421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d

General

Target

421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
Size

111KB
MD5

7c0819e9653d87eefb342897769b4ca0
SHA1

1d3e69ed465c8b785673d70ec99e92d9e799bb4f
SHA256

421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d
SHA512

a5960efb0401ba78c4faff32bec49454c272a543845b00b448824db870fbaa7ab04f183782943b5188c115e9898d5068512c2ed9128c7e1d3297f4ce82e32a1b
SSDEEP

768:HhjTt2ipzYdZ6uJX/YmmJY5Pvrgaum+s:BjZs6ul/mazum

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe:*:Enabled:Cftmon32"	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe

Executes dropped EXE 2 IoCs

pid	Process
1108	afd.exe
364	afd.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1088	netsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Cftmon32 = "afd.exe"	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\System\ControlSet001\Services\Disk\Enum	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
Key opened	\REGISTRY\MACHINE\System\ControlSet001\Services\Disk\Enum	afd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	afd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1184 set thread context of 1172	1184	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	26
PID 1108 set thread context of 364	1108	afd.exe	29

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\afd.exe	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
File opened for modification	C:\Windows\afd.exe	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1172	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
1172	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
1172	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
1172	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
1172	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
1172	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
1172	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
1172	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
1172	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
1172	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
1172	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
1172	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
364	afd.exe
364	afd.exe
364	afd.exe
364	afd.exe
364	afd.exe
364	afd.exe
364	afd.exe
364	afd.exe
364	afd.exe
364	afd.exe
364	afd.exe
364	afd.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1172	1184	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	26
PID 1184 wrote to memory of 1172	1184	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	26
PID 1184 wrote to memory of 1172	1184	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	26
PID 1184 wrote to memory of 1172	1184	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	26
PID 1184 wrote to memory of 1172	1184	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	26
PID 1184 wrote to memory of 1172	1184	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	26
PID 1172 wrote to memory of 1088	1172	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	27
PID 1172 wrote to memory of 1088	1172	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	27
PID 1172 wrote to memory of 1088	1172	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	27
PID 1172 wrote to memory of 1088	1172	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	27
PID 1172 wrote to memory of 1108	1172	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	28
PID 1172 wrote to memory of 1108	1172	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	28
PID 1172 wrote to memory of 1108	1172	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	28
PID 1172 wrote to memory of 1108	1172	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	28
PID 1108 wrote to memory of 364	1108	afd.exe	29
PID 1108 wrote to memory of 364	1108	afd.exe	29
PID 1108 wrote to memory of 364	1108	afd.exe	29
PID 1108 wrote to memory of 364	1108	afd.exe	29
PID 1108 wrote to memory of 364	1108	afd.exe	29
PID 1108 wrote to memory of 364	1108	afd.exe	29

C:\Users\Admin\AppData\Local\Temp\421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
"C:\Users\Admin\AppData\Local\Temp\421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
  "C:\Users\Admin\AppData\Local\Temp\421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe"
  2⤵
  - Modifies firewall policy service
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram 1.exe 1 ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1088
- - C:\Windows\afd.exe
    "C:\Windows\afd.exe"
    3⤵
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Windows\afd.exe
      "C:\Windows\afd.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\afd.exe

Filesize
111KB

MD5
7c0819e9653d87eefb342897769b4ca0

SHA1
1d3e69ed465c8b785673d70ec99e92d9e799bb4f

SHA256
421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d

SHA512
a5960efb0401ba78c4faff32bec49454c272a543845b00b448824db870fbaa7ab04f183782943b5188c115e9898d5068512c2ed9128c7e1d3297f4ce82e32a1b

Download Submit
C:\Windows\afd.exe

Filesize
111KB

MD5
7c0819e9653d87eefb342897769b4ca0

SHA1
1d3e69ed465c8b785673d70ec99e92d9e799bb4f

SHA256
421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d

SHA512
a5960efb0401ba78c4faff32bec49454c272a543845b00b448824db870fbaa7ab04f183782943b5188c115e9898d5068512c2ed9128c7e1d3297f4ce82e32a1b

Download Submit
C:\Windows\afd.exe

Filesize
111KB

MD5
7c0819e9653d87eefb342897769b4ca0

SHA1
1d3e69ed465c8b785673d70ec99e92d9e799bb4f

SHA256
421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d

SHA512
a5960efb0401ba78c4faff32bec49454c272a543845b00b448824db870fbaa7ab04f183782943b5188c115e9898d5068512c2ed9128c7e1d3297f4ce82e32a1b

Download Submit
memory/364-84-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/364-83-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1108-80-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/1108-70-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/1172-61-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1172-64-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/1172-68-0x0000000001EF0000-0x0000000001F13000-memory.dmp

Filesize
140KB

Download
memory/1172-69-0x0000000001EF0000-0x0000000001F13000-memory.dmp

Filesize
140KB

Download
memory/1172-63-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1172-71-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1172-62-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1172-57-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1172-55-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1184-54-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/1184-59-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads