c798f3ecfc30da24747588a218a8673eb9080142f88150b926864095e1a3e161

General

Target

20bddb026fc8aa2e0ae2d16955afb750N.exe
Size

615KB
MD5

20bddb026fc8aa2e0ae2d16955afb750
SHA1

980976ba08c0f8f1e3d3d7fef9a34e726ca823d6
SHA256

c798f3ecfc30da24747588a218a8673eb9080142f88150b926864095e1a3e161
SHA512

4436c4f9a2afc103e8079d21aff0c2a29832902d52ef57a791f88f77cea281faba95caf6ec0d369379e93e0d1d6eded16456265abce1ec205846594786317cf9
SSDEEP

12288:wlbd+Waplw9U+qMi8CtdVldusIh6BBHCHrKZXCktSzIzWpX5/:Wbd+NYTqMi8CtBd2QHCHmTBW5/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2756	MSWDM.EXE
2684	MSWDM.EXE
2176	20BDDB026FC8AA2E0AE2D16955AFB750N.EXE
1216	Process not Found
2712	MSWDM.EXE

Loads dropped DLL 2 IoCs

pid	Process
2756	MSWDM.EXE
2756	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	20bddb026fc8aa2e0ae2d16955afb750N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	20bddb026fc8aa2e0ae2d16955afb750N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	20bddb026fc8aa2e0ae2d16955afb750N.exe
File opened for modification	C:\Windows\devB08.tmp	20bddb026fc8aa2e0ae2d16955afb750N.exe
File opened for modification	C:\Windows\devB08.tmp	MSWDM.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20bddb026fc8aa2e0ae2d16955afb750N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2756	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2684	3068	20bddb026fc8aa2e0ae2d16955afb750N.exe	30
PID 3068 wrote to memory of 2684	3068	20bddb026fc8aa2e0ae2d16955afb750N.exe	30
PID 3068 wrote to memory of 2684	3068	20bddb026fc8aa2e0ae2d16955afb750N.exe	30
PID 3068 wrote to memory of 2684	3068	20bddb026fc8aa2e0ae2d16955afb750N.exe	30
PID 3068 wrote to memory of 2756	3068	20bddb026fc8aa2e0ae2d16955afb750N.exe	31
PID 3068 wrote to memory of 2756	3068	20bddb026fc8aa2e0ae2d16955afb750N.exe	31
PID 3068 wrote to memory of 2756	3068	20bddb026fc8aa2e0ae2d16955afb750N.exe	31
PID 3068 wrote to memory of 2756	3068	20bddb026fc8aa2e0ae2d16955afb750N.exe	31
PID 2756 wrote to memory of 2176	2756	MSWDM.EXE	32
PID 2756 wrote to memory of 2176	2756	MSWDM.EXE	32
PID 2756 wrote to memory of 2176	2756	MSWDM.EXE	32
PID 2756 wrote to memory of 2176	2756	MSWDM.EXE	32
PID 2756 wrote to memory of 2712	2756	MSWDM.EXE	33
PID 2756 wrote to memory of 2712	2756	MSWDM.EXE	33
PID 2756 wrote to memory of 2712	2756	MSWDM.EXE	33
PID 2756 wrote to memory of 2712	2756	MSWDM.EXE	33

C:\Users\Admin\AppData\Local\Temp\20bddb026fc8aa2e0ae2d16955afb750N.exe
"C:\Users\Admin\AppData\Local\Temp\20bddb026fc8aa2e0ae2d16955afb750N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2684
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devB08.tmp!C:\Users\Admin\AppData\Local\Temp\20bddb026fc8aa2e0ae2d16955afb750N.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\20BDDB026FC8AA2E0AE2D16955AFB750N.EXE
    3⤵
    - Executes dropped EXE
    PID:2176
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devB08.tmp!C:\Users\Admin\AppData\Local\Temp\20BDDB026FC8AA2E0AE2D16955AFB750N.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\20BDDB026FC8AA2E0AE2D16955AFB750N.EXE

Filesize
615KB

MD5
5bea64dbc545271579be8f335c87d555

SHA1
305182c837b157491526637ba9c73ae4b74e96b1

SHA256
91c808fa7ed54db281aeb12a8810af3f3d30b39a21854aa2b7a123dd5f1e3c50

SHA512
bc25bb09e6ae311ca48074cbf1a734dabc644ca9c646c98b33ad2ff7dcf7a396fbfdad77e2289f4a883673e37679b0f83e9f178b6e3045c563e95bc1a1d8c1bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\20bddb026fc8aa2e0ae2d16955afb750N.exe

Filesize
568KB

MD5
04fb3ae7f05c8bc333125972ba907398

SHA1
df22612647e9404a515d48ebad490349685250de

SHA256
2fb898bacb587f2484c9c4aa6da2729079d93d1f923a017bb84beef87bf74fef

SHA512
94c164a0b884c939ece30f5038d07b756702998d46786f9f613fbea2eb30bed4bc19a409f347bb4cc565898473b18155d580b453683223beaf30ed4079c251b2

Download Submit
C:\WINDOWS\MSWDM.EXE

Filesize
47KB

MD5
5f8d409983914065297cec4d27496caa

SHA1
8cf39ec61445061b7642d36613de97c12850d821

SHA256
685ff783e760bf7ecffd7f2cf55e6f30d979703b7fa5e1138642c85d9741ed46

SHA512
b83a4763d6dfd579cac7960d623d7a94e0b4b9c5b12a58ba0f2422d71fdee2d97d8a7f163b12f2441273471d26389e885ff944ab3f27b78e8af36e6f8beb853c

Download Submit
memory/2684-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2684-36-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2712-32-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2756-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2756-35-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3068-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3068-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads