00b2a5d0901d2f37fe6dcb1554dce4ad2533fb1809901c0bfcc834a4b0a5c76f

General

Target

00b2a5d0901d2f37fe6dcb1554dce4ad2533fb1809901c0bfcc834a4b0a5c76f.exe
Size

153KB
MD5

8b827b3bc085c531eab82aef2c4e64d0
SHA1

29869a12dab8291e091a9215a60933ba70093ff6
SHA256

00b2a5d0901d2f37fe6dcb1554dce4ad2533fb1809901c0bfcc834a4b0a5c76f
SHA512

b3dd3a0a036cbb1c30b54584705d966acc818c58b11308a88a55e1a40a4c818fe6ee350ef304103db2da2f3b57333c8ad956f184d4f5ed487ba5d59154a50fcb
SSDEEP

3072:HQC/yj5JO3MnSG+T8wDSRUT0kbAYn2GgYlBYN2fHYTo+0D:wlj7cMnL+T8DRUTBbAMpgY3gTs

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4740	MSWDM.EXE
2320	MSWDM.EXE
2736	00B2A5D0901D2F37FE6DCB1554DCE4AD2533FB1809901C0BFCC834A4B0A5C76F.EXE
3008	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	00b2a5d0901d2f37fe6dcb1554dce4ad2533fb1809901c0bfcc834a4b0a5c76f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	00b2a5d0901d2f37fe6dcb1554dce4ad2533fb1809901c0bfcc834a4b0a5c76f.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	00b2a5d0901d2f37fe6dcb1554dce4ad2533fb1809901c0bfcc834a4b0a5c76f.exe
File opened for modification	C:\Windows\devDC66.tmp	00b2a5d0901d2f37fe6dcb1554dce4ad2533fb1809901c0bfcc834a4b0a5c76f.exe
File opened for modification	C:\Windows\devDC66.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2320	MSWDM.EXE
2320	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 4740	4060	00b2a5d0901d2f37fe6dcb1554dce4ad2533fb1809901c0bfcc834a4b0a5c76f.exe	90
PID 4060 wrote to memory of 4740	4060	00b2a5d0901d2f37fe6dcb1554dce4ad2533fb1809901c0bfcc834a4b0a5c76f.exe	90
PID 4060 wrote to memory of 4740	4060	00b2a5d0901d2f37fe6dcb1554dce4ad2533fb1809901c0bfcc834a4b0a5c76f.exe	90
PID 4060 wrote to memory of 2320	4060	00b2a5d0901d2f37fe6dcb1554dce4ad2533fb1809901c0bfcc834a4b0a5c76f.exe	91
PID 4060 wrote to memory of 2320	4060	00b2a5d0901d2f37fe6dcb1554dce4ad2533fb1809901c0bfcc834a4b0a5c76f.exe	91
PID 4060 wrote to memory of 2320	4060	00b2a5d0901d2f37fe6dcb1554dce4ad2533fb1809901c0bfcc834a4b0a5c76f.exe	91
PID 2320 wrote to memory of 2736	2320	MSWDM.EXE	92
PID 2320 wrote to memory of 2736	2320	MSWDM.EXE	92
PID 2320 wrote to memory of 3008	2320	MSWDM.EXE	94
PID 2320 wrote to memory of 3008	2320	MSWDM.EXE	94
PID 2320 wrote to memory of 3008	2320	MSWDM.EXE	94

C:\Users\Admin\AppData\Local\Temp\00b2a5d0901d2f37fe6dcb1554dce4ad2533fb1809901c0bfcc834a4b0a5c76f.exe
"C:\Users\Admin\AppData\Local\Temp\00b2a5d0901d2f37fe6dcb1554dce4ad2533fb1809901c0bfcc834a4b0a5c76f.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4060
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4740
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devDC66.tmp!C:\Users\Admin\AppData\Local\Temp\00b2a5d0901d2f37fe6dcb1554dce4ad2533fb1809901c0bfcc834a4b0a5c76f.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\00B2A5D0901D2F37FE6DCB1554DCE4AD2533FB1809901C0BFCC834A4B0A5C76F.EXE
    3⤵
    - Executes dropped EXE
    PID:2736
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devDC66.tmp!C:\Users\Admin\AppData\Local\Temp\00B2A5D0901D2F37FE6DCB1554DCE4AD2533FB1809901C0BFCC834A4B0A5C76F.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3884 /prefetch:8
1⤵
PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00b2a5d0901d2f37fe6dcb1554dce4ad2533fb1809901c0bfcc834a4b0a5c76f.exe

Filesize
153KB

MD5
c305e5da2c41405b1bf9ba8790801dc5

SHA1
b8640d0ad47771d23eb7f66cad2d2367219c7c5c

SHA256
9bc9f92dc2542c12cd625e71f09f92df5a61ffff9782d8b8f61ca439b413b7eb

SHA512
db328b88411a19d1beddc02727cc6a7f3a623272ea0e258035b8688c9d7913caf9fb9c96af8d935be69866dc7e3f222f1920bbede3007023ef13376429407794

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
29c9387f23c164ed635ee6b4b2b243fb

SHA1
cf8c961cbedb5aa3e0a9ec9263b7aa62e2939130

SHA256
05e9a775c3e39e0ed8fc0d61f3e1da1f40aec50d945aa22b477bf13e1ab9b698

SHA512
f39ecc49d8aece2881280996c40393f813fd8929dea46e28bbfb18cb5eb8f6bfa271f2dd71ddeb5cc34d6a4ba94efcb761c0071d6fb2bc40dc0b729cdde65522

Download Submit
C:\Windows\devDC66.tmp

Filesize
105KB

MD5
6b4a0140575c78a3151b291e9227abb9

SHA1
0b587bf39801459d499083851e9c4d44e53626e9

SHA256
807d0e5a43ef1331aca1328514c937354374f5c273450cba4ee5e1ce4ced7716

SHA512
8db25071d7fe5cbcd59f79d6c9e28456cd4582e6a0a1d8812fa0658266a304357860269cc753773b395b545a21cafc12aaa368ef1bc450238daa7a8b8add53b7

Download Submit
memory/2320-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2320-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3008-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4060-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4060-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4740-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4740-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads