1ea6a49460127637c82333d02adb9e53bfe041bac802b5983a9dc055c43b5c7d

General

Target

0014191a7a693e9b3cf674eb16ebb650N.exe
Size

634KB
MD5

0014191a7a693e9b3cf674eb16ebb650
SHA1

0d0414a68e5c8a1f4d8d32cf6892e66d112b0217
SHA256

1ea6a49460127637c82333d02adb9e53bfe041bac802b5983a9dc055c43b5c7d
SHA512

b587bae04449e45818c848705d866c082073aa8edbb00df5e0361bdcb1fb03e6215e8393569042ebae033b1b46ee6aec6e7c43ea141248d92df912a428509d24
SSDEEP

6144:IooZIFH5nfYz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtlB:ISF1O1gL5pRTcAkS/3hzN8qE43fm78VX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4044	MSWDM.EXE
1456	MSWDM.EXE
1128	0014191A7A693E9B3CF674EB16EBB650N.EXE
1808	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	0014191a7a693e9b3cf674eb16ebb650N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	0014191a7a693e9b3cf674eb16ebb650N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	0014191a7a693e9b3cf674eb16ebb650N.exe
File opened for modification	C:\Windows\dev9673.tmp	0014191a7a693e9b3cf674eb16ebb650N.exe
File opened for modification	C:\Windows\dev9673.tmp	MSWDM.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2384	1808	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1456	MSWDM.EXE
1456	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 4044	4504	0014191a7a693e9b3cf674eb16ebb650N.exe	84
PID 4504 wrote to memory of 4044	4504	0014191a7a693e9b3cf674eb16ebb650N.exe	84
PID 4504 wrote to memory of 4044	4504	0014191a7a693e9b3cf674eb16ebb650N.exe	84
PID 4504 wrote to memory of 1456	4504	0014191a7a693e9b3cf674eb16ebb650N.exe	85
PID 4504 wrote to memory of 1456	4504	0014191a7a693e9b3cf674eb16ebb650N.exe	85
PID 4504 wrote to memory of 1456	4504	0014191a7a693e9b3cf674eb16ebb650N.exe	85
PID 1456 wrote to memory of 1128	1456	MSWDM.EXE	86
PID 1456 wrote to memory of 1128	1456	MSWDM.EXE	86
PID 1456 wrote to memory of 1808	1456	MSWDM.EXE	88
PID 1456 wrote to memory of 1808	1456	MSWDM.EXE	88
PID 1456 wrote to memory of 1808	1456	MSWDM.EXE	88

C:\Users\Admin\AppData\Local\Temp\0014191a7a693e9b3cf674eb16ebb650N.exe
"C:\Users\Admin\AppData\Local\Temp\0014191a7a693e9b3cf674eb16ebb650N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4504
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4044
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev9673.tmp!C:\Users\Admin\AppData\Local\Temp\0014191a7a693e9b3cf674eb16ebb650N.exe! !
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\0014191A7A693E9B3CF674EB16EBB650N.EXE
    3⤵
    - Executes dropped EXE
    PID:1128
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev9673.tmp!C:\Users\Admin\AppData\Local\Temp\0014191A7A693E9B3CF674EB16EBB650N.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 340
      4⤵
      Program crash
      PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1808 -ip 1808
1⤵
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0014191A7A693E9B3CF674EB16EBB650N.EXE

Filesize
634KB

MD5
c44d5790e57a8ade3e1e11896ade1f22

SHA1
917645ed30ca8dd9e0acb2f461d08878c4dae4ea

SHA256
a8c4374750bf84ce7f26f843c0fe849ba0e913f671bf681ba1fcb2d6e44ea905

SHA512
27f524d905194f95b0a2763b16c700b63b90ed5f41cbc716a33d5573b701e9d0d5c4247f90c9391eabf21893844eada102bdd66720e3ea7fbe41cf9f599c3ebc

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
176KB

MD5
e47fbba037ae23d415b4b9f8221522df

SHA1
b966d6d5fbf15a234a85bc77ab9afcef9af6021f

SHA256
05a488d691805b11aa41780d6f7e39545d7543edfc5b8bcd238c645bd4b49c3d

SHA512
2d6038d2addf36fc0ee63acca180e1fa0501c48c88edf460f899454b32315433d94b805f3c2a678e87df6fa71bdd1f6b43e4e26d298cf60f64282223febe4e7e

Download Submit
C:\Windows\dev9673.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/1456-19-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1808-17-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4044-10-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4044-20-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4504-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4504-7-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads