83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e

General

Target

83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe
Size

89KB
MD5

2e3302c4952f77f99b178fd739e82491
SHA1

80ac4d1e9daf74619d71d5a625619be4f79d20b4
SHA256

83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e
SHA512

5091e25bee1cd5bc41f3c26b6e349d098a8a48c85ffd6be1fc45356edbc307cfe8847fb290d652150a91f2eaac3ba04e0c917a3808d44cbdf64adb16d73aee06
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FfgG+stEToa9D4ZQKbgZi1dst7x9Pxp:HQC/yj5JO3MnfgG++lZQKbgZi1St7xp

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 10 IoCs

resource	yara_rule
behavioral1/memory/2988-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2988-3-0x00000000001B0000-0x00000000001CB000-memory.dmp	UPX
behavioral1/files/0x000b0000000155e2-15.dat	UPX
behavioral1/memory/2888-22-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2884-20-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2988-12-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2884-32-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/files/0x0007000000015c69-30.dat	UPX
behavioral1/memory/2380-29-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2888-33-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
2884	MSWDM.EXE
2888	MSWDM.EXE
2628	83CC912F654D83543EEB7D884F4C6EE7BF96DDF372937E28F00705A203870F0E.EXE
2380	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
2884	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe
File opened for modification	C:\Windows\dev8CD5.tmp	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe
File opened for modification	C:\Windows\dev8CD5.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2884	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2888	2988	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe	28
PID 2988 wrote to memory of 2888	2988	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe	28
PID 2988 wrote to memory of 2888	2988	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe	28
PID 2988 wrote to memory of 2888	2988	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe	28
PID 2988 wrote to memory of 2884	2988	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe	29
PID 2988 wrote to memory of 2884	2988	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe	29
PID 2988 wrote to memory of 2884	2988	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe	29
PID 2988 wrote to memory of 2884	2988	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe	29
PID 2884 wrote to memory of 2628	2884	MSWDM.EXE	30
PID 2884 wrote to memory of 2628	2884	MSWDM.EXE	30
PID 2884 wrote to memory of 2628	2884	MSWDM.EXE	30
PID 2884 wrote to memory of 2628	2884	MSWDM.EXE	30
PID 2884 wrote to memory of 2380	2884	MSWDM.EXE	31
PID 2884 wrote to memory of 2380	2884	MSWDM.EXE	31
PID 2884 wrote to memory of 2380	2884	MSWDM.EXE	31
PID 2884 wrote to memory of 2380	2884	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe
"C:\Users\Admin\AppData\Local\Temp\83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2988
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2888
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev8CD5.tmp!C:\Users\Admin\AppData\Local\Temp\83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\83CC912F654D83543EEB7D884F4C6EE7BF96DDF372937E28F00705A203870F0E.EXE
    3⤵
    - Executes dropped EXE
    PID:2628
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev8CD5.tmp!C:\Users\Admin\AppData\Local\Temp\83CC912F654D83543EEB7D884F4C6EE7BF96DDF372937E28F00705A203870F0E.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\83CC912F654D83543EEB7D884F4C6EE7BF96DDF372937E28F00705A203870F0E.EXE

Filesize
89KB

MD5
333e6b79d1d1947e7ca44492cd96c833

SHA1
2ad154740297258c4e2cca2a72d18e2c6ff0770f

SHA256
a4e0f59d8448fa771c07de2a2427db5ea40e8720721fffe04858063a0a68c90f

SHA512
4c0e5f9536d1efd21da3494c5a02d03c8eeb76f10e964802191503fc7523d8c3c9f79de3a6558753058e9e37d68b2b8d30713bdaa4ca54ccf8f92ecd3c66751a

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
0899c12880bb71740aaeef618b3133b2

SHA1
9370dab734f42f59d4ae434e7644e7d7ba9507b1

SHA256
f6faa1e11b030e5640af5c5a96bce67ef928a723a003c71846ca668d58d155b1

SHA512
b5c825f19c1a27cb4eecb059ae08c339f701620f983f8db2ad76354d8e98c89ec2249855241fe16cc7384316f8d062000b060c7c8891d5b426281306dd32bac4

Download Submit
C:\Windows\dev8CD5.tmp

Filesize
41KB

MD5
977e405c109268909fd24a94cc23d4f0

SHA1
af5d032c2b6caa2164cf298e95b09060665c4188

SHA256
cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

SHA512
12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

Download Submit
memory/2380-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2884-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2884-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2884-23-0x00000000001B0000-0x00000000001CB000-memory.dmp

Filesize
108KB

Download
memory/2888-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2888-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2988-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2988-3-0x00000000001B0000-0x00000000001CB000-memory.dmp

Filesize
108KB

Download
memory/2988-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads