c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5

General

Target

c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
Size

119KB
MD5

74b2a96c2c0551c3de1c682af7020e32
SHA1

6d27a411cb084c7f8c99f9a531a63116527c9249
SHA256

c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5
SHA512

10f8b14193127b21b757164bbb62bd0fef03e41aca7aec0a7c96a627c105d0340fb9dd79b6294df60beb5f47aba0e1bf89018f1e1d64f8a0f26d37ae69ffc586
SSDEEP

1536:5RahbT5TjgF4HYwKyiyoWsqwjXkUTTc8BNgUHjGpqTBFXXPx6NSrR:5RahHp0F3wKyzoWstkUrB1XPxoK

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firewall Manager\\cfmmon.exe"	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe

Executes dropped EXE 3 IoCs

Processes:

cfmmon.execfmmon.execfmmon.exe

pid process

3464 cfmmon.exe
3080 cfmmon.exe
2024 cfmmon.exe

pid	process
3464	cfmmon.exe
3080	cfmmon.exe
2024	cfmmon.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1688-140-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/memory/1688-138-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/memory/1688-142-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/memory/1688-147-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/memory/2024-159-0x0000000000400000-0x0000000000428000-memory.dmp	upx
behavioral2/memory/2024-161-0x0000000000400000-0x0000000000428000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.execfmmon.exe

pid process

3164 c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
3464 cfmmon.exe

pid	process
3164	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
3464	cfmmon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfmmon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firewall Manager\\cfmmon.exe"	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exec3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.execfmmon.execfmmon.exe

description	pid	process	target process
PID 3164 set thread context of 2440	3164	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
PID 2440 set thread context of 1688	2440	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
PID 3464 set thread context of 3080	3464	cfmmon.exe	cfmmon.exe
PID 3080 set thread context of 2024	3080	cfmmon.exe	cfmmon.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exec3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exec3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.execfmmon.execfmmon.exe

description	pid	process	target process
PID 3164 wrote to memory of 2440	3164	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
PID 3164 wrote to memory of 2440	3164	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
PID 3164 wrote to memory of 2440	3164	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
PID 3164 wrote to memory of 2440	3164	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
PID 3164 wrote to memory of 2440	3164	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
PID 3164 wrote to memory of 2440	3164	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
PID 3164 wrote to memory of 2440	3164	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
PID 3164 wrote to memory of 2440	3164	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
PID 3164 wrote to memory of 2440	3164	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
PID 2440 wrote to memory of 1688	2440	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
PID 2440 wrote to memory of 1688	2440	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
PID 2440 wrote to memory of 1688	2440	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
PID 2440 wrote to memory of 1688	2440	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
PID 2440 wrote to memory of 1688	2440	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
PID 2440 wrote to memory of 1688	2440	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
PID 2440 wrote to memory of 1688	2440	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
PID 2440 wrote to memory of 1688	2440	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
PID 1688 wrote to memory of 3464	1688	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	cfmmon.exe
PID 1688 wrote to memory of 3464	1688	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	cfmmon.exe
PID 1688 wrote to memory of 3464	1688	c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe	cfmmon.exe
PID 3464 wrote to memory of 3080	3464	cfmmon.exe	cfmmon.exe
PID 3464 wrote to memory of 3080	3464	cfmmon.exe	cfmmon.exe
PID 3464 wrote to memory of 3080	3464	cfmmon.exe	cfmmon.exe
PID 3464 wrote to memory of 3080	3464	cfmmon.exe	cfmmon.exe
PID 3464 wrote to memory of 3080	3464	cfmmon.exe	cfmmon.exe
PID 3464 wrote to memory of 3080	3464	cfmmon.exe	cfmmon.exe
PID 3464 wrote to memory of 3080	3464	cfmmon.exe	cfmmon.exe
PID 3464 wrote to memory of 3080	3464	cfmmon.exe	cfmmon.exe
PID 3464 wrote to memory of 3080	3464	cfmmon.exe	cfmmon.exe
PID 3080 wrote to memory of 2024	3080	cfmmon.exe	cfmmon.exe
PID 3080 wrote to memory of 2024	3080	cfmmon.exe	cfmmon.exe
PID 3080 wrote to memory of 2024	3080	cfmmon.exe	cfmmon.exe
PID 3080 wrote to memory of 2024	3080	cfmmon.exe	cfmmon.exe
PID 3080 wrote to memory of 2024	3080	cfmmon.exe	cfmmon.exe
PID 3080 wrote to memory of 2024	3080	cfmmon.exe	cfmmon.exe
PID 3080 wrote to memory of 2024	3080	cfmmon.exe	cfmmon.exe
PID 3080 wrote to memory of 2024	3080	cfmmon.exe	cfmmon.exe

C:\Users\Admin\AppData\Local\Temp\c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
"C:\Users\Admin\AppData\Local\Temp\c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3164

C:\Users\Admin\AppData\Local\Temp\c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
"C:\Users\Admin\AppData\Local\Temp\c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Local\Temp\c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe
"C:\Users\Admin\AppData\Local\Temp\c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5.exe"
3⤵
- Modifies firewall policy service
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe
"C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe" in
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3464

C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe
"C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe" in
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3080

C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe
"C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe" in
6⤵
- Executes dropped EXE
PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7asg9osapaf2gaacYSbl6.tmp
Filesize
3KB

MD5
95f62965058baacadb83c2da94ca47de

SHA1
b3115c8b56105e1eae02fda8b3536b3bf38436ca

SHA256
d76b2bde3f59d34dbf1bba5917bfd17470703801b17984ad90b6cebcf914deb9

SHA512
9fbd110938f1c0a97b1f2742c8233e28a7e2802477f9222d3e0db95c1959ed3a1183b57ca1c92f006e6dbdf3ab03297cba0c6e06e2e2778a6dfa1e4ac2d7cb77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7asg9osapaf2gaacYSbl6.tmp
Filesize
3KB

MD5
95f62965058baacadb83c2da94ca47de

SHA1
b3115c8b56105e1eae02fda8b3536b3bf38436ca

SHA256
d76b2bde3f59d34dbf1bba5917bfd17470703801b17984ad90b6cebcf914deb9

SHA512
9fbd110938f1c0a97b1f2742c8233e28a7e2802477f9222d3e0db95c1959ed3a1183b57ca1c92f006e6dbdf3ab03297cba0c6e06e2e2778a6dfa1e4ac2d7cb77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7asg9osapaf2gaacYSbl6.tmp
Filesize
3KB

MD5
95f62965058baacadb83c2da94ca47de

SHA1
b3115c8b56105e1eae02fda8b3536b3bf38436ca

SHA256
d76b2bde3f59d34dbf1bba5917bfd17470703801b17984ad90b6cebcf914deb9

SHA512
9fbd110938f1c0a97b1f2742c8233e28a7e2802477f9222d3e0db95c1959ed3a1183b57ca1c92f006e6dbdf3ab03297cba0c6e06e2e2778a6dfa1e4ac2d7cb77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7asg9osapaf2gaacYSbl6.tmp
Filesize
3KB

MD5
95f62965058baacadb83c2da94ca47de

SHA1
b3115c8b56105e1eae02fda8b3536b3bf38436ca

SHA256
d76b2bde3f59d34dbf1bba5917bfd17470703801b17984ad90b6cebcf914deb9

SHA512
9fbd110938f1c0a97b1f2742c8233e28a7e2802477f9222d3e0db95c1959ed3a1183b57ca1c92f006e6dbdf3ab03297cba0c6e06e2e2778a6dfa1e4ac2d7cb77

Download Submit
C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe
Filesize
119KB

MD5
74b2a96c2c0551c3de1c682af7020e32

SHA1
6d27a411cb084c7f8c99f9a531a63116527c9249

SHA256
c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5

SHA512
10f8b14193127b21b757164bbb62bd0fef03e41aca7aec0a7c96a627c105d0340fb9dd79b6294df60beb5f47aba0e1bf89018f1e1d64f8a0f26d37ae69ffc586

Download Submit
C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe
Filesize
119KB

MD5
74b2a96c2c0551c3de1c682af7020e32

SHA1
6d27a411cb084c7f8c99f9a531a63116527c9249

SHA256
c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5

SHA512
10f8b14193127b21b757164bbb62bd0fef03e41aca7aec0a7c96a627c105d0340fb9dd79b6294df60beb5f47aba0e1bf89018f1e1d64f8a0f26d37ae69ffc586

Download Submit
C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe
Filesize
119KB

MD5
74b2a96c2c0551c3de1c682af7020e32

SHA1
6d27a411cb084c7f8c99f9a531a63116527c9249

SHA256
c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5

SHA512
10f8b14193127b21b757164bbb62bd0fef03e41aca7aec0a7c96a627c105d0340fb9dd79b6294df60beb5f47aba0e1bf89018f1e1d64f8a0f26d37ae69ffc586

Download Submit
C:\Users\Admin\AppData\Roaming\Firewall Manager\cfmmon.exe
Filesize
119KB

MD5
74b2a96c2c0551c3de1c682af7020e32

SHA1
6d27a411cb084c7f8c99f9a531a63116527c9249

SHA256
c3177df89ab8007712e644e3d904e06d8bc1bced59473ea3989482eb474930f5

SHA512
10f8b14193127b21b757164bbb62bd0fef03e41aca7aec0a7c96a627c105d0340fb9dd79b6294df60beb5f47aba0e1bf89018f1e1d64f8a0f26d37ae69ffc586

Download Submit
memory/1688-140-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1688-138-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1688-147-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1688-137-0x0000000000000000-mapping.dmp

Download
memory/1688-142-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2024-154-0x0000000000000000-mapping.dmp

Download
memory/2024-161-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2024-159-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2440-133-0x0000000000000000-mapping.dmp

Download
memory/2440-136-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2440-134-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2440-141-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3080-149-0x0000000000000000-mapping.dmp

Download
memory/3464-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads