f7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac

General

Target

f7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac.exe
Size

172KB
MD5

cca214ae774b9a98ac3e28fdb91df3ea
SHA1

5ea3776425284cd021f5ee70965955ad3950342d
SHA256

f7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac
SHA512

41f71b7623325b9c1825490e8d7bbc56b874036031e18b97c4954698c5a80d32d16da1735a44cc13c45210a1626b02a323a36befbe2531b62d669905462ae236
SSDEEP

3072:xCqPc8+4xLKGPQb6pLnq1AbpaMAePjT9273c0Iy8onzK98:ltxLKGPQbWqliF27MHsKq

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

f7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac.exewdfaow.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	f7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wdfaow.exe

Executes dropped EXE 1 IoCs

Processes:

wdfaow.exe

pid process

2300 wdfaow.exe

pid	process
2300	wdfaow.exe

Loads dropped DLL 2 IoCs

Processes:

f7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac.exe

pid	process
2236	f7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac.exe
2236	f7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wdfaow.exef7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /r"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /j"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /f"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /n"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /x"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /c"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /w"	f7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /z"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /o"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /i"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /e"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /s"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /a"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /t"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /k"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /q"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /p"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /l"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /b"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /y"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /h"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /u"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /m"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /g"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /d"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /v"	wdfaow.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdfaow = "C:\\Users\\Admin\\wdfaow.exe /w"	wdfaow.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac.exewdfaow.exe

pid	process
2236	f7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe
2300	wdfaow.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac.exewdfaow.exe

pid process

2236 f7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac.exe
2300 wdfaow.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

f7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac.exe

description	pid	process	target process
PID 2236 wrote to memory of 2300	2236	f7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac.exe	wdfaow.exe
PID 2236 wrote to memory of 2300	2236	f7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac.exe	wdfaow.exe
PID 2236 wrote to memory of 2300	2236	f7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac.exe	wdfaow.exe
PID 2236 wrote to memory of 2300	2236	f7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac.exe	wdfaow.exe

C:\Users\Admin\AppData\Local\Temp\f7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac.exe
"C:\Users\Admin\AppData\Local\Temp\f7754181967c56864c6dc02c49cac8e963097e88108a116a4deb330a43b7cfac.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\wdfaow.exe
  "C:\Users\Admin\wdfaow.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\wdfaow.exe

Filesize
172KB

MD5
554b28b480f3b86d36bf9c31767a7c18

SHA1
d053b84f3140199e05e9b822a933efd46fdafed5

SHA256
561a343de4569853160986d7443271cb5b9318ee4d1c7f9bdc37fe4ca3504d4a

SHA512
7eb04f164edf3e9de9013c45a5478fcb1710fd155a3d73c57b0740aed604ece987ad4a0b1c0f31066576f0e9821ed8f8a209891ccb88d09424cb1d0d7ed8e757

Download Submit
memory/2236-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2236-14-0x0000000003190000-0x00000000031BE000-memory.dmp

Filesize
184KB

Download
memory/2236-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2300-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2300-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads