a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282

General

Target

a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe
Size

554KB
MD5

aa171ed652d51e671d3499351cd1f2c8
SHA1

b6313a4d16630d0298da5752858da72f3f5267b9
SHA256

a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282
SHA512

56d66fb5ee600f52e41672fc82f7e935e89a60530904008a07bb40883278fb9241f8262663610ce2f493fd8fdbe1c7cc12ebd5cf27739aa749a1b60ceed1e336
SSDEEP

12288:+5rZ1I51gL5pRTcAkS/3hzN8qE43fm78V/:+VZuo5jcAkSYqyE/

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4236-0-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
C:\Windows\MSWDM.EXE	UPX
behavioral2/memory/4232-10-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral2/memory/4236-8-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe	UPX
behavioral2/memory/4728-20-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral2/memory/1460-23-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral2/memory/4232-24-0x0000000000400000-0x0000000000418000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXEA7BE9E56ADB280595DEC7E77ABD65F17C3A1D059BF9D1BF04FBB2E2B47657282.EXEMSWDM.EXE

pid process

4232 MSWDM.EXE
1460 MSWDM.EXE
3492 A7BE9E56ADB280595DEC7E77ABD65F17C3A1D059BF9D1BF04FBB2E2B47657282.EXE
4728 MSWDM.EXE

pid	process
4232	MSWDM.EXE
1460	MSWDM.EXE
3492	A7BE9E56ADB280595DEC7E77ABD65F17C3A1D059BF9D1BF04FBB2E2B47657282.EXE
4728	MSWDM.EXE

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4236-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
C:\Windows\MSWDM.EXE	upx
behavioral2/memory/4232-10-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/4236-8-0x0000000000400000-0x0000000000418000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe	upx
behavioral2/memory/4728-20-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/1460-23-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/4232-24-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exeMSWDM.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

Processes:

a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exeMSWDM.EXE

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe
File opened for modification	C:\Windows\devE6B6.tmp	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe
File opened for modification	C:\Windows\devE6B6.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSWDM.EXE

pid process

1460 MSWDM.EXE
1460 MSWDM.EXE

pid	process
1460	MSWDM.EXE
1460	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exeMSWDM.EXE

description	pid	process	target process
PID 4236 wrote to memory of 4232	4236	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe	MSWDM.EXE
PID 4236 wrote to memory of 4232	4236	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe	MSWDM.EXE
PID 4236 wrote to memory of 4232	4236	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe	MSWDM.EXE
PID 4236 wrote to memory of 1460	4236	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe	MSWDM.EXE
PID 4236 wrote to memory of 1460	4236	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe	MSWDM.EXE
PID 4236 wrote to memory of 1460	4236	a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe	MSWDM.EXE
PID 1460 wrote to memory of 3492	1460	MSWDM.EXE	A7BE9E56ADB280595DEC7E77ABD65F17C3A1D059BF9D1BF04FBB2E2B47657282.EXE
PID 1460 wrote to memory of 3492	1460	MSWDM.EXE	A7BE9E56ADB280595DEC7E77ABD65F17C3A1D059BF9D1BF04FBB2E2B47657282.EXE
PID 1460 wrote to memory of 4728	1460	MSWDM.EXE	MSWDM.EXE
PID 1460 wrote to memory of 4728	1460	MSWDM.EXE	MSWDM.EXE
PID 1460 wrote to memory of 4728	1460	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe
"C:\Users\Admin\AppData\Local\Temp\a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4236

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4232

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\devE6B6.tmp!C:\Users\Admin\AppData\Local\Temp\a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe! !
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Local\Temp\A7BE9E56ADB280595DEC7E77ABD65F17C3A1D059BF9D1BF04FBB2E2B47657282.EXE
3⤵
- Executes dropped EXE
PID:3492

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\devE6B6.tmp!C:\Users\Admin\AppData\Local\Temp\A7BE9E56ADB280595DEC7E77ABD65F17C3A1D059BF9D1BF04FBB2E2B47657282.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3888,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3812 /prefetch:8
1⤵
PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a7be9e56adb280595dec7e77abd65f17c3a1d059bf9d1bf04fbb2e2b47657282.exe

Filesize
554KB

MD5
6ae414770a0fac90b6328ef5cf2aa479

SHA1
5f55e22a722c54f82f063d87ede0a4da069ba865

SHA256
7400b49e27f1aa8584d5e0d5bd9c21733b26d07fcab385a7ac706da2307ee134

SHA512
0b20df5cc83d347b61a3d1e957652635ce7ef71027b8259fd2cc83145ca4a507f9a5729e46a0cf3f4ebd207e78efd1d0ccc8a09c4893a1871bdf76a239650539

Download Submit
C:\Windows\MSWDM.EXE

Filesize
96KB

MD5
e56e5f730a3e9f86675b2307c1f4f346

SHA1
303676e53702ff3de7761d79781620f1c06a2801

SHA256
c46de8447193bdfba6d4310accc5a3a7ec1ad1fd53aea39c1604d0f93a63d884

SHA512
986c39e9f0a81018658648a363e906a6f6c8423e1dd901a237db7c57463d2cb1c473d44d111eadd3a6b854a1bb39e61a0ee0a53426d1fd3fe4179a98f68571dd

Download Submit
C:\Windows\devE6B6.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/1460-23-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4232-10-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4232-24-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4236-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4236-8-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4728-20-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads