421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
Size

111KB
MD5

7c0819e9653d87eefb342897769b4ca0
SHA1

1d3e69ed465c8b785673d70ec99e92d9e799bb4f
SHA256

421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d
SHA512

a5960efb0401ba78c4faff32bec49454c272a543845b00b448824db870fbaa7ab04f183782943b5188c115e9898d5068512c2ed9128c7e1d3297f4ce82e32a1b
SSDEEP

768:HhjTt2ipzYdZ6uJX/YmmJY5Pvrgaum+s:BjZs6ul/mazum

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe:*:Enabled:Cftmon32"	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe

Executes dropped EXE 2 IoCs

pid	Process
3820	afd.exe
1196	afd.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4760	netsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cftmon32 = "afd.exe"	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\System\ControlSet001\Services\Disk\Enum	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
Key opened	\REGISTRY\MACHINE\System\ControlSet001\Services\Disk\Enum	afd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	afd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2976 set thread context of 4636	2976	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	85
PID 3820 set thread context of 1196	3820	afd.exe	90

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\afd.exe	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
File opened for modification	C:\Windows\afd.exe	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4340	2976	WerFault.exe	80
344	3820	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 4636	2976	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	85
PID 2976 wrote to memory of 4636	2976	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	85
PID 2976 wrote to memory of 4636	2976	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	85
PID 2976 wrote to memory of 4636	2976	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	85
PID 2976 wrote to memory of 4636	2976	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	85
PID 4636 wrote to memory of 4760	4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	86
PID 4636 wrote to memory of 4760	4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	86
PID 4636 wrote to memory of 4760	4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	86
PID 4636 wrote to memory of 3820	4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	87
PID 4636 wrote to memory of 3820	4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	87
PID 4636 wrote to memory of 3820	4636	421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe	87
PID 3820 wrote to memory of 1196	3820	afd.exe	90
PID 3820 wrote to memory of 1196	3820	afd.exe	90
PID 3820 wrote to memory of 1196	3820	afd.exe	90
PID 3820 wrote to memory of 1196	3820	afd.exe	90
PID 3820 wrote to memory of 1196	3820	afd.exe	90

C:\Users\Admin\AppData\Local\Temp\421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
"C:\Users\Admin\AppData\Local\Temp\421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 324
  2⤵
  - Program crash
  PID:4340
- C:\Users\Admin\AppData\Local\Temp\421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe
  "C:\Users\Admin\AppData\Local\Temp\421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d.exe"
  2⤵
  - Modifies firewall policy service
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram 1.exe 1 ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:4760
- - C:\Windows\afd.exe
    "C:\Windows\afd.exe"
    3⤵
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3820
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 324
      4⤵
      Program crash
      PID:344
  - - C:\Windows\afd.exe
      "C:\Windows\afd.exe"
      4⤵
      Executes dropped EXE
      PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2976 -ip 2976
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3820 -ip 3820
1⤵
PID:216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\afd.exe

Filesize
111KB

MD5
7c0819e9653d87eefb342897769b4ca0

SHA1
1d3e69ed465c8b785673d70ec99e92d9e799bb4f

SHA256
421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d

SHA512
a5960efb0401ba78c4faff32bec49454c272a543845b00b448824db870fbaa7ab04f183782943b5188c115e9898d5068512c2ed9128c7e1d3297f4ce82e32a1b

Download Submit
C:\Windows\afd.exe

Filesize
111KB

MD5
7c0819e9653d87eefb342897769b4ca0

SHA1
1d3e69ed465c8b785673d70ec99e92d9e799bb4f

SHA256
421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d

SHA512
a5960efb0401ba78c4faff32bec49454c272a543845b00b448824db870fbaa7ab04f183782943b5188c115e9898d5068512c2ed9128c7e1d3297f4ce82e32a1b

Download Submit
C:\Windows\afd.exe

Filesize
111KB

MD5
7c0819e9653d87eefb342897769b4ca0

SHA1
1d3e69ed465c8b785673d70ec99e92d9e799bb4f

SHA256
421364047a2cd220a057e86fa288f102d69f62c9014d06c681e9d18ac513196d

SHA512
a5960efb0401ba78c4faff32bec49454c272a543845b00b448824db870fbaa7ab04f183782943b5188c115e9898d5068512c2ed9128c7e1d3297f4ce82e32a1b

Download Submit
memory/1196-153-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1196-152-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2976-136-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/2976-132-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/3820-145-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/3820-149-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/4636-144-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4636-139-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/4636-138-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4636-137-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4636-134-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download