88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b

General

Target

88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe
Size

723KB
MD5

f3a1211731865ab767a74d15b6453860
SHA1

89f1aca5ff6ce85db7fa3feb03ba83e006eddf6d
SHA256

88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b
SHA512

22795cf567a775376fcd51902fb11b5ba2a2d0683f2c1470e07fa913d318e4a503e3415d0f75ed27184248888c67abd8089c5c34098abb9895ee6f68578af3c3
SSDEEP

12288:+AfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXVD:+sLOS2opPIXVD

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1436-0-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
C:\Windows\MSWDM.EXE	UPX
behavioral2/memory/1436-11-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral2/memory/1320-9-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral2/memory/220-18-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXE	UPX
behavioral2/memory/220-21-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral2/memory/1320-24-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral2/memory/2180-25-0x0000000000400000-0x0000000000418000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXE88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXEMSWDM.EXE

pid process

2180 MSWDM.EXE
1320 MSWDM.EXE
3880 88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXE
220 MSWDM.EXE

pid	process
2180	MSWDM.EXE
1320	MSWDM.EXE
3880	88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXE
220	MSWDM.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1436-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
C:\Windows\MSWDM.EXE	upx
behavioral2/memory/1436-11-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/1320-9-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/220-18-0x0000000000400000-0x0000000000418000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXE	upx
behavioral2/memory/220-21-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/1320-24-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/2180-25-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exeMSWDM.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

Processes:

88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exeMSWDM.EXE

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe
File opened for modification	C:\Windows\devFF20.tmp	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe
File opened for modification	C:\Windows\devFF20.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSWDM.EXE

pid process

1320 MSWDM.EXE
1320 MSWDM.EXE

pid	process
1320	MSWDM.EXE
1320	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exeMSWDM.EXE

description	pid	process	target process
PID 1436 wrote to memory of 2180	1436	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe	MSWDM.EXE
PID 1436 wrote to memory of 2180	1436	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe	MSWDM.EXE
PID 1436 wrote to memory of 2180	1436	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe	MSWDM.EXE
PID 1436 wrote to memory of 1320	1436	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe	MSWDM.EXE
PID 1436 wrote to memory of 1320	1436	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe	MSWDM.EXE
PID 1436 wrote to memory of 1320	1436	88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe	MSWDM.EXE
PID 1320 wrote to memory of 3880	1320	MSWDM.EXE	88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXE
PID 1320 wrote to memory of 3880	1320	MSWDM.EXE	88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXE
PID 1320 wrote to memory of 220	1320	MSWDM.EXE	MSWDM.EXE
PID 1320 wrote to memory of 220	1320	MSWDM.EXE	MSWDM.EXE
PID 1320 wrote to memory of 220	1320	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe
"C:\Users\Admin\AppData\Local\Temp\88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1436

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2180

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\devFF20.tmp!C:\Users\Admin\AppData\Local\Temp\88df7525b7fcd140e3dfcd70c00a5c0607aa29ca657ef4ca1883df7b3750529b.exe! !
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Local\Temp\88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXE
3⤵
- Executes dropped EXE
PID:3880

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\devFF20.tmp!C:\Users\Admin\AppData\Local\Temp\88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4052 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\88DF7525B7FCD140E3DFCD70C00A5C0607AA29CA657EF4CA1883DF7B3750529B.EXE

Filesize
723KB

MD5
37b8ed83b6591037e72cfafff52031d4

SHA1
cd89f0b4a9e1fa58c1d44572dbe338a4a0b66448

SHA256
cd852cd68e108085f9a518fc50b847c04e486624dc1ee97e5f93380f8b02a97e

SHA512
4abb87673392a7d857353390a2ffbadba50f1d7e446e4593e01893870c9d55e2677fa8049c5c0880b84c1d9e4f2e97568470c8b3bd3211d86380a17e2e6f86ce

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
36b594ef79ea6d5f2ae23b4dbd940245

SHA1
7f016dde472df1dc3e0377d88c05475207bc44b3

SHA256
af3eb1fff772cba996abad554c8b9b73d92706b8f8a40cd7d07a170d41bed0d9

SHA512
d48a9b0d23d97afe6deb4a6f26174b1d812d0069bb5ec2496f6ec4d22ce070564f5e4d465394b63328bc8dc857a4462e6aea57bbde2c607d51c9e1d0addf673e

Download Submit
C:\Windows\devFF20.tmp

Filesize
684KB

MD5
50f289df0c19484e970849aac4e6f977

SHA1
3dc77c8830836ab844975eb002149b66da2e10be

SHA256
b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

SHA512
877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

Download Submit
memory/220-18-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/220-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1320-9-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1320-24-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1436-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1436-11-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2180-25-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads