92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e

General

Target

92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe
Size

153KB
MD5

f54eced60418662afc8fac123cb2c465
SHA1

3cd13c09ebfbf015d07d48ecec1fa0ae8f48c6b7
SHA256

92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e
SHA512

856ae108c5fced6082454116834c245892e143f9e7e023478365b86f5d8321d3bc792d140e8887553e87dddeda15ff6e4133a70e7d0fd5164baf0d91f9aa1f8c
SSDEEP

3072:HQC/yj5JO3MnlgG+Hu54Fx4xE8PpsgozqC4O/jHxo6l0PTBuJBQbRQ5WFq:wlj7cMn3+OEXyps5N/jHxn0l7xFq

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1740-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\Windows\MSWDM.EXE	UPX
behavioral1/memory/2448-24-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2392-23-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2392-32-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2780-29-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/1740-12-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2448-33-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXE92BDFDF76B074E76935649922C67AC1419A075CCD8E85D6019792559464D441E.EXEMSWDM.EXE

pid process

2392 MSWDM.EXE
2448 MSWDM.EXE
2676 92BDFDF76B074E76935649922C67AC1419A075CCD8E85D6019792559464D441E.EXE
2780 MSWDM.EXE
Loads dropped DLL 2 IoCs

Processes:

MSWDM.EXE

pid process

2392 MSWDM.EXE
2392 MSWDM.EXE

pid	process
2392	MSWDM.EXE
2448	MSWDM.EXE
2676	92BDFDF76B074E76935649922C67AC1419A075CCD8E85D6019792559464D441E.EXE
2780	MSWDM.EXE

pid	process
2392	MSWDM.EXE
2392	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MSWDM.EXE92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe

Drops file in Windows directory 2 IoCs

Processes:

92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe
File opened for modification	C:\Windows\devED0.tmp	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSWDM.EXE

pid process

2392 MSWDM.EXE

pid	process
2392	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exeMSWDM.EXE

description	pid	process	target process
PID 1740 wrote to memory of 2448	1740	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe	MSWDM.EXE
PID 1740 wrote to memory of 2448	1740	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe	MSWDM.EXE
PID 1740 wrote to memory of 2448	1740	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe	MSWDM.EXE
PID 1740 wrote to memory of 2448	1740	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe	MSWDM.EXE
PID 1740 wrote to memory of 2392	1740	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe	MSWDM.EXE
PID 1740 wrote to memory of 2392	1740	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe	MSWDM.EXE
PID 1740 wrote to memory of 2392	1740	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe	MSWDM.EXE
PID 1740 wrote to memory of 2392	1740	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe	MSWDM.EXE
PID 2392 wrote to memory of 2676	2392	MSWDM.EXE	92BDFDF76B074E76935649922C67AC1419A075CCD8E85D6019792559464D441E.EXE
PID 2392 wrote to memory of 2676	2392	MSWDM.EXE	92BDFDF76B074E76935649922C67AC1419A075CCD8E85D6019792559464D441E.EXE
PID 2392 wrote to memory of 2676	2392	MSWDM.EXE	92BDFDF76B074E76935649922C67AC1419A075CCD8E85D6019792559464D441E.EXE
PID 2392 wrote to memory of 2676	2392	MSWDM.EXE	92BDFDF76B074E76935649922C67AC1419A075CCD8E85D6019792559464D441E.EXE
PID 2392 wrote to memory of 2780	2392	MSWDM.EXE	MSWDM.EXE
PID 2392 wrote to memory of 2780	2392	MSWDM.EXE	MSWDM.EXE
PID 2392 wrote to memory of 2780	2392	MSWDM.EXE	MSWDM.EXE
PID 2392 wrote to memory of 2780	2392	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe
"C:\Users\Admin\AppData\Local\Temp\92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1740

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2448

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\devED0.tmp!C:\Users\Admin\AppData\Local\Temp\92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe! !
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2392

C:\Users\Admin\AppData\Local\Temp\92BDFDF76B074E76935649922C67AC1419A075CCD8E85D6019792559464D441E.EXE
3⤵
- Executes dropped EXE
PID:2676

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\devED0.tmp!C:\Users\Admin\AppData\Local\Temp\92BDFDF76B074E76935649922C67AC1419A075CCD8E85D6019792559464D441E.EXE!
3⤵
- Executes dropped EXE
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
17f839c1b36aa7df4bbd73a247689d6a

SHA1
b49095efb08f54a91bcfb47bf93453179707bbcb

SHA256
c6ddd49456130b3007242e59ea7f5dbc4ba5fd11abf9c54ad5a1d6163104305c

SHA512
89d0f81951735e5afa7f027d2e14144a8dfe884f85a37641962ff02326d17a03eb1f51dbf1a6154e33208d6adaf271ec64db3aa8faea3acc3604a401fe296c9b

Download Submit
C:\Windows\devED0.tmp

Filesize
73KB

MD5
2ffc9a24492c0a1af4d562f0c7608aa5

SHA1
1fd5ff6136fba36e9ee22598ecd250af3180ee53

SHA256
69828c857d4824b9f850b1e0597d2c134c91114b7a0774c41dffe33b0eb23721

SHA512
03806d162931b1dcf036a51e753ff073a43664491a3cd2e649e55dd77d5e910f7bcf1e217eb0889ef606457b679428640e975ee227de941a200f652417bc6d5d

Download Submit
memory/1740-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1740-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2392-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2392-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2392-26-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2448-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2448-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2780-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads