137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918

General

Target

137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe
Size

506KB
MD5

110c9d0751fc34165b2ac572d1da64b1
SHA1

b8f495f76da0467fc0a57c8312b4e2b1ce0fc38a
SHA256

137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918
SHA512

32219b18bb42bb2b8f7cead20e7598b28dfd2de2b2f561bcd1d7c4f0db96d9b0554b97044400d0c66c222838deb26190e6f0d2da256517828d3d714154861f99
SSDEEP

12288:wlbU+M1gL5pRTcAkS/3hzN8qE43fm78V8:WbU+p5jcAkSYqyE8

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2204-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2204-12-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/3036-14-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2212-21-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\WINDOWS\MSWDM.EXE	UPX
behavioral1/memory/2608-30-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\137DA267595362D0DD8C7DB94C1B3EDE5DBF1C50DB11910F1E744FF6B1F33918.EXE	UPX
behavioral1/memory/3036-33-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2212-34-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXE137DA267595362D0DD8C7DB94C1B3EDE5DBF1C50DB11910F1E744FF6B1F33918.EXEMSWDM.EXE

pid process

3036 MSWDM.EXE
2212 MSWDM.EXE
2592 137DA267595362D0DD8C7DB94C1B3EDE5DBF1C50DB11910F1E744FF6B1F33918.EXE
2608 MSWDM.EXE
Loads dropped DLL 2 IoCs

Processes:

MSWDM.EXE

pid process

3036 MSWDM.EXE
2712

pid	process
3036	MSWDM.EXE
2212	MSWDM.EXE
2592	137DA267595362D0DD8C7DB94C1B3EDE5DBF1C50DB11910F1E744FF6B1F33918.EXE
2608	MSWDM.EXE

pid	process
3036	MSWDM.EXE
2712

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MSWDM.EXE137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

Processes:

137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exeMSWDM.EXE

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe
File opened for modification	C:\Windows\devE24.tmp	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe
File opened for modification	C:\Windows\devE24.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSWDM.EXE

pid process

3036 MSWDM.EXE

pid	process
3036	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exeMSWDM.EXE

description	pid	process	target process
PID 2204 wrote to memory of 2212	2204	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe	MSWDM.EXE
PID 2204 wrote to memory of 2212	2204	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe	MSWDM.EXE
PID 2204 wrote to memory of 2212	2204	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe	MSWDM.EXE
PID 2204 wrote to memory of 2212	2204	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe	MSWDM.EXE
PID 2204 wrote to memory of 3036	2204	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe	MSWDM.EXE
PID 2204 wrote to memory of 3036	2204	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe	MSWDM.EXE
PID 2204 wrote to memory of 3036	2204	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe	MSWDM.EXE
PID 2204 wrote to memory of 3036	2204	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe	MSWDM.EXE
PID 3036 wrote to memory of 2592	3036	MSWDM.EXE	137DA267595362D0DD8C7DB94C1B3EDE5DBF1C50DB11910F1E744FF6B1F33918.EXE
PID 3036 wrote to memory of 2592	3036	MSWDM.EXE	137DA267595362D0DD8C7DB94C1B3EDE5DBF1C50DB11910F1E744FF6B1F33918.EXE
PID 3036 wrote to memory of 2592	3036	MSWDM.EXE	137DA267595362D0DD8C7DB94C1B3EDE5DBF1C50DB11910F1E744FF6B1F33918.EXE
PID 3036 wrote to memory of 2592	3036	MSWDM.EXE	137DA267595362D0DD8C7DB94C1B3EDE5DBF1C50DB11910F1E744FF6B1F33918.EXE
PID 3036 wrote to memory of 2608	3036	MSWDM.EXE	MSWDM.EXE
PID 3036 wrote to memory of 2608	3036	MSWDM.EXE	MSWDM.EXE
PID 3036 wrote to memory of 2608	3036	MSWDM.EXE	MSWDM.EXE
PID 3036 wrote to memory of 2608	3036	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe
"C:\Users\Admin\AppData\Local\Temp\137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2204

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2212

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\devE24.tmp!C:\Users\Admin\AppData\Local\Temp\137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe! !
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\137DA267595362D0DD8C7DB94C1B3EDE5DBF1C50DB11910F1E744FF6B1F33918.EXE
3⤵
- Executes dropped EXE
PID:2592

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\devE24.tmp!C:\Users\Admin\AppData\Local\Temp\137DA267595362D0DD8C7DB94C1B3EDE5DBF1C50DB11910F1E744FF6B1F33918.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2608

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\137DA267595362D0DD8C7DB94C1B3EDE5DBF1C50DB11910F1E744FF6B1F33918.EXE
Filesize
506KB

MD5
91091f0f571018dd5703847cea5df3a0

SHA1
33e4cb25b907cd6e65065a663778a45299548b3d

SHA256
083f0bd5f4c000f8777d6098014a48b9d6b1de8d087ee635e0c3019c1315de16

SHA512
db99d3c655ea3073ad329e716230513c69db85d31ebb54370afa004e4f2f1aa95aa31d21a55e8cc5ec844105a1db3942eff08d9b41e0d3c945bbacd0be1bc660

Download Submit
C:\WINDOWS\MSWDM.EXE
Filesize
48KB

MD5
bbbb0cd00ecee4398cfbb727e05fc129

SHA1
f5e881fe23eed99368e64f59bcff02ac803ec8ea

SHA256
13c373c306bf19c9926d4d44d2f6d1789938436821ad2a0de9b58ddb86ef6b15

SHA512
cfd58804e453d022a62715fa236a974ec693296dc634821c9051c77467b35d83e3d89d178a2c1cf37d21f7e6a6a147ff51b82a475ed1d3d5403ca165dc6bcb8b

Download Submit
\Users\Admin\AppData\Local\Temp\137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/2204-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2204-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2212-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2212-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2608-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3036-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3036-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3036-24-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads