7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb

General

Target

7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe
Size

84KB
MD5

a86721e4f4b5e3c7466f44f2bee3cb62
SHA1

fd286e66ef6a555797340adb395c894d7d857dd9
SHA256

7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb
SHA512

92002579dfa20ce5afd9351eadc3eb749711414733218659ac4c8e75c1ccde1502326bdb6fc248e7123719c6c1817de957611389b0e216faa9b8e8d7a984dd30
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FaG+sxriw+d9bHrkT5gUHz7Fxtf:HQC/yj5JO3MnaG+2rBkfkT5xHzB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2028	MSWDM.EXE
2192	MSWDM.EXE
2892	7F99DA5D252F03A7345AC3EA2AF005BE84924366E7A76C6492E52E249D247DFB.EXE
2668	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
2028	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\devDDF0.tmp	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe
File opened for modification	C:\Windows\devDDF0.tmp	MSWDM.EXE
File created	C:\WINDOWS\MSWDM.EXE	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2028	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2192	2072	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe	31
PID 2072 wrote to memory of 2192	2072	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe	31
PID 2072 wrote to memory of 2192	2072	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe	31
PID 2072 wrote to memory of 2192	2072	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe	31
PID 2072 wrote to memory of 2028	2072	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe	32
PID 2072 wrote to memory of 2028	2072	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe	32
PID 2072 wrote to memory of 2028	2072	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe	32
PID 2072 wrote to memory of 2028	2072	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe	32
PID 2028 wrote to memory of 2892	2028	MSWDM.EXE	33
PID 2028 wrote to memory of 2892	2028	MSWDM.EXE	33
PID 2028 wrote to memory of 2892	2028	MSWDM.EXE	33
PID 2028 wrote to memory of 2892	2028	MSWDM.EXE	33
PID 2028 wrote to memory of 2668	2028	MSWDM.EXE	34
PID 2028 wrote to memory of 2668	2028	MSWDM.EXE	34
PID 2028 wrote to memory of 2668	2028	MSWDM.EXE	34
PID 2028 wrote to memory of 2668	2028	MSWDM.EXE	34

C:\Users\Admin\AppData\Local\Temp\7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe
"C:\Users\Admin\AppData\Local\Temp\7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2192
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devDDF0.tmp!C:\Users\Admin\AppData\Local\Temp\7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\7F99DA5D252F03A7345AC3EA2AF005BE84924366E7A76C6492E52E249D247DFB.EXE
    3⤵
    - Executes dropped EXE
    PID:2892
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devDDF0.tmp!C:\Users\Admin\AppData\Local\Temp\7F99DA5D252F03A7345AC3EA2AF005BE84924366E7A76C6492E52E249D247DFB.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7F99DA5D252F03A7345AC3EA2AF005BE84924366E7A76C6492E52E249D247DFB.EXE

Filesize
84KB

MD5
98a121311f7092069546aebf1b26b45a

SHA1
ac06a0d6d36c57902ddaedb8ed975e400a4c9335

SHA256
5bc07c7e9bdf91a92de7efd9ded30c84e516ce09f807822c304a57a9142853f6

SHA512
7d02e46802848e802bf8aa54d9857d7f670e522d8f561a94bb9f228a3611640a4a945fe169bfe7971c05e5db7eb6ce7509964c402aa24f137beaf50f58376e90

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
0b68b857a7e40217c3dc0fbccd74c48c

SHA1
8eca09de54246a76db602e9bb2e7447ed8861bae

SHA256
8891f8c76109255aff00be5f3ee7fe70a781371158d83f25ebf15d1a0fa7a22c

SHA512
eed10fb03056f0760046505b06e378b697821ab37179e751168f1e2c9a92d0f0b318a8189618f9929a8f5b65c4f986dd3fcac5514ce398ee371ade5c8143f9dd

Download Submit
\Users\Admin\AppData\Local\Temp\7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe

Filesize
36KB

MD5
9f498971cbe636662f3d210747d619e1

SHA1
44b8e2732fa1e2f204fc70eaa1cb406616250085

SHA256
8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

SHA512
b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

Download Submit
memory/2028-29-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2072-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2072-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2192-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2668-26-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads