db85a694365d94758f7e657860e61727fc52f8571bc534c6baa5ad8432220ca7

General

Target

db85a694365d94758f7e657860e61727fc52f8571bc534c6baa5ad8432220ca7N.exe
Size

591KB
MD5

20a0ece635cda9c4f4484ed8e15ef130
SHA1

d15518b0730110d94f34e128be490e19545bb318
SHA256

db85a694365d94758f7e657860e61727fc52f8571bc534c6baa5ad8432220ca7
SHA512

ca8ed9a873bc5a45c593121b726078ca7971881c358b58b14e9f1d8c96cae7b34a15851e034a3664ec8d765361a451896fd9ba50047d9fa2dafe19f879431567
SSDEEP

6144:WcNhJgX9z0f57STB0YRX8npzU66bkWmchVySqkvAH3qo0wWJC6G/SMT4FWqC7:phJ6mfBSTOYREtU66b5zhVymA/XSRhy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2516	MSWDM.EXE
2608	MSWDM.EXE
1228	DB85A694365D94758F7E657860E61727FC52F8571BC534C6BAA5AD8432220CA7N.EXE
2208	MSWDM.EXE

Loads dropped DLL 1 IoCs

pid	Process
2608	MSWDM.EXE

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	db85a694365d94758f7e657860e61727fc52f8571bc534c6baa5ad8432220ca7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	db85a694365d94758f7e657860e61727fc52f8571bc534c6baa5ad8432220ca7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM = "MSWDM.EXE"	MSWDM.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM = "MSWDM.EXE"	MSWDM.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\MSWDM.EXE	db85a694365d94758f7e657860e61727fc52f8571bc534c6baa5ad8432220ca7N.exe
File opened for modification	C:\Windows\devD44F.tmp	db85a694365d94758f7e657860e61727fc52f8571bc534c6baa5ad8432220ca7N.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db85a694365d94758f7e657860e61727fc52f8571bc534c6baa5ad8432220ca7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSWDM.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2608	MSWDM.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2516	2292	db85a694365d94758f7e657860e61727fc52f8571bc534c6baa5ad8432220ca7N.exe	31
PID 2292 wrote to memory of 2516	2292	db85a694365d94758f7e657860e61727fc52f8571bc534c6baa5ad8432220ca7N.exe	31
PID 2292 wrote to memory of 2516	2292	db85a694365d94758f7e657860e61727fc52f8571bc534c6baa5ad8432220ca7N.exe	31
PID 2292 wrote to memory of 2516	2292	db85a694365d94758f7e657860e61727fc52f8571bc534c6baa5ad8432220ca7N.exe	31
PID 2292 wrote to memory of 2608	2292	db85a694365d94758f7e657860e61727fc52f8571bc534c6baa5ad8432220ca7N.exe	32
PID 2292 wrote to memory of 2608	2292	db85a694365d94758f7e657860e61727fc52f8571bc534c6baa5ad8432220ca7N.exe	32
PID 2292 wrote to memory of 2608	2292	db85a694365d94758f7e657860e61727fc52f8571bc534c6baa5ad8432220ca7N.exe	32
PID 2292 wrote to memory of 2608	2292	db85a694365d94758f7e657860e61727fc52f8571bc534c6baa5ad8432220ca7N.exe	32
PID 2608 wrote to memory of 1228	2608	MSWDM.EXE	33
PID 2608 wrote to memory of 1228	2608	MSWDM.EXE	33
PID 2608 wrote to memory of 1228	2608	MSWDM.EXE	33
PID 2608 wrote to memory of 1228	2608	MSWDM.EXE	33
PID 2608 wrote to memory of 2208	2608	MSWDM.EXE	34
PID 2608 wrote to memory of 2208	2608	MSWDM.EXE	34
PID 2608 wrote to memory of 2208	2608	MSWDM.EXE	34
PID 2608 wrote to memory of 2208	2608	MSWDM.EXE	34

C:\Users\Admin\AppData\Local\Temp\db85a694365d94758f7e657860e61727fc52f8571bc534c6baa5ad8432220ca7N.exe
"C:\Users\Admin\AppData\Local\Temp\db85a694365d94758f7e657860e61727fc52f8571bc534c6baa5ad8432220ca7N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\WINDOWS\MSWDM.EXE
  "C:\WINDOWS\MSWDM.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2516
- C:\WINDOWS\MSWDM.EXE
  -r!C:\Windows\devD44F.tmp!C:\Users\Admin\AppData\Local\Temp\db85a694365d94758f7e657860e61727fc52f8571bc534c6baa5ad8432220ca7N.exe! !
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\DB85A694365D94758F7E657860E61727FC52F8571BC534C6BAA5AD8432220CA7N.EXE
    3⤵
    - Executes dropped EXE
    PID:1228
- - C:\WINDOWS\MSWDM.EXE
    -e!C:\Windows\devD44F.tmp!C:\Users\Admin\AppData\Local\Temp\DB85A694365D94758F7E657860E61727FC52F8571BC534C6BAA5AD8432220CA7N.EXE!
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MSWDM.EXE

Filesize
256KB

MD5
16a243b85f60d6da5f8cf544c196f96f

SHA1
6963a9ab685755e8ac10d0d6c300ad8b7963f2ac

SHA256
b580e3621992cfcf6701b16d94ee759d935957c459d51a53672a893f9c199b83

SHA512
7a1bb138b760bfced490c51d22a6838dd8947cd1038825514a96d340a437c7e7425e54334bf006062bf2c46282760bf019adcecfcd4e8842744db5c358f10d1a

Download Submit
C:\Windows\devD44F.tmp

Filesize
335KB

MD5
40ac62c087648ccc2c58dae066d34c98

SHA1
0e87efb6ddfe59e534ea9e829cad35be8563e5f7

SHA256
482c4c1562490e164d5f17990253373691aa5eab55a81c7f890fe9583a9ea916

SHA512
0c1ff13ff88409d54fee2ceb07fe65135ce2a9aa6f8da51ac0158abb2cfbb3a898ef26f476931986f1367622f21a7c0b0e742d0f4de8be6e215596b0d88c518f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads