Analysis
- max time kernel: 40s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 04-12-2022 17:52
- Static task: static1
- Behavioral task: behavioral1
  Sample: c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
  Resource: win7-20220812-en
- Behavioral task: behavioral2
  Sample: c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
  Resource: win10v2004-20221111-en
General
- Target: c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
- Size: 119KB
- MD5: 74b2a96c2c0551c3de1c682af7020e32
- SHA1: 6d27a411cb084c7f8c99f9a531a63116527c9249
- SHA256: c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5
- SHA512: 10f8b14193127b21b757164bbb62bd0fef03e41aca7aec0a7c96a627c105d0340fb9dd79b6294df60beb5f47aba0e1bf89018f1e1d64f8a0f26d37ae69ffc586
- SSDEEP: 1536:5RahbT5TjgF4HYwKyiyoWsqwjXkUTTc8BNgUHjGpqTBFXXPx6NSrR:5RahHp0F3wKyzoWstkUrB1XPxoK
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 2 IoCs
Processes: c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
Key created
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  process: c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Firewall SysScan\cfmmon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firewall SysScan\\cfmmon.exe"
  process: c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
Executes dropped EXE 3 IoCs
Processes: cfmmon.exe
  PID 1464 cfmmon.exe
  PID 1188 cfmmon.exe
  PID 728 cfmmon.exe
Matches yara rule upx (UPX-packed code in memory) 8 IoCs
resource / yara_rule
  behavioral1/memory/112-68-0x0000000000400000-0x0000000000428000-memory.dmp upx
  behavioral1/memory/112-70-0x0000000000400000-0x0000000000428000-memory.dmp upx
  behavioral1/memory/112-71-0x0000000000400000-0x0000000000428000-memory.dmp upx
  behavioral1/memory/112-74-0x0000000000400000-0x0000000000428000-memory.dmp upx
  behavioral1/memory/112-76-0x0000000000400000-0x0000000000428000-memory.dmp upx
  behavioral1/memory/112-81-0x0000000000400000-0x0000000000428000-memory.dmp upx
  behavioral1/memory/728-107-0x0000000000400000-0x0000000000428000-memory.dmp upx
  behavioral1/memory/728-109-0x0000000000400000-0x0000000000428000-memory.dmp upx
Loads dropped DLL 4 IoCs
Processes: c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe, cfmmon.exe
  PID 1976 c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
  PID 112 c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
  PID 112 c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
  PID 1464 cfmmon.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
Key created
  ioc: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run
  process: c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\cfmmon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firewall SysScan\\cfmmon.exe"
  process: c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
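The two registry signatures above (the firewall AuthorizedApplications\List entry and the per-user Run value) point at the same binary under a user-writable path. The following Python script is an added example, not part of the sandbox report: it parses registry events in the report's own wording and flags firewall exceptions and Run values that point into user-writable locations, then correlates the two. The four events in EVENTS are transcribed from the tables above; the RegistryEvent/Finding records, the helper names and the USER_WRITABLE root list are this example's own assumptions.

```python
"""Triage registry events from a sandbox report for firewall allow-listing and
Run-key persistence.

Added example; not part of the sandbox report. The events in EVENTS are
transcribed from the report's "Modifies firewall policy service" and "Adds Run
key" tables. The helper names, the Finding record and the USER_WRITABLE roots
are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field


@dataclass
class RegistryEvent:
    description: str  # "Key created" / "Set value (str)", as the report words it
    ioc: str          # registry path; Set value events append ' = "data"'
    process: str      # image name of the process that made the change


@dataclass
class Finding:
    kind: str           # "firewall-allowlist" or "run-key"
    process: str
    key: str
    target: str         # executable the value points at
    user_writable: bool
    notes: list = field(default_factory=list)


# Windows Firewall per-profile application exceptions (value name == exe path).
# The sandbox shows ControlSet001; on a live host the same key sits under
# CurrentControlSet, which is why the pattern starts at SharedAccess.
FIREWALL_ALLOWLIST = re.compile(
    r"\\sharedaccess\\parameters\\firewallpolicy\\(?P<profile>[a-z]+profile)"
    r"\\authorizedapplications\\list\\(?P<app>.+)$", re.IGNORECASE)
RUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(?P<which>run|runonce)"
    r"\\(?P<name>[^\\]+)$", re.IGNORECASE)
# Roots an unprivileged user can write to (assumed list; extend for your estate).
USER_WRITABLE = [re.compile(p, re.IGNORECASE) for p in (
    r"^c:\\users\\[^\\]+\\appdata\\", r"^c:\\users\\public\\",
    r"^c:\\programdata\\", r"^c:\\windows\\temp\\")]


def split_set_value(ioc):
    """Return (key, data). The report escapes backslashes inside the quoted data."""
    if " = " not in ioc:
        return ioc, None
    key, _, data = ioc.partition(" = ")
    return key, data.strip().strip('"').replace("\\\\", "\\")


def is_user_writable(path):
    return any(p.match(path) for p in USER_WRITABLE)


def triage_registry_events(events):
    findings = []
    for ev in events:
        if not ev.description.lower().startswith("set value"):
            continue  # "Key created" alone names no executable to judge
        key, data = split_set_value(ev.ioc)
        m = FIREWALL_ALLOWLIST.search(key)
        if m:
            app = m.group("app")
            f = Finding("firewall-allowlist", ev.process, key, app, is_user_writable(app))
            f.notes.append(f"profile={m.group('profile')}")
            if data and data.lower() != app.lower():
                f.notes.append("value name and data disagree")  # the name is the path too
            findings.append(f)
            continue
        m = RUN_KEY.search(key)
        if m and data:
            f = Finding("run-key", ev.process, key, data, is_user_writable(data))
            scope = "per-user" if key.upper().startswith("\\REGISTRY\\USER\\") else "machine-wide"
            f.notes.append(f"{m.group('which')} value {m.group('name')!r}, {scope}")
            findings.append(f)
    # Correlate: one binary that is both persisted and firewall-exempted is the
    # pattern this report shows and deserves a single higher-severity alert.
    by_target = {}
    for f in findings:
        by_target.setdefault(f.target.lower(), []).append(f)
    for group in by_target.values():
        if {"firewall-allowlist", "run-key"} <= {f.kind for f in group}:
            for f in group:
                f.notes.append("same binary is both persisted and firewall-exempted")
    return findings


SAMPLE = "c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe"
EVENTS = [  # transcribed from the report's signature tables
    RegistryEvent("Key created",
                  r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters"
                  r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List", SAMPLE),
    RegistryEvent("Set value (str)",
                  r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters"
                  r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
                  r"\C:\Users\Admin\AppData\Roaming\Firewall SysScan\cfmmon.exe = "
                  r'"C:\\Users\\Admin\\AppData\\Roaming\\Firewall SysScan\\cfmmon.exe"', SAMPLE),
    RegistryEvent("Key created",
                  r"\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000"
                  r"\Software\Microsoft\Windows\CurrentVersion\Run", SAMPLE),
    RegistryEvent("Set value (str)",
                  r"\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000"
                  r"\Software\Microsoft\Windows\CurrentVersion\Run\cfmmon.exe = "
                  r'"C:\\Users\\Admin\\AppData\\Roaming\\Firewall SysScan\\cfmmon.exe"', SAMPLE),
]

if __name__ == "__main__":
    for f in triage_registry_events(EVENTS):
        print(f.kind, f.process, f.target, "user-writable" if f.user_writable else "", f.notes)
```

Running it on the transcribed events yields two findings, both for C:\Users\Admin\AppData\Roaming\Firewall SysScan\cfmmon.exe, both user-writable, and both carrying the correlation note. The Run value lives in the user's own hive, so neither change needed administrative rights; the firewall exception under HKLM\SYSTEM did, which is consistent with the sandbox running the sample as a local administrator.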
Suspicious use of SetThreadContext 4 IoCs
Processes: c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe, cfmmon.exe
  PID 1976 (c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe) set thread context of PID 2008 (c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe)
  PID 2008 (c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe) set thread context of PID 112 (c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe)
  PID 1464 (cfmmon.exe) set thread context of PID 1188 (cfmmon.exe)
  PID 1188 (cfmmon.exe) set thread context of PID 728 (cfmmon.exe)
Suspicious use of WriteProcessMemory 40 IoCs
Processes: c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe, cfmmon.exe
The 40 "wrote to memory of" events, grouped by source and target PID (the count is the number of individual events the report lists for that pair):
  PID 1976 (c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe) wrote to memory of PID 2008 (c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe): 10 events
  PID 2008 (c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe) wrote to memory of PID 112 (c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe): 8 events
  PID 112 (c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe) wrote to memory of PID 1464 (cfmmon.exe): 4 events
  PID 1464 (cfmmon.exe) wrote to memory of PID 1188 (cfmmon.exe): 10 events
  PID 1188 (cfmmon.exe) wrote to memory of PID 728 (cfmmon.exe): 8 events
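The SetThreadContext and WriteProcessMemory tables describe one six-process chain: each parent spawns a copy of itself, writes into it and resets a thread context (the hollowing / RunPE sequence), and the third stage starts the dropped cfmmon.exe, which repeats the sequence. The Python below is an added example, not part of the sandbox report: it rebuilds that chain from the two event streams and labels each hop. The event records are transcribed from the tables above (WriteProcessMemory events expanded to the per-pair counts); the Hop type and the function names are this example's own.

```python
"""Reconstruct a process-injection chain from sandbox SetThreadContext and
WriteProcessMemory events.

Added example; not part of the sandbox report. WRITES and SET_CONTEXT are
transcribed from the report; Hop and the function names are assumptions.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    src: int
    dst: int
    src_image: str
    dst_image: str


SAMPLE = "c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe"
DROPPED = "cfmmon.exe"

# WriteProcessMemory events, expanded to the per-pair counts the report lists (40 total).
WRITES = (
    [Hop(1976, 2008, SAMPLE, SAMPLE)] * 10
    + [Hop(2008, 112, SAMPLE, SAMPLE)] * 8
    + [Hop(112, 1464, SAMPLE, DROPPED)] * 4
    + [Hop(1464, 1188, DROPPED, DROPPED)] * 10
    + [Hop(1188, 728, DROPPED, DROPPED)] * 8
)
# SetThreadContext events (4 in the report).
SET_CONTEXT = [
    Hop(1976, 2008, SAMPLE, SAMPLE), Hop(2008, 112, SAMPLE, SAMPLE),
    Hop(1464, 1188, DROPPED, DROPPED), Hop(1188, 728, DROPPED, DROPPED),
]


def classify_hops(writes, set_context):
    """Merge both event streams per (src, dst) pair and label each hop.

    A parent that writes into a child and then resets one of its thread contexts
    is the hollowing / RunPE pattern: create suspended, overwrite the image, point
    the thread at the new entry, resume. Writes with no context change are kept
    as a separate kind so the analyst can judge them on their own.
    """
    write_counts = Counter((h.src, h.dst) for h in writes)
    images = {(h.src, h.dst): (h.src_image, h.dst_image) for h in writes + set_context}
    ctx_pairs = {(h.src, h.dst) for h in set_context}
    hops = {}
    for pair, (src_img, dst_img) in images.items():
        has_ctx, n = pair in ctx_pairs, write_counts.get(pair, 0)
        kind = "hollowing-style" if has_ctx and n else "context-only" if has_ctx else "write-only"
        hops[pair] = {"writes": n, "set_context": has_ctx, "kind": kind,
                      "cross_image": src_img != dst_img,
                      "src_image": src_img, "dst_image": dst_img}
    return hops


def injection_chains(hops):
    """Follow src->dst edges from every root (a PID that is never a target)."""
    children = {}
    for src, dst in hops:
        children.setdefault(src, []).append(dst)
    targets = {dst for _, dst in hops}
    chains = []

    def walk(pid, path):
        nexts = children.get(pid, [])
        if not nexts:
            chains.append(path)
            return
        for nxt in sorted(nexts):
            if nxt in path:  # guard against cyclic or garbled event data
                chains.append(path)
                continue
            walk(nxt, path + [nxt])

    for root in sorted(src for src in children if src not in targets):
        walk(root, [root])
    return chains


def describe(hops):
    """One summary line per chain, then one line per hop."""
    lines = []
    for chain in injection_chains(hops):
        lines.append(" -> ".join(str(p) for p in chain))
        for src, dst in zip(chain, chain[1:]):
            h = hops[(src, dst)]
            lines.append(f"  {src} ({h['src_image']}) -> {dst} ({h['dst_image']}): "
                         f"{h['kind']}, {h['writes']} writes"
                         + (", new image on disk" if h["cross_image"] else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(describe(classify_hops(WRITES, SET_CONTEXT))))
```

The reconstructed chain is 1976 -> 2008 -> 112 -> 1464 -> 1188 -> 728; four hops are hollowing-style and the 112 -> 1464 hop (into the freshly dropped cfmmon.exe) is a write without a context change. The memory dumps further down corroborate the two-stage unpacking: the first child in each chain (PIDs 2008 and 1188) maps a 64KB region at 0x400000 with its entry recorded at 0x40258C, while the second child (PIDs 112 and 728) maps a 160KB region at the same base with entry 0x425F90 and is where the upx yara rule matches. Since the dropped cfmmon.exe carries the submitted sample's own hashes, the second chain is the same binary replaying itself from its persistence path.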
Processes (PIDs taken from the signature tables above)
depth 1: C:\Users\Admin\AppData\Local\Temp\c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe (PID 1976)
  command line: "C:\Users\Admin\AppData\Local\Temp\c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
depth 2: C:\Users\Admin\AppData\Local\Temp\c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe (PID 2008), child of PID 1976
  command line: "C:\Users\Admin\AppData\Local\Temp\c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
depth 3: C:\Users\Admin\AppData\Local\Temp\c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe (PID 112), child of PID 2008
  command line: "C:\Users\Admin\AppData\Local\Temp\c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe"
  - Modifies firewall policy service
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
depth 4: C:\Users\Admin\AppData\Roaming\Firewall SysScan\cfmmon.exe (PID 1464), child of PID 112
  command line: "C:\Users\Admin\AppData\Roaming\Firewall SysScan\cfmmon.exe" in
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
depth 5: C:\Users\Admin\AppData\Roaming\Firewall SysScan\cfmmon.exe (PID 1188), child of PID 1464
  command line: "C:\Users\Admin\AppData\Roaming\Firewall SysScan\cfmmon.exe" in
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
depth 6: C:\Users\Admin\AppData\Roaming\Firewall SysScan\cfmmon.exe (PID 728), child of PID 1188
  command line: "C:\Users\Admin\AppData\Roaming\Firewall SysScan\cfmmon.exe" in
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7asg9osapaf2gaacYSbl6.tmp
  Filesize: 3KB
  MD5: 95f62965058baacadb83c2da94ca47de
  SHA1: b3115c8b56105e1eae02fda8b3536b3bf38436ca
  SHA256: d76b2bde3f59d34dbf1bba5917bfd17470703801b17984ad90b6cebcf914deb9
  SHA512: 9fbd110938f1c0a97b1f2742c8233e28a7e2802477f9222d3e0db95c1959ed3a1183b57ca1c92f006e6dbdf3ab03297cba0c6e06e2e2778a6dfa1e4ac2d7cb77
-
C:\Users\Admin\AppData\Roaming\Firewall SysScan\cfmmon.exe
  Filesize: 119KB
  MD5: 74b2a96c2c0551c3de1c682af7020e32
  SHA1: 6d27a411cb084c7f8c99f9a531a63116527c9249
  SHA256: c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5
  SHA512: 10f8b14193127b21b757164bbb62bd0fef03e41aca7aec0a7c96a627c105d0340fb9dd79b6294df60beb5f47aba0e1bf89018f1e1d64f8a0f26d37ae69ffc586
-
\Users\Admin\AppData\Local\Temp\7asg9osapaf2gaacYSbl6.tmp
  Filesize: 3KB
  MD5: 95f62965058baacadb83c2da94ca47de
  SHA1: b3115c8b56105e1eae02fda8b3536b3bf38436ca
  SHA256: d76b2bde3f59d34dbf1bba5917bfd17470703801b17984ad90b6cebcf914deb9
  SHA512: 9fbd110938f1c0a97b1f2742c8233e28a7e2802477f9222d3e0db95c1959ed3a1183b57ca1c92f006e6dbdf3ab03297cba0c6e06e2e2778a6dfa1e4ac2d7cb77
-
\Users\Admin\AppData\Roaming\Firewall SysScan\cfmmon.exe
  Filesize: 119KB
  MD5: 74b2a96c2c0551c3de1c682af7020e32
  SHA1: 6d27a411cb084c7f8c99f9a531a63116527c9249
  SHA256: c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5
  SHA512: 10f8b14193127b21b757164bbb62bd0fef03e41aca7aec0a7c96a627c105d0340fb9dd79b6294df60beb5f47aba0e1bf89018f1e1d64f8a0f26d37ae69ffc586
-
memory/112-76-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
-
memory/112-67-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
-
memory/112-71-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
-
memory/112-72-0x0000000000425F90-mapping.dmp
-
memory/112-74-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
-
memory/112-68-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
-
memory/112-70-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
-
memory/112-81-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
-
memory/728-109-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
-
memory/728-107-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
-
memory/728-103-0x0000000000425F90-mapping.dmp
-
memory/1188-93-0x000000000040258C-mapping.dmp
-
memory/1464-80-0x0000000000000000-mapping.dmp
-
memory/2008-63-0x000000000040258C-mapping.dmp
-
memory/2008-60-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize 64KB)
-
memory/2008-59-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize 64KB)
-
memory/2008-58-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize 64KB)
-
memory/2008-62-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize 64KB)
-
memory/2008-65-0x0000000074D81000-0x0000000074D83000-memory.dmp (Filesize 8KB)
-
memory/2008-56-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize 64KB)
-
memory/2008-66-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize 64KB)
-
memory/2008-55-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize 64KB)
-
memory/2008-75-0x0000000000400000-0x0000000000410000-memory.dmp (Filesize 64KB)