXE	93
PID 820 wrote to memory of 828	820	MSWDM.EXE	94
PID 820 wrote to memory of 828	820	MSWDM.EXE	94
PID 820 wrote to memory of 828	820	MSWDM.EXE	94

C:\Users\Admin\AppData\Local\Temp\42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe
"C:\Users\Admin\AppData\Local\Temp\42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2112
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3868
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev388F.tmp!C:\Users\Admin\AppData\Local\Temp\42c2785aef7dd2915a4dbd468585cf54f9c8625fd9626f2e5624dfcc3480d057.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\42C2785AEF7DD2915A4DBD468585CF54F9C8625FD9626F2E5624DFCC3480D057.EXE
    3⤵
    - Executes dropped EXE
    PID:4384
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev388F.tmp!C:\Users\Admin\AppData\Local\Temp\42C2785AEF7DD2915A4DBD468585CF54F9C8625FD9626F2E5624DFCC3480D057.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\42C2785AEF7DD2915A4DBD468585CF54F9C8625FD9626F2E5624DFCC3480D057.EXE

Filesize
648KB

MD5
fbc17bdceddf043dc2607d4ea40757f7

SHA1
7a5bbd803a063cc65734da3d640d791671d67da0

SHA256
821c949c90d9484d04607a1e9cadd31ffa33db0ffce6754bb1347b5b3d04f7a3

SHA512
4b6cdeb6b2f301031163e44f9c64b586405db85423f83af268ea7da4907be0eef95e908e38bd60b5a3dac81c560fa4cc55444dcff7f5cc56959002aace2002ad

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
d4f324176e864a4ba6c86ac00ec33851

SHA1
953a5de37833fae53d66912fa86d8adceb3dd74e

SHA256
3c69a2458dc6d1a1d1022efae1146c5541c661eb7e161124eabea1bf4fc8c43b

SHA512
703eec6157d0750d0684f091d14c229a640adc5266a9499a7e7d16963514198ca6ad495954495eac70b76f130a14461742e8149c4f43e7ddd43c9387b56ab399

Download Submit
C:\Windows\dev388F.tmp

Filesize
568KB

MD5
04fb3ae7f05c8bc333125972ba907398

SHA1
df22612647e9404a515d48ebad490349685250de

SHA256
2fb898bacb587f2484c9c4aa6da2729079d93d1f923a017bb84beef87bf74fef

SHA512
94c164a0b884c939ece30f5038d07b756702998d46786f9f613fbea2eb30bed4bc19a409f347bb4cc565898473b18155d580b453683223beaf30ed4079c251b2

Download Submit
memory/820-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/828-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2112-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2112-1-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2112-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3868-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads