eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb

General

Target

eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe
Size

2.2MB
MD5

d8d929c28e990ee53f77560cc5d2e899
SHA1

57e04b4a3daeb8ecb80dd309f97630fcc5f5e6bc
SHA256

eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb
SHA512

ffc386a78267dff5df469a7ee095651dbafbc9dd032b89653ac94f9bb17c00cc29e6bc8d970dd16f04fa94ce1f030db54e85961679777da075e6e36f27a9a5d7
SSDEEP

49152:WbV+QCbRquA/m2yL5zbfFiV+XenmE3/z2:WbV+5oq2VjnmV

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 10 IoCs

resource	yara_rule
behavioral1/memory/2420-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/files/0x000c00000001227f-5.dat	UPX
behavioral1/memory/2216-8-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2420-16-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2820-18-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2668-32-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/files/0x000b000000015cf3-28.dat	UPX
behavioral1/memory/2668-27-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2820-35-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2216-37-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
2216	MSWDM.EXE
2820	MSWDM.EXE
2644	EAC781CFD613B3D0CFAD7E35123C525DCC73B07BB718DF196A2F44CDF94997FB.EXE
2668	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2820	MSWDM.EXE
2736	Process not Found

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe
File opened for modification	C:\Windows\dev1F24.tmp	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe
File opened for modification	C:\Windows\dev1F24.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2820	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2216	2420	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe	28
PID 2420 wrote to memory of 2216	2420	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe	28
PID 2420 wrote to memory of 2216	2420	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe	28
PID 2420 wrote to memory of 2216	2420	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe	28
PID 2420 wrote to memory of 2820	2420	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe	29
PID 2420 wrote to memory of 2820	2420	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe	29
PID 2420 wrote to memory of 2820	2420	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe	29
PID 2420 wrote to memory of 2820	2420	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe	29
PID 2820 wrote to memory of 2644	2820	MSWDM.EXE	30
PID 2820 wrote to memory of 2644	2820	MSWDM.EXE	30
PID 2820 wrote to memory of 2644	2820	MSWDM.EXE	30
PID 2820 wrote to memory of 2644	2820	MSWDM.EXE	30
PID 2820 wrote to memory of 2668	2820	MSWDM.EXE	32
PID 2820 wrote to memory of 2668	2820	MSWDM.EXE	32
PID 2820 wrote to memory of 2668	2820	MSWDM.EXE	32
PID 2820 wrote to memory of 2668	2820	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe
"C:\Users\Admin\AppData\Local\Temp\eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2420
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2216
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1F24.tmp!C:\Users\Admin\AppData\Local\Temp\eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\EAC781CFD613B3D0CFAD7E35123C525DCC73B07BB718DF196A2F44CDF94997FB.EXE
    3⤵
    - Executes dropped EXE
    PID:2644
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1F24.tmp!C:\Users\Admin\AppData\Local\Temp\EAC781CFD613B3D0CFAD7E35123C525DCC73B07BB718DF196A2F44CDF94997FB.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EAC781CFD613B3D0CFAD7E35123C525DCC73B07BB718DF196A2F44CDF94997FB.EXE

Filesize
2.2MB

MD5
c0e2f7a343d9e67bc8106eb37db447cb

SHA1
fc018bc786eb4233c6866294df7351821a82dad1

SHA256
252b39ed75b690bd906ba3b71c932b7ab1963a3f14bb62b2568153d2b741ddb8

SHA512
cc89f3b214f662e8861d67cf3476f699458ff38d108a75ce2817f1bce4d01cb6ed789634f1b90f3e5f778e16f628baa9aa90a7d0680e9a962334e67ea40a0466

Download Submit
C:\Users\Admin\AppData\Local\Temp\eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe

Filesize
2.1MB

MD5
b8d69fa2755c3ab1f12f8866a8e2a4f7

SHA1
8e3cdfb20e158c2906323ba0094a18c7dd2aaf2d

SHA256
7e0976036431640ae1d9f1c0b52bcea5dd37ef86cd3f5304dc8a96459d9483cd

SHA512
5acac46068b331216978500f67a7fa5257bc5b05133fab6d88280b670ae4885ef2d5d1f531169b66bf1952e082f56b1ad2bc3901479b740f96c53ea405adda18

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
501f727fd29030d1af7937cf02748bf1

SHA1
db54ea740e13b5b7c5eae0c46ba35ee24bb63f26

SHA256
8a2d9932962112f5140a01e9bd386ea41a62fd198ee15bab09441d230a2d505f

SHA512
32bc9f567399b102e5230a4c4b2e4e1fe3fdb8273effb385119092d6e9961b47918336b69dfb725c9bc6e7ad2bdfdd4fc9e9492351be696bc43a721fb750de0e

Download Submit
memory/2216-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2216-37-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2420-7-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2420-11-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2420-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2420-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2668-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2668-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2820-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2820-35-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads