ace5375c3af06262bad57cb5060ca7cd30a24f586e4a4e86129f32f6d10708df

General

Target

ace5375c3af06262bad57cb5060ca7cd30a24f586e4a4e86129f32f6d10708df.exe
Size

1024KB
MD5

42bb29ede66f4db50a75c1a507658aca
SHA1

c048235714e7856645e352d5e0901f4cca181276
SHA256

ace5375c3af06262bad57cb5060ca7cd30a24f586e4a4e86129f32f6d10708df
SHA512

46bf5b4fa80cab81e31c952afdca731f81e838cc421fac89cb39f27d3d73b249dd71b6a05b1f760b9733733b7699879504f05f5638d28c3ba7ff4b8959809360
SSDEEP

6144:CAkyLqS1lXT/tPnXGS9COsvX6/a5o2BAHFEWP0DiSqVLTAJ97Jhn6V70ttJ:xvTll9DG6/aBGECIiLLTf70t

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firewall Manager\\cfmmon.exe"	vbc.exe

Executes dropped EXE 1 IoCs

pid	Process
1540	cfmmon.exe

Loads dropped DLL 1 IoCs

pid	Process
396	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cfmmon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firewall Manager\\cfmmon.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1516 set thread context of 1448	1516	ace5375c3af06262bad57cb5060ca7cd30a24f586e4a4e86129f32f6d10708df.exe	28
PID 1448 set thread context of 396	1448	vbc.exe	29

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1448	1516	ace5375c3af06262bad57cb5060ca7cd30a24f586e4a4e86129f32f6d10708df.exe	28
PID 1516 wrote to memory of 1448	1516	ace5375c3af06262bad57cb5060ca7cd30a24f586e4a4e86129f32f6d10708df.exe	28
PID 1516 wrote to memory of 1448	1516	ace5375c3af06262bad57cb5060ca7cd30a24f586e4a4e86129f32f6d10708df.exe	28
PID 1516 wrote to memory of 1448	1516	ace5375c3af06262bad57cb5060ca7cd30a24f586e4a4e86129f32f6d10708df.exe	28
PID 1516 wrote to memory of 1448	1516	ace5375c3af06262bad57cb5060ca7cd30a24f586e4a4e86129f32f6d10708df.exe	28
PID 1516 wrote to memory of 1448	1516	ace5375c3af06262bad57cb5060ca7cd30a24f586e4a4e86129f32f6d10708df.exe	28
PID 1516 wrote to memory of 1448	1516	ace5375c3af06262bad57cb5060ca7cd30a24f586e4a4e86129f32f6d10708df.exe	28
PID 1516 wrote to memory of 1448	1516	ace5375c3af06262bad57cb5060ca7cd30a24f586e4a4e86129f32f6d10708df.exe	28
PID 1516 wrote to memory of 1448	1516	ace5375c3af06262bad57cb5060ca7cd30a24f586e4a4e86129f32f6d10708df.exe	28
PID 1516 wrote to memory of 1448	1516	ace5375c3af06262bad57cb5060ca7cd30a24f586e4a4e86129f32f6d10708df.exe	28
PID 1516 wrote to memory of 1448	1516	ace5375c3af06262bad57cb5060ca7cd30a24f586e4a4e86129f32f6d10708df.exe	28
PID 1448 wrote to memory of 396	1448	vbc.exe	29
PID 1448 wrote to memory of 396	1448	vbc.exe	29
PID 1448 wrote to memory of 396	1448	vbc.exe	29
PID 1448 wrote to memory of 396	1448	vbc.exe	29
PID 1448 wrote to memory of 396	1448	vbc.exe	29
PID 1448 wrote to memory of 396	1448	vbc.exe	29
PID 1448 wrote to memory of 396	1448	vbc.exe	29
PID 1448 wrote to memory of 396	1448	vbc.exe	29
PID 1448 wrote to memory of 396	1448	vbc.exe	29
PID 396 wrote to memory of 1540	396	vbc.exe	30
PID 396 wrote to memory of 1540	396	vbc.exe	30
PID 396 wrote to memory of 1540	396	vbc.exe	30
PID 396 wrote to memory of 1540	396	vbc.exe	30

C:\Users\Admin\AppData\Local\Temp\ace5375c3af06262bad57cb5060ca7cd30a24f586e4a4e86129f32f6d10708df.exe
"C:\Users\Admin\AppData\Local\Temp\ace5375c3af06262bad57cb5060ca7cd30a24f586e4a4e86129f32f6d10708df.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Modifies firewall policy service
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe
      "C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe" in
      4⤵
      Executes dropped EXE
      PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe

Filesize
1.1MB

MD5
5dcf3b1c908361d8d3e4247e4cef608f

SHA1
d0f63b1215812ee7a95420392e1d4059d8ee7519

SHA256
f293f89f197d1e50302d7990f18b744cb0bba464044da761b7de7d0c7eda2251

SHA512
3b0af7f2db47c73cc4cfa108dab770095c41b33556a444d94ee981f85155cffc7d61cce765f727f99e90ebd566a3004a43b7051b75f4b1907d6438d1383fb7d8

Download Submit
C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe

Filesize
1.1MB

MD5
5dcf3b1c908361d8d3e4247e4cef608f

SHA1
d0f63b1215812ee7a95420392e1d4059d8ee7519

SHA256
f293f89f197d1e50302d7990f18b744cb0bba464044da761b7de7d0c7eda2251

SHA512
3b0af7f2db47c73cc4cfa108dab770095c41b33556a444d94ee981f85155cffc7d61cce765f727f99e90ebd566a3004a43b7051b75f4b1907d6438d1383fb7d8

Download Submit
\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe

Filesize
1.1MB

MD5
5dcf3b1c908361d8d3e4247e4cef608f

SHA1
d0f63b1215812ee7a95420392e1d4059d8ee7519

SHA256
f293f89f197d1e50302d7990f18b744cb0bba464044da761b7de7d0c7eda2251

SHA512
3b0af7f2db47c73cc4cfa108dab770095c41b33556a444d94ee981f85155cffc7d61cce765f727f99e90ebd566a3004a43b7051b75f4b1907d6438d1383fb7d8

Download Submit
memory/396-74-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/396-89-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/396-85-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/396-79-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/396-75-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/396-77-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/396-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/396-80-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/396-84-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1448-65-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1448-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1448-59-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1448-70-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1448-69-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1448-66-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1448-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1448-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1448-61-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1448-82-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1516-54-0x0000000074FA1000-0x0000000074FA3000-memory.dmp

Filesize
8KB

Download
memory/1516-72-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-55-0x0000000073FA0000-0x000000007454B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads