f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb

General

Target

f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
Size

1.2MB
MD5

694ca266aaa0bcb3d75348e259346de6
SHA1

9a8b50699d67f6fe56efad1da7b990c380782a7b
SHA256

f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb
SHA512

77a9f2ae86d3e4876a3c165d960580863f77b1f324519ae8200e4a9985faec138cafdcae4d30c874b64ec5a63c486cb5dcb93bd942a87886c3230b4e174c1952
SSDEEP

24576:8mtOGTYtxBLLMBLvVJ3zzs337HOek5ThTYcxkGML5DVEVuPVMDP:8mvTYtxBynMO9Zh9kfFPeb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

CCG0.exeCCG1.exe

pid process

2004 CCG0.exe
1968 CCG1.exe
Drops file in System32 directory 1 IoCs

Processes:

CCG1.exe

description ioc process

File created C:\Windows\SysWOW64\black.txt CCG1.exe

pid	process
2004	CCG0.exe
1968	CCG1.exe

description	ioc	process
File created	C:\Windows\SysWOW64\black.txt	CCG1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe

pid	process
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

CCG0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\qq.com	CCG0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\qq.com\NumberOfSubdomains = "1"	CCG0.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	CCG0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	CCG0.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	CCG0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	CCG0.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com	CCG0.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	CCG0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CCG1.exe

description pid process

Token: SeDebugPrivilege 1968 CCG1.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

CCG0.exe

pid process

2004 CCG0.exe
2004 CCG0.exe
2004 CCG0.exe
2004 CCG0.exe

description	pid	process
Token: SeDebugPrivilege	1968	CCG1.exe

pid	process
2004	CCG0.exe
2004	CCG0.exe
2004	CCG0.exe
2004	CCG0.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe

description	pid	process	target process
PID 1628 wrote to memory of 2004	1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe	CCG0.exe
PID 1628 wrote to memory of 2004	1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe	CCG0.exe
PID 1628 wrote to memory of 2004	1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe	CCG0.exe
PID 1628 wrote to memory of 1968	1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe	CCG1.exe
PID 1628 wrote to memory of 1968	1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe	CCG1.exe
PID 1628 wrote to memory of 1968	1628	f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe	CCG1.exe

C:\Users\Admin\AppData\Local\Temp\f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe
"C:\Users\Admin\AppData\Local\Temp\f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\CCG0.exe
C:\Users\Admin\AppData\Local\Temp\CCG0.exe
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2004

C:\Users\Admin\AppData\Local\Temp\CCG1.exe
C:\Users\Admin\AppData\Local\Temp\CCG1.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CCG0.exe

Filesize
644KB

MD5
607b068b6455737865aed2871d19bc5c

SHA1
82fb760b3852988dbb8b31a198bcbfec9d4eb5f8

SHA256
83dfabff856f954323c12a4d4fa974b9e4fbd21547d6cd78bd1aca080ca10095

SHA512
6f65ab430f817a4a66a17ea5b996e1123c3df024db11ed4351a30d4282d64a4901d879ca12d187e6eabfdffe4fe6f5063adb98a0c77061314959038c8b3edeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCG0.exe

Filesize
644KB

MD5
607b068b6455737865aed2871d19bc5c

SHA1
82fb760b3852988dbb8b31a198bcbfec9d4eb5f8

SHA256
83dfabff856f954323c12a4d4fa974b9e4fbd21547d6cd78bd1aca080ca10095

SHA512
6f65ab430f817a4a66a17ea5b996e1123c3df024db11ed4351a30d4282d64a4901d879ca12d187e6eabfdffe4fe6f5063adb98a0c77061314959038c8b3edeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCG1.exe

Filesize
16KB

MD5
1152bed8083e823b20c6500eb0d9adeb

SHA1
9a8fe6524878f3b454e86a12e8991a164b9bdff6

SHA256
69c4107f9a5b88799df07062cd3c863016d32512d7793506404a28a73da09792

SHA512
5bf8a330bdb1789ffeed2858d1055439ff1f8c88b9711123fc08549871f18c69c71fa655f2c79fb6c27b68b86f9694d9fc4418156c454eae2201713e7e8eb1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCG1.exe

Filesize
16KB

MD5
1152bed8083e823b20c6500eb0d9adeb

SHA1
9a8fe6524878f3b454e86a12e8991a164b9bdff6

SHA256
69c4107f9a5b88799df07062cd3c863016d32512d7793506404a28a73da09792

SHA512
5bf8a330bdb1789ffeed2858d1055439ff1f8c88b9711123fc08549871f18c69c71fa655f2c79fb6c27b68b86f9694d9fc4418156c454eae2201713e7e8eb1db

Download Submit
memory/1628-1483-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1628-1479-0x0000000002630000-0x0000000002730000-memory.dmp

Filesize
1024KB

Download
memory/1628-137-0x0000000077360000-0x00000000773DA000-memory.dmp

Filesize
488KB

Download
memory/1628-136-0x0000000076F20000-0x00000000770C0000-memory.dmp

Filesize
1.6MB

Download
memory/1628-132-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1628-1484-0x0000000002630000-0x0000000002730000-memory.dmp

Filesize
1024KB

Download
memory/1628-134-0x0000000076100000-0x0000000076315000-memory.dmp

Filesize
2.1MB

Download
memory/1628-133-0x0000000077510000-0x00000000776B3000-memory.dmp

Filesize
1.6MB

Download
memory/1628-1488-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1968-1485-0x0000000000000000-mapping.dmp

Download
memory/2004-1480-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads