788aee2dad3b746782d1ff33fcdb6531cce3b6444dac830284f50be3bb57848c

General

Target

788aee2dad3b746782d1ff33fcdb6531cce3b6444dac830284f50be3bb57848c.exe
Size

322KB
MD5

d59728258539e9384e12595e1d60d700
SHA1

fbcf27ce6ef7666e7b61418441ba39323c6ba0ef
SHA256

788aee2dad3b746782d1ff33fcdb6531cce3b6444dac830284f50be3bb57848c
SHA512

7d7469490141888c81959b39dc33d172064b778f11e2878d2ee080f9f4eec655ba8895538e462a20bae3f7dd43f871038b88796fbcf6c96f4625ec9e919612ef
SSDEEP

6144:0ME1nmg1tDbJ5621YNA+APDCdRweVLjVqKkm7YQHyRV/1B31hvtGHSWtDUO:9gnJcdRweVLjV7YQI7lhvtGHtt

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1504	CCDDOS.exe

Loads dropped DLL 5 IoCs

pid	Process
1320	788aee2dad3b746782d1ff33fcdb6531cce3b6444dac830284f50be3bb57848c.exe
1320	788aee2dad3b746782d1ff33fcdb6531cce3b6444dac830284f50be3bb57848c.exe
1504	CCDDOS.exe
1504	CCDDOS.exe
1504	CCDDOS.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CCDDOS.exe	788aee2dad3b746782d1ff33fcdb6531cce3b6444dac830284f50be3bb57848c.exe
File opened for modification	C:\Windows\SysWOW64\CCDDOS.exe	788aee2dad3b746782d1ff33fcdb6531cce3b6444dac830284f50be3bb57848c.exe
File created	C:\Windows\SysWOW64\CCDDOS.INI	788aee2dad3b746782d1ff33fcdb6531cce3b6444dac830284f50be3bb57848c.exe
File opened for modification	C:\Windows\SysWOW64\CCDDOS.INI	788aee2dad3b746782d1ff33fcdb6531cce3b6444dac830284f50be3bb57848c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1320	788aee2dad3b746782d1ff33fcdb6531cce3b6444dac830284f50be3bb57848c.exe
Token: SeBackupPrivilege	1320	788aee2dad3b746782d1ff33fcdb6531cce3b6444dac830284f50be3bb57848c.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 1504	1320	788aee2dad3b746782d1ff33fcdb6531cce3b6444dac830284f50be3bb57848c.exe	28
PID 1320 wrote to memory of 1504	1320	788aee2dad3b746782d1ff33fcdb6531cce3b6444dac830284f50be3bb57848c.exe	28
PID 1320 wrote to memory of 1504	1320	788aee2dad3b746782d1ff33fcdb6531cce3b6444dac830284f50be3bb57848c.exe	28
PID 1320 wrote to memory of 1504	1320	788aee2dad3b746782d1ff33fcdb6531cce3b6444dac830284f50be3bb57848c.exe	28
PID 1320 wrote to memory of 1504	1320	788aee2dad3b746782d1ff33fcdb6531cce3b6444dac830284f50be3bb57848c.exe	28
PID 1320 wrote to memory of 1504	1320	788aee2dad3b746782d1ff33fcdb6531cce3b6444dac830284f50be3bb57848c.exe	28
PID 1320 wrote to memory of 1504	1320	788aee2dad3b746782d1ff33fcdb6531cce3b6444dac830284f50be3bb57848c.exe	28

C:\Users\Admin\AppData\Local\Temp\788aee2dad3b746782d1ff33fcdb6531cce3b6444dac830284f50be3bb57848c.exe
"C:\Users\Admin\AppData\Local\Temp\788aee2dad3b746782d1ff33fcdb6531cce3b6444dac830284f50be3bb57848c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\SysWOW64\CCDDOS.exe
  "C:\Windows\system32\CCDDOS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\CCDDOS.INI

Filesize
66B

MD5
f4214388e0d0e383d06afd3939ac4148

SHA1
afc0602887d13106189184330200f737031f22bd

SHA256
b9001a9f6f3dcf51e54102a4b04bb5b33c351fe5ed1007baf0a46ff8ba1bc540

SHA512
033a75928a92f7b675b7675ebe6ccbe70b11116b45ecde26fb50f940d64efd29e10bef589c24730e4c3781d642bd4784455ed0e8f7ced67316c027b021ed7dc0

Download Submit
C:\Windows\SysWOW64\CCDDOS.exe

Filesize
233KB

MD5
9186d0205c8e2a8dc5fbc7bd9bcb3450

SHA1
d45f4d666e268b11a511872bd424a216bc38b5b0

SHA256
17fbc68f895469f39c9d611ae4f3eff5c0777884f9ced04a5536a372cd6d90c9

SHA512
55bbd461e080277255d5615253b944067ca465bf9b931110241ffaed9ea3c27d1f326e4ba0e975300761f2fad2a526f77d540cb2cf0aa398849be43aedf99a68

Download Submit
C:\Windows\SysWOW64\CCDDOS.exe

Filesize
233KB

MD5
9186d0205c8e2a8dc5fbc7bd9bcb3450

SHA1
d45f4d666e268b11a511872bd424a216bc38b5b0

SHA256
17fbc68f895469f39c9d611ae4f3eff5c0777884f9ced04a5536a372cd6d90c9

SHA512
55bbd461e080277255d5615253b944067ca465bf9b931110241ffaed9ea3c27d1f326e4ba0e975300761f2fad2a526f77d540cb2cf0aa398849be43aedf99a68

Download Submit
\Windows\SysWOW64\CCDDOS.exe

Filesize
233KB

MD5
9186d0205c8e2a8dc5fbc7bd9bcb3450

SHA1
d45f4d666e268b11a511872bd424a216bc38b5b0

SHA256
17fbc68f895469f39c9d611ae4f3eff5c0777884f9ced04a5536a372cd6d90c9

SHA512
55bbd461e080277255d5615253b944067ca465bf9b931110241ffaed9ea3c27d1f326e4ba0e975300761f2fad2a526f77d540cb2cf0aa398849be43aedf99a68

Download Submit
\Windows\SysWOW64\CCDDOS.exe

Filesize
233KB

MD5
9186d0205c8e2a8dc5fbc7bd9bcb3450

SHA1
d45f4d666e268b11a511872bd424a216bc38b5b0

SHA256
17fbc68f895469f39c9d611ae4f3eff5c0777884f9ced04a5536a372cd6d90c9

SHA512
55bbd461e080277255d5615253b944067ca465bf9b931110241ffaed9ea3c27d1f326e4ba0e975300761f2fad2a526f77d540cb2cf0aa398849be43aedf99a68

Download Submit
\Windows\SysWOW64\CCDDOS.exe

Filesize
233KB

MD5
9186d0205c8e2a8dc5fbc7bd9bcb3450

SHA1
d45f4d666e268b11a511872bd424a216bc38b5b0

SHA256
17fbc68f895469f39c9d611ae4f3eff5c0777884f9ced04a5536a372cd6d90c9

SHA512
55bbd461e080277255d5615253b944067ca465bf9b931110241ffaed9ea3c27d1f326e4ba0e975300761f2fad2a526f77d540cb2cf0aa398849be43aedf99a68

Download Submit
\Windows\SysWOW64\CCDDOS.exe

Filesize
233KB

MD5
9186d0205c8e2a8dc5fbc7bd9bcb3450

SHA1
d45f4d666e268b11a511872bd424a216bc38b5b0

SHA256
17fbc68f895469f39c9d611ae4f3eff5c0777884f9ced04a5536a372cd6d90c9

SHA512
55bbd461e080277255d5615253b944067ca465bf9b931110241ffaed9ea3c27d1f326e4ba0e975300761f2fad2a526f77d540cb2cf0aa398849be43aedf99a68

Download Submit
\Windows\SysWOW64\CCDDOS.exe

Filesize
233KB

MD5
9186d0205c8e2a8dc5fbc7bd9bcb3450

SHA1
d45f4d666e268b11a511872bd424a216bc38b5b0

SHA256
17fbc68f895469f39c9d611ae4f3eff5c0777884f9ced04a5536a372cd6d90c9

SHA512
55bbd461e080277255d5615253b944067ca465bf9b931110241ffaed9ea3c27d1f326e4ba0e975300761f2fad2a526f77d540cb2cf0aa398849be43aedf99a68

Download Submit
memory/1320-54-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/1320-56-0x0000000002E30000-0x0000000002ECE000-memory.dmp

Filesize
632KB

Download
memory/1504-66-0x0000000000930000-0x00000000009CE000-memory.dmp

Filesize
632KB

Download
memory/1504-67-0x0000000000930000-0x00000000009CE000-memory.dmp

Filesize
632KB

Download
memory/1504-68-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1504-69-0x0000000000930000-0x00000000009CE000-memory.dmp

Filesize
632KB

Download
memory/1504-70-0x0000000000930000-0x00000000009CE000-memory.dmp

Filesize
632KB

Download
memory/1504-71-0x0000000000930000-0x00000000009CE000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing