Analysis
max time kernel: 17s
max time network: 125s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 02/06/2024, 01:01
Static task: static1
Behavioral task: behavioral1
  Sample: a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe
  Resource: win10v2004-20240426-en
General
Target: a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe
Size: 2.2MB
MD5: 1cb3bcb19205c9b4800ffd47ef3cb6e6
SHA1: 40e7bc859eecfd52fd366b395c9ec6ddd58a960e
SHA256: a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f
SHA512: 5411c14b445a6228d8e7d2e1a143c02115cbf7f53c3a6390dc439bbda082d9969ae7c33df115ec6f09920d2f63e5ee5edca76b04ccf36fa184dcb75d8120a33e
SSDEEP: 49152:WbD+QCbRquA/m2yL5zbfFiV+XenmE3/zw:WbD+5oq2VjnmH
Malware Config
Signatures
UPX dump on OEP (original entry point) 8 IoCs
  resource                                                                      yara_rule
  behavioral1/memory/3020-0-0x0000000000400000-0x000000000041B000-memory.dmp    UPX
  behavioral1/files/0x000b0000000153c7-4.dat                                    UPX
  behavioral1/memory/2992-30-0x0000000000400000-0x000000000041B000-memory.dmp   UPX
  behavioral1/memory/2608-27-0x0000000000400000-0x000000000041B000-memory.dmp   UPX
  behavioral1/memory/1524-21-0x0000000000400000-0x000000000041B000-memory.dmp   UPX
  behavioral1/memory/2992-20-0x0000000000400000-0x000000000041B000-memory.dmp   UPX
  behavioral1/memory/3020-12-0x0000000000400000-0x000000000041B000-memory.dmp   UPX
  behavioral1/memory/1524-31-0x0000000000400000-0x000000000041B000-memory.dmp   UPX
Executes dropped EXE 4 IoCs
  pid   Process
  2992  MSWDM.EXE
  1524  MSWDM.EXE
  2564  A7A37735EADF11931D27DA28CBD3B7AF132BE6300F40A4B6E5CD3AFB9E298D6F.EXE
  2608  MSWDM.EXE
Loads dropped DLL 2 IoCs
  pid   Process
  2992  MSWDM.EXE
  2684  Process not Found
Adds Run key to start application 2 TTPs 4 IoCs
  description      ioc                                                                                               Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"          a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"  a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"          MSWDM.EXE
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"  MSWDM.EXE
Drops file in Windows directory 2 IoCs
  description                   ioc                        Process
  File created                  C:\WINDOWS\MSWDM.EXE       a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe
  File opened for modification  C:\Windows\dev164E.tmp     a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
  pid   Process
  2992  MSWDM.EXE
Suspicious use of WriteProcessMemory 16 IoCs
  description                       pid   Process                                                                 procid_target
  PID 3020 wrote to memory of 1524  3020  a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe   28
  PID 3020 wrote to memory of 1524  3020  a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe   28
  PID 3020 wrote to memory of 1524  3020  a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe   28
  PID 3020 wrote to memory of 1524  3020  a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe   28
  PID 3020 wrote to memory of 2992  3020  a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe   29
  PID 3020 wrote to memory of 2992  3020  a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe   29
  PID 3020 wrote to memory of 2992  3020  a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe   29
  PID 3020 wrote to memory of 2992  3020  a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe   29
  PID 2992 wrote to memory of 2564  2992  MSWDM.EXE                                                               30
  PID 2992 wrote to memory of 2564  2992  MSWDM.EXE                                                               30
  PID 2992 wrote to memory of 2564  2992  MSWDM.EXE                                                               30
  PID 2992 wrote to memory of 2564  2992  MSWDM.EXE                                                               30
  PID 2992 wrote to memory of 2608  2992  MSWDM.EXE                                                               32
  PID 2992 wrote to memory of 2608  2992  MSWDM.EXE                                                               32
  PID 2992 wrote to memory of 2608  2992  MSWDM.EXE                                                               32
  PID 2992 wrote to memory of 2608  2992  MSWDM.EXE                                                               32
Processes
C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe"
  PID: 3020
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\WINDOWS\MSWDM.EXE
    Command line: "C:\WINDOWS\MSWDM.EXE"
    PID: 1524
    - Executes dropped EXE
    - Adds Run key to start application
  C:\WINDOWS\MSWDM.EXE
    Command line: -r!C:\Windows\dev164E.tmp!C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe! !
    PID: 2992
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\A7A37735EADF11931D27DA28CBD3B7AF132BE6300F40A4B6E5CD3AFB9E298D6F.EXE
      PID: 2564
      - Executes dropped EXE
    C:\WINDOWS\MSWDM.EXE
      Command line: -e!C:\Windows\dev164E.tmp!C:\Users\Admin\AppData\Local\Temp\A7A37735EADF11931D27DA28CBD3B7AF132BE6300F40A4B6E5CD3AFB9E298D6F.EXE!
      PID: 2608
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe
  Filesize: 2.1MB
  MD5: b8d69fa2755c3ab1f12f8866a8e2a4f7
  SHA1: 8e3cdfb20e158c2906323ba0094a18c7dd2aaf2d
  SHA256: 7e0976036431640ae1d9f1c0b52bcea5dd37ef86cd3f5304dc8a96459d9483cd
  SHA512: 5acac46068b331216978500f67a7fa5257bc5b05133fab6d88280b670ae4885ef2d5d1f531169b66bf1952e082f56b1ad2bc3901479b740f96c53ea405adda18
- Filesize: 80KB
  MD5: 7953ee2765fd7f56ef2cbc7181d1149d
  SHA1: c649e183ef7ea9d5f758e061432c2707f7591b6f
  SHA256: 79d8f0ced4322e8274ed093c31cc3685048212c192d549c8d31a19f16b1d6da9
  SHA512: 351b443e4145ddaccef9de847b142b240fb44594d6bee7b7fbe16a865df6dccd93559b437b254093f0f790bb3b66d0972d879b931c8f2e9ed9fdd4c931dbe7b7