cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be

Analysis

max time kernel
189s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
Size

15KB
MD5

2b2e57226761ead5e85fa3c9a00b4aa0
SHA1

0029de105b266e5b0d8a15daeacb38d0232e3991
SHA256

cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be
SHA512

33c53f308ae21939da5992846f3e61253e922a27921e3e55a3d20c2e98699c1f2bc71daa1fef386c8425d6596989a8ea82acc46a5bcf020fa1e49593faa3bdd2
SSDEEP

192:aWWbDk684j//uieX2+rz5utWW6y26MuExHmgZ3h68gIOE7zrTy26CcCnaLnc7:aWWbwfO/uhRzmlUx9OorTyecCh

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DasDNF = "C:\\Windows\\system32\\DasDNF.exe"	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DasDNF.exe	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
File opened for modification	C:\Windows\SysWOW64\DasDNF.exe	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\DasDNF.exe"	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2036	cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe

C:\Users\Admin\AppData\Local\Temp\cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe
"C:\Users\Admin\AppData\Local\Temp\cf82fa4d7d48418b6e4f12e7d3482079fd6bd40bf5de9295b46db08c2a6ac4be.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...