1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9

General

Target

1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe
Size

115KB
MD5

8f1f37cecd02967f7a19d25d6bd91a4d
SHA1

f494429215c32b1bb9793a3be8e85c62fdda9e4a
SHA256

1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9
SHA512

1904e77afe2d0bd2986ae76303938b8e6aa2581f1e1dcda4515259e06990ea6a4aa4952fcfef4733706aeeb15b9973cbb713955e93be3826ea1f25b56453ea2f
SSDEEP

3072:HQC/yj5JO3MnlgG+Hu54Fx4xE8GgPkXYLBDlxw:wlj7cMn3+OEXHoA2y

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

resource	yara_rule
behavioral2/memory/2112-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x00090000000235b7-3.dat	UPX
behavioral2/memory/2112-8-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/2996-11-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/4980-10-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/1524-20-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/files/0x00070000000235bc-16.dat	UPX
behavioral2/memory/2996-23-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral2/memory/4980-24-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
4980	MSWDM.EXE
2996	MSWDM.EXE
4732	1075ADE4297AD0FCE67DDDEF5A12B0AAEDB5C53A11997B7B5451CD26D7A594D9.EXE
1524	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe
File opened for modification	C:\Windows\devC30.tmp	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe
File opened for modification	C:\Windows\devC30.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2996	MSWDM.EXE
2996	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 4980	2112	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe	91
PID 2112 wrote to memory of 4980	2112	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe	91
PID 2112 wrote to memory of 4980	2112	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe	91
PID 2112 wrote to memory of 2996	2112	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe	92
PID 2112 wrote to memory of 2996	2112	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe	92
PID 2112 wrote to memory of 2996	2112	1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe	92
PID 2996 wrote to memory of 4732	2996	MSWDM.EXE	93
PID 2996 wrote to memory of 4732	2996	MSWDM.EXE	93
PID 2996 wrote to memory of 1524	2996	MSWDM.EXE	94
PID 2996 wrote to memory of 1524	2996	MSWDM.EXE	94
PID 2996 wrote to memory of 1524	2996	MSWDM.EXE	94

C:\Users\Admin\AppData\Local\Temp\1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe
"C:\Users\Admin\AppData\Local\Temp\1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2112
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4980
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devC30.tmp!C:\Users\Admin\AppData\Local\Temp\1075ade4297ad0fce67dddef5a12b0aaedb5c53a11997b7b5451cd26d7a594d9.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\1075ADE4297AD0FCE67DDDEF5A12B0AAEDB5C53A11997B7B5451CD26D7A594D9.EXE
    3⤵
    - Executes dropped EXE
    PID:4732
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devC30.tmp!C:\Users\Admin\AppData\Local\Temp\1075ADE4297AD0FCE67DDDEF5A12B0AAEDB5C53A11997B7B5451CD26D7A594D9.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4016 /prefetch:8
1⤵
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1075ADE4297AD0FCE67DDDEF5A12B0AAEDB5C53A11997B7B5451CD26D7A594D9.EXE

Filesize
115KB

MD5
6e3b96c562faa5b79c0bd8b33d616be2

SHA1
30538d5778da7435a69ad8a6089d4b3769a58294

SHA256
acd5b4ef98818c6d1147199ca2ce10a5e8af447a1537aa78ec462effa9ff3a39

SHA512
37425ccc123934f2a01ff5f2a38fa4d5ce648ca4e0fdd9ebbbf9e10113717cb0e780c5c029d9b975eb2372e91a60715c4baded03938b139b6182198befbb6ceb

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
17f839c1b36aa7df4bbd73a247689d6a

SHA1
b49095efb08f54a91bcfb47bf93453179707bbcb

SHA256
c6ddd49456130b3007242e59ea7f5dbc4ba5fd11abf9c54ad5a1d6163104305c

SHA512
89d0f81951735e5afa7f027d2e14144a8dfe884f85a37641962ff02326d17a03eb1f51dbf1a6154e33208d6adaf271ec64db3aa8faea3acc3604a401fe296c9b

Download Submit
C:\Windows\devC30.tmp

Filesize
35KB

MD5
19e25386a9c5cb66495e0d4be8869822

SHA1
a44d071ee432576f7d10917ac33fe84000c67c65

SHA256
d56174b1ba2af749549e8140f8e5bec2a1cb5a62f8e7163a0a400852f1d6b926

SHA512
2120f0a140329e3f586d4d0e81b83afb6fc4a0728baa4de7421496f4e1a5ec982edfc1e24d72a17df7108eb95e59840b7a3dc3abca9b92a95fd6869cddf5b30b

Download Submit
memory/1524-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2112-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2112-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2996-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2996-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4980-10-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4980-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads