Analysis
max time kernel: 30s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 02:27
Static task: static1
Behavioral task: behavioral1
  Sample: b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe
  Resource: win10v2004-20240426-en
General
Target: b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe
Size: 505KB
MD5: 04ba890ac557cfb84aaba1523d6e3027
SHA1: c7a85852f04dcdae96b92195206fd2dd5e50208b
SHA256: b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48
SHA512: 3a16e3039c7b70a75af4467782c1b250c366d5a5a670f64f5f19843a5d40836f938fc0e619a93fca3a6472ac423897d82579aad8df06ac312a6399f95aa74e1f
SSDEEP: 12288:wlbI+b1gL5pRTcAkS/3hzN8qE43fm78Vx:WbI+G5jcAkSYqyEx
Malware Config
Signatures

UPX dump on OEP (original entry point) - 9 IoCs
resource | yara_rule
behavioral2/memory/404-0-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
behavioral2/files/0x000800000002342a-5.dat | UPX
behavioral2/memory/404-9-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
behavioral2/memory/2788-11-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
behavioral2/memory/3456-10-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
behavioral2/files/0x000700000002342f-19.dat | UPX
behavioral2/memory/5040-21-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
behavioral2/memory/2788-24-0x0000000000400000-0x000000000041B000-memory.dmp | UPX
behavioral2/memory/3456-25-0x0000000000400000-0x000000000041B000-memory.dmp | UPX

Executes dropped EXE - 4 IoCs
pid | Process
3456 | MSWDM.EXE
2788 | MSWDM.EXE
800 | B8944517A45B4D983B70D6920D24B2D834BEA77057749F997A1B9832A176AA48.EXE
5040 | MSWDM.EXE

Adds Run key to start application - 2 TTPs, 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | MSWDM.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | MSWDM.EXE

Drops file in Windows directory - 3 IoCs
description | ioc | Process
File created | C:\WINDOWS\MSWDM.EXE | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe
File opened for modification | C:\Windows\dev632E.tmp | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe
File opened for modification | C:\Windows\dev632E.tmp | MSWDM.EXE

Suspicious behavior: EnumeratesProcesses - 2 IoCs
pid | Process
2788 | MSWDM.EXE
2788 | MSWDM.EXE

Suspicious use of WriteProcessMemory - 11 IoCs
description | pid | Process | procid_target
PID 404 wrote to memory of 3456 | 404 | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe | 83
PID 404 wrote to memory of 3456 | 404 | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe | 83
PID 404 wrote to memory of 3456 | 404 | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe | 83
PID 404 wrote to memory of 2788 | 404 | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe | 84
PID 404 wrote to memory of 2788 | 404 | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe | 84
PID 404 wrote to memory of 2788 | 404 | b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe | 84
PID 2788 wrote to memory of 800 | 2788 | MSWDM.EXE | 85
PID 2788 wrote to memory of 800 | 2788 | MSWDM.EXE | 85
PID 2788 wrote to memory of 5040 | 2788 | MSWDM.EXE | 87
PID 2788 wrote to memory of 5040 | 2788 | MSWDM.EXE | 87
PID 2788 wrote to memory of 5040 | 2788 | MSWDM.EXE | 87
Processes
C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 404
  C:\WINDOWS\MSWDM.EXE
    Command line: "C:\WINDOWS\MSWDM.EXE"
    - Executes dropped EXE
    - Adds Run key to start application
    PID: 3456
  C:\WINDOWS\MSWDM.EXE
    Command line: -r!C:\Windows\dev632E.tmp!C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe! !
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2788
    C:\Users\Admin\AppData\Local\Temp\B8944517A45B4D983B70D6920D24B2D834BEA77057749F997A1B9832A176AA48.EXE
      - Executes dropped EXE
      PID: 800
    C:\WINDOWS\MSWDM.EXE
      Command line: -e!C:\Windows\dev632E.tmp!C:\Users\Admin\AppData\Local\Temp\B8944517A45B4D983B70D6920D24B2D834BEA77057749F997A1B9832A176AA48.EXE!
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 5040
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\b8944517a45b4d983b70d6920d24b2d834bea77057749f997a1b9832a176aa48.exe
  Filesize: 505KB
  MD5: 5761559e4f8a3b6eb23b19adaa77ce03
  SHA1: 9b7497876f209b9e74df687c52e346dbf25b0e84
  SHA256: a8c2949e0198a3c0a3b8672774a7abd7bbee08e4c937e4eea636bf8c9fe67ca2
  SHA512: db91f61871f868fb9be38481d043d7bfb645b62322cf33b6f2c17b9de4830b1df48cfd554e9f1ca8ddadaeb9747342a371145df440a756c7c62212272a34f562

  Filesize: 47KB
  MD5: 8281630c34398a6569e720407a61ca05
  SHA1: d983308e8fe1bab035342cd8d2ddc63cd9ce1ac0
  SHA256: 8f0e45e4b02d7e47c2a82eaf263756167dbc07fb1e50eaf7f8f0b232d4d097e0
  SHA512: 483fab964c6e7899af972bc14101ef225722ff09f544ab2e2dc37f0af781c20b3a526610922c0fe2a1d7dc53ffc7ee0ee6a030bc73b1f2b35f7ea36568945187

  Filesize: 458KB
  MD5: 619f7135621b50fd1900ff24aade1524
  SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
  SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
  SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628