0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb

General

Target

0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb.exe
Size

408KB
MD5

49317b85a5e6350c8a15fb091c73350c
SHA1

ce61c5c61ca03f2c783fe14a351a0d3d1cdde932
SHA256

0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb
SHA512

d5af1546004cb48a195eadc9f4716b2e3c88c45b86f02d702ee50860568c4eb42c1e1a62884fb751251d5b142089b6085fb7ec0a92883d073dfcfc21178b156d
SSDEEP

6144:wlj7cMnO+LP2zPVz7jUBs8hqcBCi6dbfra4erJlt9A+xX1oOAisEIWmGeNkfGuYt:wlbO+cahVy4e

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2872-0-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\WINDOWS\MSWDM.EXE	UPX
behavioral1/memory/3056-19-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2516-18-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2872-12-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2516-32-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\0A29A4FA9EF61774C0B63A276B8ECBB332EB1A33C9B796291C6E809058182ADB.EXE	UPX
behavioral1/memory/2936-29-0x0000000000400000-0x000000000041B000-memory.dmp	UPX
behavioral1/memory/2516-23-0x0000000000260000-0x000000000027B000-memory.dmp	UPX
behavioral1/memory/3056-33-0x0000000000400000-0x000000000041B000-memory.dmp	UPX

Executes dropped EXE 4 IoCs

Processes:

MSWDM.EXEMSWDM.EXE0A29A4FA9EF61774C0B63A276B8ECBB332EB1A33C9B796291C6E809058182ADB.EXEMSWDM.EXE

pid process

2516 MSWDM.EXE
3056 MSWDM.EXE
2756 0A29A4FA9EF61774C0B63A276B8ECBB332EB1A33C9B796291C6E809058182ADB.EXE
2936 MSWDM.EXE
Loads dropped DLL 1 IoCs

Processes:

MSWDM.EXE

pid process

2516 MSWDM.EXE

pid	process
2516	MSWDM.EXE
3056	MSWDM.EXE
2756	0A29A4FA9EF61774C0B63A276B8ECBB332EB1A33C9B796291C6E809058182ADB.EXE
2936	MSWDM.EXE

pid	process
2516	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb.exeMSWDM.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb.exe

Drops file in Windows directory 3 IoCs

Processes:

0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb.exeMSWDM.EXE

description	ioc	process
File created	C:\WINDOWS\MSWDM.EXE	0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb.exe
File opened for modification	C:\Windows\dev2839.tmp	0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb.exe
File opened for modification	C:\Windows\dev2839.tmp	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSWDM.EXE

pid process

2516 MSWDM.EXE

pid	process
2516	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb.exeMSWDM.EXE

description	pid	process	target process
PID 2872 wrote to memory of 3056	2872	0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb.exe	MSWDM.EXE
PID 2872 wrote to memory of 3056	2872	0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb.exe	MSWDM.EXE
PID 2872 wrote to memory of 3056	2872	0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb.exe	MSWDM.EXE
PID 2872 wrote to memory of 3056	2872	0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb.exe	MSWDM.EXE
PID 2872 wrote to memory of 2516	2872	0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb.exe	MSWDM.EXE
PID 2872 wrote to memory of 2516	2872	0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb.exe	MSWDM.EXE
PID 2872 wrote to memory of 2516	2872	0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb.exe	MSWDM.EXE
PID 2872 wrote to memory of 2516	2872	0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb.exe	MSWDM.EXE
PID 2516 wrote to memory of 2756	2516	MSWDM.EXE	0A29A4FA9EF61774C0B63A276B8ECBB332EB1A33C9B796291C6E809058182ADB.EXE
PID 2516 wrote to memory of 2756	2516	MSWDM.EXE	0A29A4FA9EF61774C0B63A276B8ECBB332EB1A33C9B796291C6E809058182ADB.EXE
PID 2516 wrote to memory of 2756	2516	MSWDM.EXE	0A29A4FA9EF61774C0B63A276B8ECBB332EB1A33C9B796291C6E809058182ADB.EXE
PID 2516 wrote to memory of 2756	2516	MSWDM.EXE	0A29A4FA9EF61774C0B63A276B8ECBB332EB1A33C9B796291C6E809058182ADB.EXE
PID 2516 wrote to memory of 2936	2516	MSWDM.EXE	MSWDM.EXE
PID 2516 wrote to memory of 2936	2516	MSWDM.EXE	MSWDM.EXE
PID 2516 wrote to memory of 2936	2516	MSWDM.EXE	MSWDM.EXE
PID 2516 wrote to memory of 2936	2516	MSWDM.EXE	MSWDM.EXE

C:\Users\Admin\AppData\Local\Temp\0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb.exe
"C:\Users\Admin\AppData\Local\Temp\0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2872

C:\WINDOWS\MSWDM.EXE
"C:\WINDOWS\MSWDM.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3056

C:\WINDOWS\MSWDM.EXE
-r!C:\Windows\dev2839.tmp!C:\Users\Admin\AppData\Local\Temp\0a29a4fa9ef61774c0b63a276b8ecbb332eb1a33c9b796291c6e809058182adb.exe! !
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2516

C:\Users\Admin\AppData\Local\Temp\0A29A4FA9EF61774C0B63A276B8ECBB332EB1A33C9B796291C6E809058182ADB.EXE
3⤵
- Executes dropped EXE
PID:2756

C:\WINDOWS\MSWDM.EXE
-e!C:\Windows\dev2839.tmp!C:\Users\Admin\AppData\Local\Temp\0A29A4FA9EF61774C0B63A276B8ECBB332EB1A33C9B796291C6E809058182ADB.EXE!
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0A29A4FA9EF61774C0B63A276B8ECBB332EB1A33C9B796291C6E809058182ADB.EXE

Filesize
408KB

MD5
0d6c99733c17dfcb36f9dddaf1ef1561

SHA1
65608ac1b04aae895d5c18569aaafa29db1ccbaa

SHA256
308a7642e067f1694e0c596611c3d19979d989c4d55088dfd525e35e21763cb3

SHA512
483c91ceed0818de1136ff39bd01d30cd7b4a9b005186cbca2654b08e34bb90feb165fcbb0ad185d8afa75a94fc6b3eec11c43306888b7cf77fd35f5ac53b21f

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
47KB

MD5
12700490b3d7885c337502e53cf57339

SHA1
7e5ca1cc75a6134589d1aac4b15fb2b34c0938f5

SHA256
79d2518715c3169b08a792d2a38e738a6ed4493922eb4ab7650de7997437d6c7

SHA512
7d288ba7029af71242e7722ac3b95fa5944a108fb5df41cc0806d0ba5726c43b52f104dd25f1f92c52ddae9d2e301b3e63765096cb9c1b99f23f203404badaf1

Download Submit
C:\Windows\dev2839.tmp

Filesize
360KB

MD5
5fbd45261a2de3bb42f489e825a9a935

SHA1
ff388f6e9efe651ec62c4152c1739783e7899293

SHA256
9e63701598199d5c47217e23b44d0e3ec5d53f5419166b1b6c68a7e9e8fc47a4

SHA512
7f22b1995a07016adb342c551454d602bfbe511525139aee8581b62116608e9e278fd81c26382f1333c7eccded4474196e73c093bb5cbf8e8f203e865024c058

Download Submit
memory/2516-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2516-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2516-23-0x0000000000260000-0x000000000027B000-memory.dmp

Filesize
108KB

Download
memory/2872-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2872-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2936-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3056-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3056-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads