Analysis
max time kernel: 31s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 01:01
Static task: static1
Behavioral task: behavioral1
  Sample: a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe
  Resource: win10v2004-20240426-en
General
Target: a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe
Size: 2.2MB
MD5: 1cb3bcb19205c9b4800ffd47ef3cb6e6
SHA1: 40e7bc859eecfd52fd366b395c9ec6ddd58a960e
SHA256: a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f
SHA512: 5411c14b445a6228d8e7d2e1a143c02115cbf7f53c3a6390dc439bbda082d9969ae7c33df115ec6f09920d2f63e5ee5edca76b04ccf36fa184dcb75d8120a33e
SSDEEP: 49152:WbD+QCbRquA/m2yL5zbfFiV+XenmE3/zw:WbD+5oq2VjnmH
Malware Config
Signatures
UPX dump on OEP (original entry point) (9 IoCs)
resource | yara_rule
behavioral2/memory/1076-1-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
behavioral2/files/0x000800000002327d-3.dat | UPX
behavioral2/memory/4560-12-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
behavioral2/memory/3640-10-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
behavioral2/memory/1076-7-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
behavioral2/memory/3960-20-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
behavioral2/files/0x0007000000023411-19.dat | UPX
behavioral2/memory/3640-24-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
behavioral2/memory/4560-25-0x0000000000400000-0x000000000041B000-memory.dmp | UPX

Executes dropped EXE (4 IoCs)
pid | Process
4560 | MSWDM.EXE
3640 | MSWDM.EXE
3088 | A7A37735EADF11931D27DA28CBD3B7AF132BE6300F40A4B6E5CD3AFB9E298D6F.EXE
3960 | MSWDM.EXE

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | MSWDM.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | MSWDM.EXE

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\WINDOWS\MSWDM.EXE | a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe
File opened for modification | C:\Windows\dev379A.tmp | a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe
File opened for modification | C:\Windows\dev379A.tmp | MSWDM.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3640 | MSWDM.EXE
3640 | MSWDM.EXE

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 1076 wrote to memory of 4560 | 1076 | a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | 82
PID 1076 wrote to memory of 4560 | 1076 | a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | 82
PID 1076 wrote to memory of 4560 | 1076 | a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | 82
PID 1076 wrote to memory of 3640 | 1076 | a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | 83
PID 1076 wrote to memory of 3640 | 1076 | a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | 83
PID 1076 wrote to memory of 3640 | 1076 | a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe | 83
PID 3640 wrote to memory of 3088 | 3640 | MSWDM.EXE | 84
PID 3640 wrote to memory of 3088 | 3640 | MSWDM.EXE | 84
PID 3640 wrote to memory of 3960 | 3640 | MSWDM.EXE | 88
PID 3640 wrote to memory of 3960 | 3640 | MSWDM.EXE | 88
PID 3640 wrote to memory of 3960 | 3640 | MSWDM.EXE | 88
Processes
C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 1076
    C:\WINDOWS\MSWDM.EXE
      Command line: "C:\WINDOWS\MSWDM.EXE"
      - Executes dropped EXE
      - Adds Run key to start application
      PID: 4560
    C:\WINDOWS\MSWDM.EXE
      Command line: -r!C:\Windows\dev379A.tmp!C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe! !
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 3640
        C:\Users\Admin\AppData\Local\Temp\A7A37735EADF11931D27DA28CBD3B7AF132BE6300F40A4B6E5CD3AFB9E298D6F.EXE
          - Executes dropped EXE
          PID: 3088
        C:\WINDOWS\MSWDM.EXE
          Command line: -e!C:\Windows\dev379A.tmp!C:\Users\Admin\AppData\Local\Temp\A7A37735EADF11931D27DA28CBD3B7AF132BE6300F40A4B6E5CD3AFB9E298D6F.EXE!
          - Executes dropped EXE
          - Drops file in Windows directory
          PID: 3960
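Host check for the indicators above. The PowerShell below is an added example, not part of this report and not code from the sample; it uses only the registry values, paths and hashes listed on this page. Three points from the report shape it: the Run and RunServices values are written under WOW6432Node, so the writer is a 32-bit process on the x64 guest (matching the arch:x86 resource tag); RunServices is a Windows 9x-era key that NT-based Windows does not process, so on this platform only the Run value actually gives the dropped MSWDM.EXE persistence; and the sample's own path is listed twice under Downloads with hashes that differ from the submitted file, consistent with the file at that path being rewritten during the run (both -r! and -e! command lines name that path together with the C:\Windows\dev379A.tmp scratch file). The script checks the Run keys in both registry views, the dropped MSWDM.EXE and any dev*.tmp in the Windows directory, and any running MSWDM.EXE with its command line. Run it elevated on the host being triaged; $KnownSha256 holds the SHA256 values this report lists.

```powershell
# Added example (not part of the Triage report): host-side check for the
# persistence and file-drop indicators the report lists for this sample.
# Run in an elevated PowerShell on the host being triaged.

# SHA256 values taken from this report: the submitted sample plus the files
# listed under Downloads.
$KnownSha256 = @(
    'a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f',  # submitted sample
    'b0d78983ee9bd9e9bd629225d1449e8c735e752aaf7ab8eb888fea47eb2142fa',
    'a6a2d36c3371533edc725244e3eaa8f9ac0f16408117909c524b79df898d7bb7',
    '79d8f0ced4322e8274ed093c31cc3685048212c192d549c8d31a19f16b1d6da9',
    '7e0976036431640ae1d9f1c0b52bcea5dd37ef86cd3f5304dc8a96459d9483cd'
)

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Run / RunServices value "WDM" = "MSWDM.EXE". The report shows the
#    WOW6432Node view (32-bit writer on x64); check the native view and HKCU too.
$RunKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$PsMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $PsMeta) { continue }          # provider bookkeeping, not registry values
        if ($p.Name -eq 'WDM' -or ("$($p.Value)" -match 'MSWDM\.EXE')) {
            $Findings.Add("Run key: $key\$($p.Name) = '$($p.Value)'")
        }
    }
}

# 2. The dropped binary and the dev<hex>.tmp scratch file in the Windows directory.
$WinDir  = $env:WINDIR
$Dropped = Join-Path $WinDir 'MSWDM.EXE'
if (Test-Path $Dropped) {
    $h   = (Get-FileHash -Path $Dropped -Algorithm SHA256).Hash.ToLower()
    $tag = if ($KnownSha256 -contains $h) { 'hash listed in report' } else { 'hash not in report' }
    $Findings.Add("Dropped file: $Dropped sha256=$h ($tag)")
}
Get-ChildItem -Path $WinDir -Filter 'dev*.tmp' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings.Add("Scratch file: $($_.FullName) ($($_.Length) bytes)") }

# 3. Any running MSWDM.EXE, with its command line (the report shows the -r!/-e! form).
Get-CimInstance Win32_Process -Filter "Name = 'MSWDM.EXE'" -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings.Add("Process: PID $($_.ProcessId) $($_.CommandLine)") }

if ($Findings.Count -eq 0) { 'No indicators from this report found.' } else { $Findings }
```

The dev*.tmp check is deliberately a wildcard: the report records dev379A.tmp, but the hex part of a name in that pattern is unlikely to be stable across runs, so matching the exact filename would miss a re-infection on another host.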
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe
  Filesize: 2.2MB
  MD5: 60ba1219b473263a4471e8e25118e4cf
  SHA1: 9b7ec1b278cb87a3b684820f23784e605eada716
  SHA256: b0d78983ee9bd9e9bd629225d1449e8c735e752aaf7ab8eb888fea47eb2142fa
  SHA512: 6b606b201ef10f4df76e982b6415901e235a1a4881277e6de7c6da72baa9dc2dd8c2fec59291af837791916049ff4b73f79db0370f5a76203e175b23c7288af3

C:\Users\Admin\AppData\Local\Temp\a7a37735eadf11931d27da28cbd3b7af132be6300f40a4b6e5cd3afb9e298d6f.exe
  Filesize: 2.2MB
  MD5: 84a75736d5fddf6bf97d86a11b47d1ab
  SHA1: b1845ee95269b0f10068edb4a0e70260ca074d8a
  SHA256: a6a2d36c3371533edc725244e3eaa8f9ac0f16408117909c524b79df898d7bb7
  SHA512: bec6c2131452b5faab5cae51940110a6858e60da17939f5846a180ded5aa3889635fedcf7b543462bcdc4ae9c0f219079afa9d2709bc2f327b7cae0c9b3bb931

  Filesize: 80KB
  MD5: 7953ee2765fd7f56ef2cbc7181d1149d
  SHA1: c649e183ef7ea9d5f758e061432c2707f7591b6f
  SHA256: 79d8f0ced4322e8274ed093c31cc3685048212c192d549c8d31a19f16b1d6da9
  SHA512: 351b443e4145ddaccef9de847b142b240fb44594d6bee7b7fbe16a865df6dccd93559b437b254093f0f790bb3b66d0972d879b931c8f2e9ed9fdd4c931dbe7b7

  Filesize: 2.1MB
  MD5: b8d69fa2755c3ab1f12f8866a8e2a4f7
  SHA1: 8e3cdfb20e158c2906323ba0094a18c7dd2aaf2d
  SHA256: 7e0976036431640ae1d9f1c0b52bcea5dd37ef86cd3f5304dc8a96459d9483cd
  SHA512: 5acac46068b331216978500f67a7fa5257bc5b05133fab6d88280b670ae4885ef2d5d1f531169b66bf1952e082f56b1ad2bc3901479b740f96c53ea405adda18