83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e

General

Target

83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe
Size

89KB
MD5

2e3302c4952f77f99b178fd739e82491
SHA1

80ac4d1e9daf74619d71d5a625619be4f79d20b4
SHA256

83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e
SHA512

5091e25bee1cd5bc41f3c26b6e349d098a8a48c85ffd6be1fc45356edbc307cfe8847fb290d652150a91f2eaac3ba04e0c917a3808d44cbdf64adb16d73aee06
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FfgG+stEToa9D4ZQKbgZi1dst7x9Pxp:HQC/yj5JO3MnfgG++lZQKbgZi1St7xp

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 8 IoCs

resource	yara_rule
behavioral2/memory/4768-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/4768-7-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x000900000002297e-4.dat	UPX
behavioral2/memory/3696-10-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/2460-19-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x0007000000023491-18.dat	UPX
behavioral2/memory/3696-23-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/4680-24-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
4680	MSWDM.EXE
3696	MSWDM.EXE
3232	83CC912F654D83543EEB7D884F4C6EE7BF96DDF372937E28F00705A203870F0E.EXE
2460	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe
File opened for modification	C:\Windows\dev53AE.tmp	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe
File opened for modification	C:\Windows\dev53AE.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3696	MSWDM.EXE
3696	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 4680	4768	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe	82
PID 4768 wrote to memory of 4680	4768	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe	82
PID 4768 wrote to memory of 4680	4768	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe	82
PID 4768 wrote to memory of 3696	4768	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe	83
PID 4768 wrote to memory of 3696	4768	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe	83
PID 4768 wrote to memory of 3696	4768	83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe	83
PID 3696 wrote to memory of 3232	3696	MSWDM.EXE	84
PID 3696 wrote to memory of 3232	3696	MSWDM.EXE	84
PID 3696 wrote to memory of 2460	3696	MSWDM.EXE	85
PID 3696 wrote to memory of 2460	3696	MSWDM.EXE	85
PID 3696 wrote to memory of 2460	3696	MSWDM.EXE	85

C:\Users\Admin\AppData\Local\Temp\83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe
"C:\Users\Admin\AppData\Local\Temp\83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4768
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4680
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev53AE.tmp!C:\Users\Admin\AppData\Local\Temp\83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Users\Admin\AppData\Local\Temp\83CC912F654D83543EEB7D884F4C6EE7BF96DDF372937E28F00705A203870F0E.EXE
    3⤵
    - Executes dropped EXE
    PID:3232
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev53AE.tmp!C:\Users\Admin\AppData\Local\Temp\83CC912F654D83543EEB7D884F4C6EE7BF96DDF372937E28F00705A203870F0E.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\83cc912f654d83543eeb7d884f4c6ee7bf96ddf372937e28f00705a203870f0e.exe

Filesize
89KB

MD5
7f6fed2106dec2b5a97d5d2103d41eb2

SHA1
ce21d60dc7341487f0e203bd50bc10e1446d6a23

SHA256
062c3e30d1eaabb0e3d069bb4496a8b2ab43046124c5a340dc0eb652f0af0507

SHA512
cf7681600264587bf50cecb4363cd609a508aed938ec270bbab373e41c84545e9449c0c0d51de68c7d86cc12133007316936e47d9c3871b9fe213dafcd0bd895

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
0899c12880bb71740aaeef618b3133b2

SHA1
9370dab734f42f59d4ae434e7644e7d7ba9507b1

SHA256
f6faa1e11b030e5640af5c5a96bce67ef928a723a003c71846ca668d58d155b1

SHA512
b5c825f19c1a27cb4eecb059ae08c339f701620f983f8db2ad76354d8e98c89ec2249855241fe16cc7384316f8d062000b060c7c8891d5b426281306dd32bac4

Download Submit
C:\Windows\dev53AE.tmp

Filesize
41KB

MD5
977e405c109268909fd24a94cc23d4f0

SHA1
af5d032c2b6caa2164cf298e95b09060665c4188

SHA256
cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

SHA512
12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

Download Submit
memory/2460-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3696-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3696-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4680-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4768-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4768-7-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads