4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a

General

Target

4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
Size

502KB
MD5

d1f11654b552fc73c74548de914aaad5
SHA1

61cab1d17ae4cccdb6e7a1d8c50a830c7a1a9042
SHA256

4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a
SHA512

76865b1fc5c027327fe958caa0ecca7b119b2170976816a2fc343eafdbe3d7ee6e4d9661263e9184fd065e979905767aee118b3b0f65f605b886a7d50d20e74c

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

HCfm323

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Users\\Admin\\AppData\\Local\\wkfydmss\\fqwlnmcg.exe"	HCfm323
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\wkfydmss\\fqwlnmcg.exe"	HCfm323

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

HCfm323

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	HCfm323

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

HCfm323

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	HCfm323

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

HCfm323

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" HCfm323

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HCfm323

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

HCfm323

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	HCfm323

Executes dropped EXE 1 IoCs

Processes:

HCfm323

pid process

896 HCfm323

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/896-61-0x0000000015190000-0x00000000151D3000-memory.dmp	upx
behavioral1/memory/896-64-0x0000000015190000-0x00000000151D3000-memory.dmp	upx
behavioral1/memory/1708-65-0x0000000015190000-0x0000000015212000-memory.dmp	upx

Drops startup file 2 IoCs

Processes:

HCfm323

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fqwlnmcg.exe	HCfm323
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fqwlnmcg.exe	HCfm323

Loads dropped DLL 1 IoCs

Processes:

4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe

pid process

1708 4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

HCfm323

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	HCfm323

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HCfm323

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\FqwLnmcg = "C:\\Users\\Admin\\AppData\\Local\\wkfydmss\\fqwlnmcg.exe"	HCfm323

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

HCfm323

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" HCfm323

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HCfm323

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

HCfm3234a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe

pid	process
896	HCfm323
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exeHCfm323

pid process

1708 4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896 HCfm323

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exeHCfm323

description	pid	process
Token: SeSecurityPrivilege	1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
Token: SeSecurityPrivilege	1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
Token: SeSecurityPrivilege	1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
Token: SeSecurityPrivilege	1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
Token: SeSecurityPrivilege	1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
Token: SeSecurityPrivilege	1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
Token: SeSecurityPrivilege	896	HCfm323
Token: SeSecurityPrivilege	896	HCfm323
Token: SeSecurityPrivilege	896	HCfm323
Token: SeSecurityPrivilege	896	HCfm323
Token: SeSecurityPrivilege	896	HCfm323
Token: SeSecurityPrivilege	896	HCfm323
Token: SeSecurityPrivilege	896	HCfm323
Token: SeRestorePrivilege	896	HCfm323
Token: SeBackupPrivilege	896	HCfm323
Token: SeShutdownPrivilege	896	HCfm323
Token: SeSecurityPrivilege	1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe

Suspicious use of SetWindowsHookAW 64 IoCs

Processes:

4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exeHCfm323

pid	process
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
896	HCfm323
1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe

description	pid	process	target process
PID 1708 wrote to memory of 896	1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe	HCfm323
PID 1708 wrote to memory of 896	1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe	HCfm323
PID 1708 wrote to memory of 896	1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe	HCfm323
PID 1708 wrote to memory of 896	1708	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe	HCfm323

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

HCfm323

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" HCfm323

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HCfm323

C:\Users\Admin\AppData\Local\Temp\4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
"C:\Users\Admin\AppData\Local\Temp\4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookAW
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\HCfm323
"HCfm323"
2⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookAW
- System policy modification
PID:896

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

8

T1112

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HCfm323
Filesize
250KB

MD5
6eb541712dc7b736de250c89a915410f

SHA1
a7d63500e18c5f8778254702d6ba553543b0f0ff

SHA256
021656184a9194bb020725b3b6115c5f4cd320e96375e08222db5c5317a9a187

SHA512
5d137be5405d2d0abd138ac0628d70a3dec4cec9a951f5fcd416d93a232b628841fc06ef34f2ad2884016b4300a148a5e311d062e012d3544ff6a6a36e5e2de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCfm323
Filesize
250KB

MD5
6eb541712dc7b736de250c89a915410f

SHA1
a7d63500e18c5f8778254702d6ba553543b0f0ff

SHA256
021656184a9194bb020725b3b6115c5f4cd320e96375e08222db5c5317a9a187

SHA512
5d137be5405d2d0abd138ac0628d70a3dec4cec9a951f5fcd416d93a232b628841fc06ef34f2ad2884016b4300a148a5e311d062e012d3544ff6a6a36e5e2de7

Download Submit
\Users\Admin\AppData\Local\Temp\HCfm323
Filesize
250KB

MD5
6eb541712dc7b736de250c89a915410f

SHA1
a7d63500e18c5f8778254702d6ba553543b0f0ff

SHA256
021656184a9194bb020725b3b6115c5f4cd320e96375e08222db5c5317a9a187

SHA512
5d137be5405d2d0abd138ac0628d70a3dec4cec9a951f5fcd416d93a232b628841fc06ef34f2ad2884016b4300a148a5e311d062e012d3544ff6a6a36e5e2de7

Download Submit
memory/896-56-0x0000000000000000-mapping.dmp

Download
memory/896-60-0x0000000002380000-0x00000000023A1000-memory.dmp

Filesize
132KB

Download
memory/896-61-0x0000000015190000-0x00000000151D3000-memory.dmp

Filesize
268KB

Download
memory/896-64-0x0000000015190000-0x00000000151D3000-memory.dmp

Filesize
268KB

Download
memory/1708-54-0x00000000758D1000-0x00000000758D3000-memory.dmp

Filesize
8KB

Download
memory/1708-59-0x0000000002290000-0x00000000022B1000-memory.dmp

Filesize
132KB

Download
memory/1708-65-0x0000000015190000-0x0000000015212000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads