cc40ef1abd1bcf08676f53290e4374dba4e265cdc37097df9b57d8d4e96b846f

Analysis

max time kernel
152s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 22:56

Target

cc40ef1abd1bcf08676f53290e4374dba4e265cdc37097df9b57d8d4e96b846f.exe
Size

2.6MB
MD5

96e239c85b8f12bce6901d73ee8c00f1
SHA1

bd2566ccd1c8317c0ce341259a7e3ceb07c8b118
SHA256

cc40ef1abd1bcf08676f53290e4374dba4e265cdc37097df9b57d8d4e96b846f
SHA512

624d3c7748ceab148a081ceacfca42b595d08d302fbfed441e391bbacf118563a8402a0f43f4837c3933e8eb0e3596f053fd188d44ceaf49e5e73f8fc7f9158b
SSDEEP

49152:2toK3MJgWJfjRiFqpfSdXYjy0n4w1Ou8HG3WE/OWwcBEP2KHgDfcg+QVX1mEsMFE:qMisiFq4XYm091OufGPLclKHUcgnVQc6

Score

8^/10

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cc40ef1abd1bcf08676f53290e4374dba4e265cdc37097df9b57d8d4e96b846f.exe
File opened for modification	C:\Windows\system32\drivers\etc	cc40ef1abd1bcf08676f53290e4374dba4e265cdc37097df9b57d8d4e96b846f.exe
File created	C:\Windows\system32\drivers\etc\hosts	cc40ef1abd1bcf08676f53290e4374dba4e265cdc37097df9b57d8d4e96b846f.exe
File created	C:\Windows\system32\drivers\42C2LEQ.sys	cc40ef1abd1bcf08676f53290e4374dba4e265cdc37097df9b57d8d4e96b846f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
752	cc40ef1abd1bcf08676f53290e4374dba4e265cdc37097df9b57d8d4e96b846f.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	752	cc40ef1abd1bcf08676f53290e4374dba4e265cdc37097df9b57d8d4e96b846f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
752	cc40ef1abd1bcf08676f53290e4374dba4e265cdc37097df9b57d8d4e96b846f.exe
752	cc40ef1abd1bcf08676f53290e4374dba4e265cdc37097df9b57d8d4e96b846f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 1072	752	cc40ef1abd1bcf08676f53290e4374dba4e265cdc37097df9b57d8d4e96b846f.exe	27
PID 752 wrote to memory of 1072	752	cc40ef1abd1bcf08676f53290e4374dba4e265cdc37097df9b57d8d4e96b846f.exe	27
PID 752 wrote to memory of 1072	752	cc40ef1abd1bcf08676f53290e4374dba4e265cdc37097df9b57d8d4e96b846f.exe	27
PID 752 wrote to memory of 1072	752	cc40ef1abd1bcf08676f53290e4374dba4e265cdc37097df9b57d8d4e96b846f.exe	27

C:\Users\Admin\AppData\Local\Temp\cc40ef1abd1bcf08676f53290e4374dba4e265cdc37097df9b57d8d4e96b846f.exe
"C:\Users\Admin\AppData\Local\Temp\cc40ef1abd1bcf08676f53290e4374dba4e265cdc37097df9b57d8d4e96b846f.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd /c rd "C:\Windows\system32\drivers\etcdjqGL" /S /Q
  2⤵
  PID:1072

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/752-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/752-55-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/752-57-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/1072-56-0x0000000000000000-mapping.dmp

Download