51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173

General

Target

51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173.exe
Size

75KB
MD5

5b6237f79467b0dbdd30a3425eb28280
SHA1

7224ba280712fc471403dd005277bcd86ae2c954
SHA256

51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173
SHA512

17050c854926331ad85728b1f05e54d3cc7cd57c4ec46d39e347070787bb516fe0c121a34b8cd2b3c544d8f52194a4ee96f8423f97fe4cbabf30335eb2d5435a
SSDEEP

1536:rxG0+a0V7JCaTYnSGMD/6riw+d9bHrkT5gUHz7Fxtd:rlIV7JCaMnSr76rBkfkT5xHz/

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2792-0-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/memory/2792-12-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/memory/1320-21-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
C:\Windows\MSWDM.EXE	UPX
behavioral1/memory/1452-20-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\51D826B9F4FE8154E22FDCD4212B1CC80581C2DD94C90F77A5E40F0917E40173.EXE	UPX
behavioral1/memory/1452-31-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/memory/2600-28-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/memory/1320-32-0x0000000000400000-0x0000000000418000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXE51D826B9F4FE8154E22FDCD4212B1CC80581C2DD94C90F77A5E40F0917E40173.EXEMSWDM.EXE

pid process

1452 MSWDM.EXE
1320 MSWDM.EXE
2968 51D826B9F4FE8154E22FDCD4212B1CC80581C2DD94C90F77A5E40F0917E40173.EXE
2600 MSWDM.EXE
Loads dropped DLL 1 IoCs

Processes:

MSWDM.EXE

pid process

1452 MSWDM.EXE

pid	process
1452	MSWDM.EXE
1320	MSWDM.EXE
2968	51D826B9F4FE8154E22FDCD4212B1CC80581C2DD94C90F77A5E40F0917E40173.EXE
2600	MSWDM.EXE

pid	process
1452	MSWDM.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2792-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2792-12-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1320-21-0x0000000000400000-0x0000000000418000-memory.dmp	upx
C:\Windows\MSWDM.EXE	upx
behavioral1/memory/1452-20-0x0000000000400000-0x0000000000418000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\51D826B9F4FE8154E22FDCD4212B1CC80581C2DD94C90F77A5E40F0917E40173.EXE	upx
behavioral1/memory/1452-31-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2600-28-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1320-32-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173.exeMSWDM.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

Processes:

51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173.exeMSWDM.EXE

description	ioc	process
File opened for modification	C:\Windows\dev1065.tmp	51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173.exe
File opened for modification	C:\Windows\dev1065.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSWDM.EXE

pid process

1452 MSWDM.EXE

pid	process
1452	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173.exeMSWDM.EXE

description	pid	process	target process
PID 2792 wrote to memory of 1320	2792	51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173.exe	MSWDM.EXE
PID 2792 wrote to memory of 1320	2792	51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173.exe	MSWDM.EXE
PID 2792 wrote to memory of 1320	2792	51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173.exe	MSWDM.EXE
PID 2792 wrote to memory of 1320	2792	51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173.exe	MSWDM.EXE
PID 2792 wrote to memory of 1452	2792	51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173.exe	MSWDM.EXE
PID 2792 wrote to memory of 1452	2792	51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173.exe	MSWDM.EXE
PID 2792 wrote to memory of 1452	2792	51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173.exe	MSWDM.EXE
PID 2792 wrote to memory of 1452	2792	51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173.exe	MSWDM.EXE
PID 1452 wrote to memory of 2968	1452	MSWDM.EXE	51D826B9F4FE8154E22FDCD4212B1CC80581C2DD94C90F77A5E40F0917E40173.EXE
PID 1452 wrote to memory of 2968	1452	MSWDM.EXE	51D826B9F4FE8154E22FDCD4212B1CC80581C2DD94C90F77A5E40F0917E40173.EXE
PID 1452 wrote to memory of 2968	1452	MSWDM.EXE	51D826B9F4FE8154E22FDCD4212B1CC80581C2DD94C90F77A5E40F0917E40173.EXE
PID 1452 wrote to memory of 2968	1452	MSWDM.EXE	51D826B9F4FE8154E22FDCD4212B1CC80581C2DD94C90F77A5E40F0917E40173.EXE
PID 1452 wrote to memory of 2600	1452	MSWDM.EXE	MSWDM.EXE
PID 1452 wrote to memory of 2600	1452	MSWDM.EXE	MSWDM.EXE
PID 1452 wrote to memory of 2600	1452	MSWDM.EXE	MSWDM.EXE
PID 1452 wrote to memory of 2600	1452	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173.exe
"C:\Users\Admin\AppData\Local\Temp\51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2792

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1320

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev1065.tmp!C:\Users\Admin\AppData\Local\Temp\51d826b9f4fe8154e22fdcd4212b1cc80581c2dd94c90f77a5e40f0917e40173.exe! !
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1452

C:\Users\Admin\AppData\Local\Temp\51D826B9F4FE8154E22FDCD4212B1CC80581C2DD94C90F77A5E40F0917E40173.EXE
3⤵
- Executes dropped EXE
PID:2968

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev1065.tmp!C:\Users\Admin\AppData\Local\Temp\51D826B9F4FE8154E22FDCD4212B1CC80581C2DD94C90F77A5E40F0917E40173.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\51D826B9F4FE8154E22FDCD4212B1CC80581C2DD94C90F77A5E40F0917E40173.EXE

Filesize
75KB

MD5
906010962c4f785f356d9cc3a2011875

SHA1
f32861e68fbde0c94524033e5aa1867778b17f0f

SHA256
65ca0f2dfde42b7beb4b8ab2627574231de0f72780ffa9d94f081b15496d81d3

SHA512
5ea2906d652c9fc1ba18f102ff59f796d59628eb3a88a20072ee0d889f092c0f2e9f746e44e0638d121db6d095410329d5ca72b8d4aeff18ff13459b9f277c86

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
2b2ae7457a177dedaed7f72e1d149c4d

SHA1
c63ab6db2b24d55201ddac556cc00eb98fe77aaf

SHA256
ab6323a4a0d3bdabcab6e1e390da56d69a83c3f2cc522ec062a566f27fd837d8

SHA512
603ce8614256a05fb6e048af4098b3caaa2e1b071cb75617b3eac281dad36341811f2cd985358d38f3b7ed170b2527ac6bf0a63db30df5cf36c129cde09e9782

Download Submit
C:\Windows\dev1065.tmp

Filesize
36KB

MD5
9f498971cbe636662f3d210747d619e1

SHA1
44b8e2732fa1e2f204fc70eaa1cb406616250085

SHA256
8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

SHA512
b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

Download Submit
memory/1320-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1320-32-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1452-20-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1452-31-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2600-28-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2792-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2792-12-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads