Analysis
- max time kernel: 19s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 11/06/2024, 02:27
Static task: static1
Behavioral task: behavioral1
  Sample: b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe
  Resource: win10v2004-20240426-en
General
- Target: b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe
- Size: 505KB
- MD5: 04ba890ac557cfb84aaba1523d6e3027
- SHA1: c7a85852f04dcdae96b92195206fd2dd5e50208b
- SHA256: b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48
- SHA512: 3a16e3039c7b70a75af4467782c1b250c366d5a5a670f64f5f19843a5d40836f938fc0e619a93fca3a6472ac423897d82579aad8df06ac312a6399f95aa74e1f
- SSDEEP: 12288:wlbI+b1gL5pRTcAkS/3hzN8qE43fm78Vx:WbI+G5jcAkSYqyEx
Malware Config
Signatures
- UPX dump on OEP (original entry point) (7 IoCs)
  resource | yara_rule
  behavioral1/memory/1392-0-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral1/memory/1392-12-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral1/files/0x000b000000012279-13.dat | UPX
  behavioral1/memory/2024-14-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral1/memory/2024-28-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral1/memory/2728-25-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
  behavioral1/memory/2260-29-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
- Executes dropped EXE (4 IoCs)
  pid | Process
  2024 | MSWDM.EXE
  2260 | MSWDM.EXE
  2772 | B8944517A45B4D983B70D6920D24B2D834BEA77057749F997A1B9832A176AA48.EXE
  2728 | MSWDM.EXE
- Loads dropped DLL (2 IoCs)
  pid | Process
  2024 | MSWDM.EXE
  1680 | Process not Found
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | MSWDM.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | MSWDM.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\WINDOWS\MSWDM.EXE | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe
  File opened for modification | C:\Windows\dev15C2.tmp | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  2024 | MSWDM.EXE
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 1392 wrote to memory of 2260 | 1392 | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe | 28
  PID 1392 wrote to memory of 2260 | 1392 | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe | 28
  PID 1392 wrote to memory of 2260 | 1392 | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe | 28
  PID 1392 wrote to memory of 2260 | 1392 | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe | 28
  PID 1392 wrote to memory of 2024 | 1392 | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe | 29
  PID 1392 wrote to memory of 2024 | 1392 | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe | 29
  PID 1392 wrote to memory of 2024 | 1392 | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe | 29
  PID 1392 wrote to memory of 2024 | 1392 | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe | 29
  PID 2024 wrote to memory of 2772 | 2024 | MSWDM.EXE | 30
  PID 2024 wrote to memory of 2772 | 2024 | MSWDM.EXE | 30
  PID 2024 wrote to memory of 2772 | 2024 | MSWDM.EXE | 30
  PID 2024 wrote to memory of 2772 | 2024 | MSWDM.EXE | 30
  PID 2024 wrote to memory of 2728 | 2024 | MSWDM.EXE | 32
  PID 2024 wrote to memory of 2728 | 2024 | MSWDM.EXE | 32
  PID 2024 wrote to memory of 2728 | 2024 | MSWDM.EXE | 32
  PID 2024 wrote to memory of 2728 | 2024 | MSWDM.EXE | 32
Processes
1. C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe"
   PID: 1392
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\WINDOWS\MSWDM.EXE
      Command line: "C:\WINDOWS\MSWDM.EXE"
      PID: 2260
      - Executes dropped EXE
      - Adds Run key to start application
   2. C:\WINDOWS\MSWDM.EXE
      Command line: -r!C:\Windows\dev15C2.tmp!C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe! !
      PID: 2024
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\B8944517A45B4D983B70D6920D24B2D834BEA77057749F997A1B9832A176AA48.EXE
         PID: 2772
         - Executes dropped EXE
      3. C:\WINDOWS\MSWDM.EXE
         Command line: -e!C:\Windows\dev15C2.tmp!C:\Users\Admin\AppData\Local\Temp\B8944517A45B4D983B70D6920D24B2D834BEA77057749F997A1B9832A176AA48.EXE!
         PID: 2728
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe
  Filesize: 458KB
  MD5: 619f7135621b50fd1900ff24aade1524
  SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
  SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
  SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
- (no path recorded)
  Filesize: 47KB
  MD5: 8281630c34398a6569e720407a61ca05
  SHA1: d983308e8fe1bab035342cd8d2ddc63cd9ce1ac0
  SHA256: 8f0e45e4b02d7e47c2a82eaf263756167dbc07fb1e50eaf7f8f0b232d4d097e0
  SHA512: 483fab964c6e7899af972bc14101ef225722ff09f544ab2e2dc37f0af781c20b3a526610922c0fe2a1d7dc53ffc7ee0ee6a030bc73b1f2b35f7ea36568945187