Analysis
max time kernel: 22s
max time network: 123s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 19-06-2024 20:57
Static task: static1
Behavioral task: behavioral1
  Sample: 402694bd6789e4946f28471be64b9c1ef44c3472f1622171305af2b46884fe8a.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 402694bd6789e4946f28471be64b9c1ef44c3472f1622171305af2b46884fe8a.exe
  Resource: win10v2004-20240226-en
General
Target: 402694bd6789e4946f28471be64b9c1ef44c3472f1622171305af2b46884fe8a.exe
Size: 634KB
MD5: c2b1afa4cd3ccc694e2ff9e64a9ee61d
SHA1: a634d4cce71baf24e1b36d06cfdd087acc9274d4
SHA256: 402694bd6789e4946f28471be64b9c1ef44c3472f1622171305af2b46884fe8a
SHA512: 28641cf1227d01c04c10dcbe4fb405115dc7bb052d2db28118af42b5feaf81b1c34e50b59591f6bd6174ea02d77eb254b834c3b86c0f7340e012b298cd1ba8df
SSDEEP: 6144:IooZIFH5nZz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1N:ISF1B1gL5pRTcAkS/3hzN8qE43fm78VZ
Malware Config
Signatures
- UPX dump on OEP (original entry point) (8 IoCs)
  resource | yara_rule
  behavioral1/memory/2208-0-0x0000000000400000-0x000000000042C000-memory.dmp | UPX
  behavioral1/files/0x000c000000015cb1-12.dat | UPX
  behavioral1/memory/2088-20-0x0000000000400000-0x000000000042C000-memory.dmp | UPX
  behavioral1/memory/2252-19-0x0000000000400000-0x000000000042C000-memory.dmp | UPX
  behavioral1/memory/2208-11-0x0000000000400000-0x000000000042C000-memory.dmp | UPX
  behavioral1/memory/2620-27-0x0000000000400000-0x000000000042C000-memory.dmp | UPX
  behavioral1/memory/2252-29-0x0000000000400000-0x000000000042C000-memory.dmp | UPX
  behavioral1/memory/2088-30-0x0000000000400000-0x000000000042C000-memory.dmp | UPX
- Executes dropped EXE (5 IoCs)
  pid | Process
  2252 | MSWDM.EXE
  2088 | MSWDM.EXE
  2780 | 402694BD6789E4946F28471BE64B9C1EF44C3472F1622171305AF2B46884FE8A.EXE
  1068 | Process not Found
  2620 | MSWDM.EXE
- Loads dropped DLL (3 IoCs)
  pid | Process
  2252 | MSWDM.EXE
  2584 | Process not Found
  1068 | Process not Found
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | 402694bd6789e4946f28471be64b9c1ef44c3472f1622171305af2b46884fe8a.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | 402694bd6789e4946f28471be64b9c1ef44c3472f1622171305af2b46884fe8a.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE" | MSWDM.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE" | MSWDM.EXE
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\dev1BDA.tmp | 402694bd6789e4946f28471be64b9c1ef44c3472f1622171305af2b46884fe8a.exe
  File created | C:\WINDOWS\MSWDM.EXE | 402694bd6789e4946f28471be64b9c1ef44c3472f1622171305af2b46884fe8a.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  2252 | MSWDM.EXE
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 2208 wrote to memory of 2088 | 2208 | 402694bd6789e4946f28471be64b9c1ef44c3472f1622171305af2b46884fe8a.exe | 28
  PID 2208 wrote to memory of 2088 | 2208 | 402694bd6789e4946f28471be64b9c1ef44c3472f1622171305af2b46884fe8a.exe | 28
  PID 2208 wrote to memory of 2088 | 2208 | 402694bd6789e4946f28471be64b9c1ef44c3472f1622171305af2b46884fe8a.exe | 28
  PID 2208 wrote to memory of 2088 | 2208 | 402694bd6789e4946f28471be64b9c1ef44c3472f1622171305af2b46884fe8a.exe | 28
  PID 2208 wrote to memory of 2252 | 2208 | 402694bd6789e4946f28471be64b9c1ef44c3472f1622171305af2b46884fe8a.exe | 29
  PID 2208 wrote to memory of 2252 | 2208 | 402694bd6789e4946f28471be64b9c1ef44c3472f1622171305af2b46884fe8a.exe | 29
  PID 2208 wrote to memory of 2252 | 2208 | 402694bd6789e4946f28471be64b9c1ef44c3472f1622171305af2b46884fe8a.exe | 29
  PID 2208 wrote to memory of 2252 | 2208 | 402694bd6789e4946f28471be64b9c1ef44c3472f1622171305af2b46884fe8a.exe | 29
  PID 2252 wrote to memory of 2780 | 2252 | MSWDM.EXE | 30
  PID 2252 wrote to memory of 2780 | 2252 | MSWDM.EXE | 30
  PID 2252 wrote to memory of 2780 | 2252 | MSWDM.EXE | 30
  PID 2252 wrote to memory of 2780 | 2252 | MSWDM.EXE | 30
  PID 2252 wrote to memory of 2620 | 2252 | MSWDM.EXE | 32
  PID 2252 wrote to memory of 2620 | 2252 | MSWDM.EXE | 32
  PID 2252 wrote to memory of 2620 | 2252 | MSWDM.EXE | 32
  PID 2252 wrote to memory of 2620 | 2252 | MSWDM.EXE | 32
Processes
- C:\Users\Admin\AppData\Local\Temp\402694bd6789e4946f28471be64b9c1ef44c3472f1622171305af2b46884fe8a.exe (PID 2208)
  Command line: "C:\Users\Admin\AppData\Local\Temp\402694bd6789e4946f28471be64b9c1ef44c3472f1622171305af2b46884fe8a.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\WINDOWS\MSWDM.EXE (PID 2088)
    Command line: "C:\WINDOWS\MSWDM.EXE"
    - Executes dropped EXE
    - Adds Run key to start application
  - C:\WINDOWS\MSWDM.EXE (PID 2252)
    Command line: -r!C:\Windows\dev1BDA.tmp!C:\Users\Admin\AppData\Local\Temp\402694bd6789e4946f28471be64b9c1ef44c3472f1622171305af2b46884fe8a.exe! !
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\402694BD6789E4946F28471BE64B9C1EF44C3472F1622171305AF2B46884FE8A.EXE (PID 2780)
      - Executes dropped EXE
    - C:\WINDOWS\MSWDM.EXE (PID 2620)
      Command line: -e!C:\Windows\dev1BDA.tmp!C:\Users\Admin\AppData\Local\Temp\402694BD6789E4946F28471BE64B9C1EF44C3472F1622171305AF2B46884FE8A.EXE!
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\402694bd6789e4946f28471be64b9c1ef44c3472f1622171305af2b46884fe8a.exe
  Filesize: 458KB
  MD5: 619f7135621b50fd1900ff24aade1524
  SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
  SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
  SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
- Filesize: 176KB
  MD5: fe5dbdd0d20b39781a33618419547f23
  SHA1: 3f455a298bd39b634947920519da042f62e63a81
  SHA256: 8ba68836b20d52cfccaa7511e25103bc247e6d7e1e257d667f8de709dc92f31e
  SHA512: 37468e465e4d0306d1f85c72a6216fe1d9fa4127dba4d0f0accbb80847c5c53a9a5d59a8ad6420105bd9a7e0967b34caa183e0f2c0a8dc272aba7810153b120d