a25d86e42fceb3b3f018bb0d98a212e092dc14cfe1abbff853f5f6f50effafea

General

Target

6c0b7c4e9f9c642dbb08155aa9a93ff0N.exe
Size

383KB
MD5

6c0b7c4e9f9c642dbb08155aa9a93ff0
SHA1

d4aac1ad39725efdf0b71c3610665a506dffe4ce
SHA256

a25d86e42fceb3b3f018bb0d98a212e092dc14cfe1abbff853f5f6f50effafea
SHA512

93fc2377609c4a4c23cf7ae52044f5dd361ef585b9e7cea9d70005b24c7f6caaf17ecf4eee0a9f801312fdb7c4afa5b73e7b76224e79b8758b37f8ac70321110
SSDEEP

6144:wlj7cMnR+UzU66bkWmchVySqkvAH3qo0wWJC6G/SMT4FWqCl:wlbR+8U66b5zhVymA/XSRhs

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1404	MSWDM.EXE
3056	MSWDM.EXE
3644	6C0B7C4E9F9C642DBB08155AA9A93FF0N.EXE
2908	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	6c0b7c4e9f9c642dbb08155aa9a93ff0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	6c0b7c4e9f9c642dbb08155aa9a93ff0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	6c0b7c4e9f9c642dbb08155aa9a93ff0N.exe
File opened for modification	C:\Windows\devDA81.tmp	6c0b7c4e9f9c642dbb08155aa9a93ff0N.exe
File opened for modification	C:\Windows\devDA81.tmp	MSWDM.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c0b7c4e9f9c642dbb08155aa9a93ff0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3056	MSWDM.EXE
3056	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 1404	4328	6c0b7c4e9f9c642dbb08155aa9a93ff0N.exe	84
PID 4328 wrote to memory of 1404	4328	6c0b7c4e9f9c642dbb08155aa9a93ff0N.exe	84
PID 4328 wrote to memory of 1404	4328	6c0b7c4e9f9c642dbb08155aa9a93ff0N.exe	84
PID 4328 wrote to memory of 3056	4328	6c0b7c4e9f9c642dbb08155aa9a93ff0N.exe	85
PID 4328 wrote to memory of 3056	4328	6c0b7c4e9f9c642dbb08155aa9a93ff0N.exe	85
PID 4328 wrote to memory of 3056	4328	6c0b7c4e9f9c642dbb08155aa9a93ff0N.exe	85
PID 3056 wrote to memory of 3644	3056	MSWDM.EXE	87
PID 3056 wrote to memory of 3644	3056	MSWDM.EXE	87
PID 3056 wrote to memory of 2908	3056	MSWDM.EXE	88
PID 3056 wrote to memory of 2908	3056	MSWDM.EXE	88
PID 3056 wrote to memory of 2908	3056	MSWDM.EXE	88

C:\Users\Admin\AppData\Local\Temp\6c0b7c4e9f9c642dbb08155aa9a93ff0N.exe
"C:\Users\Admin\AppData\Local\Temp\6c0b7c4e9f9c642dbb08155aa9a93ff0N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4328
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1404
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devDA81.tmp!C:\Users\Admin\AppData\Local\Temp\6c0b7c4e9f9c642dbb08155aa9a93ff0N.exe! !
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\6C0B7C4E9F9C642DBB08155AA9A93FF0N.EXE
    3⤵
    - Executes dropped EXE
    PID:3644
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devDA81.tmp!C:\Users\Admin\AppData\Local\Temp\6C0B7C4E9F9C642DBB08155AA9A93FF0N.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6C0B7C4E9F9C642DBB08155AA9A93FF0N.EXE

Filesize
383KB

MD5
9444eb00394136e5445d13d79dcc9751

SHA1
2f87c63c5c278555a156435416863121f9e9e486

SHA256
e18d594443d403d20930be80f14af1118027363dc451b0e57c143f1e0757059f

SHA512
1dc8257378d2f467099502b80758c8854df4219067abcd5e553554a863ff1036efb5de38d084df2ac4c4270383ce33f6e73ba3703210761841e54b3d4bf80431

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c0b7c4e9f9c642dbb08155aa9a93ff0N.exe

Filesize
383KB

MD5
0ad1d65a4bd9548ab0ddce7e1181b3c5

SHA1
3a842e58ac80796e2a4e2f994eea5c09a714c3a4

SHA256
8281ee85ea3cb68ca1ad898ae2466893e26c3aa8ef5594aa92ebeb3c892471d8

SHA512
f479a8df4923ab74c06f0d386e4e18753e68171e3156bae4c941e48d32c7900693a900177dd8cbcb35add3f076ca3db4c7c6afc5ad6ab5b43124d6d41ec19bde

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
cd730dc4892b338bbdb1219b8b46ffec

SHA1
487d5c74e23f01489b67305e102df9e4d5efb9d0

SHA256
ea09b6c7f3551c2b7884fcca215fbcb189e1267152226bf8cb0dff81b0e41319

SHA512
d22c6e988fa2f2eba75fd5e16ea7646426dcb339a7ced8b3e0cc75af215799fe024901213d8da8338489a32bea48458f979160ae23f91192f712804d1f9c59b0

Download Submit
C:\Windows\devDA81.tmp

Filesize
335KB

MD5
40ac62c087648ccc2c58dae066d34c98

SHA1
0e87efb6ddfe59e534ea9e829cad35be8563e5f7

SHA256
482c4c1562490e164d5f17990253373691aa5eab55a81c7f890fe9583a9ea916

SHA512
0c1ff13ff88409d54fee2ceb07fe65135ce2a9aa6f8da51ac0158abb2cfbb3a898ef26f476931986f1367622f21a7c0b0e742d0f4de8be6e215596b0d88c518f

Download Submit
memory/1404-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2908-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3056-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4328-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4328-9-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads