2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a

General

Target

2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe
Size

299KB
MD5

68b791bc4d8204b1a42e14535d92dd75
SHA1

f042863fa3fd449781e6a6c3b84947e81c17010f
SHA256

2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a
SHA512

d0d575bd2c5c22c97c5046a3141e062532fa6d20de457318aa3cd152344b0952f45a6a1428163adf7a39438bd5c8b2958f1c305fedd8b25527806b6ae433e97c
SSDEEP

6144:wlj7cMnd+OEXmjDWxgkiRaxBgV48MzA69VDEz5yTB5xAuFQfap:wlbd+GvWxjwOJ6z4Tfx9QfS

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2740-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\Windows\MSWDM.EXE	UPX
behavioral1/memory/2208-19-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/1968-17-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2740-14-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2208-35-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\2AA6CAA9C12360201F8E052DE352777B0470E8C53084467DDDDF8E6C1DDE5C4A.EXE	UPX
behavioral1/memory/2952-32-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/1968-36-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 5 IoCs

Processes:

MSWDM.EXEMSWDM.EXE2AA6CAA9C12360201F8E052DE352777B0470E8C53084467DDDDF8E6C1DDE5C4A.EXEMSWDM.EXE

pid process

1968 MSWDM.EXE
2208 MSWDM.EXE
2664 2AA6CAA9C12360201F8E052DE352777B0470E8C53084467DDDDF8E6C1DDE5C4A.EXE
1208
2952 MSWDM.EXE
Loads dropped DLL 1 IoCs

Processes:

MSWDM.EXE

pid process

2208 MSWDM.EXE

pid	process
1968	MSWDM.EXE
2208	MSWDM.EXE
2664	2AA6CAA9C12360201F8E052DE352777B0470E8C53084467DDDDF8E6C1DDE5C4A.EXE
1208
2952	MSWDM.EXE

pid	process
2208	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exeMSWDM.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

Processes:

2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exeMSWDM.EXE

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe
File opened for modification	C:\Windows\dev1A83.tmp	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe
File opened for modification	C:\Windows\dev1A83.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSWDM.EXE

pid process

2208 MSWDM.EXE

pid	process
2208	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exeMSWDM.EXE

description	pid	process	target process
PID 2740 wrote to memory of 1968	2740	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe	MSWDM.EXE
PID 2740 wrote to memory of 1968	2740	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe	MSWDM.EXE
PID 2740 wrote to memory of 1968	2740	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe	MSWDM.EXE
PID 2740 wrote to memory of 1968	2740	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe	MSWDM.EXE
PID 2740 wrote to memory of 2208	2740	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe	MSWDM.EXE
PID 2740 wrote to memory of 2208	2740	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe	MSWDM.EXE
PID 2740 wrote to memory of 2208	2740	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe	MSWDM.EXE
PID 2740 wrote to memory of 2208	2740	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe	MSWDM.EXE
PID 2208 wrote to memory of 2664	2208	MSWDM.EXE	2AA6CAA9C12360201F8E052DE352777B0470E8C53084467DDDDF8E6C1DDE5C4A.EXE
PID 2208 wrote to memory of 2664	2208	MSWDM.EXE	2AA6CAA9C12360201F8E052DE352777B0470E8C53084467DDDDF8E6C1DDE5C4A.EXE
PID 2208 wrote to memory of 2664	2208	MSWDM.EXE	2AA6CAA9C12360201F8E052DE352777B0470E8C53084467DDDDF8E6C1DDE5C4A.EXE
PID 2208 wrote to memory of 2664	2208	MSWDM.EXE	2AA6CAA9C12360201F8E052DE352777B0470E8C53084467DDDDF8E6C1DDE5C4A.EXE
PID 2208 wrote to memory of 2952	2208	MSWDM.EXE	MSWDM.EXE
PID 2208 wrote to memory of 2952	2208	MSWDM.EXE	MSWDM.EXE
PID 2208 wrote to memory of 2952	2208	MSWDM.EXE	MSWDM.EXE
PID 2208 wrote to memory of 2952	2208	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe
"C:\Users\Admin\AppData\Local\Temp\2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2740

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1968

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev1A83.tmp!C:\Users\Admin\AppData\Local\Temp\2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe! !
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Local\Temp\2AA6CAA9C12360201F8E052DE352777B0470E8C53084467DDDDF8E6C1DDE5C4A.EXE
3⤵
- Executes dropped EXE
PID:2664

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev1A83.tmp!C:\Users\Admin\AppData\Local\Temp\2AA6CAA9C12360201F8E052DE352777B0470E8C53084467DDDDF8E6C1DDE5C4A.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2AA6CAA9C12360201F8E052DE352777B0470E8C53084467DDDDF8E6C1DDE5C4A.EXE

Filesize
299KB

MD5
6cbbb7724c0b4a066282eed3949d21b1

SHA1
0ef7254db111df506d82e554df5676522e1d3ff9

SHA256
36897ed62e452a278de5b78107d0f28ea202ba5aa6ee000e96135c30fcf5f5be

SHA512
306f1a9c021e8efd5fb3f1ce6cf77904d8d60fdb8828450a98a588a5043243e67598411fbc5a3eb88df8e98d4cbb0844915bc707a39aa2fe6f49bc3bd9a284cd

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
ca1665aebc386a9e1e00e62a6f24bccd

SHA1
ace8a60b685b6e870d0952fd7de8b1157112db6a

SHA256
9a7574d09ccc52c090ac586db59b15f7295fb15f6c2a1492558cb6d4cfdd5d3d

SHA512
bd227870c2e6b67e11e532e43aecdd0af65745a31cc0beed86032bb00879a3eddeb9ddeae7bcc7089fee758179e2b7b9f567957f7f2fcfc69ed766d5feaa6d17

Download Submit
C:\Windows\dev1A83.tmp

Filesize
219KB

MD5
e2312f199976d03a7cf41e453c5af246

SHA1
c723bf05f7132c9b66c4f91d6cc363d08b4ed622

SHA256
84fe7824717bb55d7f32c7487e37012a1bc6cd4c8c0202be4bfb07e770f8dc51

SHA512
a5cad97d8bcf893b79eed436ae8df232d7e53df86a0ed38b381c128c5d8c76c0caad41407ed564f2ea2725236eb98ea6d29413886ea22371920bf2b498b49686

Download Submit
memory/1968-36-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1968-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2208-35-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2208-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2740-13-0x00000000002E0000-0x00000000002FB000-memory.dmp

Filesize
108KB

Download
memory/2740-12-0x00000000002E0000-0x00000000002FB000-memory.dmp

Filesize
108KB

Download
memory/2740-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2740-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2740-15-0x00000000002E0000-0x00000000002FB000-memory.dmp

Filesize
108KB

Download
memory/2740-37-0x00000000002E0000-0x00000000002FB000-memory.dmp

Filesize
108KB

Download
memory/2952-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads