b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d

General

Target

b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe
Size

501KB
MD5

70e86cb3ebf353a1b6369c8ab8b429a8
SHA1

9e251b94787143b8349c31d13a291d0e2fdf7fc7
SHA256

b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d
SHA512

e5f6c40bf05e845578855eb7bf0dd70b2e6a8ffc3e29656d97c3afad2f2d2eb2ed0bced13c1bcd0afda476233211cb9cf2f2b90012487efa867d362ea8ea5571
SSDEEP

6144:wlj7cMnI+c78n5Qw0tneDA/sqhleIc0HftDrkYY1hj63hgDonsogCh6NEpAF8:wlbI+285bM3npxYfj63hgD1Ziz

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2352-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\Windows\MSWDM.EXE	UPX
behavioral1/memory/2516-22-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/3056-23-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2352-14-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2352-8-0x0000000000250000-0x000000000026B000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE	UPX
behavioral1/memory/2732-32-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2732-27-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2516-35-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2516-26-0x0000000000250000-0x000000000026B000-memory.dmp	UPX
behavioral1/memory/3056-36-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXEB98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXEMSWDM.EXE

pid process

3056 MSWDM.EXE
2516 MSWDM.EXE
2652 B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
2732 MSWDM.EXE
Loads dropped DLL 1 IoCs

Processes:

MSWDM.EXE

pid process

2516 MSWDM.EXE

pid	process
3056	MSWDM.EXE
2516	MSWDM.EXE
2652	B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
2732	MSWDM.EXE

pid	process
2516	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MSWDM.EXEb98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe

Drops file in Windows directory 3 IoCs

Processes:

b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exeMSWDM.EXE

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe
File opened for modification	C:\Windows\dev11CC.tmp	b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe
File opened for modification	C:\Windows\dev11CC.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSWDM.EXE

pid process

2516 MSWDM.EXE

pid	process
2516	MSWDM.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE

pid	process
2652	B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
2652	B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
2652	B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exeMSWDM.EXE

description	pid	process	target process
PID 2352 wrote to memory of 3056	2352	b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe	MSWDM.EXE
PID 2352 wrote to memory of 3056	2352	b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe	MSWDM.EXE
PID 2352 wrote to memory of 3056	2352	b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe	MSWDM.EXE
PID 2352 wrote to memory of 3056	2352	b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe	MSWDM.EXE
PID 2352 wrote to memory of 2516	2352	b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe	MSWDM.EXE
PID 2352 wrote to memory of 2516	2352	b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe	MSWDM.EXE
PID 2352 wrote to memory of 2516	2352	b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe	MSWDM.EXE
PID 2352 wrote to memory of 2516	2352	b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe	MSWDM.EXE
PID 2516 wrote to memory of 2652	2516	MSWDM.EXE	B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
PID 2516 wrote to memory of 2652	2516	MSWDM.EXE	B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
PID 2516 wrote to memory of 2652	2516	MSWDM.EXE	B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
PID 2516 wrote to memory of 2652	2516	MSWDM.EXE	B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
PID 2516 wrote to memory of 2652	2516	MSWDM.EXE	B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
PID 2516 wrote to memory of 2652	2516	MSWDM.EXE	B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
PID 2516 wrote to memory of 2652	2516	MSWDM.EXE	B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
PID 2516 wrote to memory of 2732	2516	MSWDM.EXE	MSWDM.EXE
PID 2516 wrote to memory of 2732	2516	MSWDM.EXE	MSWDM.EXE
PID 2516 wrote to memory of 2732	2516	MSWDM.EXE	MSWDM.EXE
PID 2516 wrote to memory of 2732	2516	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe
"C:\Users\Admin\AppData\Local\Temp\b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2352

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3056

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev11CC.tmp!C:\Users\Admin\AppData\Local\Temp\b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe! !
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2516

C:\Users\Admin\AppData\Local\Temp\B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2652

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev11CC.tmp!C:\Users\Admin\AppData\Local\Temp\B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
Filesize
501KB

MD5
599a7f2fcc2ad48534a85fad6fdbfa46

SHA1
8e64b597cc283b562a2c1a078b5a4cdd39340aab

SHA256
8f8874c96da42281b764df328ccbbeb7b98e3186003ec17dee58f2ef3f472574

SHA512
6bc8429474caa693b4b9dc394408bedfa41d460b0009d1f572d6e3ed0674ceb7051e29be10858924eee681601924c96707fdc468f2d9d353a4dc8aad1fd50691

Download Submit
C:\Windows\MSWDM.EXE
Filesize
47KB

MD5
8281630c34398a6569e720407a61ca05

SHA1
d983308e8fe1bab035342cd8d2ddc63cd9ce1ac0

SHA256
8f0e45e4b02d7e47c2a82eaf263756167dbc07fb1e50eaf7f8f0b232d4d097e0

SHA512
483fab964c6e7899af972bc14101ef225722ff09f544ab2e2dc37f0af781c20b3a526610922c0fe2a1d7dc53ffc7ee0ee6a030bc73b1f2b35f7ea36568945187

Download Submit
C:\Windows\dev11CC.tmp
Filesize
453KB

MD5
96f7cb9f7481a279bd4bc0681a3b993e

SHA1
deaedb5becc6c0bd263d7cf81e0909b912a1afd4

SHA256
d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290

SHA512
694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149

Download Submit
memory/2352-8-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2352-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2352-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2516-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2516-35-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2516-26-0x0000000000250000-0x000000000026B000-memory.dmp

Filesize
108KB

Download
memory/2732-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2732-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3056-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3056-36-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads