c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb

Analysis

max time kernel
146s
max time network
75s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 07:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe
Size

354KB
MD5

62a9ad59cfe91beebbba0d5320642a1b
SHA1

6412658c64937408c0b0d95998efcf2e4ed28a7a
SHA256

c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb
SHA512

65be3dc0afef1a5867fa6530e1dba5d3c69a5af2c4568b03958c572fd3b7e70a626b069622dc71add170ad6fb7edd32808709ea5925e618bc5e28a40b1d787b1
SSDEEP

6144:t+LTf773NZUR+vwKvLz2EpWzEvRyIeE8YV/RrNthQnIt16NApKsGCkK3I:t+LTf7737cRYvRyIeE559Nf2Itxp3GC8

Score

10^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cpciix.exe

Executes dropped EXE 4 IoCs

pid	Process
1784	xUvo706504cexCvmaMo7l9.exe
1744	1.exe
2040	2.exe
764	cpciix.exe

Deletes itself 1 IoCs

pid	Process
956	cmd.exe

Loads dropped DLL 7 IoCs

pid	Process
1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe
1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe
1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe
1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe
1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe
1784	xUvo706504cexCvmaMo7l9.exe
1784	xUvo706504cexCvmaMo7l9.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	cpciix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\cpciix = "C:\\Users\\Admin\\cpciix.exe /K"	cpciix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\cpciix = "C:\\Users\\Admin\\cpciix.exe /n"	cpciix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\cpciix = "C:\\Users\\Admin\\cpciix.exe /R"	cpciix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\cpciix = "C:\\Users\\Admin\\cpciix.exe /k"	cpciix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\cpciix = "C:\\Users\\Admin\\cpciix.exe /V"	cpciix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\cpciix = "C:\\Users\\Admin\\cpciix.exe /d"	cpciix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\cpciix = "C:\\Users\\Admin\\cpciix.exe /M"	cpciix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\cpciix = "C:\\Users\\Admin\\cpciix.exe /Y"	cpciix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\cpciix = "C:\\Users\\Admin\\cpciix.exe /y"	cpciix.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\physicaldrive0	2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1808	tasklist.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	1.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1784	xUvo706504cexCvmaMo7l9.exe
764	cpciix.exe
764	cpciix.exe
764	cpciix.exe
764	cpciix.exe
764	cpciix.exe
764	cpciix.exe
764	cpciix.exe
764	cpciix.exe
764	cpciix.exe
764	cpciix.exe
764	cpciix.exe
764	cpciix.exe
764	cpciix.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2040	2.exe
Token: SeDebugPrivilege	1808	tasklist.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1784	xUvo706504cexCvmaMo7l9.exe
764	cpciix.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 1784	1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe	28
PID 1780 wrote to memory of 1784	1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe	28
PID 1780 wrote to memory of 1784	1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe	28
PID 1780 wrote to memory of 1784	1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe	28
PID 1780 wrote to memory of 1744	1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe	29
PID 1780 wrote to memory of 1744	1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe	29
PID 1780 wrote to memory of 1744	1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe	29
PID 1780 wrote to memory of 1744	1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe	29
PID 1780 wrote to memory of 2040	1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe	30
PID 1780 wrote to memory of 2040	1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe	30
PID 1780 wrote to memory of 2040	1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe	30
PID 1780 wrote to memory of 2040	1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe	30
PID 1780 wrote to memory of 956	1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe	32
PID 1780 wrote to memory of 956	1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe	32
PID 1780 wrote to memory of 956	1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe	32
PID 1780 wrote to memory of 956	1780	c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe	32
PID 1744 wrote to memory of 1348	1744	1.exe	33
PID 1744 wrote to memory of 1348	1744	1.exe	33
PID 1744 wrote to memory of 1348	1744	1.exe	33
PID 1744 wrote to memory of 1348	1744	1.exe	33
PID 1784 wrote to memory of 764	1784	xUvo706504cexCvmaMo7l9.exe	35
PID 1784 wrote to memory of 764	1784	xUvo706504cexCvmaMo7l9.exe	35
PID 1784 wrote to memory of 764	1784	xUvo706504cexCvmaMo7l9.exe	35
PID 1784 wrote to memory of 764	1784	xUvo706504cexCvmaMo7l9.exe	35
PID 1784 wrote to memory of 568	1784	xUvo706504cexCvmaMo7l9.exe	36
PID 1784 wrote to memory of 568	1784	xUvo706504cexCvmaMo7l9.exe	36
PID 1784 wrote to memory of 568	1784	xUvo706504cexCvmaMo7l9.exe	36
PID 1784 wrote to memory of 568	1784	xUvo706504cexCvmaMo7l9.exe	36
PID 568 wrote to memory of 1808	568	cmd.exe	38
PID 568 wrote to memory of 1808	568	cmd.exe	38
PID 568 wrote to memory of 1808	568	cmd.exe	38
PID 568 wrote to memory of 1808	568	cmd.exe	38
PID 764 wrote to memory of 1808	764	cpciix.exe	38
PID 764 wrote to memory of 1808	764	cpciix.exe	38
PID 764 wrote to memory of 1808	764	cpciix.exe	38
PID 764 wrote to memory of 1808	764	cpciix.exe	38
PID 764 wrote to memory of 1808	764	cpciix.exe	38
PID 764 wrote to memory of 1808	764	cpciix.exe	38

C:\Users\Admin\AppData\Local\Temp\c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe
"C:\Users\Admin\AppData\Local\Temp\c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\xUvo706504cexCvmaMo7l9.exe
  xUvo706504cexCvmaMo7l9.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Users\Admin\cpciix.exe
    "C:\Users\Admin\cpciix.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:764
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del xUvo706504cexCvmaMo7l9.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1808
- C:\Users\Admin\AppData\Local\Temp\1.exe
  1.exe
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Wcb..bat" > nul 2> nul
    3⤵
    PID:1348
- C:\Users\Admin\AppData\Local\Temp\2.exe
  2.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del c50b41fdd4dfcf08e78196515844cde963483d438b956624c5cba918dc95c8fb.exe
  2⤵
  - Deletes itself
  PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
78KB

MD5
888b6528d094d671b73f2787b9ddabe9

SHA1
ae5016fedc9971b58b43c0eb046cd75869c95ae7

SHA256
0644ae81d70e2992f3dcd97efa6a45530be2b5b7ab431c6079f3404f46be886c

SHA512
a4d9a530a62ebe6b1874d9f104cccb55ee30700950a47eb1b45804b22bf28e4a391808a16c318268efad380f61e7e6612c6297cf6c2c2c17b0097a79355ed37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
78KB

MD5
888b6528d094d671b73f2787b9ddabe9

SHA1
ae5016fedc9971b58b43c0eb046cd75869c95ae7

SHA256
0644ae81d70e2992f3dcd97efa6a45530be2b5b7ab431c6079f3404f46be886c

SHA512
a4d9a530a62ebe6b1874d9f104cccb55ee30700950a47eb1b45804b22bf28e4a391808a16c318268efad380f61e7e6612c6297cf6c2c2c17b0097a79355ed37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
129KB

MD5
d840041c4dd856a2356c408ab2bce518

SHA1
52b40b11b06a8acceec394e16d14061669ba2891

SHA256
d360d0808c76fb16678d3dc0f88aff080fdb0dcc5c170f5c136f6bc521d4d706

SHA512
36e6ff9671c7528a3754a2f7e4ff4b324b8421ef84c5527f4ed2f574d3bd2f58667f8d1849bd794285de6fc46e8f3b3293478dab8897eaf5b149b11f5f2f1356

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
129KB

MD5
d840041c4dd856a2356c408ab2bce518

SHA1
52b40b11b06a8acceec394e16d14061669ba2891

SHA256
d360d0808c76fb16678d3dc0f88aff080fdb0dcc5c170f5c136f6bc521d4d706

SHA512
36e6ff9671c7528a3754a2f7e4ff4b324b8421ef84c5527f4ed2f574d3bd2f58667f8d1849bd794285de6fc46e8f3b3293478dab8897eaf5b149b11f5f2f1356

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wcb..bat

Filesize
148B

MD5
0f050794aed555cd6bdfc5be9a88f9d4

SHA1
42988b616cabcf0a80f7d1c55af6b106954cf9ed

SHA256
27916d00173f21b013221cc367984bd762edd17e6021b5ac72bd64e01c54c891

SHA512
1925551e2606cbfc612680ec855ed63d6325bed6f4c7288409f80a3f099faa026a8a3cd39dd9f7cc4d680461a2888e28f6be7019a48b9a1781414408b14ca547

Download Submit
C:\Users\Admin\AppData\Local\Temp\xUvo706504cexCvmaMo7l9.exe

Filesize
172KB

MD5
950e0595cdf2f4a381673f1b5f248a40

SHA1
58cccf7b68559c375f4d054d1d3e497675f89f26

SHA256
5c7047785cee1902ddeb947f40a14364638e7e31a16196c3bfb0d428f00422b2

SHA512
9b29ed32b3b163e652f96331642aa547ecede71029e677bd5bcf96b21c478e90d380c2f55cb3a995c5d172d99693fb8297d448f75f031755ac2294e9f925c41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xUvo706504cexCvmaMo7l9.exe

Filesize
172KB

MD5
950e0595cdf2f4a381673f1b5f248a40

SHA1
58cccf7b68559c375f4d054d1d3e497675f89f26

SHA256
5c7047785cee1902ddeb947f40a14364638e7e31a16196c3bfb0d428f00422b2

SHA512
9b29ed32b3b163e652f96331642aa547ecede71029e677bd5bcf96b21c478e90d380c2f55cb3a995c5d172d99693fb8297d448f75f031755ac2294e9f925c41e

Download Submit
C:\Users\Admin\cpciix.exe

Filesize
172KB

MD5
b34e133c5b1f5796d7c5ada56668d0ce

SHA1
d5fc6ee9fb4ca6632bc5d0be74b13c4311572bf6

SHA256
48d75047e982f399871e2195deacf80e84053940254883c59041a92593bba226

SHA512
4ba7b3e0d85732adbcfed47f2f27a383f4d9990574cafb153c4e7c2be55555e32bdcd5feaeb4c4dfe673b830cb702b960a7cbaecebdb67a1f601c468a02876a0

Download Submit
C:\Users\Admin\cpciix.exe

Filesize
172KB

MD5
b34e133c5b1f5796d7c5ada56668d0ce

SHA1
d5fc6ee9fb4ca6632bc5d0be74b13c4311572bf6

SHA256
48d75047e982f399871e2195deacf80e84053940254883c59041a92593bba226

SHA512
4ba7b3e0d85732adbcfed47f2f27a383f4d9990574cafb153c4e7c2be55555e32bdcd5feaeb4c4dfe673b830cb702b960a7cbaecebdb67a1f601c468a02876a0

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
78KB

MD5
888b6528d094d671b73f2787b9ddabe9

SHA1
ae5016fedc9971b58b43c0eb046cd75869c95ae7

SHA256
0644ae81d70e2992f3dcd97efa6a45530be2b5b7ab431c6079f3404f46be886c

SHA512
a4d9a530a62ebe6b1874d9f104cccb55ee30700950a47eb1b45804b22bf28e4a391808a16c318268efad380f61e7e6612c6297cf6c2c2c17b0097a79355ed37f

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
129KB

MD5
d840041c4dd856a2356c408ab2bce518

SHA1
52b40b11b06a8acceec394e16d14061669ba2891

SHA256
d360d0808c76fb16678d3dc0f88aff080fdb0dcc5c170f5c136f6bc521d4d706

SHA512
36e6ff9671c7528a3754a2f7e4ff4b324b8421ef84c5527f4ed2f574d3bd2f58667f8d1849bd794285de6fc46e8f3b3293478dab8897eaf5b149b11f5f2f1356

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe

Filesize
129KB

MD5
d840041c4dd856a2356c408ab2bce518

SHA1
52b40b11b06a8acceec394e16d14061669ba2891

SHA256
d360d0808c76fb16678d3dc0f88aff080fdb0dcc5c170f5c136f6bc521d4d706

SHA512
36e6ff9671c7528a3754a2f7e4ff4b324b8421ef84c5527f4ed2f574d3bd2f58667f8d1849bd794285de6fc46e8f3b3293478dab8897eaf5b149b11f5f2f1356

Download Submit
\Users\Admin\AppData\Local\Temp\xUvo706504cexCvmaMo7l9.exe

Filesize
172KB

MD5
950e0595cdf2f4a381673f1b5f248a40

SHA1
58cccf7b68559c375f4d054d1d3e497675f89f26

SHA256
5c7047785cee1902ddeb947f40a14364638e7e31a16196c3bfb0d428f00422b2

SHA512
9b29ed32b3b163e652f96331642aa547ecede71029e677bd5bcf96b21c478e90d380c2f55cb3a995c5d172d99693fb8297d448f75f031755ac2294e9f925c41e

Download Submit
\Users\Admin\AppData\Local\Temp\xUvo706504cexCvmaMo7l9.exe

Filesize
172KB

MD5
950e0595cdf2f4a381673f1b5f248a40

SHA1
58cccf7b68559c375f4d054d1d3e497675f89f26

SHA256
5c7047785cee1902ddeb947f40a14364638e7e31a16196c3bfb0d428f00422b2

SHA512
9b29ed32b3b163e652f96331642aa547ecede71029e677bd5bcf96b21c478e90d380c2f55cb3a995c5d172d99693fb8297d448f75f031755ac2294e9f925c41e

Download Submit
\Users\Admin\cpciix.exe

Filesize
172KB

MD5
b34e133c5b1f5796d7c5ada56668d0ce

SHA1
d5fc6ee9fb4ca6632bc5d0be74b13c4311572bf6

SHA256
48d75047e982f399871e2195deacf80e84053940254883c59041a92593bba226

SHA512
4ba7b3e0d85732adbcfed47f2f27a383f4d9990574cafb153c4e7c2be55555e32bdcd5feaeb4c4dfe673b830cb702b960a7cbaecebdb67a1f601c468a02876a0

Download Submit
\Users\Admin\cpciix.exe

Filesize
172KB

MD5
b34e133c5b1f5796d7c5ada56668d0ce

SHA1
d5fc6ee9fb4ca6632bc5d0be74b13c4311572bf6

SHA256
48d75047e982f399871e2195deacf80e84053940254883c59041a92593bba226

SHA512
4ba7b3e0d85732adbcfed47f2f27a383f4d9990574cafb153c4e7c2be55555e32bdcd5feaeb4c4dfe673b830cb702b960a7cbaecebdb67a1f601c468a02876a0

Download Submit
memory/1744-79-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1744-77-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1744-73-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1780-72-0x0000000000070000-0x0000000000089000-memory.dmp

Filesize
100KB

Download
memory/1780-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/2040-75-0x0000000001B80000-0x0000000001C80000-memory.dmp

Filesize
1024KB

Download
memory/2040-74-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download