88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b

General

Target

88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe
Size

723KB
MD5

f3a1211731865ab767a74d15b6453860
SHA1

89f1aca5ff6ce85db7fa3feb03ba83e006eddf6d
SHA256

88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b
SHA512

22795cf567a775376fcd51902fb11b5ba2a2d0683f2c1470e07fa913d318e4a503e3415d0f75ed27184248888c67abd8089c5c34098abb9895ee6f68578af3c3
SSDEEP

12288:+AfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXVD:+sLOS2opPIXVD

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3008-0-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
C:\Windows\MSWDM.EXE	UPX
behavioral1/memory/2852-20-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/memory/3008-17-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/memory/2084-14-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXE	UPX
behavioral1/memory/2852-40-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/memory/2644-37-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/memory/2644-32-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/memory/2084-41-0x0000000000400000-0x0000000000418000-memory.dmp	UPX

Executes dropped EXE 5 IoCs

Processes:

MSWDM.EXEMSWDM.EXE88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXEMSWDM.EXE

pid process

2084 MSWDM.EXE
2852 MSWDM.EXE
2716 88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXE
1228
2644 MSWDM.EXE
Loads dropped DLL 2 IoCs

Processes:

MSWDM.EXE

pid process

2852 MSWDM.EXE
2852 MSWDM.EXE

pid	process
2084	MSWDM.EXE
2852	MSWDM.EXE
2716	88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXE
1228
2644	MSWDM.EXE

pid	process
2852	MSWDM.EXE
2852	MSWDM.EXE

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3008-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
C:\Windows\MSWDM.EXE	upx
behavioral1/memory/2852-20-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/3008-17-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2084-14-0x0000000000400000-0x0000000000418000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXE	upx
behavioral1/memory/2852-40-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2644-37-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2644-32-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2084-41-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exeMSWDM.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

Processes:

88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exeMSWDM.EXE

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe
File opened for modification	C:\Windows\dev780.tmp	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe
File opened for modification	C:\Windows\dev780.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSWDM.EXE

pid process

2852 MSWDM.EXE

pid	process
2852	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exeMSWDM.EXE

description	pid	process	target process
PID 3008 wrote to memory of 2084	3008	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe	MSWDM.EXE
PID 3008 wrote to memory of 2084	3008	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe	MSWDM.EXE
PID 3008 wrote to memory of 2084	3008	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe	MSWDM.EXE
PID 3008 wrote to memory of 2084	3008	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe	MSWDM.EXE
PID 3008 wrote to memory of 2852	3008	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe	MSWDM.EXE
PID 3008 wrote to memory of 2852	3008	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe	MSWDM.EXE
PID 3008 wrote to memory of 2852	3008	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe	MSWDM.EXE
PID 3008 wrote to memory of 2852	3008	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe	MSWDM.EXE
PID 2852 wrote to memory of 2716	2852	MSWDM.EXE	88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXE
PID 2852 wrote to memory of 2716	2852	MSWDM.EXE	88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXE
PID 2852 wrote to memory of 2716	2852	MSWDM.EXE	88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXE
PID 2852 wrote to memory of 2716	2852	MSWDM.EXE	88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXE
PID 2852 wrote to memory of 2644	2852	MSWDM.EXE	MSWDM.EXE
PID 2852 wrote to memory of 2644	2852	MSWDM.EXE	MSWDM.EXE
PID 2852 wrote to memory of 2644	2852	MSWDM.EXE	MSWDM.EXE
PID 2852 wrote to memory of 2644	2852	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe
"C:\Users\Admin\AppData\Local\Temp\88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3008

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2084

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev780.tmp!C:\Users\Admin\AppData\Local\Temp\88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe! !
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2852

C:\Users\Admin\AppData\Local\Temp\88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXE
3⤵
- Executes dropped EXE
PID:2716

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev780.tmp!C:\Users\Admin\AppData\Local\Temp\88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXE

Filesize
723KB

MD5
4553655cdd143dc0c72ffeb0c242aae1

SHA1
88481f998bebfca6415b077282a2241c313e0623

SHA256
a4c96280259237ea1e0a4114459e1409a0157afe1a8dfbe0668c7c1d5a99aee9

SHA512
ab964449e0398a6495d7d71c7f014f113f5c9a35ca842f50a083112e3aa0a34bb159b839a4581a95def99b7fd04c62baa987348de7f9349feaea18f6db61a20b

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
36b594ef79ea6d5f2ae23b4dbd940245

SHA1
7f016dde472df1dc3e0377d88c05475207bc44b3

SHA256
af3eb1fff772cba996abad554c8b9b73d92706b8f8a40cd7d07a170d41bed0d9

SHA512
d48a9b0d23d97afe6deb4a6f26174b1d812d0069bb5ec2496f6ec4d22ce070564f5e4d465394b63328bc8dc857a4462e6aea57bbde2c607d51c9e1d0addf673e

Download Submit
C:\Windows\dev780.tmp

Filesize
684KB

MD5
50f289df0c19484e970849aac4e6f977

SHA1
3dc77c8830836ab844975eb002149b66da2e10be

SHA256
b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

SHA512
877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

Download Submit
memory/2084-14-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2084-41-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2644-37-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2644-32-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2852-20-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2852-40-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3008-18-0x0000000000250000-0x0000000000268000-memory.dmp

Filesize
96KB

Download
memory/3008-6-0x0000000000250000-0x0000000000268000-memory.dmp

Filesize
96KB

Download
memory/3008-17-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3008-16-0x0000000000250000-0x0000000000268000-memory.dmp

Filesize
96KB

Download
memory/3008-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3008-7-0x0000000000250000-0x0000000000268000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads