2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a

General

Target

2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe
Size

299KB
MD5

68b791bc4d8204b1a42e14535d92dd75
SHA1

f042863fa3fd449781e6a6c3b84947e81c17010f
SHA256

2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a
SHA512

d0d575bd2c5c22c97c5046a3141e062532fa6d20de457318aa3cd152344b0952f45a6a1428163adf7a39438bd5c8b2958f1c305fedd8b25527806b6ae433e97c
SSDEEP

6144:wlj7cMnd+OEXmjDWxgkiRaxBgV48MzA69VDEz5yTB5xAuFQfap:wlbd+GvWxjwOJ6z4Tfx9QfS

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3224-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\WINDOWS\MSWDM.EXE	UPX
behavioral2/memory/220-10-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/3224-9-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/2120-20-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe	UPX
behavioral2/memory/4600-23-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/220-24-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXE2AA6CAA9C12360201F8E052DE352777B0470E8C53084467DDDDF8E6C1DDE5C4A.EXEMSWDM.EXE

pid process

220 MSWDM.EXE
4600 MSWDM.EXE
732 2AA6CAA9C12360201F8E052DE352777B0470E8C53084467DDDDF8E6C1DDE5C4A.EXE
2120 MSWDM.EXE

pid	process
220	MSWDM.EXE
4600	MSWDM.EXE
732	2AA6CAA9C12360201F8E052DE352777B0470E8C53084467DDDDF8E6C1DDE5C4A.EXE
2120	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exeMSWDM.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

Processes:

2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exeMSWDM.EXE

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe
File opened for modification	C:\Windows\dev592C.tmp	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe
File opened for modification	C:\Windows\dev592C.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSWDM.EXE

pid process

4600 MSWDM.EXE
4600 MSWDM.EXE

pid	process
4600	MSWDM.EXE
4600	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exeMSWDM.EXE

description	pid	process	target process
PID 3224 wrote to memory of 220	3224	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe	MSWDM.EXE
PID 3224 wrote to memory of 220	3224	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe	MSWDM.EXE
PID 3224 wrote to memory of 220	3224	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe	MSWDM.EXE
PID 3224 wrote to memory of 4600	3224	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe	MSWDM.EXE
PID 3224 wrote to memory of 4600	3224	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe	MSWDM.EXE
PID 3224 wrote to memory of 4600	3224	2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe	MSWDM.EXE
PID 4600 wrote to memory of 732	4600	MSWDM.EXE	2AA6CAA9C12360201F8E052DE352777B0470E8C53084467DDDDF8E6C1DDE5C4A.EXE
PID 4600 wrote to memory of 732	4600	MSWDM.EXE	2AA6CAA9C12360201F8E052DE352777B0470E8C53084467DDDDF8E6C1DDE5C4A.EXE
PID 4600 wrote to memory of 2120	4600	MSWDM.EXE	MSWDM.EXE
PID 4600 wrote to memory of 2120	4600	MSWDM.EXE	MSWDM.EXE
PID 4600 wrote to memory of 2120	4600	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe
"C:\Users\Admin\AppData\Local\Temp\2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3224

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:220

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev592C.tmp!C:\Users\Admin\AppData\Local\Temp\2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe! !
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4600

C:\Users\Admin\AppData\Local\Temp\2AA6CAA9C12360201F8E052DE352777B0470E8C53084467DDDDF8E6C1DDE5C4A.EXE
3⤵
- Executes dropped EXE
PID:732

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev592C.tmp!C:\Users\Admin\AppData\Local\Temp\2AA6CAA9C12360201F8E052DE352777B0470E8C53084467DDDDF8E6C1DDE5C4A.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2aa6caa9c12360201f8e052de352777b0470e8c53084467ddddf8e6c1dde5c4a.exe

Filesize
299KB

MD5
2b08eea2e4591cb2eb523c3f76a329d5

SHA1
2c4d9518aa2e0089c19a5675153e0aa0b76ce7fc

SHA256
fc01f0cf93896cebce4e8183e8f9bb0435a929c03f1a603d0dfe1ad09178da33

SHA512
4ecdcda14295a459873a1c56207cf601d8e0fe2b6350c4911770588c109b0a31b3790bb6ccf5a0317aa5eb3c02afbb710b17f2e5b6b6ebb6c5f72c28c17e1698

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
80KB

MD5
ca1665aebc386a9e1e00e62a6f24bccd

SHA1
ace8a60b685b6e870d0952fd7de8b1157112db6a

SHA256
9a7574d09ccc52c090ac586db59b15f7295fb15f6c2a1492558cb6d4cfdd5d3d

SHA512
bd227870c2e6b67e11e532e43aecdd0af65745a31cc0beed86032bb00879a3eddeb9ddeae7bcc7089fee758179e2b7b9f567957f7f2fcfc69ed766d5feaa6d17

Download Submit
C:\Windows\dev592C.tmp

Filesize
219KB

MD5
e2312f199976d03a7cf41e453c5af246

SHA1
c723bf05f7132c9b66c4f91d6cc363d08b4ed622

SHA256
84fe7824717bb55d7f32c7487e37012a1bc6cd4c8c0202be4bfb07e770f8dc51

SHA512
a5cad97d8bcf893b79eed436ae8df232d7e53df86a0ed38b381c128c5d8c76c0caad41407ed564f2ea2725236eb98ea6d29413886ea22371920bf2b498b49686

Download Submit
memory/220-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/220-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2120-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3224-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3224-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4600-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads