708c3a754f66c7ea424f1853f6076fd19434f729efff1c7ca5f68c76648f9ca3

Analysis

max time kernel
27s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-03-2023 14:09

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Crack_HK/CCDisk.exe
Size

8.3MB
MD5

65880a8f779eb94c081ce381ed83310b
SHA1

c3209593839b20370c7f85d5f428f705d9b808dd
SHA256

219dbfa799298bd99183d1a8674f6bd835174bcd8cfbe60de18f898c3b0e6183
SHA512

e3099d4af8e68a9cc63f5f0ce86507b91c2227130df6738380f335806b9771efd7901a38e7585069ba65456cfa24c397e2977e70a85bb22ef306f1709a0b14fa
SSDEEP

196608:qlsyv38jNWpeCcykc+ZiQ/ZGzf84hSuRSYpnsNeWy:ssyQWpeRyoZZx4f84k1YseW

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\CCacheX.sys	CCDisk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\CCDisk = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Crack_HK\\CCDisk.exe\" -mini"	CCDisk.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1516	CCDisk.exe
1516	CCDisk.exe
1204	CCDisk.exe
1204	CCDisk.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1516	CCDisk.exe
1204	CCDisk.exe
824	powershell.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1008	wmic.exe
Token: SeSecurityPrivilege	1008	wmic.exe
Token: SeTakeOwnershipPrivilege	1008	wmic.exe
Token: SeLoadDriverPrivilege	1008	wmic.exe
Token: SeSystemProfilePrivilege	1008	wmic.exe
Token: SeSystemtimePrivilege	1008	wmic.exe
Token: SeProfSingleProcessPrivilege	1008	wmic.exe
Token: SeIncBasePriorityPrivilege	1008	wmic.exe
Token: SeCreatePagefilePrivilege	1008	wmic.exe
Token: SeBackupPrivilege	1008	wmic.exe
Token: SeRestorePrivilege	1008	wmic.exe
Token: SeShutdownPrivilege	1008	wmic.exe
Token: SeDebugPrivilege	1008	wmic.exe
Token: SeSystemEnvironmentPrivilege	1008	wmic.exe
Token: SeRemoteShutdownPrivilege	1008	wmic.exe
Token: SeUndockPrivilege	1008	wmic.exe
Token: SeManageVolumePrivilege	1008	wmic.exe
Token: 33	1008	wmic.exe
Token: 34	1008	wmic.exe
Token: 35	1008	wmic.exe
Token: SeIncreaseQuotaPrivilege	1008	wmic.exe
Token: SeSecurityPrivilege	1008	wmic.exe
Token: SeTakeOwnershipPrivilege	1008	wmic.exe
Token: SeLoadDriverPrivilege	1008	wmic.exe
Token: SeSystemProfilePrivilege	1008	wmic.exe
Token: SeSystemtimePrivilege	1008	wmic.exe
Token: SeProfSingleProcessPrivilege	1008	wmic.exe
Token: SeIncBasePriorityPrivilege	1008	wmic.exe
Token: SeCreatePagefilePrivilege	1008	wmic.exe
Token: SeBackupPrivilege	1008	wmic.exe
Token: SeRestorePrivilege	1008	wmic.exe
Token: SeShutdownPrivilege	1008	wmic.exe
Token: SeDebugPrivilege	1008	wmic.exe
Token: SeSystemEnvironmentPrivilege	1008	wmic.exe
Token: SeRemoteShutdownPrivilege	1008	wmic.exe
Token: SeUndockPrivilege	1008	wmic.exe
Token: SeManageVolumePrivilege	1008	wmic.exe
Token: 33	1008	wmic.exe
Token: 34	1008	wmic.exe
Token: 35	1008	wmic.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeShutdownPrivilege	1516	CCDisk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1516	CCDisk.exe
1204	CCDisk.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1008	1516	CCDisk.exe	29
PID 1516 wrote to memory of 1008	1516	CCDisk.exe	29
PID 1516 wrote to memory of 1008	1516	CCDisk.exe	29
PID 1516 wrote to memory of 824	1516	CCDisk.exe	32
PID 1516 wrote to memory of 824	1516	CCDisk.exe	32
PID 1516 wrote to memory of 824	1516	CCDisk.exe	32
PID 1516 wrote to memory of 1196	1516	CCDisk.exe	34
PID 1516 wrote to memory of 1196	1516	CCDisk.exe	34
PID 1516 wrote to memory of 1196	1516	CCDisk.exe	34
PID 1196 wrote to memory of 1576	1196	net.exe	36
PID 1196 wrote to memory of 1576	1196	net.exe	36
PID 1196 wrote to memory of 1576	1196	net.exe	36
PID 1516 wrote to memory of 1696	1516	CCDisk.exe	37
PID 1516 wrote to memory of 1696	1516	CCDisk.exe	37
PID 1516 wrote to memory of 1696	1516	CCDisk.exe	37
PID 1516 wrote to memory of 1932	1516	CCDisk.exe	39
PID 1516 wrote to memory of 1932	1516	CCDisk.exe	39
PID 1516 wrote to memory of 1932	1516	CCDisk.exe	39
PID 1516 wrote to memory of 1980	1516	CCDisk.exe	41
PID 1516 wrote to memory of 1980	1516	CCDisk.exe	41
PID 1516 wrote to memory of 1980	1516	CCDisk.exe	41

C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.exe
"C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\System32\Wbem\wmic.exe
  wmic computersystem set AutomaticManagedPagefile=False
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1008
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe "disable-computerrestore -drive C:\"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:824
- C:\Windows\system32\net.exe
  net stop vss
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop vss
    3⤵
    PID:1576
- C:\Windows\system32\REG.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v RPSessionInterval /t REG_DWORD /d 0 /f
  2⤵
  PID:1696
- C:\Windows\system32\REG.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients" /f
  2⤵
  PID:1932
- C:\Windows\system32\REG.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients" /f
  2⤵
  PID:1980

C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.exe
"C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.exe" -service
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1204

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:988

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.ini

Filesize
235B

MD5
d2c7a87b00d24f0a9848d373fe275aa7

SHA1
929cbb9eb5e46d0ffa29a961eaf642bc6dfad791

SHA256
edf37ac17df0fe3f23b0b292d00e74c71598e79d52953a2e728a1e3c53b8440d

SHA512
60893e963ac092c8fd1087c9071724825680d686be87e48274433eaf8ab51053be17fcd4f51db30444c2ee7c5089fb51e7bb1f0a0f8446541d4648ec093a2c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.ini

Filesize
235B

MD5
d2c7a87b00d24f0a9848d373fe275aa7

SHA1
929cbb9eb5e46d0ffa29a961eaf642bc6dfad791

SHA256
edf37ac17df0fe3f23b0b292d00e74c71598e79d52953a2e728a1e3c53b8440d

SHA512
60893e963ac092c8fd1087c9071724825680d686be87e48274433eaf8ab51053be17fcd4f51db30444c2ee7c5089fb51e7bb1f0a0f8446541d4648ec093a2c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crack_HK\Log\Log-2023-03-11.txt

Filesize
637B

MD5
00e90c486168f93bc75842b450b4e670

SHA1
14c84634467b593d2eb2c3a11c77c5635b0e6567

SHA256
bcd0a094586f30336cb952e582aff8fbd45ad8bf3ce3a3ac16ca153edaf62ba1

SHA512
f9277c10c0d079cc357fd09700e3cb26bcb910c1660cc3cc1428b6e615dfc24ae1ee99bc0d4c4970c5e0e8ab760a24d00d0d8d1884a045669d3b9d156a069a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crack_HK\Log\Log-2023-03-11.txt

Filesize
320B

MD5
52b0efc457255fa363f9a9fe270eb865

SHA1
b119a94a66dd5e96ac424a17c0488023bd135021

SHA256
0cc60f0df8e318a1e104caadd9c71a48ded84a56b07ce8c8b271283775787793

SHA512
c98cf3e14a1b2a980176758e3f7057b01b5d71fa2d5346cc52bbfbfb0e3fae9aa19c9ab3e603985437a9591a06d3a07c6e2c2b4a9329ff72acd840c229a61497

Download Submit
memory/824-101-0x00000000024AB000-0x00000000024E2000-memory.dmp

Filesize
220KB

Download
memory/824-97-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download
memory/824-98-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/824-96-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/824-99-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/824-100-0x00000000024A4000-0x00000000024A7000-memory.dmp

Filesize
12KB

Download
memory/988-103-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/1204-62-0x000000013F8E0000-0x000000014033A000-memory.dmp

Filesize
10.4MB

Download
memory/1516-57-0x000000013F8E0000-0x000000014033A000-memory.dmp

Filesize
10.4MB

Download
memory/1516-56-0x00000000772D0000-0x00000000772D2000-memory.dmp

Filesize
8KB

Download
memory/1516-54-0x00000000772D0000-0x00000000772D2000-memory.dmp

Filesize
8KB

Download
memory/1516-55-0x00000000772D0000-0x00000000772D2000-memory.dmp

Filesize
8KB

Download
memory/1992-104-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download