fe30a9f27e2444f4a669c6e7586836293f048403ef29cd88ea50c6e36dcfba34

General

Target

fe30a9f27e2444f4a669c6e7586836293f048403ef29cd88ea50c6e36dcfba34.exe
Size

121KB
MD5

1ad00bf27488f759b6a5e2f5ca7c55fe
SHA1

05a7c30d3645d0c5b216959b6e499e6fc5e1e256
SHA256

fe30a9f27e2444f4a669c6e7586836293f048403ef29cd88ea50c6e36dcfba34
SHA512

0dd860c2326d9c3bd1957f806d6adb5e3081452836cca1f2e8ed1db76c4b750babb90d61fbcdb7bfebe5bcf676168aea91d9f3e6c87e13b121594f4e55ab1931
SSDEEP

3072:HQC/yj5JO3MnqG+Hu54Fx4xE8plZQKbgZi1St7xj:wlj7cMnT+OEXAwKbgZZ

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

resource	yara_rule
behavioral2/memory/3972-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x0008000000022f51-3.dat	UPX
behavioral2/memory/3972-9-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/3240-10-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x00070000000233e3-16.dat	UPX
behavioral2/memory/3384-19-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/3384-21-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/3612-24-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/3240-25-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
3240	MSWDM.EXE
3612	MSWDM.EXE
3116	FE30A9F27E2444F4A669C6E7586836293F048403EF29CD88EA50C6E36DCFBA34.EXE
3384	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	fe30a9f27e2444f4a669c6e7586836293f048403ef29cd88ea50c6e36dcfba34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	fe30a9f27e2444f4a669c6e7586836293f048403ef29cd88ea50c6e36dcfba34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	fe30a9f27e2444f4a669c6e7586836293f048403ef29cd88ea50c6e36dcfba34.exe
File opened for modification	C:\Windows\dev41EB.tmp	fe30a9f27e2444f4a669c6e7586836293f048403ef29cd88ea50c6e36dcfba34.exe
File opened for modification	C:\Windows\dev41EB.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3612	MSWDM.EXE
3612	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 3240	3972	fe30a9f27e2444f4a669c6e7586836293f048403ef29cd88ea50c6e36dcfba34.exe	83
PID 3972 wrote to memory of 3240	3972	fe30a9f27e2444f4a669c6e7586836293f048403ef29cd88ea50c6e36dcfba34.exe	83
PID 3972 wrote to memory of 3240	3972	fe30a9f27e2444f4a669c6e7586836293f048403ef29cd88ea50c6e36dcfba34.exe	83
PID 3972 wrote to memory of 3612	3972	fe30a9f27e2444f4a669c6e7586836293f048403ef29cd88ea50c6e36dcfba34.exe	84
PID 3972 wrote to memory of 3612	3972	fe30a9f27e2444f4a669c6e7586836293f048403ef29cd88ea50c6e36dcfba34.exe	84
PID 3972 wrote to memory of 3612	3972	fe30a9f27e2444f4a669c6e7586836293f048403ef29cd88ea50c6e36dcfba34.exe	84
PID 3612 wrote to memory of 3116	3612	MSWDM.EXE	85
PID 3612 wrote to memory of 3116	3612	MSWDM.EXE	85
PID 3612 wrote to memory of 3384	3612	MSWDM.EXE	86
PID 3612 wrote to memory of 3384	3612	MSWDM.EXE	86
PID 3612 wrote to memory of 3384	3612	MSWDM.EXE	86

C:\Users\Admin\AppData\Local\Temp\fe30a9f27e2444f4a669c6e7586836293f048403ef29cd88ea50c6e36dcfba34.exe
"C:\Users\Admin\AppData\Local\Temp\fe30a9f27e2444f4a669c6e7586836293f048403ef29cd88ea50c6e36dcfba34.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3972
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3240
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev41EB.tmp!C:\Users\Admin\AppData\Local\Temp\fe30a9f27e2444f4a669c6e7586836293f048403ef29cd88ea50c6e36dcfba34.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Users\Admin\AppData\Local\Temp\FE30A9F27E2444F4A669C6E7586836293F048403EF29CD88EA50C6E36DCFBA34.EXE
    3⤵
    - Executes dropped EXE
    PID:3116
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev41EB.tmp!C:\Users\Admin\AppData\Local\Temp\FE30A9F27E2444F4A669C6E7586836293F048403EF29CD88EA50C6E36DCFBA34.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FE30A9F27E2444F4A669C6E7586836293F048403EF29CD88EA50C6E36DCFBA34.EXE

Filesize
121KB

MD5
b16c6f631ebccc6e464e27360f3e79a2

SHA1
643c4d80c36a3ce0fb24f908cfa4d9cb09c9abd4

SHA256
d8555f2962b97e811881f30a09af00c547db15888150fe527fcf7450edc4db33

SHA512
75ef158e8f6e6d58053dd13b72dfba4b3fda33556f2e6eb4c00e54e69c078159f8de64be972e16c81a5932d80afea37f19cd86825fda9592a6ea3ec95ecfc295

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
d0e204dce245b02e736fe85cdc06899d

SHA1
96705b9907a4628f5ce69a7af2c865f813f8b048

SHA256
8b518a03539e2582ab0c73180f8a506fce1329a6375f640543492bf2b570ea2d

SHA512
2c93a266f781e14a794be325e8cab3f574a45e5a6f58712c37b28322ce5fcc31406c97823ca130a60d794b4a1d58359d0eeb1090054a7b0cdf67020febec1532

Download Submit
C:\Windows\dev41EB.tmp

Filesize
41KB

MD5
977e405c109268909fd24a94cc23d4f0

SHA1
af5d032c2b6caa2164cf298e95b09060665c4188

SHA256
cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

SHA512
12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

Download Submit
memory/3240-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3240-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3384-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3384-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3612-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3972-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3972-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads