c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1

Analysis

max time kernel
150s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 00:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe
Size

78KB
MD5

99f46b04c9b526fcadf08e25c8e719dd
SHA1

c91fe4bdac3b1239e5a1e29dead8769c8386be48
SHA256

c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1
SHA512

2002f3eda24f018727ea89381eedb83246e877285596daef47775684f40e6a78775c1a541fd9dea982af9e5e8db58c0bd1d27a74ccad5d66b65883ce59168f95
SSDEEP

1536:uBQYWznMCStqry8al4uvt616csVVz7wC1u07nT1DH:RznMCStqrkLF6ccsVVLd1DH

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	mycc080327.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\myccgj = "rundll32.exe C:\\Windows\\system32\\mycc080327.dll mymain"	mycc080327.exe

Executes dropped EXE 1 IoCs

pid	Process
968	mycc080327.exe

Deletes itself 1 IoCs

pid	Process
1644	cmd.exe

Loads dropped DLL 6 IoCs

pid	Process
612	rundll32.exe
612	rundll32.exe
612	rundll32.exe
612	rundll32.exe
1276	cmd.exe
1276	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mycc080327.exe	c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe
File opened for modification	C:\Windows\SysWOW64\mycc080327.exe	c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe
File created	C:\Windows\SysWOW64\mycc080327.dll	c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe
File created	C:\Windows\SysWOW64\mycc32.dll	mycc080327.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\cc16.ini	c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe
File opened for modification	C:\Windows\cc16.ini	mycc080327.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1532	PING.EXE
1652	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1932	c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe
1932	c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe
968	mycc080327.exe
968	mycc080327.exe
968	mycc080327.exe
968	mycc080327.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe
Token: SeDebugPrivilege	968	mycc080327.exe
Token: SeDebugPrivilege	968	mycc080327.exe
Token: SeDebugPrivilege	968	mycc080327.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 612	1932	c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe	28
PID 1932 wrote to memory of 612	1932	c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe	28
PID 1932 wrote to memory of 612	1932	c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe	28
PID 1932 wrote to memory of 612	1932	c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe	28
PID 1932 wrote to memory of 612	1932	c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe	28
PID 1932 wrote to memory of 612	1932	c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe	28
PID 1932 wrote to memory of 612	1932	c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe	28
PID 612 wrote to memory of 1276	612	rundll32.exe	29
PID 612 wrote to memory of 1276	612	rundll32.exe	29
PID 612 wrote to memory of 1276	612	rundll32.exe	29
PID 612 wrote to memory of 1276	612	rundll32.exe	29
PID 1276 wrote to memory of 968	1276	cmd.exe	31
PID 1276 wrote to memory of 968	1276	cmd.exe	31
PID 1276 wrote to memory of 968	1276	cmd.exe	31
PID 1276 wrote to memory of 968	1276	cmd.exe	31
PID 1932 wrote to memory of 1644	1932	c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe	32
PID 1932 wrote to memory of 1644	1932	c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe	32
PID 1932 wrote to memory of 1644	1932	c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe	32
PID 1932 wrote to memory of 1644	1932	c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe	32
PID 1644 wrote to memory of 1532	1644	cmd.exe	34
PID 1644 wrote to memory of 1532	1644	cmd.exe	34
PID 1644 wrote to memory of 1532	1644	cmd.exe	34
PID 1644 wrote to memory of 1532	1644	cmd.exe	34
PID 968 wrote to memory of 1152	968	mycc080327.exe	35
PID 968 wrote to memory of 1152	968	mycc080327.exe	35
PID 968 wrote to memory of 1152	968	mycc080327.exe	35
PID 968 wrote to memory of 1152	968	mycc080327.exe	35
PID 968 wrote to memory of 1152	968	mycc080327.exe	35
PID 968 wrote to memory of 1736	968	mycc080327.exe	36
PID 968 wrote to memory of 1736	968	mycc080327.exe	36
PID 968 wrote to memory of 1736	968	mycc080327.exe	36
PID 968 wrote to memory of 1736	968	mycc080327.exe	36
PID 1736 wrote to memory of 1652	1736	cmd.exe	38
PID 1736 wrote to memory of 1652	1736	cmd.exe	38
PID 1736 wrote to memory of 1652	1736	cmd.exe	38
PID 1736 wrote to memory of 1652	1736	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe
"C:\Users\Admin\AppData\Local\Temp\c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\mycc080327.dll mymain
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\downf.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Windows\SysWOW64\mycc080327.exe
      "C:\Windows\system32\mycc080327.exe" i
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:968
    - - C:\program files\internet explorer\iexplore.exe
        
        "C:\program files\internet explorer\iexplore.exe"
        5⤵
        
        PID:1152
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "c:\nmDelm.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1736
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "c:\nmDelm.bat"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mycc080327.dll

Filesize
27KB

MD5
a98975bb50e7023d786e41fa4c7f9f85

SHA1
cd3da8edb467e6591364e5adec5f43109d71ade1

SHA256
f46296df75ef953ee5ce94aaef44700cfae274b4427d53f6c97177688b5e8509

SHA512
a40b9a1886e2f8b1909cc72a134320940824900d0423bad121fd5a464ab8cfa67f1f1c23b580f09978560443adb6a5cf57c360e71b047264e64e70ffa6db3311

Download Submit
C:\Windows\SysWOW64\mycc080327.exe

Filesize
78KB

MD5
99f46b04c9b526fcadf08e25c8e719dd

SHA1
c91fe4bdac3b1239e5a1e29dead8769c8386be48

SHA256
c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1

SHA512
2002f3eda24f018727ea89381eedb83246e877285596daef47775684f40e6a78775c1a541fd9dea982af9e5e8db58c0bd1d27a74ccad5d66b65883ce59168f95

Download Submit
C:\Windows\SysWOW64\mycc080327.exe

Filesize
78KB

MD5
99f46b04c9b526fcadf08e25c8e719dd

SHA1
c91fe4bdac3b1239e5a1e29dead8769c8386be48

SHA256
c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1

SHA512
2002f3eda24f018727ea89381eedb83246e877285596daef47775684f40e6a78775c1a541fd9dea982af9e5e8db58c0bd1d27a74ccad5d66b65883ce59168f95

Download Submit
C:\Windows\cc16.ini

Filesize
146B

MD5
85c4c2355a80c72d6c783e8f578eab58

SHA1
1c455a30fcad499acbd253fc5b2edcd926ef3a65

SHA256
d547f762c0148ca779c2059ab5dc1411e367a7f0290a119c9991d78ad7f38afe

SHA512
7cf1c0b2261961e82a72a04a656d48614f20fe79d9419544656bee52e5fb061f831d5eb06e93df9b6c5cc2c5f16c96ee31ec5d04e3a5c063e620623a74345f18

Download Submit
C:\downf.bat

Filesize
48B

MD5
6d575d3f82069127c38e29e09efbd187

SHA1
2d95b11f367961356629c1beb19eb4007706c04c

SHA256
0f67c4c68a8f6546ff59d546fead97fbad77baeb44891674a882a2fd7a2333b4

SHA512
24e989fb000bd6d5761eb12f3af37215f81077eda1a687bc03d426ee7a1e58286f8e3fc93f666d08af46c1cb85eefcaea095746bca6e1d51bc24ee66ab9c3b4e

Download Submit
\??\c:\nmDelm.bat

Filesize
269B

MD5
c3a3163f41185a9a0bcd55ad5c3e80fd

SHA1
d47e4dbe3765e1cc3ff189a93cc0271392ca21f6

SHA256
d76e33061d2105981ea405765d7621e7bf912eabf7424ce13bbfdc0c8f01f889

SHA512
074319efb0f53526d2c6ba9d274383471e049e414b3262ecbab319044d9a9b21488a413f371d7e7de0a6960af187fb5885a50cf9ef261191a0841a6df20ef3ec

Download Submit
\??\c:\nmDelm.bat

Filesize
133B

MD5
47db02813e14a795b6612b32d90d8cb6

SHA1
299814216d4ebc4214d1a7d6d107c40b548d6656

SHA256
f2a0eba55dcdfe5d71fb550dedab31e47a73d62555adde85965cd7a8dfb12230

SHA512
153a45467ae593506aea6f445e230e76380f9d7db420444ba837bf98138b2b427e1d3fcdf12929bc48d06d7d7876fc37d2815ba42d3f5ecafe92e404810dca58

Download Submit
\Windows\SysWOW64\mycc080327.dll

Filesize
27KB

MD5
a98975bb50e7023d786e41fa4c7f9f85

SHA1
cd3da8edb467e6591364e5adec5f43109d71ade1

SHA256
f46296df75ef953ee5ce94aaef44700cfae274b4427d53f6c97177688b5e8509

SHA512
a40b9a1886e2f8b1909cc72a134320940824900d0423bad121fd5a464ab8cfa67f1f1c23b580f09978560443adb6a5cf57c360e71b047264e64e70ffa6db3311

Download Submit
\Windows\SysWOW64\mycc080327.dll

Filesize
27KB

MD5
a98975bb50e7023d786e41fa4c7f9f85

SHA1
cd3da8edb467e6591364e5adec5f43109d71ade1

SHA256
f46296df75ef953ee5ce94aaef44700cfae274b4427d53f6c97177688b5e8509

SHA512
a40b9a1886e2f8b1909cc72a134320940824900d0423bad121fd5a464ab8cfa67f1f1c23b580f09978560443adb6a5cf57c360e71b047264e64e70ffa6db3311

Download Submit
\Windows\SysWOW64\mycc080327.dll

Filesize
27KB

MD5
a98975bb50e7023d786e41fa4c7f9f85

SHA1
cd3da8edb467e6591364e5adec5f43109d71ade1

SHA256
f46296df75ef953ee5ce94aaef44700cfae274b4427d53f6c97177688b5e8509

SHA512
a40b9a1886e2f8b1909cc72a134320940824900d0423bad121fd5a464ab8cfa67f1f1c23b580f09978560443adb6a5cf57c360e71b047264e64e70ffa6db3311

Download Submit
\Windows\SysWOW64\mycc080327.dll

Filesize
27KB

MD5
a98975bb50e7023d786e41fa4c7f9f85

SHA1
cd3da8edb467e6591364e5adec5f43109d71ade1

SHA256
f46296df75ef953ee5ce94aaef44700cfae274b4427d53f6c97177688b5e8509

SHA512
a40b9a1886e2f8b1909cc72a134320940824900d0423bad121fd5a464ab8cfa67f1f1c23b580f09978560443adb6a5cf57c360e71b047264e64e70ffa6db3311

Download Submit
\Windows\SysWOW64\mycc080327.exe

Filesize
78KB

MD5
99f46b04c9b526fcadf08e25c8e719dd

SHA1
c91fe4bdac3b1239e5a1e29dead8769c8386be48

SHA256
c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1

SHA512
2002f3eda24f018727ea89381eedb83246e877285596daef47775684f40e6a78775c1a541fd9dea982af9e5e8db58c0bd1d27a74ccad5d66b65883ce59168f95

Download Submit
\Windows\SysWOW64\mycc080327.exe

Filesize
78KB

MD5
99f46b04c9b526fcadf08e25c8e719dd

SHA1
c91fe4bdac3b1239e5a1e29dead8769c8386be48

SHA256
c4fb85a81aabcabe491e1ddba367a9d474aff15a8127198b67bedf2e7f170be1

SHA512
2002f3eda24f018727ea89381eedb83246e877285596daef47775684f40e6a78775c1a541fd9dea982af9e5e8db58c0bd1d27a74ccad5d66b65883ce59168f95

Download Submit
memory/612-61-0x00000000001A0000-0x00000000001AD000-memory.dmp

Filesize
52KB

Download
memory/612-55-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download