ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547

Analysis

max time kernel
153s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
Size

6.7MB
MD5

aaf88fa7958d3c7009c60ed43b89461e
SHA1

e0d4ba802143760e95e5352d57941af1d08ce1a4
SHA256

ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547
SHA512

e0cf91c65444bcfab6309ed36d86fed85fb9567b5c86530aeeaa5b348dcadae8192cfad29fc3f26f4ce0bb49153db1b5ff1d147f98b4b8f5035c5afe43e82d19
SSDEEP

98304:c+g32s2/z88sN8f01iuciNu2zPnj/7pxX6gxC9Y5lpuG85yVPKAd:cj32s27oNwnYBzzXaQIG8o

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4628	CCTV.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4820-132-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x0006000000022e26-137.dat	upx
behavioral2/files/0x0006000000022e26-138.dat	upx
behavioral2/memory/4628-142-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4820-143-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4628-144-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	CCTV.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	CCTV.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	CCTV.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE	CCTV.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	CCTV.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	CCTV.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	CCTV.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	CCTV.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	CCTV.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	CCTV.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	CCTV.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	CCTV.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	CCTV.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	CCTV.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	CCTV.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	CCTV.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	CCTV.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	CCTV.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	CCTV.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\nacl_irt_x86_64.nexe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	CCTV.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	CCTV.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\CCTV.exe	ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
File opened for modification	C:\Windows\CCTV.exe	ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
File opened for modification	C:\Windows\CCTV.exe	CCTV.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4820	ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
4628	CCTV.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 4712	4820	ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe	79
PID 4820 wrote to memory of 4712	4820	ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe	79
PID 4820 wrote to memory of 4712	4820	ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe	79
PID 4820 wrote to memory of 4628	4820	ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe	81
PID 4820 wrote to memory of 4628	4820	ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe	81
PID 4820 wrote to memory of 4628	4820	ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe	81

C:\Users\Admin\AppData\Local\Temp\ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe
"C:\Users\Admin\AppData\Local\Temp\ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547kill.bat
  2⤵
  PID:4712
- C:\Windows\CCTV.exe
  C:\Windows\CCTV.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:4628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547kill.bat

Filesize
252B

MD5
94f342c213c909d1f22ba48b94999376

SHA1
3f7d1f2817c0f17cdd6cb1b13420d36a036484f0

SHA256
5ffca8c722d57b39d27396faf9d946eaa84e06f2226a62bc89b5442a948afd44

SHA512
9ebf163a71a3d8a3af157fa986ca9c0887145a6201def196494a53a4b109c55bbd18bf0bae5364ade1e23789992eee8be8a6c1c3c4a1c77d16984740780c0741

Download Submit
C:\Windows\CCTV.exe

Filesize
6.7MB

MD5
aaf88fa7958d3c7009c60ed43b89461e

SHA1
e0d4ba802143760e95e5352d57941af1d08ce1a4

SHA256
ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547

SHA512
e0cf91c65444bcfab6309ed36d86fed85fb9567b5c86530aeeaa5b348dcadae8192cfad29fc3f26f4ce0bb49153db1b5ff1d147f98b4b8f5035c5afe43e82d19

Download Submit
C:\Windows\CCTV.exe

Filesize
6.7MB

MD5
aaf88fa7958d3c7009c60ed43b89461e

SHA1
e0d4ba802143760e95e5352d57941af1d08ce1a4

SHA256
ab71c3c806b6f2a70e732f9c8787959e24eb2398e95fa43bef70713378f46547

SHA512
e0cf91c65444bcfab6309ed36d86fed85fb9567b5c86530aeeaa5b348dcadae8192cfad29fc3f26f4ce0bb49153db1b5ff1d147f98b4b8f5035c5afe43e82d19

Download Submit
memory/4628-142-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4628-144-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4820-132-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4820-143-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download