Analysis
max time kernel: 153s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2022, 22:08
Behavioral tasks
behavioral1: sample ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe, resource win7-20220812-en
behavioral2: sample ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe, resource win10v2004-20220812-en
The signatures, process tree and downloads below come from behavioral2 (the Windows 10 run); every IoC path is prefixed behavioral2/.
General
Target: ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
Size: 6.7MB
MD5: aaf88fa7958d3c7009c60ed43b89461e
SHA1: e0d4ba802143760e95e5352d57941af1d08ce1a4
SHA256: ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547
SHA512: e0cf91c65444bcfab6309ed36d86fed85fb9567b5c86530aeeaa5b348dcadae8192cfad29fc3f26f4ce0bb49153db1b5ff1d147f98b4b8f5035c5afe43e82d19
SSDEEP: 98304:c+g32s2/z88sN8f01iuciNu2zPnj/7pxX6gxC9Y5lpuG85yVPKAd:cj32s27oNwnYBzzXaQIG8o
Malware Config
Signatures
Executes dropped EXE (1 IoC)
- PID 4628, process CCTV.exe
YARA rule upx (6 matches: the dropped files and the mapped images of both processes)
- behavioral2/memory/4820-132-0x0000000000400000-0x0000000000424000-memory.dmp
- behavioral2/files/0x0006000000022e26-137.dat
- behavioral2/files/0x0006000000022e26-138.dat
- behavioral2/memory/4628-142-0x0000000000400000-0x0000000000424000-memory.dmp
- behavioral2/memory/4820-143-0x0000000000400000-0x0000000000424000-memory.dmp
- behavioral2/memory/4628-144-0x0000000000400000-0x0000000000424000-memory.dmp
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by CCTV.exe. This signature records a handle opened with write access; the report does not show what, if anything, was written to each target. The targets are executables spread across every third-party install on the image (Java, Office, Chrome, 7-Zip, Internet Explorer), consistent with a process enumerating Program Files for executables to modify.
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe
- C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe
- C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe
- C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe
- C:\Program Files\Microsoft Office\root\Integration\Integrator.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe
- C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe
- C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe
- C:\Program Files\Internet Explorer\ExtExport.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe
- C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE
- C:\Program Files\7-Zip\Uninstall.exe
- C:\Program Files\Google\Chrome\Application\chrome.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe
- C:\Program Files\Java\jre1.8.0_66\bin\klist.exe
- C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
- C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe
- C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe
- C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe
- C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE
- C:\Program Files\Internet Explorer\ieinstal.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe
- C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe
- C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\java.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe
- C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
- C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe
- C:\Program Files\7-Zip\7zFM.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe
- C:\Program Files\7-Zip\7zG.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\nacl_irt_x86_64.nexe
- C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe
- C:\Program Files\Java\jre1.8.0_66\bin\java.exe
Drops file in Windows directory (3 IoCs)
- File created: C:\Windows\CCTV.exe, by ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
- File opened for modification: C:\Windows\CCTV.exe, by ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
- File opened for modification: C:\Windows\CCTV.exe, by CCTV.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 4820, ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
- PID 4628, CCTV.exe
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 4820 (ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe) wrote to memory of PID 4712 (procid_target 79), three times
- PID 4820 (ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe) wrote to memory of PID 4628 (procid_target 81), three times
Both targets are the parent's own children (cmd.exe and CCTV.exe in the process tree below), and three writes into a freshly created child is also what ordinary process creation produces, so this signature on its own is weak evidence of injection.
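A quick way to make the two "Drops file in ..." tables above actionable, as an added example that is not tria.ge output or code: parse the flattened table text as the page presents it, group the paths each process opened for modification by the Program Files vendor folder they live in, and flag any process that touched executables across several unrelated vendors. The sample text is a constructed subset of records copied from this report (six of the 64 Program Files entries plus the three Windows-directory entries); the thresholds and the self-modification heuristic are the example's own choices, not anything the report states.

```python
"""Group Triage-style file-modification IoCs by process and vendor folder.

Added example, not tria.ge code or output. It parses the run-on text of the
"Drops file in Program Files directory" / "Drops file in Windows directory"
tables and reports, per process, how many distinct executables were opened
for modification and under how many Program Files vendor folders they sit.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: a subset of the report's records, pasted exactly as the
# page flattens the table (column header words and trailing " -" included).
SAMPLE_TEXT = (
    "description ioc Process "
    r"File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe CCTV.exe "
    r"File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe CCTV.exe "
    r"File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe CCTV.exe "
    r"File opened for modification C:\Program Files\7-Zip\7zFM.exe CCTV.exe "
    r"File opened for modification C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE CCTV.exe "
    r"File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\nacl_irt_x86_64.nexe CCTV.exe "
    r"File created C:\Windows\CCTV.exe ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe "
    r"File opened for modification C:\Windows\CCTV.exe ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe "
    r"File opened for modification C:\Windows\CCTV.exe CCTV.exe -"
)

# One record = action, a path (may contain spaces), then the process image name
# (no spaces in this report). The lookahead pins the record boundary to either
# the next "File ..." record or the end of the table, so a non-greedy path
# cannot stop early inside "Program Files".
RECORD_RE = re.compile(
    r"(?P<action>File created|File opened for modification)\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<proc>\S+\.exe)"
    r"(?=\s+File\s|\s*(?:-\s*)?$)"
)

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".nexe"}


def parse_records(text):
    """Return (action, path, process) tuples from flattened Triage table text."""
    return [(m["action"], m["path"], m["proc"]) for m in RECORD_RE.finditer(text)]


def vendor_dir(path):
    """Vendor folder directly under Program Files, or None for other locations."""
    parts = PureWindowsPath(path).parts  # ('C:\\', 'Program Files', 'Java', ...)
    if len(parts) < 3 or parts[1].lower() not in ("program files", "program files (x86)"):
        return None
    return parts[2]


def summarize(records):
    """Per process: distinct executables opened for modification under Program Files, and the vendors hit."""
    summary = defaultdict(lambda: {"executables": set(), "vendors": set()})
    for action, path, proc in records:
        if action != "File opened for modification":
            continue
        vendor = vendor_dir(path)
        if vendor is None or PureWindowsPath(path).suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        summary[proc]["executables"].add(path.lower())
        summary[proc]["vendors"].add(vendor)
    return dict(summary)


def mass_modifiers(records, min_files=5, min_vendors=2):
    """Processes that opened >= min_files executables across >= min_vendors vendor folders (thresholds are assumptions)."""
    return sorted(
        proc for proc, s in summarize(records).items()
        if len(s["executables"]) >= min_files and len(s["vendors"]) >= min_vendors
    )


def self_modifiers(records):
    """Heuristic: processes that opened a file with their own image name for modification."""
    return sorted({
        proc for action, path, proc in records
        if action == "File opened for modification"
        and PureWindowsPath(path).name.lower() == proc.lower()
    })


if __name__ == "__main__":
    recs = parse_records(SAMPLE_TEXT)
    for proc, s in summarize(recs).items():
        print(f"{proc}: {len(s['executables'])} executables across {sorted(s['vendors'])}")
    print("mass modifiers:", mass_modifiers(recs))
    print("self-modifiers:", self_modifiers(recs))
```

On the full 64-entry table the same grouping shows one process, CCTV.exe, touching five vendor folders; the process that dropped C:\Windows\CCTV.exe never appears in the Program Files summary because it only wrote into C:\Windows.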
Processes
1. C:\Users\Admin\AppData\Local\Temp\ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe (PID 4820)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe"
   - Drops file in Windows directory
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 4712)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547kill.bat
   2. C:\Windows\CCTV.exe (PID 4628)
      Command line: C:\Windows\CCTV.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
The cmd.exe command line names system32 but the image that ran is C:\Windows\SysWOW64\cmd.exe: the parent is a 32-bit process (resource tag arch:x86) and WOW64 file-system redirection mapped the path. The batch file it runs is the 252-byte kill.bat listed under Downloads; its contents are not shown in this report.
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547kill.bat
  Filesize: 252B
  MD5: 94f342c213c909d1f22ba48b94999376
  SHA1: 3f7d1f2817c0f17cdd6cb1b13420d36a036484f0
  SHA256: 5ffca8c722d57b39d27396faf9d946eaa84e06f2226a62bc89b5442a948afd44
  SHA512: 9ebf163a71a3d8a3af157fa986ca9c0887145a6201def196494a53a4b109c55bbd18bf0bae5364ade1e23789992eee8be8a6c1c3c4a1c77d16984740780c0741
- Two further downloads, listed without a filename, both byte-identical to the submitted sample (same size and hashes as in General):
  Filesize: 6.7MB
  MD5: aaf88fa7958d3c7009c60ed43b89461e
  SHA1: e0d4ba802143760e95e5352d57941af1d08ce1a4
  SHA256: ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547
  SHA512: e0cf91c65444bcfab6309ed36d86fed85fb9567b5c86530aeeaa5b348dcadae8192cfad29fc3f26f4ce0bb49153db1b5ff1d147f98b4b8f5035c5afe43e82d19