c357f5ea1e8ad9030773e39628ad60a83f94c4f483f092b71bdbde067294ddd1

General

Target

c357f5ea1e8ad9030773e39628ad60a83f94c4f483f092b71bdbde067294ddd1.exe
Size

115KB
MD5

76af2d30bb30843e49e3d2649a1e5783
SHA1

4b5a9e69624c737e516e61d484e32e54d2f9a1bd
SHA256

c357f5ea1e8ad9030773e39628ad60a83f94c4f483f092b71bdbde067294ddd1
SHA512

fc08db64d970f15c3ddfd3e8042d498227ff3bda1f3161c7a60c21725fefec25c03c2afd8d798330577f0981aef6be6bf07b406993d45acbb9b571e11cad2756
SSDEEP

3072:HQC/yj5JO3MngG+Hu54Fx4xE8KoN5Cfsf:wlj7cMnp+OEX1O59

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 8 IoCs

resource	yara_rule
behavioral1/memory/2012-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/files/0x000c00000001313a-5.dat	UPX
behavioral1/memory/2012-15-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2232-13-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2580-31-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/files/0x000d000000015d4a-27.dat	UPX
behavioral1/memory/2200-34-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2232-35-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
2232	MSWDM.EXE
2200	MSWDM.EXE
2616	C357F5EA1E8AD9030773E39628AD60A83F94C4F483F092B71BDBDE067294DDD1.EXE
2580	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
2200	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	c357f5ea1e8ad9030773e39628ad60a83f94c4f483f092b71bdbde067294ddd1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	c357f5ea1e8ad9030773e39628ad60a83f94c4f483f092b71bdbde067294ddd1.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	c357f5ea1e8ad9030773e39628ad60a83f94c4f483f092b71bdbde067294ddd1.exe
File opened for modification	C:\Windows\dev2D48.tmp	c357f5ea1e8ad9030773e39628ad60a83f94c4f483f092b71bdbde067294ddd1.exe
File opened for modification	C:\Windows\dev2D48.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2200	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2232	2012	c357f5ea1e8ad9030773e39628ad60a83f94c4f483f092b71bdbde067294ddd1.exe	28
PID 2012 wrote to memory of 2232	2012	c357f5ea1e8ad9030773e39628ad60a83f94c4f483f092b71bdbde067294ddd1.exe	28
PID 2012 wrote to memory of 2232	2012	c357f5ea1e8ad9030773e39628ad60a83f94c4f483f092b71bdbde067294ddd1.exe	28
PID 2012 wrote to memory of 2232	2012	c357f5ea1e8ad9030773e39628ad60a83f94c4f483f092b71bdbde067294ddd1.exe	28
PID 2012 wrote to memory of 2200	2012	c357f5ea1e8ad9030773e39628ad60a83f94c4f483f092b71bdbde067294ddd1.exe	29
PID 2012 wrote to memory of 2200	2012	c357f5ea1e8ad9030773e39628ad60a83f94c4f483f092b71bdbde067294ddd1.exe	29
PID 2012 wrote to memory of 2200	2012	c357f5ea1e8ad9030773e39628ad60a83f94c4f483f092b71bdbde067294ddd1.exe	29
PID 2012 wrote to memory of 2200	2012	c357f5ea1e8ad9030773e39628ad60a83f94c4f483f092b71bdbde067294ddd1.exe	29
PID 2200 wrote to memory of 2616	2200	MSWDM.EXE	30
PID 2200 wrote to memory of 2616	2200	MSWDM.EXE	30
PID 2200 wrote to memory of 2616	2200	MSWDM.EXE	30
PID 2200 wrote to memory of 2616	2200	MSWDM.EXE	30
PID 2200 wrote to memory of 2580	2200	MSWDM.EXE	32
PID 2200 wrote to memory of 2580	2200	MSWDM.EXE	32
PID 2200 wrote to memory of 2580	2200	MSWDM.EXE	32
PID 2200 wrote to memory of 2580	2200	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\c357f5ea1e8ad9030773e39628ad60a83f94c4f483f092b71bdbde067294ddd1.exe
"C:\Users\Admin\AppData\Local\Temp\c357f5ea1e8ad9030773e39628ad60a83f94c4f483f092b71bdbde067294ddd1.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2012
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2232
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev2D48.tmp!C:\Users\Admin\AppData\Local\Temp\c357f5ea1e8ad9030773e39628ad60a83f94c4f483f092b71bdbde067294ddd1.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\C357F5EA1E8AD9030773E39628AD60A83F94C4F483F092B71BDBDE067294DDD1.EXE
    3⤵
    - Executes dropped EXE
    PID:2616
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev2D48.tmp!C:\Users\Admin\AppData\Local\Temp\C357F5EA1E8AD9030773E39628AD60A83F94C4F483F092B71BDBDE067294DDD1.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C357F5EA1E8AD9030773E39628AD60A83F94C4F483F092B71BDBDE067294DDD1.EXE

Filesize
115KB

MD5
fee1723e97f200d553e8f66740d07a2c

SHA1
dd15f164445dc96b75c3121a0db943d9be1bc0f2

SHA256
462b3ddac8982a7c5095bf74a1faa96d928846ba630170079a0a2e63afd0e176

SHA512
2c05d276c6ed9c409c45bcb989953908252051b9f6df4545eac468bbfba222ee2cac17450731f6f81ffab88d44ddb9e31715601e296479fa5a8a08027bfb628a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
cc41dea2a955d0659a9b337447e46bb4

SHA1
fa6fe55fd1108c9a1edd44385937579485d0cf80

SHA256
470c963ada81fa39f0dce1b0d4135407714376b4085f94470cdef951cb462ec4

SHA512
e82f4072284e008038f632c0098d9e4fc832ce36835624e321fcc011a26bdc0d503f1be415299763027cb3c4d84bc412acdb62824c1c370d698d078c6ce34721

Download Submit
C:\Windows\dev2D48.tmp

Filesize
35KB

MD5
6a7c4dc0fe5a8a33154566b5071b47c4

SHA1
265a1bcc6b6a6be7a7ad35194fb4984d7bb7ef88

SHA256
152944690bb39772fc594430205be704f7068c7a4bbcbe58074ebceab9911cf4

SHA512
8340ed45634757d05c95031541e8f655aabc7c7f4eab2caaf623c8b34bd0b2b08bb2c30f5f34faaee176b18730607308d492b1be10e098837fb6a450f344cf3e

Download Submit
memory/2012-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2012-6-0x00000000005C0000-0x00000000005DB000-memory.dmp

Filesize
108KB

Download
memory/2012-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2012-16-0x00000000005C0000-0x00000000005DB000-memory.dmp

Filesize
108KB

Download
memory/2200-25-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2200-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2232-13-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2232-35-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2580-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads