7c94dd6ac48c238b1f1f606eec6d3455d9190d33e7864ae0df4316f8e7f96876

Analysis

max time kernel
91s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20221111-es
resource tags

arch:x64arch:x86image:win10v2004-20221111-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
30-12-2022 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccsetup602.exe
Size

47.6MB
MD5

8da8d2ac0b009ac03e6b67e3d81f37a8
SHA1

4dcd7954fe08f746505d2ead9f85f10325b9b7b2
SHA256

7c94dd6ac48c238b1f1f606eec6d3455d9190d33e7864ae0df4316f8e7f96876
SHA512

6eb16849b3e39c9f55520b3564aecd6581bfb6fa04fcf29990e7bdcab121647a43f4dd5505c1abe1eb3282e6040a53c4d3b2c9e610bf12aa30341ac603f9fb6a
SSDEEP

786432:yRzBlSAqeNvuwHZoXX3Azl0+sgTgu2fqDWL8t04fNG2zyG2J6DT3AO:yRzBlqex1H2XAz27qDCY0iwQnE6DTQO

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Loads dropped DLL 13 IoCs

Processes:

ccsetup602.exe

pid	process
2832	ccsetup602.exe
2832	ccsetup602.exe
2832	ccsetup602.exe
2832	ccsetup602.exe
2832	ccsetup602.exe
2832	ccsetup602.exe
2832	ccsetup602.exe
2832	ccsetup602.exe
2832	ccsetup602.exe
2832	ccsetup602.exe
2832	ccsetup602.exe
2832	ccsetup602.exe
2832	ccsetup602.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

ccsetup602.exe

description ioc process

File opened for modification \??\PhysicalDrive0 ccsetup602.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	ccsetup602.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ccsetup602.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ccsetup602.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ccsetup602.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ccsetup602.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ccsetup602.exe

pid process

2832 ccsetup602.exe
2832 ccsetup602.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ccsetup602.exe

description	pid	process
Token: SeShutdownPrivilege	2832	ccsetup602.exe
Token: SeCreatePagefilePrivilege	2832	ccsetup602.exe
Token: SeShutdownPrivilege	2832	ccsetup602.exe
Token: SeCreatePagefilePrivilege	2832	ccsetup602.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ccsetup602.exe

pid process

2832 ccsetup602.exe
2832 ccsetup602.exe

C:\Users\Admin\AppData\Local\Temp\ccsetup602.exe
"C:\Users\Admin\AppData\Local\Temp\ccsetup602.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsh73DF.tmp\System.dll

Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh73DF.tmp\System.dll

Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh73DF.tmp\UserInfo.dll

Filesize
4KB

MD5
c1f778a6d65178d34bde4206161a98e0

SHA1
29719fffef1ab6fe2df47e5ed258a5e3b3a11cfc

SHA256
9caf7a78f750713180cf64d18967a2b803b5580e636e59279dcaaf18ba0daa87

SHA512
9c3cf25cf43f85a5f9c9ed555f12f3626ef9daeeedd4d366ada58748ead1f6e279fea977c76ae8bae1dc49bfd852e899cb137c4a006c13e9fcebf6e5e2926a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh73DF.tmp\UserInfo.dll

Filesize
4KB

MD5
c1f778a6d65178d34bde4206161a98e0

SHA1
29719fffef1ab6fe2df47e5ed258a5e3b3a11cfc

SHA256
9caf7a78f750713180cf64d18967a2b803b5580e636e59279dcaaf18ba0daa87

SHA512
9c3cf25cf43f85a5f9c9ed555f12f3626ef9daeeedd4d366ada58748ead1f6e279fea977c76ae8bae1dc49bfd852e899cb137c4a006c13e9fcebf6e5e2926a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh73DF.tmp\a\asdk.dll

Filesize
965KB

MD5
f43ac06539d4816763506b17b1968812

SHA1
b1ecb3c88034983447cc08d14fb6a6a240f1bc0f

SHA256
b221c0442530cbb635caf3f4780edd292aa9f1d9da52c5ae39c7bb085be25dfc

SHA512
07a3f209e26abc05c176786680982177c61af8f32566d83f72f5f7983df6ed697022e764c832a0cc0f06a2e38b9f50d237e8f72476e9d5304295127dc08aaadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh73DF.tmp\g\gcapi_dll.dll

Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh73DF.tmp\g\gcapi_dll.dll

Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh73DF.tmp\nsDialogs.dll

Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh73DF.tmp\nsDialogs.dll

Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh73DF.tmp\nsDialogs.dll

Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh73DF.tmp\nsDialogs.dll

Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh73DF.tmp\p\pfBL.dll

Filesize
10.4MB

MD5
6ddffba31fda380b0a1a71e2c5918624

SHA1
4bae4d95e8be8d6f1a73f6760791785302b5e4ab

SHA256
ee033fdbd7bd82848426fce765c13eaccb0c0211eb1d586ef8e5288aee25aea0

SHA512
fc6b9e0c1b752bb5068c76e048663fd1492a6d3c3b99c42c4db57009fd111ad6cf94fd37438acd5ed3f5d6f5e50888d6dab4e909e3c796b8d308ae5d513e73cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh73DF.tmp\ui\pfUI.dll

Filesize
14.8MB

MD5
60c35f3523c9d22e1b502508ff757a96

SHA1
b124d2ad2c9b09181d9ee983ddf7a5d39b6b70cb

SHA256
eb929d174316e6ac2c0a109694f856f348c3c02208b40b34386406f7f572763c

SHA512
5ede92756cfb2da5114e78cf6f539d3015099ebfbb04951d967bfccc73c10cf9a457f218cf6ca0889a13131c651d58ab49d44e8fd1f19e91da65784c9908a3f2

Download Submit
memory/2832-143-0x0000000005DB1000-0x0000000005DB3000-memory.dmp

Filesize
8KB

Download