32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97

General

Target

32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97.exe
Size

95KB
MD5

fd2c98030807b419ca1e9f490616a33c
SHA1

64a55c78c050e86f00520b08e58c73b7650a2953
SHA256

32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97
SHA512

78e3e013ccce17fa828d3d99b37a6139bbbdb8e8f736eeba44533a0c9bd483c5e8328ceed295e509c99060472ef826482c75774531df2b9a2b49ba1c7e214798
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FfgG+sdguxnSngBNpT/mzNnxPAxEAz0+/8omQ:HQC/yj5JO3MnfgG+Hu54Fx4xE8EomCPP

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2524-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\Windows\MSWDM.EXE	UPX
behavioral1/memory/2952-16-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2100-15-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2524-12-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2100-25-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2952-24-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

Processes:

MSWDM.EXEMSWDM.EXE32FD8F1B254A932406146818A133B39E43D9B8BAA70800354FFC4544AC42FF97.EXE

pid process

2100 MSWDM.EXE
2952 MSWDM.EXE
2644 32FD8F1B254A932406146818A133B39E43D9B8BAA70800354FFC4544AC42FF97.EXE
Loads dropped DLL 1 IoCs

Processes:

MSWDM.EXE

pid process

2100 MSWDM.EXE

pid	process
2100	MSWDM.EXE
2952	MSWDM.EXE
2644	32FD8F1B254A932406146818A133B39E43D9B8BAA70800354FFC4544AC42FF97.EXE

pid	process
2100	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97.exeMSWDM.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

Processes:

32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97.exe

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97.exe
File opened for modification	C:\Windows\dev1FEF.tmp	32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSWDM.EXE

pid process

2100 MSWDM.EXE

pid	process
2100	MSWDM.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97.exeMSWDM.EXE

description	pid	process	target process
PID 2524 wrote to memory of 2952	2524	32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97.exe	MSWDM.EXE
PID 2524 wrote to memory of 2952	2524	32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97.exe	MSWDM.EXE
PID 2524 wrote to memory of 2952	2524	32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97.exe	MSWDM.EXE
PID 2524 wrote to memory of 2952	2524	32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97.exe	MSWDM.EXE
PID 2524 wrote to memory of 2100	2524	32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97.exe	MSWDM.EXE
PID 2524 wrote to memory of 2100	2524	32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97.exe	MSWDM.EXE
PID 2524 wrote to memory of 2100	2524	32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97.exe	MSWDM.EXE
PID 2524 wrote to memory of 2100	2524	32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97.exe	MSWDM.EXE
PID 2100 wrote to memory of 2644	2100	MSWDM.EXE	32FD8F1B254A932406146818A133B39E43D9B8BAA70800354FFC4544AC42FF97.EXE
PID 2100 wrote to memory of 2644	2100	MSWDM.EXE	32FD8F1B254A932406146818A133B39E43D9B8BAA70800354FFC4544AC42FF97.EXE
PID 2100 wrote to memory of 2644	2100	MSWDM.EXE	32FD8F1B254A932406146818A133B39E43D9B8BAA70800354FFC4544AC42FF97.EXE
PID 2100 wrote to memory of 2644	2100	MSWDM.EXE	32FD8F1B254A932406146818A133B39E43D9B8BAA70800354FFC4544AC42FF97.EXE
PID 2100 wrote to memory of 2644	2100	MSWDM.EXE	32FD8F1B254A932406146818A133B39E43D9B8BAA70800354FFC4544AC42FF97.EXE
PID 2100 wrote to memory of 2644	2100	MSWDM.EXE	32FD8F1B254A932406146818A133B39E43D9B8BAA70800354FFC4544AC42FF97.EXE
PID 2100 wrote to memory of 2644	2100	MSWDM.EXE	32FD8F1B254A932406146818A133B39E43D9B8BAA70800354FFC4544AC42FF97.EXE

C:\Users\Admin\AppData\Local\Temp\32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97.exe
"C:\Users\Admin\AppData\Local\Temp\32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2524

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2952

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev1FEF.tmp!C:\Users\Admin\AppData\Local\Temp\32fd8f1b254a932406146818a133b39e43d9b8baa70800354ffc4544ac42ff97.exe! !
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2100

C:\Users\Admin\AppData\Local\Temp\32FD8F1B254A932406146818A133B39E43D9B8BAA70800354FFC4544AC42FF97.EXE
3⤵
- Executes dropped EXE
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
661c15a11df08fa7d4579daa5c7720a0

SHA1
00793fc91b20c1a82057d73548de132c391102d0

SHA256
5b1b3078c65b7cbb237bc41727c92cce60376e3cb99ab17a2bb0d06046c47bd4

SHA512
459ac19b65a7d8ce156ebb28313fed2f7db626daf3c8dbb6e75d5ed7d1aeed88c0100374b9bbe8bebd876848f03b5affc95bafce0dfa4fb96a82f546eb552bfc

Download Submit
C:\Windows\dev1FEF.tmp

Filesize
15KB

MD5
b0cec9f342bf95700b602ee376446577

SHA1
b955b1b64280bb0ea873538029cf5ea44081501b

SHA256
24a2472e3bd5016cb22ce14cefee112d5bc18354bf099e8e66ad9846aea15088

SHA512
05ebecfc8d3e2e7885d3cacc65bfd97db710c2cbc0fb76b19b7d6cc82b327b25df953a20affc8d84002167dd8ac7710622279d3579c6605e742a98fe7095aa4e

Download Submit
memory/2100-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2100-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2524-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2524-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2952-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2952-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads