Analysis
- max time kernel: 27s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 02:27
Static task
- static1
Behavioral task
- behavioral1
  Sample: b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe
  Resource: win7-20240215-en
Behavioral task
- behavioral2
  Sample: b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe
  Resource: win10v2004-20240426-en
General
- Target: b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe
- Size: 501KB
- MD5: 70e86cb3ebf353a1b6369c8ab8b429a8
- SHA1: 9e251b94787143b8349c31d13a291d0e2fdf7fc7
- SHA256: b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d
- SHA512: e5f6c40bf05e845578855eb7bf0dd70b2e6a8ffc3e29656d97c3afad2f2d2eb2ed0bced13c1bcd0afda476233211cb9cf2f2b90012487efa867d362ea8ea5571
- SSDEEP: 6144:wlj7cMnI+c78n5Qw0tneDA/sqhleIc0HftDrkYY1hj63hgDonsogCh6NEpAF8:wlbI+285bM3npxYfj63hgD1Ziz
Malware Config
Signatures
- UPX dump on OEP (original entry point), 9 IoCs
  resource | yara_rule
  behavioral2/memory/4420-0-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral2/memory/4420-10-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  C:\Windows\MSWDM.EXE | UPX
  behavioral2/memory/3628-12-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral2/memory/3556-6-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  C:\Users\Admin\AppData\Local\Temp\b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe | UPX
  behavioral2/memory/3628-24-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral2/memory/376-21-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral2/memory/3556-25-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
- Executes dropped EXE, 4 IoCs
  Processes: MSWDM.EXE, MSWDM.EXE, B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE, MSWDM.EXE
  pid | process
  3556 | MSWDM.EXE
  3628 | MSWDM.EXE
  712 | B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
  376 | MSWDM.EXE
- Adds Run key to start application, 2 TTPs, 4 IoCs
  Processes: b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe, MSWDM.EXE
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | MSWDM.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | MSWDM.EXE
- Drops file in Windows directory, 3 IoCs
  Processes: b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe, MSWDM.EXE
  description | ioc | process
  File created | C:\WINDOWS\MSWDM.EXE | b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe
  File opened for modification | C:\Windows\dev3652.tmp | b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe
  File opened for modification | C:\Windows\dev3652.tmp | MSWDM.EXE
- Suspicious behavior: EnumeratesProcesses, 2 IoCs
  Processes: MSWDM.EXE
  pid | process
  3628 | MSWDM.EXE
  3628 | MSWDM.EXE
- Suspicious use of SetWindowsHookEx, 3 IoCs
  Processes: B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
  pid | process
  712 | B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
  712 | B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
  712 | B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
- Suspicious use of WriteProcessMemory, 12 IoCs
  Processes: b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe, MSWDM.EXE
  description | pid | process | target process
  PID 4420 wrote to memory of 3556 | 4420 | b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe | MSWDM.EXE
  PID 4420 wrote to memory of 3556 | 4420 | b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe | MSWDM.EXE
  PID 4420 wrote to memory of 3556 | 4420 | b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe | MSWDM.EXE
  PID 4420 wrote to memory of 3628 | 4420 | b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe | MSWDM.EXE
  PID 4420 wrote to memory of 3628 | 4420 | b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe | MSWDM.EXE
  PID 4420 wrote to memory of 3628 | 4420 | b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe | MSWDM.EXE
  PID 3628 wrote to memory of 712 | 3628 | MSWDM.EXE | B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
  PID 3628 wrote to memory of 712 | 3628 | MSWDM.EXE | B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
  PID 3628 wrote to memory of 712 | 3628 | MSWDM.EXE | B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
  PID 3628 wrote to memory of 376 | 3628 | MSWDM.EXE | MSWDM.EXE
  PID 3628 wrote to memory of 376 | 3628 | MSWDM.EXE | MSWDM.EXE
  PID 3628 wrote to memory of 376 | 3628 | MSWDM.EXE | MSWDM.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe"
  PID: 4420
  Signatures: Adds Run key to start application; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\WINDOWS\MSWDM.EXE
    Command line: "C:\WINDOWS\MSWDM.EXE"
    PID: 3556
    Signatures: Executes dropped EXE; Adds Run key to start application
  - C:\WINDOWS\MSWDM.EXE
    Command line: -r!C:\Windows\dev3652.tmp!C:\Users\Admin\AppData\Local\Temp\b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe! !
    PID: 3628
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE
      PID: 712
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\WINDOWS\MSWDM.EXE
      Command line: -e!C:\Windows\dev3652.tmp!C:\Users\Admin\AppData\Local\Temp\B98EC7BBEA5D13AA9720B2C6BF3148A080AB3AC63876D8D0EED56F88F95EA73D.EXE!
      PID: 376
      Signatures: Executes dropped EXE; Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\b98ec7bbea5d13aa9720b2c6bf3148a080ab3ac63876d8d0eed56f88f95ea73d.exe
  Filesize: 501KB
  MD5: 599a7f2fcc2ad48534a85fad6fdbfa46
  SHA1: 8e64b597cc283b562a2c1a078b5a4cdd39340aab
  SHA256: 8f8874c96da42281b764df328ccbbeb7b98e3186003ec17dee58f2ef3f472574
  SHA512: 6bc8429474caa693b4b9dc394408bedfa41d460b0009d1f572d6e3ed0674ceb7051e29be10858924eee681601924c96707fdc468f2d9d353a4dc8aad1fd50691
- C:\Windows\MSWDM.EXE
  Filesize: 47KB
  MD5: 8281630c34398a6569e720407a61ca05
  SHA1: d983308e8fe1bab035342cd8d2ddc63cd9ce1ac0
  SHA256: 8f0e45e4b02d7e47c2a82eaf263756167dbc07fb1e50eaf7f8f0b232d4d097e0
  SHA512: 483fab964c6e7899af972bc14101ef225722ff09f544ab2e2dc37f0af781c20b3a526610922c0fe2a1d7dc53ffc7ee0ee6a030bc73b1f2b35f7ea36568945187
- C:\Windows\dev3652.tmp
  Filesize: 453KB
  MD5: 96f7cb9f7481a279bd4bc0681a3b993e
  SHA1: deaedb5becc6c0bd263d7cf81e0909b912a1afd4
  SHA256: d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290
  SHA512: 694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149
- memory/376-21-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/3556-6-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/3556-25-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/3628-12-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/3628-24-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/4420-0-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/4420-10-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB