62b6b0c1e38a972b6a7a9f9654ea2e8230601e3010e1daf82f2d7cfc157b6971

General

Target

bbb35ace2a20cfc40b70b453e8b38220N.exe
Size

121KB
MD5

bbb35ace2a20cfc40b70b453e8b38220
SHA1

b884c4960edb36360236ed7d1f68cc94fd6c25c6
SHA256

62b6b0c1e38a972b6a7a9f9654ea2e8230601e3010e1daf82f2d7cfc157b6971
SHA512

7478d3cb85b5d7ad329e7bf75da15ff184e839b151d5bb603c59f0e1fb97c3db04307d0d3cf69f701fb9d64c5429c7dd7317bf9a98726ab4fecce4f9e5c80da3
SSDEEP

3072:HQC/yj5JO3MnMG+Hu54Fx4xE8plZQKbgZi1St7xS:wlj7cMnd+OEXAwKbgZU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1824	MSWDM.EXE
2704	MSWDM.EXE
3044	BBB35ACE2A20CFC40B70B453E8B38220N.EXE
2360	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
2704	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	bbb35ace2a20cfc40b70b453e8b38220N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	bbb35ace2a20cfc40b70b453e8b38220N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	bbb35ace2a20cfc40b70b453e8b38220N.exe
File opened for modification	C:\Windows\dev981B.tmp	bbb35ace2a20cfc40b70b453e8b38220N.exe
File opened for modification	C:\Windows\dev981B.tmp	MSWDM.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbb35ace2a20cfc40b70b453e8b38220N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2704	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1824	1748	bbb35ace2a20cfc40b70b453e8b38220N.exe	29
PID 1748 wrote to memory of 1824	1748	bbb35ace2a20cfc40b70b453e8b38220N.exe	29
PID 1748 wrote to memory of 1824	1748	bbb35ace2a20cfc40b70b453e8b38220N.exe	29
PID 1748 wrote to memory of 1824	1748	bbb35ace2a20cfc40b70b453e8b38220N.exe	29
PID 1748 wrote to memory of 2704	1748	bbb35ace2a20cfc40b70b453e8b38220N.exe	30
PID 1748 wrote to memory of 2704	1748	bbb35ace2a20cfc40b70b453e8b38220N.exe	30
PID 1748 wrote to memory of 2704	1748	bbb35ace2a20cfc40b70b453e8b38220N.exe	30
PID 1748 wrote to memory of 2704	1748	bbb35ace2a20cfc40b70b453e8b38220N.exe	30
PID 2704 wrote to memory of 3044	2704	MSWDM.EXE	31
PID 2704 wrote to memory of 3044	2704	MSWDM.EXE	31
PID 2704 wrote to memory of 3044	2704	MSWDM.EXE	31
PID 2704 wrote to memory of 3044	2704	MSWDM.EXE	31
PID 2704 wrote to memory of 2360	2704	MSWDM.EXE	32
PID 2704 wrote to memory of 2360	2704	MSWDM.EXE	32
PID 2704 wrote to memory of 2360	2704	MSWDM.EXE	32
PID 2704 wrote to memory of 2360	2704	MSWDM.EXE	32

C:\Users\Admin\AppData\Local\Temp\bbb35ace2a20cfc40b70b453e8b38220N.exe
"C:\Users\Admin\AppData\Local\Temp\bbb35ace2a20cfc40b70b453e8b38220N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1824
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev981B.tmp!C:\Users\Admin\AppData\Local\Temp\bbb35ace2a20cfc40b70b453e8b38220N.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\BBB35ACE2A20CFC40B70B453E8B38220N.EXE
    3⤵
    - Executes dropped EXE
    PID:3044
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev981B.tmp!C:\Users\Admin\AppData\Local\Temp\BBB35ACE2A20CFC40B70B453E8B38220N.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BBB35ACE2A20CFC40B70B453E8B38220N.EXE

Filesize
121KB

MD5
2b8f98ff396a990fe3600ea8debe31a3

SHA1
cf0c2941fd8476eb76572170ca7362f38e8b621b

SHA256
4b8926618ff86189d9805a9d7c1d2a1aff39941af18b1c477ed6e9c2f5698096

SHA512
b2f3bbba11d25431afcf6baa5ab903953b4041735ac4d32337867c418847f6709313230894830e88d34a50e8e80f4c2ba839d599db9bb910249e5d7c9e269ff1

Download Submit
C:\Windows\MSWDM.EXE

Filesize
80KB

MD5
ca1665aebc386a9e1e00e62a6f24bccd

SHA1
ace8a60b685b6e870d0952fd7de8b1157112db6a

SHA256
9a7574d09ccc52c090ac586db59b15f7295fb15f6c2a1492558cb6d4cfdd5d3d

SHA512
bd227870c2e6b67e11e532e43aecdd0af65745a31cc0beed86032bb00879a3eddeb9ddeae7bcc7089fee758179e2b7b9f567957f7f2fcfc69ed766d5feaa6d17

Download Submit
C:\Windows\dev981B.tmp

Filesize
41KB

MD5
977e405c109268909fd24a94cc23d4f0

SHA1
af5d032c2b6caa2164cf298e95b09060665c4188

SHA256
cd24c61fe7dc3896c6c928c92a2adc58fab0a3ff61ef7ddcac1ba794182ab12f

SHA512
12b4b59c1a8e65e72aa07ee4b6b6cd9fdedead01d5ce8e30f16ca26b5d733655e23a71c1d273a950a5b1a6cce810b696612de4a1148ac5f468ddf05d4549eed5

Download Submit
memory/1748-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1748-13-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1824-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2360-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2704-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2704-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads