893820ac81d24d2e92ed827b60f9e9088b1f27bfe9043ff6020e2aa8f6866775

General

Target

893820ac81d24d2e92ed827b60f9e9088b1f27bfe9043ff6020e2aa8f6866775.exe
Size

73KB
MD5

2b04b5e2f847c4911c60d9c411fbe725
SHA1

48b461cc5e5bd54c48724274c008dbaf1675326b
SHA256

893820ac81d24d2e92ed827b60f9e9088b1f27bfe9043ff6020e2aa8f6866775
SHA512

f1fd4278be6d4432f1d6f4e4c9843a927a46750e5205c71ded35fcfd47cc396ecd1960eff27f6a80da3751af6fa783fe5f93be8247639a34aaa55181c996b730
SSDEEP

1536:rxG0+a0V7JCaTYnSGMkc/bOBJlZsuHc+fBEc:rlIV7JCaMnSrfbOBDau8+fBh

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

resource	yara_rule
behavioral2/memory/332-0-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral2/files/0x000a000000023423-3.dat	UPX
behavioral2/memory/4064-10-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral2/memory/332-12-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral2/memory/692-11-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral2/files/0x0007000000023429-19.dat	UPX
behavioral2/memory/4356-21-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral2/memory/692-23-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral2/memory/4064-24-0x0000000000400000-0x0000000000418000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
4064	MSWDM.EXE
692	MSWDM.EXE
4556	893820AC81D24D2E92ED827B60F9E9088B1F27BFE9043FF6020E2AA8F6866775.EXE
4356	MSWDM.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/332-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/files/0x000a000000023423-3.dat	upx
behavioral2/memory/4064-10-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/332-12-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/692-11-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/files/0x0007000000023429-19.dat	upx
behavioral2/memory/4356-21-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/692-23-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/4064-24-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	893820ac81d24d2e92ed827b60f9e9088b1f27bfe9043ff6020e2aa8f6866775.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	893820ac81d24d2e92ed827b60f9e9088b1f27bfe9043ff6020e2aa8f6866775.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	893820ac81d24d2e92ed827b60f9e9088b1f27bfe9043ff6020e2aa8f6866775.exe
File opened for modification	C:\Windows\dev3921.tmp	893820ac81d24d2e92ed827b60f9e9088b1f27bfe9043ff6020e2aa8f6866775.exe
File opened for modification	C:\Windows\dev3921.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
692	MSWDM.EXE
692	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 332 wrote to memory of 4064	332	893820ac81d24d2e92ed827b60f9e9088b1f27bfe9043ff6020e2aa8f6866775.exe	82
PID 332 wrote to memory of 4064	332	893820ac81d24d2e92ed827b60f9e9088b1f27bfe9043ff6020e2aa8f6866775.exe	82
PID 332 wrote to memory of 4064	332	893820ac81d24d2e92ed827b60f9e9088b1f27bfe9043ff6020e2aa8f6866775.exe	82
PID 332 wrote to memory of 692	332	893820ac81d24d2e92ed827b60f9e9088b1f27bfe9043ff6020e2aa8f6866775.exe	83
PID 332 wrote to memory of 692	332	893820ac81d24d2e92ed827b60f9e9088b1f27bfe9043ff6020e2aa8f6866775.exe	83
PID 332 wrote to memory of 692	332	893820ac81d24d2e92ed827b60f9e9088b1f27bfe9043ff6020e2aa8f6866775.exe	83
PID 692 wrote to memory of 4556	692	MSWDM.EXE	84
PID 692 wrote to memory of 4556	692	MSWDM.EXE	84
PID 692 wrote to memory of 4556	692	MSWDM.EXE	84
PID 692 wrote to memory of 4356	692	MSWDM.EXE	86
PID 692 wrote to memory of 4356	692	MSWDM.EXE	86
PID 692 wrote to memory of 4356	692	MSWDM.EXE	86

C:\Users\Admin\AppData\Local\Temp\893820ac81d24d2e92ed827b60f9e9088b1f27bfe9043ff6020e2aa8f6866775.exe
"C:\Users\Admin\AppData\Local\Temp\893820ac81d24d2e92ed827b60f9e9088b1f27bfe9043ff6020e2aa8f6866775.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:332
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4064
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev3921.tmp!C:\Users\Admin\AppData\Local\Temp\893820ac81d24d2e92ed827b60f9e9088b1f27bfe9043ff6020e2aa8f6866775.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Users\Admin\AppData\Local\Temp\893820AC81D24D2E92ED827B60F9E9088B1F27BFE9043FF6020E2AA8F6866775.EXE
    3⤵
    - Executes dropped EXE
    PID:4556
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev3921.tmp!C:\Users\Admin\AppData\Local\Temp\893820AC81D24D2E92ED827B60F9E9088B1F27BFE9043FF6020E2AA8F6866775.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\893820ac81d24d2e92ed827b60f9e9088b1f27bfe9043ff6020e2aa8f6866775.exe

Filesize
73KB

MD5
2e35d22f6e19242dde326cfe61a019e0

SHA1
ad3d60a2b19ccdd60290ca47e0b0b8a7c8cd0a41

SHA256
8a6094c860e9972bfd1916c64880f4ef7244e10c2451c6f8be942f0b04c3dcd1

SHA512
98881d5b87fe39a1f6e8f8100bd0a8a34b061a61a201645e6d7118882da56131a0b2ea205acc4b637711c488ac51415373b4a7fcc87c0705ea177226228b662d

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
66d80d8f33e48c894755326fa6ba21dd

SHA1
2eba9f7bdbaa30817fa02b3644cb3c9a22ad5fdd

SHA256
10920efe3452a64993af20cb3d814c6b1d315c10d253d667da2e4354f5ec3a86

SHA512
88dcf79f6291febb93976d06a8c60a431f3bc8df03e74cb6e38d09cca0b71531827d40296eef823d95c001d2017bddcf740463492edbcb82e55edbd2ea22c86a

Download Submit
C:\Windows\dev3921.tmp

Filesize
34KB

MD5
f521965bf3c3f38dc3df43f0df339e95

SHA1
5ab377d59cb07f5d21fbe20418a4e0c9991ed570

SHA256
893c8af4fb2456a681b4c8106735323073cbcc7494353a8f0d4b087a4469d2f0

SHA512
c02c0593bc17c163a64d179877a47ed7896b1df719caa957c4586d00a42ce3cfbe46355a21a855290e5b5eb0b8566a70a9a35edf7e7ae6deec77f56501cdbdc2

Download Submit
memory/332-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/332-12-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/692-11-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/692-23-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4064-10-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4064-24-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4356-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads