62bb3659edf950a1473d368c03b7b0f537a48accba7c27695fe6e805e107cf99

General

Target

62bb3659edf950a1473d368c03b7b0f537a48accba7c27695fe6e805e107cf99.exe
Size

497KB
MD5

c707c31ddb67a3aee4f307475a099290
SHA1

720778cf9513e965023122b3d7408b4f0d501d73
SHA256

62bb3659edf950a1473d368c03b7b0f537a48accba7c27695fe6e805e107cf99
SHA512

4bd8affa5a290fc93ed0f30369335001b566e433aae0f4d22d6744df6f486543f1f391c6d9103565d402aef5127dc848d71d69b289117aebf19ad96e3bd6a5c6
SSDEEP

6144:J89MA7jz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fayN:+n1gL5pRTcAkS/3hzN8qE43fm78VZ

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

resource	yara_rule
behavioral2/memory/2400-0-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral2/files/0x000a000000023400-3.dat	UPX
behavioral2/memory/1192-12-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral2/memory/4576-11-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral2/memory/2400-10-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral2/memory/2044-20-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral2/files/0x0007000000023412-19.dat	UPX
behavioral2/memory/1192-24-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral2/memory/4576-25-0x0000000000400000-0x0000000000418000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
4576	MSWDM.EXE
1192	MSWDM.EXE
2492	62BB3659EDF950A1473D368C03B7B0F537A48ACCBA7C27695FE6E805E107CF99.EXE
2044	MSWDM.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2400-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/files/0x000a000000023400-3.dat	upx
behavioral2/memory/1192-12-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/4576-11-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/2400-10-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/2044-20-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/files/0x0007000000023412-19.dat	upx
behavioral2/memory/1192-24-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/4576-25-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	62bb3659edf950a1473d368c03b7b0f537a48accba7c27695fe6e805e107cf99.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	62bb3659edf950a1473d368c03b7b0f537a48accba7c27695fe6e805e107cf99.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	62bb3659edf950a1473d368c03b7b0f537a48accba7c27695fe6e805e107cf99.exe
File opened for modification	C:\Windows\dev4508.tmp	62bb3659edf950a1473d368c03b7b0f537a48accba7c27695fe6e805e107cf99.exe
File opened for modification	C:\Windows\dev4508.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1192	MSWDM.EXE
1192	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 4576	2400	62bb3659edf950a1473d368c03b7b0f537a48accba7c27695fe6e805e107cf99.exe	83
PID 2400 wrote to memory of 4576	2400	62bb3659edf950a1473d368c03b7b0f537a48accba7c27695fe6e805e107cf99.exe	83
PID 2400 wrote to memory of 4576	2400	62bb3659edf950a1473d368c03b7b0f537a48accba7c27695fe6e805e107cf99.exe	83
PID 2400 wrote to memory of 1192	2400	62bb3659edf950a1473d368c03b7b0f537a48accba7c27695fe6e805e107cf99.exe	84
PID 2400 wrote to memory of 1192	2400	62bb3659edf950a1473d368c03b7b0f537a48accba7c27695fe6e805e107cf99.exe	84
PID 2400 wrote to memory of 1192	2400	62bb3659edf950a1473d368c03b7b0f537a48accba7c27695fe6e805e107cf99.exe	84
PID 1192 wrote to memory of 2492	1192	MSWDM.EXE	85
PID 1192 wrote to memory of 2492	1192	MSWDM.EXE	85
PID 1192 wrote to memory of 2044	1192	MSWDM.EXE	87
PID 1192 wrote to memory of 2044	1192	MSWDM.EXE	87
PID 1192 wrote to memory of 2044	1192	MSWDM.EXE	87

C:\Users\Admin\AppData\Local\Temp\62bb3659edf950a1473d368c03b7b0f537a48accba7c27695fe6e805e107cf99.exe
"C:\Users\Admin\AppData\Local\Temp\62bb3659edf950a1473d368c03b7b0f537a48accba7c27695fe6e805e107cf99.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2400
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4576
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev4508.tmp!C:\Users\Admin\AppData\Local\Temp\62bb3659edf950a1473d368c03b7b0f537a48accba7c27695fe6e805e107cf99.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Users\Admin\AppData\Local\Temp\62BB3659EDF950A1473D368C03B7B0F537A48ACCBA7C27695FE6E805E107CF99.EXE
    3⤵
    - Executes dropped EXE
    PID:2492
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev4508.tmp!C:\Users\Admin\AppData\Local\Temp\62BB3659EDF950A1473D368C03B7B0F537A48ACCBA7C27695FE6E805E107CF99.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\62bb3659edf950a1473d368c03b7b0f537a48accba7c27695fe6e805e107cf99.exe

Filesize
497KB

MD5
cdb9af074e1f48584fcf5f36a2870dcf

SHA1
4e68e5eea03746cd5cf0bca6fa7373c7000ad36e

SHA256
483d7596023e6f4866868b09de524bfc5931644c5c037097a9b321911a923d85

SHA512
782d97f4506139a83af8155d8caf44aae7864f3d6724c070f57ae203fd117226e37bcc53cbf975872bcdce038b0e14615f0ad584a3d6ba9e48df2ad61d2675ed

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
2b2ae7457a177dedaed7f72e1d149c4d

SHA1
c63ab6db2b24d55201ddac556cc00eb98fe77aaf

SHA256
ab6323a4a0d3bdabcab6e1e390da56d69a83c3f2cc522ec062a566f27fd837d8

SHA512
603ce8614256a05fb6e048af4098b3caaa2e1b071cb75617b3eac281dad36341811f2cd985358d38f3b7ed170b2527ac6bf0a63db30df5cf36c129cde09e9782

Download Submit
C:\Windows\dev4508.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/1192-12-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1192-24-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2044-20-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2400-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2400-10-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4576-11-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4576-25-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads