92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e

General

Target

92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe
Size

153KB
MD5

f54eced60418662afc8fac123cb2c465
SHA1

3cd13c09ebfbf015d07d48ecec1fa0ae8f48c6b7
SHA256

92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e
SHA512

856ae108c5fced6082454116834c245892e143f9e7e023478365b86f5d8321d3bc792d140e8887553e87dddeda15ff6e4133a70e7d0fd5164baf0d91f9aa1f8c
SSDEEP

3072:HQC/yj5JO3MnlgG+Hu54Fx4xE8PpsgozqC4O/jHxo6l0PTBuJBQbRQ5WFq:wlj7cMn3+OEXyps5N/jHxn0l7xFq

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3724-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\WINDOWS\MSWDM.EXE	UPX
behavioral2/memory/4368-11-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/3012-10-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/3724-9-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/2520-19-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe	UPX
behavioral2/memory/4368-23-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/3012-24-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXE92BDFDF76B074E76935649922C67AC1419A075CCD8E85D6019792559464D441E.EXEMSWDM.EXE

pid process

3012 MSWDM.EXE
4368 MSWDM.EXE
948 92BDFDF76B074E76935649922C67AC1419A075CCD8E85D6019792559464D441E.EXE
2520 MSWDM.EXE

pid	process
3012	MSWDM.EXE
4368	MSWDM.EXE
948	92BDFDF76B074E76935649922C67AC1419A075CCD8E85D6019792559464D441E.EXE
2520	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MSWDM.EXE92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe

Drops file in Windows directory 3 IoCs

Processes:

92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exeMSWDM.EXE

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe
File opened for modification	C:\Windows\dev3B73.tmp	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe
File opened for modification	C:\Windows\dev3B73.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSWDM.EXE

pid process

4368 MSWDM.EXE
4368 MSWDM.EXE

pid	process
4368	MSWDM.EXE
4368	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exeMSWDM.EXE

description	pid	process	target process
PID 3724 wrote to memory of 3012	3724	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe	MSWDM.EXE
PID 3724 wrote to memory of 3012	3724	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe	MSWDM.EXE
PID 3724 wrote to memory of 3012	3724	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe	MSWDM.EXE
PID 3724 wrote to memory of 4368	3724	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe	MSWDM.EXE
PID 3724 wrote to memory of 4368	3724	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe	MSWDM.EXE
PID 3724 wrote to memory of 4368	3724	92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe	MSWDM.EXE
PID 4368 wrote to memory of 948	4368	MSWDM.EXE	92BDFDF76B074E76935649922C67AC1419A075CCD8E85D6019792559464D441E.EXE
PID 4368 wrote to memory of 948	4368	MSWDM.EXE	92BDFDF76B074E76935649922C67AC1419A075CCD8E85D6019792559464D441E.EXE
PID 4368 wrote to memory of 2520	4368	MSWDM.EXE	MSWDM.EXE
PID 4368 wrote to memory of 2520	4368	MSWDM.EXE	MSWDM.EXE
PID 4368 wrote to memory of 2520	4368	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe
"C:\Users\Admin\AppData\Local\Temp\92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3724

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3012

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev3B73.tmp!C:\Users\Admin\AppData\Local\Temp\92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe! !
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4368

C:\Users\Admin\AppData\Local\Temp\92BDFDF76B074E76935649922C67AC1419A075CCD8E85D6019792559464D441E.EXE
3⤵
- Executes dropped EXE
PID:948

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev3B73.tmp!C:\Users\Admin\AppData\Local\Temp\92BDFDF76B074E76935649922C67AC1419A075CCD8E85D6019792559464D441E.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe

Filesize
153KB

MD5
6e31645060f45770fb99929a859a80da

SHA1
34e248f47219ebc07715a66d693e733b266e4feb

SHA256
b0c33c36c2e5cade15c9420adad5876b5f5c0272d3a4be7cdd3101786c9cbf40

SHA512
3305ef8b9e3de2b0c22517317cfc79ce99f744fb2c7a7ad914d9276983fa4774a53ea498f84f2b7543ffb41db6b195a6f75c3dfa8373c3452b6eb571b36cb1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\92bdfdf76b074e76935649922c67ac1419a075ccd8e85d6019792559464d441e.exe

Filesize
153KB

MD5
66cd8227667531f43c7c745a80d2cd4e

SHA1
778ca0ef43e526d95d2b3242ae9b6e44b8f61c2c

SHA256
b4f7fc7a1e548f1813ebf1944f66c943594886c19db63a54d24fb030ceacdf90

SHA512
93153f965983d407ede316fcb5dedadc78039bb913cf354ab9e8586dfcf35398ff3bc1622c3acff320dfab99eff5e084110f86e51983a074ccfc22c69cf01012

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
80KB

MD5
17f839c1b36aa7df4bbd73a247689d6a

SHA1
b49095efb08f54a91bcfb47bf93453179707bbcb

SHA256
c6ddd49456130b3007242e59ea7f5dbc4ba5fd11abf9c54ad5a1d6163104305c

SHA512
89d0f81951735e5afa7f027d2e14144a8dfe884f85a37641962ff02326d17a03eb1f51dbf1a6154e33208d6adaf271ec64db3aa8faea3acc3604a401fe296c9b

Download Submit
C:\Windows\dev3B73.tmp

Filesize
73KB

MD5
2ffc9a24492c0a1af4d562f0c7608aa5

SHA1
1fd5ff6136fba36e9ee22598ecd250af3180ee53

SHA256
69828c857d4824b9f850b1e0597d2c134c91114b7a0774c41dffe33b0eb23721

SHA512
03806d162931b1dcf036a51e753ff073a43664491a3cd2e649e55dd77d5e910f7bcf1e217eb0889ef606457b679428640e975ee227de941a200f652417bc6d5d

Download Submit
memory/2520-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3724-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3724-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4368-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4368-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads