8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f

General

Target

8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe
Size

114KB
MD5

dc2fad1f4bea455d6d47f7735973612c
SHA1

f5f5ff059bd6e066c9a4a08c7a1303aa4b3f7ad1
SHA256

8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f
SHA512

c1b4272f9d2ce85e7b5f5328f71298e4eb612f69fca38d0c4dcf1116c303080fbdbac51898dbc08f7075400aa1dd59fbba762bb71cc04eda77e2693ecb69a7e1
SSDEEP

3072:HQC/yj5JO3Mn7G+Hu54Fx4xE8iOBDau8+fBi:wlj7cMnC+OEXVOBpC

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3420-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\Windows\MSWDM.EXE	UPX
behavioral2/memory/3420-8-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXE	UPX
behavioral2/memory/380-19-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/4580-22-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/1228-23-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXE8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXEMSWDM.EXE

pid process

1228 MSWDM.EXE
4580 MSWDM.EXE
932 8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXE
380 MSWDM.EXE

pid	process
1228	MSWDM.EXE
4580	MSWDM.EXE
932	8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXE
380	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MSWDM.EXE8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

Processes:

8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exeMSWDM.EXE

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe
File opened for modification	C:\Windows\dev4CE7.tmp	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe
File opened for modification	C:\Windows\dev4CE7.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSWDM.EXE

pid process

4580 MSWDM.EXE
4580 MSWDM.EXE

pid	process
4580	MSWDM.EXE
4580	MSWDM.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exeMSWDM.EXE

description	pid	process	target process
PID 3420 wrote to memory of 1228	3420	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe	MSWDM.EXE
PID 3420 wrote to memory of 1228	3420	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe	MSWDM.EXE
PID 3420 wrote to memory of 1228	3420	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe	MSWDM.EXE
PID 3420 wrote to memory of 4580	3420	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe	MSWDM.EXE
PID 3420 wrote to memory of 4580	3420	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe	MSWDM.EXE
PID 3420 wrote to memory of 4580	3420	8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe	MSWDM.EXE
PID 4580 wrote to memory of 932	4580	MSWDM.EXE	8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXE
PID 4580 wrote to memory of 932	4580	MSWDM.EXE	8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXE
PID 4580 wrote to memory of 932	4580	MSWDM.EXE	8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXE
PID 4580 wrote to memory of 380	4580	MSWDM.EXE	MSWDM.EXE
PID 4580 wrote to memory of 380	4580	MSWDM.EXE	MSWDM.EXE
PID 4580 wrote to memory of 380	4580	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe
"C:\Users\Admin\AppData\Local\Temp\8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3420

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1228

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev4CE7.tmp!C:\Users\Admin\AppData\Local\Temp\8044258c4ca64141bac30c91aac8244f4d22697af6456595f6a838168b158b2f.exe! !
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4580

C:\Users\Admin\AppData\Local\Temp\8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXE
3⤵
- Executes dropped EXE
PID:932

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev4CE7.tmp!C:\Users\Admin\AppData\Local\Temp\8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8044258C4CA64141BAC30C91AAC8244F4D22697AF6456595F6A838168B158B2F.EXE

Filesize
114KB

MD5
94c9911e1def097deef3b4bcafb155d2

SHA1
7d81cd408126498df121819219247b75f4e4de99

SHA256
848e46e5b31ac10be2f4ca47bc22d4ed0dd1d8c9e57cff7590bed3fd9092bb2d

SHA512
b1e7ac5093e0e24a32b6f4fcaa04dcc33a0dd34823d1ffb06668d554fd41d5c3ebdb188b051ebd37c09b70230e2561983b0bda2cf4e9ab39e1bb35021cc851a0

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
dd68dc1f2acb8d56535514be222da2e9

SHA1
f8b48112bb5bff4d77e705ce05aa0f2dcb80c904

SHA256
38137371838a2b2704b823ed0fb8d6bb1d9cca9fc7da334535942ab1d489eb09

SHA512
2ebe2ea143735b014f5fced08a95a3e64a6c54a293a818a0d39555a31ea8d940b28ce9a6937f3d4d6cd449b849d5a1e8a645603c2571260bd6996bdb050bcb8a

Download Submit
C:\Windows\dev4CE7.tmp

Filesize
34KB

MD5
f521965bf3c3f38dc3df43f0df339e95

SHA1
5ab377d59cb07f5d21fbe20418a4e0c9991ed570

SHA256
893c8af4fb2456a681b4c8106735323073cbcc7494353a8f0d4b087a4469d2f0

SHA512
c02c0593bc17c163a64d179877a47ed7896b1df719caa957c4586d00a42ce3cfbe46355a21a855290e5b5eb0b8566a70a9a35edf7e7ae6deec77f56501cdbdc2

Download Submit
memory/380-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1228-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3420-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3420-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4580-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads