7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb

General

Target

7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe
Size

84KB
MD5

a86721e4f4b5e3c7466f44f2bee3cb62
SHA1

fd286e66ef6a555797340adb395c894d7d857dd9
SHA256

7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb
SHA512

92002579dfa20ce5afd9351eadc3eb749711414733218659ac4c8e75c1ccde1502326bdb6fc248e7123719c6c1817de957611389b0e216faa9b8e8d7a984dd30
SSDEEP

1536:Hlqls0GgUyj5JxdA4Oj3W2Fsdq4FaG+sxriw+d9bHrkT5gUHz7Fxtf:HQC/yj5JO3MnaG+2rBkfkT5xHzB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4988	MSWDM.EXE
1244	MSWDM.EXE
3540	7F99DA5D252F03A7345AC3EA2AF005BE84924366E7A76C6492E52E249D247DFB.EXE
3204	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe
File opened for modification	C:\Windows\dev9B46.tmp	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe
File opened for modification	C:\Windows\dev9B46.tmp	MSWDM.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1244	MSWDM.EXE
1244	MSWDM.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 4988	4296	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe	83
PID 4296 wrote to memory of 4988	4296	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe	83
PID 4296 wrote to memory of 4988	4296	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe	83
PID 4296 wrote to memory of 1244	4296	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe	84
PID 4296 wrote to memory of 1244	4296	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe	84
PID 4296 wrote to memory of 1244	4296	7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe	84
PID 1244 wrote to memory of 3540	1244	MSWDM.EXE	85
PID 1244 wrote to memory of 3540	1244	MSWDM.EXE	85
PID 1244 wrote to memory of 3204	1244	MSWDM.EXE	86
PID 1244 wrote to memory of 3204	1244	MSWDM.EXE	86
PID 1244 wrote to memory of 3204	1244	MSWDM.EXE	86

C:\Users\Admin\AppData\Local\Temp\7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe
"C:\Users\Admin\AppData\Local\Temp\7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4296
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4988
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\dev9B46.tmp!C:\Users\Admin\AppData\Local\Temp\7f99da5d252f03a7345ac3ea2af005be84924366e7a76c6492e52e249d247dfb.exe! !
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Users\Admin\AppData\Local\Temp\7F99DA5D252F03A7345AC3EA2AF005BE84924366E7A76C6492E52E249D247DFB.EXE
    3⤵
    - Executes dropped EXE
    PID:3540
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\dev9B46.tmp!C:\Users\Admin\AppData\Local\Temp\7F99DA5D252F03A7345AC3EA2AF005BE84924366E7A76C6492E52E249D247DFB.EXE!
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7F99DA5D252F03A7345AC3EA2AF005BE84924366E7A76C6492E52E249D247DFB.EXE

Filesize
84KB

MD5
9fbb5b9ad5f6281ee69b2a12e78519cd

SHA1
110f990882b2e6b026962add2a947613b5d8ebbe

SHA256
df8389cf24ff19740354454dae1ecbedd061e51034d493d3cff2a82681be69e5

SHA512
d83bff2aebdea0d1ccea6f8387ca9be97f2bc6f050db6177cd28ee83ddb16d8ff2e96ef1d81378a9d82813ba616fd588b4a25a8079faac1b864fbd31f843a30f

Download Submit
C:\Windows\MSWDM.EXE

Filesize
47KB

MD5
0b68b857a7e40217c3dc0fbccd74c48c

SHA1
8eca09de54246a76db602e9bb2e7447ed8861bae

SHA256
8891f8c76109255aff00be5f3ee7fe70a781371158d83f25ebf15d1a0fa7a22c

SHA512
eed10fb03056f0760046505b06e378b697821ab37179e751168f1e2c9a92d0f0b318a8189618f9929a8f5b65c4f986dd3fcac5514ce398ee371ade5c8143f9dd

Download Submit
C:\Windows\dev9B46.tmp

Filesize
36KB

MD5
9f498971cbe636662f3d210747d619e1

SHA1
44b8e2732fa1e2f204fc70eaa1cb406616250085

SHA256
8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

SHA512
b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

Download Submit
memory/1244-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1244-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3204-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4296-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4296-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4988-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads