dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b

Analysis

max time kernel
46s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
Size

272KB
MD5

fd39caeeaeedfc6fbeb24a1486f5d58b
SHA1

8e741953da8e772a197b74d4e6408683ef5448cb
SHA256

dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b
SHA512

c7955b87034989a6026b800123203c031a59e7abfd4d67f4c61ecbb01fe49401e2e600d5c3996cf4cd8ae29db2052c7d5c1b23c381667f8c16cb29cc627039d1
SSDEEP

3072:14lQFnWjl4tYHv3iJHwxmOFuBsXpuN78UIaGWNBRyf9D2gss7jTHPkNZW9:9FnWR4tYPyN3WXpu1JIdWzRyfZ2/s9

Score

10^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Firewall Loader\cfmmon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firewall Loader\\cfmmon.exe"	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe

Executes dropped EXE 3 IoCs

pid	Process
540	cfmmon.exe
1756	cfmmon.exe
1500	cfmmon.exe

Loads dropped DLL 2 IoCs

pid	Process
560	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
560	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\cfmmon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firewall Loader\\cfmmon.exe"	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
File opened for modification	\??\PhysicalDrive0	cfmmon.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1308 set thread context of 1252	1308	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	27
PID 1252 set thread context of 560	1252	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	28
PID 540 set thread context of 1756	540	cfmmon.exe	30
PID 1756 set thread context of 1500	1756	cfmmon.exe	31

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1308	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
1252	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
540	cfmmon.exe
1756	cfmmon.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 1252	1308	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	27
PID 1308 wrote to memory of 1252	1308	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	27
PID 1308 wrote to memory of 1252	1308	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	27
PID 1308 wrote to memory of 1252	1308	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	27
PID 1308 wrote to memory of 1252	1308	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	27
PID 1308 wrote to memory of 1252	1308	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	27
PID 1308 wrote to memory of 1252	1308	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	27
PID 1308 wrote to memory of 1252	1308	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	27
PID 1308 wrote to memory of 1252	1308	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	27
PID 1252 wrote to memory of 560	1252	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	28
PID 1252 wrote to memory of 560	1252	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	28
PID 1252 wrote to memory of 560	1252	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	28
PID 1252 wrote to memory of 560	1252	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	28
PID 1252 wrote to memory of 560	1252	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	28
PID 1252 wrote to memory of 560	1252	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	28
PID 1252 wrote to memory of 560	1252	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	28
PID 1252 wrote to memory of 560	1252	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	28
PID 1252 wrote to memory of 560	1252	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	28
PID 1252 wrote to memory of 560	1252	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	28
PID 560 wrote to memory of 540	560	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	29
PID 560 wrote to memory of 540	560	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	29
PID 560 wrote to memory of 540	560	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	29
PID 560 wrote to memory of 540	560	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	29
PID 540 wrote to memory of 1756	540	cfmmon.exe	30
PID 540 wrote to memory of 1756	540	cfmmon.exe	30
PID 540 wrote to memory of 1756	540	cfmmon.exe	30
PID 540 wrote to memory of 1756	540	cfmmon.exe	30
PID 540 wrote to memory of 1756	540	cfmmon.exe	30
PID 540 wrote to memory of 1756	540	cfmmon.exe	30
PID 540 wrote to memory of 1756	540	cfmmon.exe	30
PID 540 wrote to memory of 1756	540	cfmmon.exe	30
PID 540 wrote to memory of 1756	540	cfmmon.exe	30
PID 1756 wrote to memory of 1500	1756	cfmmon.exe	31
PID 1756 wrote to memory of 1500	1756	cfmmon.exe	31
PID 1756 wrote to memory of 1500	1756	cfmmon.exe	31
PID 1756 wrote to memory of 1500	1756	cfmmon.exe	31
PID 1756 wrote to memory of 1500	1756	cfmmon.exe	31
PID 1756 wrote to memory of 1500	1756	cfmmon.exe	31
PID 1756 wrote to memory of 1500	1756	cfmmon.exe	31
PID 1756 wrote to memory of 1500	1756	cfmmon.exe	31
PID 1756 wrote to memory of 1500	1756	cfmmon.exe	31
PID 1756 wrote to memory of 1500	1756	cfmmon.exe	31

C:\Users\Admin\AppData\Local\Temp\dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
"C:\Users\Admin\AppData\Local\Temp\dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
  "C:\Users\Admin\AppData\Local\Temp\dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
    "C:\Users\Admin\AppData\Local\Temp\dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe"
    3⤵
    - Modifies firewall policy service
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Users\Admin\AppData\Roaming\Firewall Loader\cfmmon.exe
      "C:\Users\Admin\AppData\Roaming\Firewall Loader\cfmmon.exe" in
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:540
    - - C:\Users\Admin\AppData\Roaming\Firewall Loader\cfmmon.exe
        
        "C:\Users\Admin\AppData\Roaming\Firewall Loader\cfmmon.exe" in
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1756
      - C:\Users\Admin\AppData\Roaming\Firewall Loader\cfmmon.exe
        
        "C:\Users\Admin\AppData\Roaming\Firewall Loader\cfmmon.exe" in
        6⤵
        Executes dropped EXE
        
        PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Firewall Loader\cfmmon.exe

Filesize
272KB

MD5
bda6b369db06b283652fc33556e1d8c7

SHA1
c4465a70b23b32883b5bad41a908da0cb6d7262e

SHA256
8007e91f9526d5066c8c9481255ef13ec895ba339b4a49eb88af0321a94c29f5

SHA512
e97d71c2a46ebe5eeda943d5249ea722e4cb90a63e6b60925ab2862c58a40730108db0156b6e711f3954fe9dc29d10461847ff8b11ce944bf302c1e312419289

Download Submit
C:\Users\Admin\AppData\Roaming\Firewall Loader\cfmmon.exe

Filesize
272KB

MD5
bda6b369db06b283652fc33556e1d8c7

SHA1
c4465a70b23b32883b5bad41a908da0cb6d7262e

SHA256
8007e91f9526d5066c8c9481255ef13ec895ba339b4a49eb88af0321a94c29f5

SHA512
e97d71c2a46ebe5eeda943d5249ea722e4cb90a63e6b60925ab2862c58a40730108db0156b6e711f3954fe9dc29d10461847ff8b11ce944bf302c1e312419289

Download Submit
C:\Users\Admin\AppData\Roaming\Firewall Loader\cfmmon.exe

Filesize
272KB

MD5
bda6b369db06b283652fc33556e1d8c7

SHA1
c4465a70b23b32883b5bad41a908da0cb6d7262e

SHA256
8007e91f9526d5066c8c9481255ef13ec895ba339b4a49eb88af0321a94c29f5

SHA512
e97d71c2a46ebe5eeda943d5249ea722e4cb90a63e6b60925ab2862c58a40730108db0156b6e711f3954fe9dc29d10461847ff8b11ce944bf302c1e312419289

Download Submit
C:\Users\Admin\AppData\Roaming\Firewall Loader\cfmmon.exe

Filesize
272KB

MD5
bda6b369db06b283652fc33556e1d8c7

SHA1
c4465a70b23b32883b5bad41a908da0cb6d7262e

SHA256
8007e91f9526d5066c8c9481255ef13ec895ba339b4a49eb88af0321a94c29f5

SHA512
e97d71c2a46ebe5eeda943d5249ea722e4cb90a63e6b60925ab2862c58a40730108db0156b6e711f3954fe9dc29d10461847ff8b11ce944bf302c1e312419289

Download Submit
\Users\Admin\AppData\Roaming\Firewall Loader\cfmmon.exe

Filesize
272KB

MD5
bda6b369db06b283652fc33556e1d8c7

SHA1
c4465a70b23b32883b5bad41a908da0cb6d7262e

SHA256
8007e91f9526d5066c8c9481255ef13ec895ba339b4a49eb88af0321a94c29f5

SHA512
e97d71c2a46ebe5eeda943d5249ea722e4cb90a63e6b60925ab2862c58a40730108db0156b6e711f3954fe9dc29d10461847ff8b11ce944bf302c1e312419289

Download Submit
\Users\Admin\AppData\Roaming\Firewall Loader\cfmmon.exe

Filesize
272KB

MD5
bda6b369db06b283652fc33556e1d8c7

SHA1
c4465a70b23b32883b5bad41a908da0cb6d7262e

SHA256
8007e91f9526d5066c8c9481255ef13ec895ba339b4a49eb88af0321a94c29f5

SHA512
e97d71c2a46ebe5eeda943d5249ea722e4cb90a63e6b60925ab2862c58a40730108db0156b6e711f3954fe9dc29d10461847ff8b11ce944bf302c1e312419289

Download Submit
memory/560-78-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/560-67-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/560-72-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/560-73-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/560-76-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/560-71-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/560-82-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/560-70-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/560-68-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1252-77-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1252-56-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1252-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1252-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1252-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1500-111-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1500-113-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1756-110-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1756-112-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads