1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9

General

Target

1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe
Size

115KB
MD5

8f1f37cecd02967f7a19d25d6bd91a4d
SHA1

f494429215c32b1bb9793a3be8e85c62fdda9e4a
SHA256

1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9
SHA512

1904e77afe2d0bd2986ae76303938b8e6aa2581f1e1dcda4515259e06990ea6a4aa4952fcfef4733706aeeb15b9973cbb713955e93be3826ea1f25b56453ea2f
SSDEEP

3072:HQC/yj5JO3MnlgG+Hu54Fx4xE8GgPkXYLBDlxw:wlj7cMn3+OEXHoA2y

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 8 IoCs

resource	yara_rule
behavioral1/memory/2340-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/files/0x000d000000012327-5.dat	UPX
behavioral1/memory/2332-15-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2340-14-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/files/0x0011000000014318-30.dat	UPX
behavioral1/memory/1296-32-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2636-29-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2332-33-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
2332	MSWDM.EXE
1296	MSWDM.EXE
3060	1075ADE4297AD0FCE67DDDEF5A12B0AAEDB5C53A11997B7B5451CD26D7A594D9.EXE
2636	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
1296	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe
File opened for modification	C:\Windows\dev1CA5.tmp	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe
File opened for modification	C:\Windows\dev1CA5.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1296	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2332	2340	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe	28
PID 2340 wrote to memory of 2332	2340	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe	28
PID 2340 wrote to memory of 2332	2340	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe	28
PID 2340 wrote to memory of 2332	2340	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe	28
PID 2340 wrote to memory of 1296	2340	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe	29
PID 2340 wrote to memory of 1296	2340	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe	29
PID 2340 wrote to memory of 1296	2340	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe	29
PID 2340 wrote to memory of 1296	2340	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe	29
PID 1296 wrote to memory of 3060	1296	MSWDM.EXE	30
PID 1296 wrote to memory of 3060	1296	MSWDM.EXE	30
PID 1296 wrote to memory of 3060	1296	MSWDM.EXE	30
PID 1296 wrote to memory of 3060	1296	MSWDM.EXE	30
PID 1296 wrote to memory of 2636	1296	MSWDM.EXE	31
PID 1296 wrote to memory of 2636	1296	MSWDM.EXE	31
PID 1296 wrote to memory of 2636	1296	MSWDM.EXE	31
PID 1296 wrote to memory of 2636	1296	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe
"C:\Users\Admin\AppData\Local\Temp\1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2340
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2332
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1CA5.tmp!C:\Users\Admin\AppData\Local\Temp\1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Users\Admin\AppData\Local\Temp\1075ADE4297AD0FCE67DDDEF5A12B0AAEDB5C53A11997B7B5451CD26D7A594D9.EXE
    3⤵
    - Executes dropped EXE
    PID:3060
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1CA5.tmp!C:\Users\Admin\AppData\Local\Temp\1075ADE4297AD0FCE67DDDEF5A12B0AAEDB5C53A11997B7B5451CD26D7A594D9.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1075ADE4297AD0FCE67DDDEF5A12B0AAEDB5C53A11997B7B5451CD26D7A594D9.EXE

Filesize
115KB

MD5
fcafaa398b21135589019b8394fc448e

SHA1
c98e61f14be7e1bec98ea8846fc19a65bd1f9cbf

SHA256
639a1f660d72e3c3d0d02949e21518ae8b9ed93f6d32db13e9ce9dee0ab5d57a

SHA512
69edea423c0e16ba4629618d281412f31368477404ee26c9ab46a1fe6f3a36731acd4a06c7e5bdb5cc879baa971539f167889f94eed2975cae97e77c536a5a62

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
17f839c1b36aa7df4bbd73a247689d6a

SHA1
b49095efb08f54a91bcfb47bf93453179707bbcb

SHA256
c6ddd49456130b3007242e59ea7f5dbc4ba5fd11abf9c54ad5a1d6163104305c

SHA512
89d0f81951735e5afa7f027d2e14144a8dfe884f85a37641962ff02326d17a03eb1f51dbf1a6154e33208d6adaf271ec64db3aa8faea3acc3604a401fe296c9b

Download Submit
C:\Windows\dev1CA5.tmp

Filesize
35KB

MD5
19e25386a9c5cb66495e0d4be8869822

SHA1
a44d071ee432576f7d10917ac33fe84000c67c65

SHA256
d56174b1ba2af749549e8140f8e5bec2a1cb5a62f8e7163a0a400852f1d6b926

SHA512
2120f0a140329e3f586d4d0e81b83afb6fc4a0728baa4de7421496f4e1a5ec982edfc1e24d72a17df7108eb95e59840b7a3dc3abca9b92a95fd6869cddf5b30b

Download Submit
memory/1296-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1296-24-0x0000000000270000-0x000000000028B000-memory.dmp

Filesize
108KB

Download
memory/2332-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2332-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2340-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2340-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2340-7-0x00000000003E0000-0x00000000003FB000-memory.dmp

Filesize
108KB

Download
memory/2636-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads