8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f

General

Target

8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe
Size

114KB
MD5

dc2fad1f4bea455d6d47f7735973612c
SHA1

f5f5ff059bd6e066c9a4a08c7a1303aa4b3f7ad1
SHA256

8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f
SHA512

c1b4272f9d2ce85e7b5f5328f71298e4eb612f69fca38d0c4dcf1116c303080fbdbac51898dbc08f7075400aa1dd59fbba762bb71cc04eda77e2693ecb69a7e1
SSDEEP

3072:HQC/yj5JO3Mn7G+Hu54Fx4xE8iOBDau8+fBi:wlj7cMnC+OEXVOBpC

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3036-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\Windows\MSWDM.EXE	UPX
behavioral1/memory/1988-29-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/3036-17-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2208-16-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2448-37-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXE	UPX
behavioral1/memory/1988-40-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/1988-31-0x0000000000320000-0x000000000033B000-memory.dmp	UPX
behavioral1/memory/2208-41-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/3036-43-0x00000000002B0000-0x00000000002CB000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXE8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXEMSWDM.EXE

pid process

2208 MSWDM.EXE
1988 MSWDM.EXE
2888 8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXE
2448 MSWDM.EXE
Loads dropped DLL 2 IoCs

Processes:

MSWDM.EXE

pid process

1988 MSWDM.EXE
1988 MSWDM.EXE

pid	process
2208	MSWDM.EXE
1988	MSWDM.EXE
2888	8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXE
2448	MSWDM.EXE

pid	process
1988	MSWDM.EXE
1988	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exeMSWDM.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

Processes:

8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exeMSWDM.EXE

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe
File opened for modification	C:\Windows\dev6BBE.tmp	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe
File opened for modification	C:\Windows\dev6BBE.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSWDM.EXE

pid process

1988 MSWDM.EXE

pid	process
1988	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exeMSWDM.EXE

description	pid	process	target process
PID 3036 wrote to memory of 2208	3036	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe	MSWDM.EXE
PID 3036 wrote to memory of 2208	3036	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe	MSWDM.EXE
PID 3036 wrote to memory of 2208	3036	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe	MSWDM.EXE
PID 3036 wrote to memory of 2208	3036	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe	MSWDM.EXE
PID 3036 wrote to memory of 1988	3036	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe	MSWDM.EXE
PID 3036 wrote to memory of 1988	3036	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe	MSWDM.EXE
PID 3036 wrote to memory of 1988	3036	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe	MSWDM.EXE
PID 3036 wrote to memory of 1988	3036	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe	MSWDM.EXE
PID 1988 wrote to memory of 2888	1988	MSWDM.EXE	8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXE
PID 1988 wrote to memory of 2888	1988	MSWDM.EXE	8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXE
PID 1988 wrote to memory of 2888	1988	MSWDM.EXE	8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXE
PID 1988 wrote to memory of 2888	1988	MSWDM.EXE	8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXE
PID 1988 wrote to memory of 2448	1988	MSWDM.EXE	MSWDM.EXE
PID 1988 wrote to memory of 2448	1988	MSWDM.EXE	MSWDM.EXE
PID 1988 wrote to memory of 2448	1988	MSWDM.EXE	MSWDM.EXE
PID 1988 wrote to memory of 2448	1988	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe
"C:\Users\Admin\AppData\Local\Temp\8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3036

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2208

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev6BBE.tmp!C:\Users\Admin\AppData\Local\Temp\8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe! !
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXE
3⤵
- Executes dropped EXE
PID:2888

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev6BBE.tmp!C:\Users\Admin\AppData\Local\Temp\8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXE

Filesize
114KB

MD5
7733e0071b3d6cd54de54080c76b84d7

SHA1
a6beca2f4300236e0e1078c6f7b69557f30538ec

SHA256
9492be1ab47340d16ec724711768a42e35494a1ded477fadab693cc4611912ca

SHA512
fcc09722e67b84c9d056c7a1cc0d5972c500552405ea5973d2e183475c7bb50d57ce92f7a8c130c14fd7e86e6a1447c51a14e739fe8f738b18b72df2d0196b4c

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
dd68dc1f2acb8d56535514be222da2e9

SHA1
f8b48112bb5bff4d77e705ce05aa0f2dcb80c904

SHA256
38137371838a2b2704b823ed0fb8d6bb1d9cca9fc7da334535942ab1d489eb09

SHA512
2ebe2ea143735b014f5fced08a95a3e64a6c54a293a818a0d39555a31ea8d940b28ce9a6937f3d4d6cd449b849d5a1e8a645603c2571260bd6996bdb050bcb8a

Download Submit
C:\Windows\dev6BBE.tmp

Filesize
34KB

MD5
f521965bf3c3f38dc3df43f0df339e95

SHA1
5ab377d59cb07f5d21fbe20418a4e0c9991ed570

SHA256
893c8af4fb2456a681b4c8106735323073cbcc7494353a8f0d4b087a4469d2f0

SHA512
c02c0593bc17c163a64d179877a47ed7896b1df719caa957c4586d00a42ce3cfbe46355a21a855290e5b5eb0b8566a70a9a35edf7e7ae6deec77f56501cdbdc2

Download Submit
memory/1988-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1988-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1988-31-0x0000000000320000-0x000000000033B000-memory.dmp

Filesize
108KB

Download
memory/2208-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2208-41-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2448-37-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3036-10-0x00000000002B0000-0x00000000002CB000-memory.dmp

Filesize
108KB

Download
memory/3036-18-0x00000000002B0000-0x00000000002CB000-memory.dmp

Filesize
108KB

Download
memory/3036-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3036-15-0x00000000002B0000-0x00000000002CB000-memory.dmp

Filesize
108KB

Download
memory/3036-9-0x00000000002B0000-0x00000000002CB000-memory.dmp

Filesize
108KB

Download
memory/3036-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3036-43-0x00000000002B0000-0x00000000002CB000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads