a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282

General

Target

a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe
Size

554KB
MD5

aa171ed652d51e671d3499351cd1f2c8
SHA1

b6313a4d16630d0298da5752858da72f3f5267b9
SHA256

a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282
SHA512

56d66fb5ee600f52e41672fc82f7e935e89a60530904008a07bb40883278fb9241f8262663610ce2f493fd8fdbe1c7cc12ebd5cf27739aa749a1b60ceed1e336
SSDEEP

12288:+5rZ1I51gL5pRTcAkS/3hzN8qE43fm78V/:+VZuo5jcAkSYqyE/

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2456-0-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/memory/2456-12-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/memory/2984-14-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
C:\Windows\MSWDM.EXE	UPX
behavioral1/memory/2892-29-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\A7BE9E56ADB280595DEC7E77ABD65F17C3A1D059BF9D1BF04FBB2E2B47657282.EXE	UPX
behavioral1/memory/2984-32-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/memory/2616-33-0x0000000000400000-0x0000000000418000-memory.dmp	UPX

Executes dropped EXE 5 IoCs

Processes:

MSWDM.EXEMSWDM.EXEA7BE9E56ADB280595DEC7E77ABD65F17C3A1D059BF9D1BF04FBB2E2B47657282.EXEMSWDM.EXE

pid process

2984 MSWDM.EXE
2616 MSWDM.EXE
2596 A7BE9E56ADB280595DEC7E77ABD65F17C3A1D059BF9D1BF04FBB2E2B47657282.EXE
1204
2892 MSWDM.EXE
Loads dropped DLL 2 IoCs

Processes:

MSWDM.EXE

pid process

2984 MSWDM.EXE
2580

pid	process
2984	MSWDM.EXE
2616	MSWDM.EXE
2596	A7BE9E56ADB280595DEC7E77ABD65F17C3A1D059BF9D1BF04FBB2E2B47657282.EXE
1204
2892	MSWDM.EXE

pid	process
2984	MSWDM.EXE
2580

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2456-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2456-12-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2984-14-0x0000000000400000-0x0000000000418000-memory.dmp	upx
C:\Windows\MSWDM.EXE	upx
behavioral1/memory/2892-29-0x0000000000400000-0x0000000000418000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\A7BE9E56ADB280595DEC7E77ABD65F17C3A1D059BF9D1BF04FBB2E2B47657282.EXE	upx
behavioral1/memory/2984-32-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2616-33-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exeMSWDM.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

Processes:

a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exeMSWDM.EXE

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe
File opened for modification	C:\Windows\dev95BA.tmp	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe
File opened for modification	C:\Windows\dev95BA.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSWDM.EXE

pid process

2984 MSWDM.EXE

pid	process
2984	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exeMSWDM.EXE

description	pid	process	target process
PID 2456 wrote to memory of 2616	2456	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe	MSWDM.EXE
PID 2456 wrote to memory of 2616	2456	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe	MSWDM.EXE
PID 2456 wrote to memory of 2616	2456	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe	MSWDM.EXE
PID 2456 wrote to memory of 2616	2456	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe	MSWDM.EXE
PID 2456 wrote to memory of 2984	2456	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe	MSWDM.EXE
PID 2456 wrote to memory of 2984	2456	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe	MSWDM.EXE
PID 2456 wrote to memory of 2984	2456	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe	MSWDM.EXE
PID 2456 wrote to memory of 2984	2456	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe	MSWDM.EXE
PID 2984 wrote to memory of 2596	2984	MSWDM.EXE	A7BE9E56ADB280595DEC7E77ABD65F17C3A1D059BF9D1BF04FBB2E2B47657282.EXE
PID 2984 wrote to memory of 2596	2984	MSWDM.EXE	A7BE9E56ADB280595DEC7E77ABD65F17C3A1D059BF9D1BF04FBB2E2B47657282.EXE
PID 2984 wrote to memory of 2596	2984	MSWDM.EXE	A7BE9E56ADB280595DEC7E77ABD65F17C3A1D059BF9D1BF04FBB2E2B47657282.EXE
PID 2984 wrote to memory of 2596	2984	MSWDM.EXE	A7BE9E56ADB280595DEC7E77ABD65F17C3A1D059BF9D1BF04FBB2E2B47657282.EXE
PID 2984 wrote to memory of 2892	2984	MSWDM.EXE	MSWDM.EXE
PID 2984 wrote to memory of 2892	2984	MSWDM.EXE	MSWDM.EXE
PID 2984 wrote to memory of 2892	2984	MSWDM.EXE	MSWDM.EXE
PID 2984 wrote to memory of 2892	2984	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe
"C:\Users\Admin\AppData\Local\Temp\a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2456

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2616

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev95BA.tmp!C:\Users\Admin\AppData\Local\Temp\a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe! !
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2984

C:\Users\Admin\AppData\Local\Temp\A7BE9E56ADB280595DEC7E77ABD65F17C3A1D059BF9D1BF04FBB2E2B47657282.EXE
3⤵
- Executes dropped EXE
PID:2596

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev95BA.tmp!C:\Users\Admin\AppData\Local\Temp\A7BE9E56ADB280595DEC7E77ABD65F17C3A1D059BF9D1BF04FBB2E2B47657282.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2892

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A7BE9E56ADB280595DEC7E77ABD65F17C3A1D059BF9D1BF04FBB2E2B47657282.EXE
Filesize
554KB

MD5
c148c03d3fa771f1c7fb6134f6d4b89c

SHA1
0d403417a7e432495770a57be6fe55c19a0a74b9

SHA256
174c87582793d15a028873acb01452056fe490c2c5c33bd6323843a9200581fc

SHA512
7c3abd99123c8dab7f9c5f0469709bb6eb60f490f19dfb2baaa6d5f92255d9154b4c7e0d444c73c28826eadec20384f2933a945bae193cb3ef0573e600ab43ed

Download Submit
C:\Windows\MSWDM.EXE
Filesize
96KB

MD5
e56e5f730a3e9f86675b2307c1f4f346

SHA1
303676e53702ff3de7761d79781620f1c06a2801

SHA256
c46de8447193bdfba6d4310accc5a3a7ec1ad1fd53aea39c1604d0f93a63d884

SHA512
986c39e9f0a81018658648a363e906a6f6c8423e1dd901a237db7c57463d2cb1c473d44d111eadd3a6b854a1bb39e61a0ee0a53426d1fd3fe4179a98f68571dd

Download Submit
C:\Windows\dev95BA.tmp
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/2456-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2456-12-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2616-33-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2892-29-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2984-14-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2984-32-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads