dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b

Analysis

max time kernel
206s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
Size

272KB
MD5

fd39caeeaeedfc6fbeb24a1486f5d58b
SHA1

8e741953da8e772a197b74d4e6408683ef5448cb
SHA256

dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b
SHA512

c7955b87034989a6026b800123203c031a59e7abfd4d67f4c61ecbb01fe49401e2e600d5c3996cf4cd8ae29db2052c7d5c1b23c381667f8c16cb29cc627039d1
SSDEEP

3072:14lQFnWjl4tYHv3iJHwxmOFuBsXpuN78UIaGWNBRyf9D2gss7jTHPkNZW9:9FnWR4tYPyN3WXpu1JIdWzRyfZ2/s9

Score

10^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firewall Manager\\cfmmon.exe"	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe

Executes dropped EXE 3 IoCs

pid	Process
1352	cfmmon.exe
680	cfmmon.exe
1256	cfmmon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfmmon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firewall Manager\\cfmmon.exe"	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
File opened for modification	\??\PhysicalDrive0	cfmmon.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2420 set thread context of 2608	2420	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	84
PID 2608 set thread context of 732	2608	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	85
PID 1352 set thread context of 680	1352	cfmmon.exe	89
PID 680 set thread context of 1256	680	cfmmon.exe	90

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2420	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
2608	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
1352	cfmmon.exe
680	cfmmon.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2608	2420	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	84
PID 2420 wrote to memory of 2608	2420	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	84
PID 2420 wrote to memory of 2608	2420	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	84
PID 2420 wrote to memory of 2608	2420	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	84
PID 2420 wrote to memory of 2608	2420	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	84
PID 2420 wrote to memory of 2608	2420	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	84
PID 2420 wrote to memory of 2608	2420	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	84
PID 2420 wrote to memory of 2608	2420	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	84
PID 2608 wrote to memory of 732	2608	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	85
PID 2608 wrote to memory of 732	2608	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	85
PID 2608 wrote to memory of 732	2608	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	85
PID 2608 wrote to memory of 732	2608	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	85
PID 2608 wrote to memory of 732	2608	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	85
PID 2608 wrote to memory of 732	2608	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	85
PID 2608 wrote to memory of 732	2608	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	85
PID 2608 wrote to memory of 732	2608	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	85
PID 2608 wrote to memory of 732	2608	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	85
PID 2608 wrote to memory of 732	2608	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	85
PID 732 wrote to memory of 1352	732	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	86
PID 732 wrote to memory of 1352	732	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	86
PID 732 wrote to memory of 1352	732	dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe	86
PID 1352 wrote to memory of 680	1352	cfmmon.exe	89
PID 1352 wrote to memory of 680	1352	cfmmon.exe	89
PID 1352 wrote to memory of 680	1352	cfmmon.exe	89
PID 1352 wrote to memory of 680	1352	cfmmon.exe	89
PID 1352 wrote to memory of 680	1352	cfmmon.exe	89
PID 1352 wrote to memory of 680	1352	cfmmon.exe	89
PID 1352 wrote to memory of 680	1352	cfmmon.exe	89
PID 1352 wrote to memory of 680	1352	cfmmon.exe	89
PID 680 wrote to memory of 1256	680	cfmmon.exe	90
PID 680 wrote to memory of 1256	680	cfmmon.exe	90
PID 680 wrote to memory of 1256	680	cfmmon.exe	90
PID 680 wrote to memory of 1256	680	cfmmon.exe	90
PID 680 wrote to memory of 1256	680	cfmmon.exe	90
PID 680 wrote to memory of 1256	680	cfmmon.exe	90
PID 680 wrote to memory of 1256	680	cfmmon.exe	90
PID 680 wrote to memory of 1256	680	cfmmon.exe	90
PID 680 wrote to memory of 1256	680	cfmmon.exe	90
PID 680 wrote to memory of 1256	680	cfmmon.exe	90

C:\Users\Admin\AppData\Local\Temp\dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
"C:\Users\Admin\AppData\Local\Temp\dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
  "C:\Users\Admin\AppData\Local\Temp\dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe
    "C:\Users\Admin\AppData\Local\Temp\dd50ecfd845e8204cb8857f6d79d77cc5ddaf80848fd37ad747f603a525e3f1b.exe"
    3⤵
    - Modifies firewall policy service
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:732
  - - C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe
      "C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe" in
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe
        
        "C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe" in
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:680
      - C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe
        
        "C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe" in
        6⤵
        Executes dropped EXE
        
        PID:1256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe

Filesize
272KB

MD5
bda6b369db06b283652fc33556e1d8c7

SHA1
c4465a70b23b32883b5bad41a908da0cb6d7262e

SHA256
8007e91f9526d5066c8c9481255ef13ec895ba339b4a49eb88af0321a94c29f5

SHA512
e97d71c2a46ebe5eeda943d5249ea722e4cb90a63e6b60925ab2862c58a40730108db0156b6e711f3954fe9dc29d10461847ff8b11ce944bf302c1e312419289

Download Submit
C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe

Filesize
272KB

MD5
bda6b369db06b283652fc33556e1d8c7

SHA1
c4465a70b23b32883b5bad41a908da0cb6d7262e

SHA256
8007e91f9526d5066c8c9481255ef13ec895ba339b4a49eb88af0321a94c29f5

SHA512
e97d71c2a46ebe5eeda943d5249ea722e4cb90a63e6b60925ab2862c58a40730108db0156b6e711f3954fe9dc29d10461847ff8b11ce944bf302c1e312419289

Download Submit
C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe

Filesize
272KB

MD5
bda6b369db06b283652fc33556e1d8c7

SHA1
c4465a70b23b32883b5bad41a908da0cb6d7262e

SHA256
8007e91f9526d5066c8c9481255ef13ec895ba339b4a49eb88af0321a94c29f5

SHA512
e97d71c2a46ebe5eeda943d5249ea722e4cb90a63e6b60925ab2862c58a40730108db0156b6e711f3954fe9dc29d10461847ff8b11ce944bf302c1e312419289

Download Submit
C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe

Filesize
272KB

MD5
bda6b369db06b283652fc33556e1d8c7

SHA1
c4465a70b23b32883b5bad41a908da0cb6d7262e

SHA256
8007e91f9526d5066c8c9481255ef13ec895ba339b4a49eb88af0321a94c29f5

SHA512
e97d71c2a46ebe5eeda943d5249ea722e4cb90a63e6b60925ab2862c58a40730108db0156b6e711f3954fe9dc29d10461847ff8b11ce944bf302c1e312419289

Download Submit
memory/680-166-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/732-144-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/732-146-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/732-147-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/732-152-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1256-168-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1256-167-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-141-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2608-137-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2608-142-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2608-148-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads