ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547

Analysis

max time kernel
152s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
Size

6.7MB
MD5

aaf88fa7958d3c7009c60ed43b89461e
SHA1

e0d4ba802143760e95e5352d57941af1d08ce1a4
SHA256

ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547
SHA512

e0cf91c65444bcfab6309ed36d86fed85fb9567b5c86530aeeaa5b348dcadae8192cfad29fc3f26f4ce0bb49153db1b5ff1d147f98b4b8f5035c5afe43e82d19
SSDEEP

98304:c+g32s2/z88sN8f01iuciNu2zPnj/7pxX6gxC9Y5lpuG85yVPKAd:cj32s27oNwnYBzzXaQIG8o

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1976	CCTV.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1512-56-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/files/0x000b0000000122f1-60.dat	upx
behavioral1/files/0x000b0000000122f1-63.dat	upx
behavioral1/memory/1976-66-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1512-67-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1932	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	CCTV.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	CCTV.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	CCTV.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	CCTV.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	CCTV.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1356F306-EAE0-4B1A-B71F-5790065C0F0D}\chrome_installer.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	CCTV.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	CCTV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	CCTV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	CCTV.exe
File opened for modification	C:\Program Files\Windows Media Player\wmlaunch.exe	CCTV.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpenc.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	CCTV.exe
File opened for modification	C:\Program Files\Windows Journal\Journal.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	CCTV.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	CCTV.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	CCTV.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	CCTV.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\CCTV.exe	ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
File opened for modification	C:\Windows\CCTV.exe	ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
File opened for modification	C:\Windows\CCTV.exe	CCTV.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1512	ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
1976	CCTV.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1932	1512	ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe	27
PID 1512 wrote to memory of 1932	1512	ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe	27
PID 1512 wrote to memory of 1932	1512	ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe	27
PID 1512 wrote to memory of 1932	1512	ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe	27
PID 1512 wrote to memory of 1976	1512	ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe	29
PID 1512 wrote to memory of 1976	1512	ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe	29
PID 1512 wrote to memory of 1976	1512	ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe	29
PID 1512 wrote to memory of 1976	1512	ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe	29

C:\Users\Admin\AppData\Local\Temp\ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
"C:\Users\Admin\AppData\Local\Temp\ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547kill.bat
  2⤵
  - Deletes itself
  PID:1932
- C:\Windows\CCTV.exe
  C:\Windows\CCTV.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547kill.bat

Filesize
252B

MD5
94f342c213c909d1f22ba48b94999376

SHA1
3f7d1f2817c0f17cdd6cb1b13420d36a036484f0

SHA256
5ffca8c722d57b39d27396faf9d946eaa84e06f2226a62bc89b5442a948afd44

SHA512
9ebf163a71a3d8a3af157fa986ca9c0887145a6201def196494a53a4b109c55bbd18bf0bae5364ade1e23789992eee8be8a6c1c3c4a1c77d16984740780c0741

Download Submit
C:\Windows\CCTV.exe

Filesize
6.7MB

MD5
aaf88fa7958d3c7009c60ed43b89461e

SHA1
e0d4ba802143760e95e5352d57941af1d08ce1a4

SHA256
ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547

SHA512
e0cf91c65444bcfab6309ed36d86fed85fb9567b5c86530aeeaa5b348dcadae8192cfad29fc3f26f4ce0bb49153db1b5ff1d147f98b4b8f5035c5afe43e82d19

Download Submit
C:\Windows\CCTV.exe

Filesize
6.7MB

MD5
aaf88fa7958d3c7009c60ed43b89461e

SHA1
e0d4ba802143760e95e5352d57941af1d08ce1a4

SHA256
ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547

SHA512
e0cf91c65444bcfab6309ed36d86fed85fb9567b5c86530aeeaa5b348dcadae8192cfad29fc3f26f4ce0bb49153db1b5ff1d147f98b4b8f5035c5afe43e82d19

Download Submit
memory/1512-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1512-64-0x0000000000250000-0x0000000000274000-memory.dmp

Filesize
144KB

Download
memory/1512-65-0x0000000000250000-0x0000000000274000-memory.dmp

Filesize
144KB

Download
memory/1512-67-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1976-66-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download