0dbb9e1eeff7b45a3ea1b87d06b2d041532f167c09167d73152820dc2d63d000

General

Target

bade6ff42998612d4ae147e9a6126130N.exe
Size

505KB
MD5

bade6ff42998612d4ae147e9a6126130
SHA1

de027a946e4a07ef6af4124bc98efe849e59b9b7
SHA256

0dbb9e1eeff7b45a3ea1b87d06b2d041532f167c09167d73152820dc2d63d000
SHA512

f84e9cc9ba92d06d647b2b177fefe24f9438c4a26881f8cc3303755c97ed14e881e4da66c261692c8024306cdabe54819c57fa1c8e771338f4c5b41b4662f624
SSDEEP

12288:wlbU+b1gL5pRTcAkS/3hzN8qE43fm78Ve:WbU+G5jcAkSYqyEe

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4528	MSWDM.EXE
4556	MSWDM.EXE
4264	BADE6FF42998612D4AE147E9A6126130N.EXE
2320	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	bade6ff42998612d4ae147e9a6126130N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	bade6ff42998612d4ae147e9a6126130N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	bade6ff42998612d4ae147e9a6126130N.exe
File opened for modification	C:\Windows\dev8666.tmp	bade6ff42998612d4ae147e9a6126130N.exe
File opened for modification	C:\Windows\dev8666.tmp	MSWDM.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bade6ff42998612d4ae147e9a6126130N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4556	MSWDM.EXE
4556	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 4528	2428	bade6ff42998612d4ae147e9a6126130N.exe	84
PID 2428 wrote to memory of 4528	2428	bade6ff42998612d4ae147e9a6126130N.exe	84
PID 2428 wrote to memory of 4528	2428	bade6ff42998612d4ae147e9a6126130N.exe	84
PID 2428 wrote to memory of 4556	2428	bade6ff42998612d4ae147e9a6126130N.exe	85
PID 2428 wrote to memory of 4556	2428	bade6ff42998612d4ae147e9a6126130N.exe	85
PID 2428 wrote to memory of 4556	2428	bade6ff42998612d4ae147e9a6126130N.exe	85
PID 4556 wrote to memory of 4264	4556	MSWDM.EXE	86
PID 4556 wrote to memory of 4264	4556	MSWDM.EXE	86
PID 4556 wrote to memory of 2320	4556	MSWDM.EXE	88
PID 4556 wrote to memory of 2320	4556	MSWDM.EXE	88
PID 4556 wrote to memory of 2320	4556	MSWDM.EXE	88

C:\Users\Admin\AppData\Local\Temp\bade6ff42998612d4ae147e9a6126130N.exe
"C:\Users\Admin\AppData\Local\Temp\bade6ff42998612d4ae147e9a6126130N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4528
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev8666.tmp!C:\Users\Admin\AppData\Local\Temp\bade6ff42998612d4ae147e9a6126130N.exe! !
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Users\Admin\AppData\Local\Temp\BADE6FF42998612D4AE147E9A6126130N.EXE
    3⤵
    - Executes dropped EXE
    PID:4264
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev8666.tmp!C:\Users\Admin\AppData\Local\Temp\BADE6FF42998612D4AE147E9A6126130N.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bade6ff42998612d4ae147e9a6126130N.exe

Filesize
505KB

MD5
c40225b4babe9bb6b6b1e6b5467c166d

SHA1
14e6c4f8827a4903e19558d09c073d325a45be7e

SHA256
fa31378e59d9f6a7bc749c20586c2cb56a47d00e01d54f72f2b233e060f367a8

SHA512
d9e87431531e4c4deff6d19873d9f5c66428772f0fa11960b1f4ea2905cf0ed13a5e0c122030d89520a16fab89846cddc0c4f527281b5323386b73ff5c3f1d57

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
2af966e7672f1e9c626245551247fb3a

SHA1
e951cfe9ab27dad1f3df6e8189d0cf9b6dbbf66c

SHA256
6b493904f292ff29033f7c6570485a7bef4d83eb9a71b2e64b9fc3308017a6c8

SHA512
dfa2ae6cf2ff64bb9e3f884c02d348a9e615e94e6cbd05ce8bc98ec98d22dead2b6007e7da9e1d9e2317d53366c58611100146a68ff44526e93ea71d2561c98e

Download Submit
C:\Windows\dev8666.tmp

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/2320-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2320-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2428-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2428-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4528-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4528-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4556-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4556-25-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads