bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b

Analysis

max time kernel
150s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
Size

917KB
MD5

cc0cb143bcde7947f5ddae1e143e11e9
SHA1

01e3d934a6b61a9127a9ed6ced39d958cd961a28
SHA256

bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b
SHA512

c3d9a0bc900329aa2fb05c78abe0010a5b0567fe8bfc1b016fa8c6519015e7965c758f34bfc1bdb63f8294ff346944f040d8bd4539eadc42925e223b749e8cec
SSDEEP

24576:yYyrBDDP7agE0sftUdzxh2jm/g3at18wYxCSYRo1OJFmplxis6+0u7XVWAJigyy:7y1Tagtsftuzxh2jmo3at18E17Jsgs6q

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

49 3216 rundll32.exe
71 3216 rundll32.exe
Executes dropped EXE 3 IoCs

Processes:

CCG0.exeCCG1.exeCCG2.exe

pid process

4544 CCG0.exe
2836 CCG1.exe
4024 CCG2.exe
Sets DLL path for service in the registry 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

CCG2.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ServiceName\Parameters\ServiceDll = "C:\\server.dll" CCG2.exe
Loads dropped DLL 2 IoCs

Processes:

svchost.exerundll32.exe

pid process

2944 svchost.exe
3216 rundll32.exe

flow	pid	process
49	3216	rundll32.exe
71	3216	rundll32.exe

pid	process
4544	CCG0.exe
2836	CCG1.exe
4024	CCG2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ServiceName\Parameters\ServiceDll = "C:\\server.dll"	CCG2.exe

pid	process
2944	svchost.exe
3216	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe

pid	process
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe

Drops file in Windows directory 1 IoCs

Processes:

CCG2.exe

description ioc process

File opened for modification C:\Windows\win.ini CCG2.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	CCG2.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

CCG0.exe

pid process

4544 CCG0.exe
4544 CCG0.exe

pid	process
4544	CCG0.exe
4544	CCG0.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exesvchost.exe

description	pid	process	target process
PID 2888 wrote to memory of 4544	2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe	CCG0.exe
PID 2888 wrote to memory of 4544	2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe	CCG0.exe
PID 2888 wrote to memory of 4544	2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe	CCG0.exe
PID 2888 wrote to memory of 2836	2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe	CCG1.exe
PID 2888 wrote to memory of 2836	2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe	CCG1.exe
PID 2888 wrote to memory of 2836	2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe	CCG1.exe
PID 2888 wrote to memory of 4024	2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe	CCG2.exe
PID 2888 wrote to memory of 4024	2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe	CCG2.exe
PID 2888 wrote to memory of 4024	2888	bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe	CCG2.exe
PID 2944 wrote to memory of 3216	2944	svchost.exe	rundll32.exe
PID 2944 wrote to memory of 3216	2944	svchost.exe	rundll32.exe
PID 2944 wrote to memory of 3216	2944	svchost.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe
"C:\Users\Admin\AppData\Local\Temp\bff364aa72c67151be73f37a180da1ba94cf3b3b2023cf5924c2e53fd4c4500b.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2888

C:\Users\Admin\AppData\Local\Temp\CCG0.exe
C:\Users\Admin\AppData\Local\Temp\CCG0.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4544

C:\Users\Admin\AppData\Local\Temp\CCG1.exe
C:\Users\Admin\AppData\Local\Temp\CCG1.exe
2⤵
- Executes dropped EXE
PID:2836

C:\Users\Admin\AppData\Local\Temp\CCG2.exe
C:\Users\Admin\AppData\Local\Temp\CCG2.exe
2⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Drops file in Windows directory
PID:4024

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netserver
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe c:\server.dll,_ProcVersion
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CCG0.exe
Filesize
56KB

MD5
4d8fe44f0a77e059f4a8f7dfb81fd852

SHA1
a308ee5cd889e248cfbd91badefabcfe35264cb0

SHA256
ca65e05426dae6ddf80cb4286e11043f16d7968e963d616f7b41819b32def52d

SHA512
3ab475fead05166044978c4cdd6667a55562fd31c6c063f9e5d8e3c03787b22c80435d1d4e1b9a5632aa010778278c2542a56b24156c0b655105f8dbec866e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCG0.exe
Filesize
56KB

MD5
4d8fe44f0a77e059f4a8f7dfb81fd852

SHA1
a308ee5cd889e248cfbd91badefabcfe35264cb0

SHA256
ca65e05426dae6ddf80cb4286e11043f16d7968e963d616f7b41819b32def52d

SHA512
3ab475fead05166044978c4cdd6667a55562fd31c6c063f9e5d8e3c03787b22c80435d1d4e1b9a5632aa010778278c2542a56b24156c0b655105f8dbec866e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCG1.exe
Filesize
40KB

MD5
beca7a8ce34fc043b10a70f92a6eef7d

SHA1
4cd040e2a5835628670e736081e81105e4029925

SHA256
723a835e043cc2ba17c00b4b65279e05d278912dfb4b60a31216dea50a3cd612

SHA512
6097c2896dc65b147f9a824aec1d2b6dfad974aeac0db2df61f96202c414079187c56a5ba5cb95d1f1a541d352f9f89f6129b3d049ffa3cbde429e64cabe748e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCG1.exe
Filesize
40KB

MD5
beca7a8ce34fc043b10a70f92a6eef7d

SHA1
4cd040e2a5835628670e736081e81105e4029925

SHA256
723a835e043cc2ba17c00b4b65279e05d278912dfb4b60a31216dea50a3cd612

SHA512
6097c2896dc65b147f9a824aec1d2b6dfad974aeac0db2df61f96202c414079187c56a5ba5cb95d1f1a541d352f9f89f6129b3d049ffa3cbde429e64cabe748e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCG2.exe
Filesize
26KB

MD5
fea7f9c75c18881f9ff14a77918af497

SHA1
8289394cc1523c7e8c42b1f9820d8ffb1a390db0

SHA256
f4d9739927d52b4ad35481d5bb3a81d0fb443408d9871516f49ac14a7e294bb0

SHA512
fb42e18054dead5c44518f8bbd50c16094ee610ac84a2f4cb881befd842181f22976bb06e3598c358f4c3e112ffd10ecc8d6bcc5484462622cb387bce0920661

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCG2.exe
Filesize
26KB

MD5
fea7f9c75c18881f9ff14a77918af497

SHA1
8289394cc1523c7e8c42b1f9820d8ffb1a390db0

SHA256
f4d9739927d52b4ad35481d5bb3a81d0fb443408d9871516f49ac14a7e294bb0

SHA512
fb42e18054dead5c44518f8bbd50c16094ee610ac84a2f4cb881befd842181f22976bb06e3598c358f4c3e112ffd10ecc8d6bcc5484462622cb387bce0920661

Download Submit
C:\server.dll
Filesize
40KB

MD5
a80334015d98afa8fee03a090a4b4a0e

SHA1
ac1b8afeb55eea2a059bfb7d8fe55b5f48109eef

SHA256
4c4f4487c83d4a8233fcf2a2b58184ce2a6ebeaa8d55f98d0c0b980229767ca2

SHA512
339cdc1636e6efc2b6110af8b81af6d4e6777855f8a0653cc73e5e6620a5e876eae3d19d7089a65c8aa006be6ba420a7c0b3b39ee9c48a69c3c349f0e03ab30f

Download Submit
C:\server.dll
Filesize
40KB

MD5
a80334015d98afa8fee03a090a4b4a0e

SHA1
ac1b8afeb55eea2a059bfb7d8fe55b5f48109eef

SHA256
4c4f4487c83d4a8233fcf2a2b58184ce2a6ebeaa8d55f98d0c0b980229767ca2

SHA512
339cdc1636e6efc2b6110af8b81af6d4e6777855f8a0653cc73e5e6620a5e876eae3d19d7089a65c8aa006be6ba420a7c0b3b39ee9c48a69c3c349f0e03ab30f

Download Submit
\??\c:\server.dll
Filesize
40KB

MD5
a80334015d98afa8fee03a090a4b4a0e

SHA1
ac1b8afeb55eea2a059bfb7d8fe55b5f48109eef

SHA256
4c4f4487c83d4a8233fcf2a2b58184ce2a6ebeaa8d55f98d0c0b980229767ca2

SHA512
339cdc1636e6efc2b6110af8b81af6d4e6777855f8a0653cc73e5e6620a5e876eae3d19d7089a65c8aa006be6ba420a7c0b3b39ee9c48a69c3c349f0e03ab30f

Download Submit
memory/2836-1484-0x0000000000000000-mapping.dmp

Download
memory/2888-1479-0x00000000026C0000-0x00000000027C0000-memory.dmp

Filesize
1024KB

Download
memory/2888-1483-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-1487-0x00000000026C0000-0x00000000027C0000-memory.dmp

Filesize
1024KB

Download
memory/2888-132-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-137-0x0000000076A20000-0x0000000076A9A000-memory.dmp

Filesize
488KB

Download
memory/2888-136-0x00000000758A0000-0x0000000075A40000-memory.dmp

Filesize
1.6MB

Download
memory/2888-134-0x00000000774F0000-0x0000000077705000-memory.dmp

Filesize
2.1MB

Download
memory/2888-1493-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2888-133-0x0000000077870000-0x0000000077A13000-memory.dmp

Filesize
1.6MB

Download
memory/3216-1494-0x0000000000000000-mapping.dmp

Download
memory/4024-1488-0x0000000000000000-mapping.dmp

Download
memory/4544-1480-0x0000000000000000-mapping.dmp

Download