eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb

General

Target

eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe
Size

2.2MB
MD5

d8d929c28e990ee53f77560cc5d2e899
SHA1

57e04b4a3daeb8ecb80dd309f97630fcc5f5e6bc
SHA256

eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb
SHA512

ffc386a78267dff5df469a7ee095651dbafbc9dd032b89653ac94f9bb17c00cc29e6bc8d970dd16f04fa94ce1f030db54e85961679777da075e6e36f27a9a5d7
SSDEEP

49152:WbV+QCbRquA/m2yL5zbfFiV+XenmE3/z2:WbV+5oq2VjnmV

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

resource	yara_rule
behavioral2/memory/116-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x0006000000023278-8.dat	UPX
behavioral2/memory/2472-12-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/116-10-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/2184-6-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x00080000000233da-17.dat	UPX
behavioral2/memory/2472-24-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/4092-20-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/2184-25-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
2184	MSWDM.EXE
2472	MSWDM.EXE
468	EAC781CFD613B3D0CFAD7E35123C525DCC73B07BB718DF196A2F44CDF94997FB.EXE
4092	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe
File opened for modification	C:\Windows\dev5803.tmp	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe
File opened for modification	C:\Windows\dev5803.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2472	MSWDM.EXE
2472	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 2184	116	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe	83
PID 116 wrote to memory of 2184	116	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe	83
PID 116 wrote to memory of 2184	116	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe	83
PID 116 wrote to memory of 2472	116	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe	84
PID 116 wrote to memory of 2472	116	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe	84
PID 116 wrote to memory of 2472	116	eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe	84
PID 2472 wrote to memory of 468	2472	MSWDM.EXE	85
PID 2472 wrote to memory of 468	2472	MSWDM.EXE	85
PID 2472 wrote to memory of 4092	2472	MSWDM.EXE	92
PID 2472 wrote to memory of 4092	2472	MSWDM.EXE	92
PID 2472 wrote to memory of 4092	2472	MSWDM.EXE	92

C:\Users\Admin\AppData\Local\Temp\eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe
"C:\Users\Admin\AppData\Local\Temp\eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:116
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2184
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev5803.tmp!C:\Users\Admin\AppData\Local\Temp\eac781cfd613b3d0cfad7e35123c525dcc73b07bb718df196a2f44cdf94997fb.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\EAC781CFD613B3D0CFAD7E35123C525DCC73B07BB718DF196A2F44CDF94997FB.EXE
    3⤵
    - Executes dropped EXE
    PID:468
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev5803.tmp!C:\Users\Admin\AppData\Local\Temp\EAC781CFD613B3D0CFAD7E35123C525DCC73B07BB718DF196A2F44CDF94997FB.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EAC781CFD613B3D0CFAD7E35123C525DCC73B07BB718DF196A2F44CDF94997FB.EXE

Filesize
2.2MB

MD5
84bb42a11018cdc8b5e027c93271f8e1

SHA1
7d9ceaaf2d811cbf0e92d34230efe9f1d8f7cf65

SHA256
d8237da9f6b9c81c88b45249269eae38c1547e5fe0ec199c93a486c246794137

SHA512
4bb7eb1db932ef59302218585fc69c65d714e936fdf62097eb6f064f2c8da0295e9f097ebfdf84fa9b7cfd2e69900faed8074b0c137102899427445c47210ce3

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
501f727fd29030d1af7937cf02748bf1

SHA1
db54ea740e13b5b7c5eae0c46ba35ee24bb63f26

SHA256
8a2d9932962112f5140a01e9bd386ea41a62fd198ee15bab09441d230a2d505f

SHA512
32bc9f567399b102e5230a4c4b2e4e1fe3fdb8273effb385119092d6e9961b47918336b69dfb725c9bc6e7ad2bdfdd4fc9e9492351be696bc43a721fb750de0e

Download Submit
C:\Windows\dev5803.tmp

Filesize
2.1MB

MD5
b8d69fa2755c3ab1f12f8866a8e2a4f7

SHA1
8e3cdfb20e158c2906323ba0094a18c7dd2aaf2d

SHA256
7e0976036431640ae1d9f1c0b52bcea5dd37ef86cd3f5304dc8a96459d9483cd

SHA512
5acac46068b331216978500f67a7fa5257bc5b05133fab6d88280b670ae4885ef2d5d1f531169b66bf1952e082f56b1ad2bc3901479b740f96c53ea405adda18

Download Submit
memory/116-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/116-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2184-6-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2184-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2472-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2472-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4092-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads