ce5753e39168dcbc491e86f26f293579c42b7b6004b9b491e4f5aac8daa0111f

General

Target

ce5753e39168dcbc491e86f26f293579c42b7b6004b9b491e4f5aac8daa0111f.exe
Size

75KB
MD5

23ab6f6bf3f969ab8b8182e3ba7a582f
SHA1

5597554b0f067355545ee61de44d2dc68003b9e7
SHA256

ce5753e39168dcbc491e86f26f293579c42b7b6004b9b491e4f5aac8daa0111f
SHA512

db910852d9dc2702ed24402e37a4a0e3379b64ff5f68b8a8ef95509c4741b589a1ac8fdd2ec9bc7f0c44d6b4a4f9cd68e39d54bf855dc27245377b6425b47fd8
SSDEEP

1536:rxG0+a0V7JCaTYnSGMX/6riw+d9bHrkT5gUHz7FxtB:rlIV7JCaMnSrP6rBkfkT5xHzb

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 7 IoCs

resource	yara_rule
behavioral1/memory/2328-0-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/files/0x000c000000013413-4.dat	UPX
behavioral1/memory/2328-13-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/memory/2732-30-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/files/0x000e000000013a6e-28.dat	UPX
behavioral1/memory/2640-27-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/memory/1508-31-0x0000000000400000-0x0000000000418000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
2732	MSWDM.EXE
1508	MSWDM.EXE
2572	CE5753E39168DCBC491E86F26F293579C42B7B6004B9B491E4F5AAC8DAA0111F.EXE
2640	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
2732	MSWDM.EXE

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2328-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/files/0x000c000000013413-4.dat	upx
behavioral1/memory/2328-13-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2732-30-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/files/0x000e000000013a6e-28.dat	upx
behavioral1/memory/2640-27-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1508-31-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	ce5753e39168dcbc491e86f26f293579c42b7b6004b9b491e4f5aac8daa0111f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	ce5753e39168dcbc491e86f26f293579c42b7b6004b9b491e4f5aac8daa0111f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	ce5753e39168dcbc491e86f26f293579c42b7b6004b9b491e4f5aac8daa0111f.exe
File opened for modification	C:\Windows\dev1120.tmp	ce5753e39168dcbc491e86f26f293579c42b7b6004b9b491e4f5aac8daa0111f.exe
File opened for modification	C:\Windows\dev1120.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2732	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1508	2328	ce5753e39168dcbc491e86f26f293579c42b7b6004b9b491e4f5aac8daa0111f.exe	28
PID 2328 wrote to memory of 1508	2328	ce5753e39168dcbc491e86f26f293579c42b7b6004b9b491e4f5aac8daa0111f.exe	28
PID 2328 wrote to memory of 1508	2328	ce5753e39168dcbc491e86f26f293579c42b7b6004b9b491e4f5aac8daa0111f.exe	28
PID 2328 wrote to memory of 1508	2328	ce5753e39168dcbc491e86f26f293579c42b7b6004b9b491e4f5aac8daa0111f.exe	28
PID 2328 wrote to memory of 2732	2328	ce5753e39168dcbc491e86f26f293579c42b7b6004b9b491e4f5aac8daa0111f.exe	29
PID 2328 wrote to memory of 2732	2328	ce5753e39168dcbc491e86f26f293579c42b7b6004b9b491e4f5aac8daa0111f.exe	29
PID 2328 wrote to memory of 2732	2328	ce5753e39168dcbc491e86f26f293579c42b7b6004b9b491e4f5aac8daa0111f.exe	29
PID 2328 wrote to memory of 2732	2328	ce5753e39168dcbc491e86f26f293579c42b7b6004b9b491e4f5aac8daa0111f.exe	29
PID 2732 wrote to memory of 2572	2732	MSWDM.EXE	30
PID 2732 wrote to memory of 2572	2732	MSWDM.EXE	30
PID 2732 wrote to memory of 2572	2732	MSWDM.EXE	30
PID 2732 wrote to memory of 2572	2732	MSWDM.EXE	30
PID 2732 wrote to memory of 2640	2732	MSWDM.EXE	31
PID 2732 wrote to memory of 2640	2732	MSWDM.EXE	31
PID 2732 wrote to memory of 2640	2732	MSWDM.EXE	31
PID 2732 wrote to memory of 2640	2732	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\ce5753e39168dcbc491e86f26f293579c42b7b6004b9b491e4f5aac8daa0111f.exe
"C:\Users\Admin\AppData\Local\Temp\ce5753e39168dcbc491e86f26f293579c42b7b6004b9b491e4f5aac8daa0111f.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2328
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1508
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1120.tmp!C:\Users\Admin\AppData\Local\Temp\ce5753e39168dcbc491e86f26f293579c42b7b6004b9b491e4f5aac8daa0111f.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\CE5753E39168DCBC491E86F26F293579C42B7B6004B9B491E4F5AAC8DAA0111F.EXE
    3⤵
    - Executes dropped EXE
    PID:2572
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1120.tmp!C:\Users\Admin\AppData\Local\Temp\CE5753E39168DCBC491E86F26F293579C42B7B6004B9B491E4F5AAC8DAA0111F.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CE5753E39168DCBC491E86F26F293579C42B7B6004B9B491E4F5AAC8DAA0111F.EXE

Filesize
75KB

MD5
b85403ec0ebf441dca30474eb5dc65ed

SHA1
9ae779ef09dade5f0167fcf674e2add095252a95

SHA256
ff71ffaf2014ec77071ad2fb4fedc45ae81687c080ddcaace245fdb3327d10e0

SHA512
08fac5bf9cbb78ae7d58c59a5e06a61eb866f97ac6e21a694ea7d60857ae1e42e0db0098110f15d708d95f56a977958a0c4448a74fb0ce5da9891fc8004deb5c

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
446f667d5ed0edf5ee1b0942d4cb915d

SHA1
f127585abc5e64a15ff1ec7d48a839815f4e4b8e

SHA256
679d9c3d8c6eee6c1d355f81b6978869acc6f2278c00d57be1dd24a929fa1a09

SHA512
08b3f6c07120dff1572102f7f55d2d240c1f4ae0f3dc6f512eac73e4629bed1e8ffa1775eb24dc2cc17a36f983b4b58055a56cef417236251956675048121d68

Download Submit
\Users\Admin\AppData\Local\Temp\ce5753e39168dcbc491e86f26f293579c42b7b6004b9b491e4f5aac8daa0111f.exe

Filesize
36KB

MD5
9f498971cbe636662f3d210747d619e1

SHA1
44b8e2732fa1e2f204fc70eaa1cb406616250085

SHA256
8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

SHA512
b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

Download Submit
memory/1508-31-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2328-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2328-13-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2328-12-0x00000000003E0000-0x00000000003F8000-memory.dmp

Filesize
96KB

Download
memory/2640-27-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2732-30-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads