782c886b9d782ee1a19e079ee299f69b090963a31bde12d481b602a4cf21c173

General

Target

782c886b9d782ee1a19e079ee299f69b090963a31bde12d481b602a4cf21c173.exe
Size

501KB
MD5

093ce9a69fc120fe2838e3e1d7d6feb0
SHA1

de619d2a6c585d57b38ff3fae3ef74b06ac72e16
SHA256

782c886b9d782ee1a19e079ee299f69b090963a31bde12d481b602a4cf21c173
SHA512

f4f5877b5dca88978d87e2b9b7f5d96735e9697a4b0162dbf3e6ca22fb3fac8da8ca1901e13f0aeb9aa3cfb5278c79f33129d90543f5bc20419909d90023c1e5
SSDEEP

6144:wlj7cMnI+c78n5Qw0tneDA/sqhleIc0HftDrkYY1hj63hgDonsogCh6NEpAFN:wlbI+285bM3npxYfj63hgD1Zie

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

MSWDM.EXEMSWDM.EXE782C886B9D782EE1A19E079EE299F69B090963A31BDE12D481B602A4CF21C173.EXE

pid process

2960 MSWDM.EXE
3972 MSWDM.EXE
3608 782C886B9D782EE1A19E079EE299F69B090963A31BDE12D481B602A4CF21C173.EXE

pid	process
2960	MSWDM.EXE
3972	MSWDM.EXE
3608	782C886B9D782EE1A19E079EE299F69B090963A31BDE12D481B602A4CF21C173.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MSWDM.EXE782c886b9d782ee1a19e079ee299f69b090963a31bde12d481b602a4cf21c173.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	782c886b9d782ee1a19e079ee299f69b090963a31bde12d481b602a4cf21c173.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	782c886b9d782ee1a19e079ee299f69b090963a31bde12d481b602a4cf21c173.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

Processes:

782c886b9d782ee1a19e079ee299f69b090963a31bde12d481b602a4cf21c173.exe

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	782c886b9d782ee1a19e079ee299f69b090963a31bde12d481b602a4cf21c173.exe
File opened for modification	C:\Windows\dev1279.tmp	782c886b9d782ee1a19e079ee299f69b090963a31bde12d481b602a4cf21c173.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSWDM.EXE

pid process

3972 MSWDM.EXE
3972 MSWDM.EXE

pid	process
3972	MSWDM.EXE
3972	MSWDM.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

782C886B9D782EE1A19E079EE299F69B090963A31BDE12D481B602A4CF21C173.EXE

pid	process
3608	782C886B9D782EE1A19E079EE299F69B090963A31BDE12D481B602A4CF21C173.EXE
3608	782C886B9D782EE1A19E079EE299F69B090963A31BDE12D481B602A4CF21C173.EXE
3608	782C886B9D782EE1A19E079EE299F69B090963A31BDE12D481B602A4CF21C173.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

782c886b9d782ee1a19e079ee299f69b090963a31bde12d481b602a4cf21c173.exeMSWDM.EXE

description	pid	process	target process
PID 2132 wrote to memory of 2960	2132	782c886b9d782ee1a19e079ee299f69b090963a31bde12d481b602a4cf21c173.exe	MSWDM.EXE
PID 2132 wrote to memory of 2960	2132	782c886b9d782ee1a19e079ee299f69b090963a31bde12d481b602a4cf21c173.exe	MSWDM.EXE
PID 2132 wrote to memory of 2960	2132	782c886b9d782ee1a19e079ee299f69b090963a31bde12d481b602a4cf21c173.exe	MSWDM.EXE
PID 2132 wrote to memory of 3972	2132	782c886b9d782ee1a19e079ee299f69b090963a31bde12d481b602a4cf21c173.exe	MSWDM.EXE
PID 2132 wrote to memory of 3972	2132	782c886b9d782ee1a19e079ee299f69b090963a31bde12d481b602a4cf21c173.exe	MSWDM.EXE
PID 2132 wrote to memory of 3972	2132	782c886b9d782ee1a19e079ee299f69b090963a31bde12d481b602a4cf21c173.exe	MSWDM.EXE
PID 3972 wrote to memory of 3608	3972	MSWDM.EXE	782C886B9D782EE1A19E079EE299F69B090963A31BDE12D481B602A4CF21C173.EXE
PID 3972 wrote to memory of 3608	3972	MSWDM.EXE	782C886B9D782EE1A19E079EE299F69B090963A31BDE12D481B602A4CF21C173.EXE
PID 3972 wrote to memory of 3608	3972	MSWDM.EXE	782C886B9D782EE1A19E079EE299F69B090963A31BDE12D481B602A4CF21C173.EXE

C:\Users\Admin\AppData\Local\Temp\782c886b9d782ee1a19e079ee299f69b090963a31bde12d481b602a4cf21c173.exe
"C:\Users\Admin\AppData\Local\Temp\782c886b9d782ee1a19e079ee299f69b090963a31bde12d481b602a4cf21c173.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2132

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2960

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev1279.tmp!C:\Users\Admin\AppData\Local\Temp\782c886b9d782ee1a19e079ee299f69b090963a31bde12d481b602a4cf21c173.exe! !
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3972

C:\Users\Admin\AppData\Local\Temp\782C886B9D782EE1A19E079EE299F69B090963A31BDE12D481B602A4CF21C173.EXE
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3788 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:4040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MSWDM.EXE
Filesize
47KB

MD5
8281630c34398a6569e720407a61ca05

SHA1
d983308e8fe1bab035342cd8d2ddc63cd9ce1ac0

SHA256
8f0e45e4b02d7e47c2a82eaf263756167dbc07fb1e50eaf7f8f0b232d4d097e0

SHA512
483fab964c6e7899af972bc14101ef225722ff09f544ab2e2dc37f0af781c20b3a526610922c0fe2a1d7dc53ffc7ee0ee6a030bc73b1f2b35f7ea36568945187

Download Submit
C:\Windows\dev1279.tmp
Filesize
453KB

MD5
96f7cb9f7481a279bd4bc0681a3b993e

SHA1
deaedb5becc6c0bd263d7cf81e0909b912a1afd4

SHA256
d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290

SHA512
694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

Download Submit
memory/2132-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2132-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2960-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3972-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3972-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads