Analysis
- max time kernel: 20s
- max time network: 1753s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 07-07-2022 00:17
Static task: static1
Behavioral task: behavioral1
- Sample: 4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
- Resource: win10v2004-20220414-en
General
- Target: 4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
- Size: 502KB
- MD5: d1f11654b552fc73c74548de914aaad5
- SHA1: 61cab1d17ae4cccdb6e7a1d8c50a830c7a1a9042
- SHA256: 4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a
- SHA512: 76865b1fc5c027327fe958caa0ecca7b119b2170976816a2fc343eafdbe3d7ee6e4d9661263e9184fd065e979905767aee118b3b0f65f605b886a7d50d20e74c
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Process: HCfm323
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Users\\Admin\\AppData\\Local\\wkfydmss\\fqwlnmcg.exe"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\wkfydmss\\fqwlnmcg.exe"
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process: HCfm323
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- Modifies security service (2 TTPs, 4 IoCs)
  Process: HCfm323
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"
- UAC bypass
  Process: HCfm323
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Windows security bypass
  Process: HCfm323
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
- Executes dropped EXE (1 IoCs)
  - pid 896, process HCfm323
- YARA rule match: upx (memory regions)
  - behavioral1/memory/896-61-0x0000000015190000-0x00000000151D3000-memory.dmp (upx)
  - behavioral1/memory/896-64-0x0000000015190000-0x00000000151D3000-memory.dmp (upx)
  - behavioral1/memory/1708-65-0x0000000015190000-0x0000000015212000-memory.dmp (upx)
- Drops startup file (2 IoCs)
  Process: HCfm323
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fqwlnmcg.exe
  - File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fqwlnmcg.exe
- Loads dropped DLL (1 IoCs)
  - pid 1708, process 4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
- Windows security modification
  Process: HCfm323
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: HCfm323
  - Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\FqwLnmcg = "C:\\Users\\Admin\\AppData\\Local\\wkfydmss\\fqwlnmcg.exe"
- Checks whether UAC is enabled
  Process: HCfm323
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - pid 896, process HCfm323 (2 IoCs)
  - pid 1708, process 4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe (2 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  - pid 1708, process 4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
  - pid 896, process HCfm323
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  - Token: SeSecurityPrivilege, pid 1708, process 4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe (7 IoCs)
  - Token: SeSecurityPrivilege, pid 896, process HCfm323 (7 IoCs)
  - Token: SeRestorePrivilege, pid 896, process HCfm323
  - Token: SeBackupPrivilege, pid 896, process HCfm323
  - Token: SeShutdownPrivilege, pid 896, process HCfm323
- Suspicious use of SetWindowsHookAW (64 IoCs)
  - pid 1708, process 4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe and pid 896, process HCfm323 (64 hook IoCs, alternating between the two processes)
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 1708 (4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe) wrote to memory of PID 896 (target process HCfm323), 4 IoCs
- System policy modification (1 TTPs, 1 IoCs)
  Process: HCfm323
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Users\Admin\AppData\Local\Temp\4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookAW
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\HCfm323 (child process)
    Command line: "HCfm323"
    - Modifies WinLogon for persistence
    - Modifies firewall policy service
    - Modifies security service
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Drops startup file
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookAW
    - System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\HCfm323
  Filesize: 250KB
  MD5: 6eb541712dc7b736de250c89a915410f
  SHA1: a7d63500e18c5f8778254702d6ba553543b0f0ff
  SHA256: 021656184a9194bb020725b3b6115c5f4cd320e96375e08222db5c5317a9a187
  SHA512: 5d137be5405d2d0abd138ac0628d70a3dec4cec9a951f5fcd416d93a232b628841fc06ef34f2ad2884016b4300a148a5e311d062e012d3544ff6a6a36e5e2de7
- \Users\Admin\AppData\Local\Temp\HCfm323
  Filesize: 250KB
  MD5: 6eb541712dc7b736de250c89a915410f
  SHA1: a7d63500e18c5f8778254702d6ba553543b0f0ff
  SHA256: 021656184a9194bb020725b3b6115c5f4cd320e96375e08222db5c5317a9a187
  SHA512: 5d137be5405d2d0abd138ac0628d70a3dec4cec9a951f5fcd416d93a232b628841fc06ef34f2ad2884016b4300a148a5e311d062e012d3544ff6a6a36e5e2de7
- memory/896-56-0x0000000000000000-mapping.dmp
- memory/896-60-0x0000000002380000-0x00000000023A1000-memory.dmp
  Filesize: 132KB
- memory/896-61-0x0000000015190000-0x00000000151D3000-memory.dmp
  Filesize: 268KB
- memory/896-64-0x0000000015190000-0x00000000151D3000-memory.dmp
  Filesize: 268KB
- memory/1708-54-0x00000000758D1000-0x00000000758D3000-memory.dmp
  Filesize: 8KB
- memory/1708-59-0x0000000002290000-0x00000000022B1000-memory.dmp
  Filesize: 132KB
- memory/1708-65-0x0000000015190000-0x0000000015212000-memory.dmp
  Filesize: 520KB