137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918

General

Target

137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe
Size

506KB
MD5

110c9d0751fc34165b2ac572d1da64b1
SHA1

b8f495f76da0467fc0a57c8312b4e2b1ce0fc38a
SHA256

137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918
SHA512

32219b18bb42bb2b8f7cead20e7598b28dfd2de2b2f561bcd1d7c4f0db96d9b0554b97044400d0c66c222838deb26190e6f0d2da256517828d3d714154861f99
SSDEEP

12288:wlbU+M1gL5pRTcAkS/3hzN8qE43fm78V8:WbU+p5jcAkSYqyE8

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1480-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\Windows\MSWDM.EXE	UPX
behavioral2/memory/2752-11-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/1480-7-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\137DA267595362D0DD8C7DB94C1B3EDE5DBF1C50DB11910F1E744FF6B1F33918.EXE	UPX
behavioral2/memory/776-20-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/2752-23-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/4336-24-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXE137DA267595362D0DD8C7DB94C1B3EDE5DBF1C50DB11910F1E744FF6B1F33918.EXEMSWDM.EXE

pid process

2752 MSWDM.EXE
4336 MSWDM.EXE
4392 137DA267595362D0DD8C7DB94C1B3EDE5DBF1C50DB11910F1E744FF6B1F33918.EXE
776 MSWDM.EXE

pid	process
2752	MSWDM.EXE
4336	MSWDM.EXE
4392	137DA267595362D0DD8C7DB94C1B3EDE5DBF1C50DB11910F1E744FF6B1F33918.EXE
776	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exeMSWDM.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

Processes:

137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exeMSWDM.EXE

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe
File opened for modification	C:\Windows\dev593C.tmp	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe
File opened for modification	C:\Windows\dev593C.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSWDM.EXE

pid process

2752 MSWDM.EXE
2752 MSWDM.EXE

pid	process
2752	MSWDM.EXE
2752	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exeMSWDM.EXE

description	pid	process	target process
PID 1480 wrote to memory of 4336	1480	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe	MSWDM.EXE
PID 1480 wrote to memory of 4336	1480	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe	MSWDM.EXE
PID 1480 wrote to memory of 4336	1480	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe	MSWDM.EXE
PID 1480 wrote to memory of 2752	1480	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe	MSWDM.EXE
PID 1480 wrote to memory of 2752	1480	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe	MSWDM.EXE
PID 1480 wrote to memory of 2752	1480	137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe	MSWDM.EXE
PID 2752 wrote to memory of 4392	2752	MSWDM.EXE	137DA267595362D0DD8C7DB94C1B3EDE5DBF1C50DB11910F1E744FF6B1F33918.EXE
PID 2752 wrote to memory of 4392	2752	MSWDM.EXE	137DA267595362D0DD8C7DB94C1B3EDE5DBF1C50DB11910F1E744FF6B1F33918.EXE
PID 2752 wrote to memory of 776	2752	MSWDM.EXE	MSWDM.EXE
PID 2752 wrote to memory of 776	2752	MSWDM.EXE	MSWDM.EXE
PID 2752 wrote to memory of 776	2752	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe
"C:\Users\Admin\AppData\Local\Temp\137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1480

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4336

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev593C.tmp!C:\Users\Admin\AppData\Local\Temp\137da267595362d0dd8c7db94c1b3ede5dbf1c50db11910f1e744ff6b1f33918.exe! !
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Local\Temp\137DA267595362D0DD8C7DB94C1B3EDE5DBF1C50DB11910F1E744FF6B1F33918.EXE
3⤵
- Executes dropped EXE
PID:4392

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev593C.tmp!C:\Users\Admin\AppData\Local\Temp\137DA267595362D0DD8C7DB94C1B3EDE5DBF1C50DB11910F1E744FF6B1F33918.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\137DA267595362D0DD8C7DB94C1B3EDE5DBF1C50DB11910F1E744FF6B1F33918.EXE

Filesize
506KB

MD5
95a8b4e4c53a1fb2b45207ff5796ceea

SHA1
50c6cef48407d0ae2e6cb528d31eece4999dc805

SHA256
49f9accf242534110fbfa85756987b5c005f021542e04db786f1a42365c87377

SHA512
e921f62ef1f1ae7c41401eca2638cc852daba96058a8f971887f79833416ea6747dac8133a165849e35dc9cc7ae3cb1201a7a7fc646629200277a19228a1b218

Download Submit
C:\Windows\MSWDM.EXE

Filesize
48KB

MD5
bbbb0cd00ecee4398cfbb727e05fc129

SHA1
f5e881fe23eed99368e64f59bcff02ac803ec8ea

SHA256
13c373c306bf19c9926d4d44d2f6d1789938436821ad2a0de9b58ddb86ef6b15

SHA512
cfd58804e453d022a62715fa236a974ec693296dc634821c9051c77467b35d83e3d89d178a2c1cf37d21f7e6a6a147ff51b82a475ed1d3d5403ca165dc6bcb8b

Download Submit
C:\Windows\dev593C.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/776-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1480-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1480-7-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2752-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2752-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4336-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads