1ea6a49460127637c82333d02adb9e53bfe041bac802b5983a9dc055c43b5c7d

General

Target

0014191a7a693e9b3cf674eb16ebb650N.exe
Size

634KB
MD5

0014191a7a693e9b3cf674eb16ebb650
SHA1

0d0414a68e5c8a1f4d8d32cf6892e66d112b0217
SHA256

1ea6a49460127637c82333d02adb9e53bfe041bac802b5983a9dc055c43b5c7d
SHA512

b587bae04449e45818c848705d866c082073aa8edbb00df5e0361bdcb1fb03e6215e8393569042ebae033b1b46ee6aec6e7c43ea141248d92df912a428509d24
SSDEEP

6144:IooZIFH5nfYz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtlB:ISF1O1gL5pRTcAkS/3hzN8qE43fm78VX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2660	MSWDM.EXE
2756	MSWDM.EXE
2812	0014191A7A693E9B3CF674EB16EBB650N.EXE
2836	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2756	MSWDM.EXE
2232	Process not Found

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	0014191a7a693e9b3cf674eb16ebb650N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	0014191a7a693e9b3cf674eb16ebb650N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev1111.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	0014191a7a693e9b3cf674eb16ebb650N.exe
File opened for modification	C:\Windows\dev1111.tmp	0014191a7a693e9b3cf674eb16ebb650N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3056	2836	WerFault.exe	34

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2756	MSWDM.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2660	1152	0014191a7a693e9b3cf674eb16ebb650N.exe	30
PID 1152 wrote to memory of 2660	1152	0014191a7a693e9b3cf674eb16ebb650N.exe	30
PID 1152 wrote to memory of 2660	1152	0014191a7a693e9b3cf674eb16ebb650N.exe	30
PID 1152 wrote to memory of 2660	1152	0014191a7a693e9b3cf674eb16ebb650N.exe	30
PID 1152 wrote to memory of 2756	1152	0014191a7a693e9b3cf674eb16ebb650N.exe	31
PID 1152 wrote to memory of 2756	1152	0014191a7a693e9b3cf674eb16ebb650N.exe	31
PID 1152 wrote to memory of 2756	1152	0014191a7a693e9b3cf674eb16ebb650N.exe	31
PID 1152 wrote to memory of 2756	1152	0014191a7a693e9b3cf674eb16ebb650N.exe	31
PID 2756 wrote to memory of 2812	2756	MSWDM.EXE	32
PID 2756 wrote to memory of 2812	2756	MSWDM.EXE	32
PID 2756 wrote to memory of 2812	2756	MSWDM.EXE	32
PID 2756 wrote to memory of 2812	2756	MSWDM.EXE	32
PID 2756 wrote to memory of 2836	2756	MSWDM.EXE	34
PID 2756 wrote to memory of 2836	2756	MSWDM.EXE	34
PID 2756 wrote to memory of 2836	2756	MSWDM.EXE	34
PID 2756 wrote to memory of 2836	2756	MSWDM.EXE	34
PID 2836 wrote to memory of 3056	2836	MSWDM.EXE	35
PID 2836 wrote to memory of 3056	2836	MSWDM.EXE	35
PID 2836 wrote to memory of 3056	2836	MSWDM.EXE	35
PID 2836 wrote to memory of 3056	2836	MSWDM.EXE	35

C:\Users\Admin\AppData\Local\Temp\0014191a7a693e9b3cf674eb16ebb650N.exe
"C:\Users\Admin\AppData\Local\Temp\0014191a7a693e9b3cf674eb16ebb650N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1152
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2660
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev1111.tmp!C:\Users\Admin\AppData\Local\Temp\0014191a7a693e9b3cf674eb16ebb650N.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\0014191A7A693E9B3CF674EB16EBB650N.EXE
    3⤵
    - Executes dropped EXE
    PID:2812
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev1111.tmp!C:\Users\Admin\AppData\Local\Temp\0014191A7A693E9B3CF674EB16EBB650N.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 124
      4⤵
      Program crash
      PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0014191A7A693E9B3CF674EB16EBB650N.EXE

Filesize
634KB

MD5
c47f8237dc09ccec7af6d79e370fde09

SHA1
69fa8e3f277f07a5bc76e0a91d66a7ce828e3a3e

SHA256
1c8f49eb2b2e50ad9e84edf86f56ceba33edbefa82d442dd4d5104f17817af79

SHA512
f5fe722438021387a3a412b73a9ed8fe92dffa2732b6fc764ae2deaa83e8d1640118788880106c74dcfd36cc946203c382a65bcf25d2b5ce329822939213cfa2

Download Submit
C:\Windows\MSWDM.EXE

Filesize
176KB

MD5
e47fbba037ae23d415b4b9f8221522df

SHA1
b966d6d5fbf15a234a85bc77ab9afcef9af6021f

SHA256
05a488d691805b11aa41780d6f7e39545d7543edfc5b8bcd238c645bd4b49c3d

SHA512
2d6038d2addf36fc0ee63acca180e1fa0501c48c88edf460f899454b32315433d94b805f3c2a678e87df6fa71bdd1f6b43e4e26d298cf60f64282223febe4e7e

Download Submit
\Users\Admin\AppData\Local\Temp\0014191a7a693e9b3cf674eb16ebb650N.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/1152-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1152-6-0x00000000002E0000-0x000000000030C000-memory.dmp

Filesize
176KB

Download
memory/1152-12-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2660-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2756-27-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2836-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads