9bf060851e7b6e76975fdc681194f201e5995b98bb639c50523a01fdf77fdedb

General

Target

ef47db9bcf65935ccd52fac41b062c20N.exe
Size

95KB
MD5

ef47db9bcf65935ccd52fac41b062c20
SHA1

a5c1d4e1999f06a810ce2ce332b8a5d68f06b04c
SHA256

9bf060851e7b6e76975fdc681194f201e5995b98bb639c50523a01fdf77fdedb
SHA512

e358fcb2aac1a7755f78aa52285319cb6443e3feb945e5da7127cd8832e5c808dab4a5bfcc48bdd2174745aca7c1e6305ce6def3e6c1aec6124c3a503ccc62d0
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FYG+sdguxnSngBNpT/mzNnxPAxEAz0+/8omC3:HQC/yj5JO3MnYG+Hu54Fx4xE8EomCP1Z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2664	MSWDM.EXE
2928	MSWDM.EXE
2104	EF47DB9BCF65935CCD52FAC41B062C20N.EXE

Loads dropped DLL 1 IoCs

pid	Process
2928	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	ef47db9bcf65935ccd52fac41b062c20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	ef47db9bcf65935ccd52fac41b062c20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dev34F5.tmp	ef47db9bcf65935ccd52fac41b062c20N.exe
File created	C:\WINDOWS\MSWDM.EXE	ef47db9bcf65935ccd52fac41b062c20N.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef47db9bcf65935ccd52fac41b062c20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EF47DB9BCF65935CCD52FAC41B062C20N.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2928	MSWDM.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2664	2096	ef47db9bcf65935ccd52fac41b062c20N.exe	30
PID 2096 wrote to memory of 2664	2096	ef47db9bcf65935ccd52fac41b062c20N.exe	30
PID 2096 wrote to memory of 2664	2096	ef47db9bcf65935ccd52fac41b062c20N.exe	30
PID 2096 wrote to memory of 2664	2096	ef47db9bcf65935ccd52fac41b062c20N.exe	30
PID 2096 wrote to memory of 2928	2096	ef47db9bcf65935ccd52fac41b062c20N.exe	31
PID 2096 wrote to memory of 2928	2096	ef47db9bcf65935ccd52fac41b062c20N.exe	31
PID 2096 wrote to memory of 2928	2096	ef47db9bcf65935ccd52fac41b062c20N.exe	31
PID 2096 wrote to memory of 2928	2096	ef47db9bcf65935ccd52fac41b062c20N.exe	31
PID 2928 wrote to memory of 2104	2928	MSWDM.EXE	32
PID 2928 wrote to memory of 2104	2928	MSWDM.EXE	32
PID 2928 wrote to memory of 2104	2928	MSWDM.EXE	32
PID 2928 wrote to memory of 2104	2928	MSWDM.EXE	32
PID 2928 wrote to memory of 2104	2928	MSWDM.EXE	32
PID 2928 wrote to memory of 2104	2928	MSWDM.EXE	32
PID 2928 wrote to memory of 2104	2928	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\ef47db9bcf65935ccd52fac41b062c20N.exe
"C:\Users\Admin\AppData\Local\Temp\ef47db9bcf65935ccd52fac41b062c20N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2664
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev34F5.tmp!C:\Users\Admin\AppData\Local\Temp\ef47db9bcf65935ccd52fac41b062c20N.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\EF47DB9BCF65935CCD52FAC41B062C20N.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
3714733484b2688717fdc12bb1347d95

SHA1
2abf6b186660c9f0e373b9bc09d499f8416105b6

SHA256
44d6e9eec89a91a136a5dbe0dd5e6b84fcf2eeeea7be810b35889e62550cf356

SHA512
808b5ec1bb1ee1810515d822dc4db3112225a868dff5ae895a39389da00a49b192cd6967b28e8bfab2d36d47410f4ebcfeeac131c4cf8c096f3f31ec5fa0f800

Download Submit
C:\Windows\dev34F5.tmp

Filesize
15KB

MD5
b0cec9f342bf95700b602ee376446577

SHA1
b955b1b64280bb0ea873538029cf5ea44081501b

SHA256
24a2472e3bd5016cb22ce14cefee112d5bc18354bf099e8e66ad9846aea15088

SHA512
05ebecfc8d3e2e7885d3cacc65bfd97db710c2cbc0fb76b19b7d6cc82b327b25df953a20affc8d84002167dd8ac7710622279d3579c6605e742a98fe7095aa4e

Download Submit
memory/2096-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2096-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2096-20-0x00000000002A0000-0x00000000002BB000-memory.dmp

Filesize
108KB

Download
memory/2664-21-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2664-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2928-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads