aca0b5d30d0dc7fe57c662c1c7b30956fc39b30cd05efdb1d34a12971cabe507

General

Target

aca0b5d30d0dc7fe57c662c1c7b30956fc39b30cd05efdb1d34a12971cabe507.exe
Size

80KB
MD5

659b265e13e2af7291f50d53000ecb2a
SHA1

a318f7fee62a7e77731b7722084b6618d1de6f78
SHA256

aca0b5d30d0dc7fe57c662c1c7b30956fc39b30cd05efdb1d34a12971cabe507
SHA512

700c4528345e27be6c3a9414235c644a61a82bfc5a9684bbaee04092f95623100aebc70c8c60aefa7a7e538e3b7ef73f5997b5a7b3fc5e69c7f077554d29c12f
SSDEEP

1536:rxG0+a0V7JCaTYnSGMv/WEToa9D4ZQKbgZi1dst7x9Pxx:rlIV7JCaMnSrH6lZQKbgZi1St7xx

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

resource	yara_rule
behavioral1/memory/2364-0-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/memory/2364-12-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/files/0x000c0000000143a8-19.dat	UPX
behavioral1/memory/1716-21-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/memory/3040-20-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/memory/3040-32-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/files/0x00110000000146f8-30.dat	UPX
behavioral1/memory/2568-29-0x0000000000400000-0x0000000000418000-memory.dmp	UPX
behavioral1/memory/1716-33-0x0000000000400000-0x0000000000418000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

pid	Process
3040	MSWDM.EXE
1716	MSWDM.EXE
2724	ACA0B5D30D0DC7FE57C662C1C7B30956FC39B30CD05EFDB1D34A12971CABE507.EXE
2568	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
3040	MSWDM.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2364-0-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/2364-12-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/files/0x000c0000000143a8-19.dat	upx
behavioral1/memory/1716-21-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/3040-20-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/3040-32-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/files/0x00110000000146f8-30.dat	upx
behavioral1/memory/2568-29-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1716-33-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	aca0b5d30d0dc7fe57c662c1c7b30956fc39b30cd05efdb1d34a12971cabe507.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	aca0b5d30d0dc7fe57c662c1c7b30956fc39b30cd05efdb1d34a12971cabe507.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	aca0b5d30d0dc7fe57c662c1c7b30956fc39b30cd05efdb1d34a12971cabe507.exe
File opened for modification	C:\Windows\dev8F6.tmp	aca0b5d30d0dc7fe57c662c1c7b30956fc39b30cd05efdb1d34a12971cabe507.exe
File opened for modification	C:\Windows\dev8F6.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3040	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1716	2364	aca0b5d30d0dc7fe57c662c1c7b30956fc39b30cd05efdb1d34a12971cabe507.exe	28
PID 2364 wrote to memory of 1716	2364	aca0b5d30d0dc7fe57c662c1c7b30956fc39b30cd05efdb1d34a12971cabe507.exe	28
PID 2364 wrote to memory of 1716	2364	aca0b5d30d0dc7fe57c662c1c7b30956fc39b30cd05efdb1d34a12971cabe507.exe	28
PID 2364 wrote to memory of 1716	2364	aca0b5d30d0dc7fe57c662c1c7b30956fc39b30cd05efdb1d34a12971cabe507.exe	28
PID 2364 wrote to memory of 3040	2364	aca0b5d30d0dc7fe57c662c1c7b30956fc39b30cd05efdb1d34a12971cabe507.exe	29
PID 2364 wrote to memory of 3040	2364	aca0b5d30d0dc7fe57c662c1c7b30956fc39b30cd05efdb1d34a12971cabe507.exe	29
PID 2364 wrote to memory of 3040	2364	aca0b5d30d0dc7fe57c662c1c7b30956fc39b30cd05efdb1d34a12971cabe507.exe	29
PID 2364 wrote to memory of 3040	2364	aca0b5d30d0dc7fe57c662c1c7b30956fc39b30cd05efdb1d34a12971cabe507.exe	29
PID 3040 wrote to memory of 2724	3040	MSWDM.EXE	30
PID 3040 wrote to memory of 2724	3040	MSWDM.EXE	30
PID 3040 wrote to memory of 2724	3040	MSWDM.EXE	30
PID 3040 wrote to memory of 2724	3040	MSWDM.EXE	30
PID 3040 wrote to memory of 2568	3040	MSWDM.EXE	31
PID 3040 wrote to memory of 2568	3040	MSWDM.EXE	31
PID 3040 wrote to memory of 2568	3040	MSWDM.EXE	31
PID 3040 wrote to memory of 2568	3040	MSWDM.EXE	31

C:\Users\Admin\AppData\Local\Temp\aca0b5d30d0dc7fe57c662c1c7b30956fc39b30cd05efdb1d34a12971cabe507.exe
"C:\Users\Admin\AppData\Local\Temp\aca0b5d30d0dc7fe57c662c1c7b30956fc39b30cd05efdb1d34a12971cabe507.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2364
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1716
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev8F6.tmp!C:\Users\Admin\AppData\Local\Temp\aca0b5d30d0dc7fe57c662c1c7b30956fc39b30cd05efdb1d34a12971cabe507.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Users\Admin\AppData\Local\Temp\ACA0B5D30D0DC7FE57C662C1C7B30956FC39B30CD05EFDB1D34A12971CABE507.EXE
    3⤵
    - Executes dropped EXE
    PID:2724
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev8F6.tmp!C:\Users\Admin\AppData\Local\Temp\ACA0B5D30D0DC7FE57C662C1C7B30956FC39B30CD05EFDB1D34A12971CABE507.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ACA0B5D30D0DC7FE57C662C1C7B30956FC39B30CD05EFDB1D34A12971CABE507.EXE

Filesize
80KB

MD5
27611f714ff10fb2ac45439ef6b23efa

SHA1
7cf158d871e533b1683b8f0f09bf7b455b3d5af2

SHA256
0632088a7d46a3a286416b1bdd4c6ae6ba49bb05270460048fd51ef1923591bc

SHA512
985d654aa7aa7cc7aca3224b7592f36bc4e3b187991fa603a5c7a51ecfd82e2b5d1e2bc6eb8238726df8451870479346e37c349d6de7ab684ff3e813fe33009e

Download Submit
C:\Windows\MSWDM.EXE

Filesize
39KB

MD5
038a80f6ff06e190d78b3bedd45af903

SHA1
03cd1e273e4b40a9cc526b78064d105acb101a29

SHA256
4b837f79d5ff950caaefb026da5c8d46a394091b7730982afbed4d37254c8e8d

SHA512
fff2b1fed475ce75314f102063f4f7968cf8812269d72e56049fdc5f4836f28bf3ed8b075aca46fc24176f26f45868d4e80e2eac855f5c858d5a39ae001d2ec0

Download Submit
C:\Windows\dev8F6.tmp

Filesize
41KB

MD5
977e405c109268909fd24a94cc23d4f0

SHA1
af5d032c2b6caa2164cf298e95b09060665c4188

SHA256
cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

SHA512
12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

Download Submit
memory/1716-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1716-33-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2364-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2364-12-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2568-29-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3040-20-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3040-32-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3040-24-0x0000000000250000-0x0000000000268000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads