b7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b

General

Target

b7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b.exe
Size

91KB
MD5

2601f6e8ef5bed215f7bba75d7d91d64
SHA1

02a0c550c0d8cea51035fee1c2f6aa738a94cc7f
SHA256

b7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b
SHA512

4d5d6f6565db3ac716be7f41bc787598a28d92c81d4160cce6f1012b74c5e20b613621f0a70c887850a538966322816eed4b547c5ef20ed4880b13084ffda165
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FRG+sdguxnSngBNpT/mzNnxPAxEAz0+/Sf:HQC/yj5JO3MnRG+Hu54Fx4xE8qf

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4936-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\Windows\MSWDM.EXE	UPX
behavioral2/memory/3192-12-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/3800-11-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/4936-8-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\b7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b.exe	UPX
behavioral2/memory/1148-21-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/3192-25-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/3800-26-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

B7D8D828CAB9F9444C060AF5B2A72F147EDCE17325ABAFBB6AAE62C5E7AE857B.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fakerdtsc\ImagePath = 5c003f003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c00540065006d0070005c00660061006b006500720064007400730063002e007300790073000000	B7D8D828CAB9F9444C060AF5B2A72F147EDCE17325ABAFBB6AAE62C5E7AE857B.EXE

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXEB7D8D828CAB9F9444C060AF5B2A72F147EDCE17325ABAFBB6AAE62C5E7AE857B.EXEMSWDM.EXE

pid process

3800 MSWDM.EXE
3192 MSWDM.EXE
872 B7D8D828CAB9F9444C060AF5B2A72F147EDCE17325ABAFBB6AAE62C5E7AE857B.EXE
1148 MSWDM.EXE

pid	process
3800	MSWDM.EXE
3192	MSWDM.EXE
872	B7D8D828CAB9F9444C060AF5B2A72F147EDCE17325ABAFBB6AAE62C5E7AE857B.EXE
1148	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b.exeMSWDM.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	b7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	b7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

Processes:

MSWDM.EXEb7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b.exe

description	ioc	process
File opened for modification	C:\Windows\dev4A38.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	b7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b.exe
File opened for modification	C:\Windows\dev4A38.tmp	b7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSWDM.EXE

pid process

3192 MSWDM.EXE
3192 MSWDM.EXE
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

B7D8D828CAB9F9444C060AF5B2A72F147EDCE17325ABAFBB6AAE62C5E7AE857B.EXE

pid process

872 B7D8D828CAB9F9444C060AF5B2A72F147EDCE17325ABAFBB6AAE62C5E7AE857B.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

B7D8D828CAB9F9444C060AF5B2A72F147EDCE17325ABAFBB6AAE62C5E7AE857B.EXE

description pid process

Token: SeLoadDriverPrivilege 872 B7D8D828CAB9F9444C060AF5B2A72F147EDCE17325ABAFBB6AAE62C5E7AE857B.EXE

pid	process
3192	MSWDM.EXE
3192	MSWDM.EXE

pid	process
872	B7D8D828CAB9F9444C060AF5B2A72F147EDCE17325ABAFBB6AAE62C5E7AE857B.EXE

description	pid	process
Token: SeLoadDriverPrivilege	872	B7D8D828CAB9F9444C060AF5B2A72F147EDCE17325ABAFBB6AAE62C5E7AE857B.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b.exeMSWDM.EXE

description	pid	process	target process
PID 4936 wrote to memory of 3800	4936	b7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b.exe	MSWDM.EXE
PID 4936 wrote to memory of 3800	4936	b7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b.exe	MSWDM.EXE
PID 4936 wrote to memory of 3800	4936	b7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b.exe	MSWDM.EXE
PID 4936 wrote to memory of 3192	4936	b7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b.exe	MSWDM.EXE
PID 4936 wrote to memory of 3192	4936	b7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b.exe	MSWDM.EXE
PID 4936 wrote to memory of 3192	4936	b7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b.exe	MSWDM.EXE
PID 3192 wrote to memory of 872	3192	MSWDM.EXE	B7D8D828CAB9F9444C060AF5B2A72F147EDCE17325ABAFBB6AAE62C5E7AE857B.EXE
PID 3192 wrote to memory of 872	3192	MSWDM.EXE	B7D8D828CAB9F9444C060AF5B2A72F147EDCE17325ABAFBB6AAE62C5E7AE857B.EXE
PID 3192 wrote to memory of 872	3192	MSWDM.EXE	B7D8D828CAB9F9444C060AF5B2A72F147EDCE17325ABAFBB6AAE62C5E7AE857B.EXE
PID 3192 wrote to memory of 1148	3192	MSWDM.EXE	MSWDM.EXE
PID 3192 wrote to memory of 1148	3192	MSWDM.EXE	MSWDM.EXE
PID 3192 wrote to memory of 1148	3192	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\b7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b.exe
"C:\Users\Admin\AppData\Local\Temp\b7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4936

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3800

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev4A38.tmp!C:\Users\Admin\AppData\Local\Temp\b7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b.exe! !
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3192

C:\Users\Admin\AppData\Local\Temp\B7D8D828CAB9F9444C060AF5B2A72F147EDCE17325ABAFBB6AAE62C5E7AE857B.EXE
3⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev4A38.tmp!C:\Users\Admin\AppData\Local\Temp\B7D8D828CAB9F9444C060AF5B2A72F147EDCE17325ABAFBB6AAE62C5E7AE857B.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b7d8d828cab9f9444c060af5b2a72f147edce17325abafbb6aae62c5e7ae857b.exe
Filesize
91KB

MD5
536ccb971ad213b1699e9f9d0c5c2095

SHA1
eed66b5c68fe5e1ccfdf6e2cd546f089c901811b

SHA256
088fd23573c2616f47e4808a30e02489e190ec7f8d00a7ab8c544e3c04712db0

SHA512
f98f8b7b023bc592f55bcd3eb94cd65bacd0b55300a2861927330380b39a0e00614f8b930f359479f29aba82461066e353f640027c9d3c8c0954d3883c133c8a

Download Submit
C:\Windows\MSWDM.EXE
Filesize
80KB

MD5
c3fa6e4c285aaf0628228a83b1a4dda3

SHA1
709df8148cb34fbf487f221058a65050329631bd

SHA256
c90a8a614282f2fc61fc182742f59fc5d8c2bd2417249d27699828e525610ae3

SHA512
f0a6c1cfd62d74d0bd9dc3e9bda8891c98eaaad629843792c4e1b6ca592b95f7ba49ec8417d67b16b067deb68fffc50da84db6df8260c5bc643afaf2ecc99ccd

Download Submit
C:\Windows\dev4A38.tmp
Filesize
11KB

MD5
b5f8d0c67b41eb650ddf4cc59ce48cae

SHA1
288f7a4b88df49875f534313cb32bd974d3278dd

SHA256
a495a79d9640aa57b33850b0594b4477659fcb1aa754ce0f3867252a8966ba27

SHA512
fdaf1dc4f20893cfbd525ef27dc7f719133751df33ff17e95f9abe430f880c140e8874e8fb499e9f94fcb3505d178974e2474002afa0f7fbc8978a1e188df6d5

Download Submit
memory/872-16-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1148-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3192-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3192-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3800-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3800-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4936-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4936-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads