Analysis
- max time kernel: 163s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/11/2022, 04:39
Behavioral task behavioral1
- Sample: b97d87f02d2e67768000764315e0f87ab01235caf934a395512c25abff90bf08.exe
- Resource: win7-20220901-en
Behavioral task behavioral2
- Sample: b97d87f02d2e67768000764315e0f87ab01235caf934a395512c25abff90bf08.exe
- Resource: win10v2004-20220812-en (the results on this page are from this task, as the Analysis block and the behavioral2/ paths in the signature hits show)
General
- Target: b97d87f02d2e67768000764315e0f87ab01235caf934a395512c25abff90bf08.exe
- Size: 8.7MB
- MD5: ad3473dc1cf1f81aac303a30f0e1ab33
- SHA1: 8f94ae51d7454da0494babc28a1534fbc62c33d3
- SHA256: b97d87f02d2e67768000764315e0f87ab01235caf934a395512c25abff90bf08
- SHA512: 327fa4aadba83548c5286e3252f1e08820ffcd68cca1f4543dcd075b0599906c4474f95fb467c6ee5f401ebb562baf10f9edb8a8aea711139271d933f972bf1a
- SSDEEP: 98304:mtRaMMMMM2MMMMMa+RYNAKvkTgXuquveY+W2o8oT3ezMrl9cekcHhXh9HJUiWUXC:QmAIuQ3KvUY+
Malware Config
Signatures
Executes dropped EXE (1 IoC)
- PID 5112: CCTV.exe
YARA rule matches: upx (7 IoCs; the rule name is all the report records for this signature)
- behavioral2/memory/1560-132-0x0000000000400000-0x0000000000424000-memory.dmp
- behavioral2/memory/1560-134-0x0000000000400000-0x0000000000424000-memory.dmp
- behavioral2/files/0x0007000000022f67-140.dat
- behavioral2/files/0x0007000000022f67-139.dat
- behavioral2/memory/5112-142-0x0000000000400000-0x0000000000424000-memory.dmp
- behavioral2/memory/1560-144-0x0000000000400000-0x0000000000424000-memory.dmp
- behavioral2/memory/5112-145-0x0000000000400000-0x0000000000424000-memory.dmp
Both the submitted sample (PID 1560) and the dropped CCTV.exe (PID 5112) match the upx rule in a dumped image region of 0x24000 bytes (144KB) at the default 0x400000 base, against an 8.7MB file on disk; the two dropped .dat files match the same rule.
Drops file in Program Files directory (64 IoCs)
All 64 records are "File opened for modification" by CCTV.exe:
- C:\Program Files\Common Files\microsoft shared\ink\mip.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
- C:\Program Files\Java\jre1.8.0_66\bin\klist.exe
- C:\Program Files\Microsoft Office\root\Office16\msoia.exe
- C:\Program Files\Microsoft Office\root\Office16\misc.exe
- C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe
- C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe
- C:\Program Files\Microsoft Office\root\Office16\msotd.exe
- C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe
- C:\Program Files\7-Zip\7z.exe
- C:\Program Files\7-Zip\7zFM.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe
- C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe
- C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe
- C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe
- C:\Program Files\Internet Explorer\ieinstal.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe
- C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe
- C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE
- C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe
- C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
- C:\Program Files\Internet Explorer\ielowutil.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe
- C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe
- C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe
- C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE
- C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe
- C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe
- C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
- C:\Program Files\7-Zip\Uninstall.exe
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\nacl_irt_x86_64.nexe
- C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe
- C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe
- C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe
- C:\Program Files\Microsoft Office\root\Office16\msoasb.exe
- C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE
- C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE
- C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe
- C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
- C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
- C:\Program Files\Internet Explorer\ExtExport.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
- C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe
Drops file in Windows directory (3 IoCs)
- File opened for modification: C:\Windows\CCTV.exe, by b97d87f02d2e67768000764315e0f87ab01235caf934a395512c25abff90bf08.exe
- File opened for modification: C:\Windows\CCTV.exe, by CCTV.exe
- File created: C:\Windows\CCTV.exe, by b97d87f02d2e67768000764315e0f87ab01235caf934a395512c25abff90bf08.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 1560: b97d87f02d2e67768000764315e0f87ab01235caf934a395512c25abff90bf08.exe
- PID 5112: CCTV.exe
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1560 wrote to memory of 1196 1560 b97d87f02d2e67768000764315e0f87ab01235caf934a395512c25abff90bf08.exe 80 PID 1560 wrote to memory of 1196 1560 b97d87f02d2e67768000764315e0f87ab01235caf934a395512c25abff90bf08.exe 80 PID 1560 wrote to memory of 1196 1560 b97d87f02d2e67768000764315e0f87ab01235caf934a395512c25abff90bf08.exe 80 PID 1560 wrote to memory of 5112 1560 b97d87f02d2e67768000764315e0f87ab01235caf934a395512c25abff90bf08.exe 82 PID 1560 wrote to memory of 5112 1560 b97d87f02d2e67768000764315e0f87ab01235caf934a395512c25abff90bf08.exe 82 PID 1560 wrote to memory of 5112 1560 b97d87f02d2e67768000764315e0f87ab01235caf934a395512c25abff90bf08.exe 82
Processes
- C:\Users\Admin\AppData\Local\Temp\b97d87f02d2e67768000764315e0f87ab01235caf934a395512c25abff90bf08.exe (PID 1560, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b97d87f02d2e67768000764315e0f87ab01235caf934a395512c25abff90bf08.exe"
  Signatures: Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1196, depth 2, child of 1560)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\b97d87f02d2e67768000764315e0f87ab01235caf934a395512c25abff90bf08kill.bat
    The command line names system32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the parent is a 32-bit process, so WOW64 file-system redirection maps system32 to SysWOW64 for it. The batch file is listed under Downloads below (252B); the report does not record its contents.
  - C:\Windows\CCTV.exe (PID 5112, depth 2, child of 1560)
    Command line: C:\Windows\CCTV.exe
    Signatures: Executes dropped EXE; Drops file in Program Files directory; Drops file in Windows directory; Suspicious use of SetWindowsHookEx
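The two behaviours the signatures and process tree describe (an executable written straight into the Windows root by a process running from a user-writable path, then that dropped executable write-opening dozens of unrelated binaries under Program Files) expressed as detection logic, as an added example that is not part of the sandbox report. The event tuples, the thresholds and the rule names are assumptions for this example; the paths are the ones the report records. The telemetry is constructed to mirror the report's IoC rows, including a benign uninstaller touching its own directory to show the exclusion:

```python
"""Detection logic for the behaviours in the report above: an executable
written straight into the Windows root by a process running from a
user-writable path, and one process write-opening many unrelated
executables under Program Files (the file-infector pattern).
Added example; the telemetry below is constructed, not sandbox output."""
import re
from collections import defaultdict

# Paths copied from the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b97d87f02d2e67768000764315e0f87ab01235caf934a395512c25abff90bf08.exe")
DROPPER = r"C:\Windows\CCTV.exe"
TOUCHED = [  # a subset of the 64 "opened for modification" targets
    r"C:\Program Files\7-Zip\7z.exe",
    r"C:\Program Files\7-Zip\7zFM.exe",
    r"C:\Program Files\Common Files\microsoft shared\ink\mip.exe",
    r"C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe",
    r"C:\Program Files\Google\Chrome\Application\chrome_proxy.exe",
    r"C:\Program Files\Internet Explorer\ieinstal.exe",
    r"C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe",
    r"C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe",
    r"C:\Program Files\Java\jre1.8.0_66\bin\klist.exe",
    r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
    r"C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE",
    r"C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE",
]

# Constructed telemetry: (seconds, pid, writer image, operation, target).
EVENTS = (
    [(0.0, 1560, SAMPLE, "create", DROPPER),
     (0.2, 1560, SAMPLE, "modify", DROPPER)]
    + [(1.0 + i * 0.1, 5112, DROPPER, "modify", p) for i, p in enumerate(TOUCHED)]
    # Benign noise: an uninstaller rewriting files in its own directory.
    + [(50.0, 4000, r"C:\Program Files\7-Zip\Uninstall.exe", "modify", TOUCHED[0]),
       (50.1, 4000, r"C:\Program Files\7-Zip\Uninstall.exe", "modify", TOUCHED[1])]
)

WIN_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)
PROGRAM_FILES = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata)\\", re.IGNORECASE)


def parent_dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def exe_written_to_windows_root(events):
    """Rule 1: a process from a user-writable location writes an .exe
    directly into the Windows root. Writing there needs admin rights,
    which the sandbox's 'Admin' user had."""
    return [(pid, image, target)
            for _ts, pid, image, op, target in events
            if op in ("create", "modify")
            and WIN_ROOT_EXE.match(target)
            and USER_WRITABLE.match(image)]


def mass_exe_tampering(events, threshold=10, window=60.0):
    """Rule 2: one pid write-opens at least `threshold` distinct .exe files
    under Program Files, outside its own directory, within `window`
    seconds. Returns [(pid, distinct_count)] for the first window that
    crosses the threshold."""
    per_pid = defaultdict(list)
    for ts, pid, image, op, target in events:
        if op != "modify" or not PROGRAM_FILES.match(target):
            continue
        if not target.lower().endswith(".exe"):
            continue
        if parent_dir(target) == parent_dir(image):
            continue  # installers and updaters rewriting their own tree
        per_pid[pid].append((ts, target.lower()))
    alerts = []
    for pid, rows in per_pid.items():
        rows.sort()
        lo = 0
        for hi in range(len(rows)):
            while rows[hi][0] - rows[lo][0] > window:
                lo += 1
            distinct = {t for _, t in rows[lo:hi + 1]}
            if len(distinct) >= threshold:
                alerts.append((pid, len(distinct)))
                break
    return alerts


if __name__ == "__main__":
    for hit in exe_written_to_windows_root(EVENTS):
        print("windows-root-exe-write:", hit)
    for pid, n in mass_exe_tampering(EVENTS):
        print(f"mass-exe-tampering: pid {pid} touched {n} executables")
```

Rule 2 deliberately ignores writes into the writer's own directory; that is the cheapest way to keep installers and updaters out of the alert while still catching a process in C:\Windows rewriting Java, Office and 7-Zip binaries, which is the shape of the 64 records above.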
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\b97d87f02d2e67768000764315e0f87ab01235caf934a395512c25abff90bf08kill.bat
  Filesize: 252B
  MD5: 3c9465ad07497a25a77dc797df31fc0f
  SHA1: 7ba3370e77d2dbe7ddfd4804ead9b64b9b2c9c24
  SHA256: f313ec6874e85729b765f3d1165a857334b61e869355438c9b3d5f4a65d7cd07
  SHA512: 6b152d48660463845cbfc9ca6c0026dde2792b5a97e1b1d1c2c76f9e5f2080f8f1daa65179ebd7ee58d28ab27f9162eb50cc3ed839a9ff7f91c857987b228963
- Dropped file (name not recorded in the report; listed twice with identical hashes, which are the same as the submitted sample's)
  Filesize: 8.7MB
  MD5: ad3473dc1cf1f81aac303a30f0e1ab33
  SHA1: 8f94ae51d7454da0494babc28a1534fbc62c33d3
  SHA256: b97d87f02d2e67768000764315e0f87ab01235caf934a395512c25abff90bf08
  SHA512: 327fa4aadba83548c5286e3252f1e08820ffcd68cca1f4543dcd075b0599906c4474f95fb467c6ee5f401ebb562baf10f9edb8a8aea711139271d933f972bf1a
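A host triage pass built from the hashes on this page, as an added example that is not the sandbox's code: it hashes candidate paths, flags any that match the report's digests, and for the Program Files binaries that CCTV.exe opened for modification asks Authenticode whether the file still matches its signature. It assumes a Windows host with PowerShell on PATH (Get-AuthenticodeSignature is a real cmdlet); the TOUCHED list is a subset of the report's paths, and the verdict labels are this example's own. The decision logic is kept in a pure function so it can be exercised without a Windows host:

```python
"""Host triage against the hashes in this report: hash candidate files,
flag matches, and check the Authenticode status of Program Files binaries
the dropped CCTV.exe opened for modification. Added example, not the
sandbox's code. Assumes a Windows host with PowerShell on PATH for the
signature step."""
import hashlib
import os
import subprocess

# SHA-256 values copied from the report. The two dropped 8.7MB files carry
# the same digest as the submitted sample, so one entry covers all three.
KNOWN = {
    "b97d87f02d2e67768000764315e0f87ab01235caf934a395512c25abff90bf08":
        "submitted sample / dropped C:\\Windows\\CCTV.exe",
    "f313ec6874e85729b765f3d1165a857334b61e869355438c9b3d5f4a65d7cd07":
        "dropped kill.bat",
}
# Paths copied from the report (a subset of the 64 Program Files targets).
TOUCHED = [
    r"C:\Windows\CCTV.exe",
    r"C:\Program Files\7-Zip\7z.exe",
    r"C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe",
    r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
    r"C:\Program Files\Google\Chrome\Application\chrome_proxy.exe",
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_digest(digest: str):
    """Label for a digest that appears in the report, else None."""
    return KNOWN.get(digest.lower())


def authenticode_status(path: str) -> str:
    """Ask PowerShell for the SignatureStatus name ('Valid', 'NotSigned',
    'HashMismatch', ...). A signed binary that now reports HashMismatch
    was rewritten after signing, which is what a file infector leaves
    behind. Single quotes in the path are doubled for PowerShell's
    single-quoted string syntax."""
    literal = path.replace("'", "''")
    cmd = ["powershell", "-NoProfile", "-Command",
           f"(Get-AuthenticodeSignature -LiteralPath '{literal}').Status.ToString()"]
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
    return out.stdout.strip() or "Unknown"


def verdict(path: str, digest: str, status: str):
    """Pure decision logic; labels are this example's own."""
    label = classify_digest(digest)
    if label:
        return ("ioc-hash-match", label)
    if status == "HashMismatch":
        return ("tampered-after-signing", status)
    if status == "NotSigned":
        # Some vendors ship unsigned binaries, so this only means the file
        # must be compared against a known-good copy, not that it is infected.
        return ("unverifiable", status)
    return None


def triage(paths=TOUCHED):
    findings = []
    for p in paths:
        if not os.path.isfile(p):
            continue
        digest = hash_file(p)
        status = "Unknown"
        if classify_digest(digest) is None:
            status = authenticode_status(p)
        v = verdict(p, digest, status)
        if v:
            findings.append((p,) + v)
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(*finding, sep="  ")
```

A hash match on C:\Windows\CCTV.exe is the strongest indicator on this page, since the dropped copy hashes identically to the sample. For the 64 Program Files binaries the useful signal is HashMismatch on a file that was signed by its vendor; NotSigned is only a prompt to compare against a clean install.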