Analysis

  max time kernel:   22s
  max time network:  26s
  platform:          windows10-2004_x64
  resource:          win10v2004-20230220-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         11/03/2023, 14:09

This page shows the run of Crack_HK/CCDisk.exe on win10v2004-20230220-en (behavioral6 in the task list below).
Tasks

  Static task
    static1

  Behavioral tasks
    task          sample                                   resource
    behavioral1   CCDisk (v2021.02.19)/Crack_HK.rar        win7-20230220-en
    behavioral2   CCDisk (v2021.02.19)/Crack_HK.rar        win10v2004-20230221-en
    behavioral3   Crack_HK.zip                             win7-20230220-en
    behavioral4   Crack_HK.zip                             win10v2004-20230220-en
    behavioral5   Crack_HK/CCDisk.exe                      win7-20230220-en
    behavioral6   Crack_HK/CCDisk.exe                      win10v2004-20230220-en
    behavioral7   Crack_HK/CCDisk.ini                      win7-20230220-en
    behavioral8   Crack_HK/CCDisk.ini                      win10v2004-20230220-en
    behavioral9   Crack_HK/CCacheX.dll                     win7-20230220-en
    behavioral10  Crack_HK/CCacheX.dll                     win10v2004-20230220-en
    behavioral11  Crack_HK/db.xml                          win7-20230220-en
    behavioral12  Crack_HK/db.xml                          win10v2004-20230220-en
    behavioral13  CCDisk (v2021.02.19)/STOP_ALL.bat        win7-20230220-en
    behavioral14  CCDisk (v2021.02.19)/STOP_ALL.bat        win10v2004-20230220-en
    behavioral15  CCDisk (v2021.02.19)/ccdisksetup.exe     win7-20230220-en
    behavioral16  CCDisk (v2021.02.19)/ccdisksetup.exe     win10v2004-20230220-en
Errors
General

  Target:  Crack_HK/CCDisk.exe
  Size:    8.3MB
  MD5:     65880a8f779eb94c081ce381ed83310b
  SHA1:    c3209593839b20370c7f85d5f428f705d9b808dd
  SHA256:  219dbfa799298bd99183d1a8674f6bd835174bcd8cfbe60de18f898c3b0e6183
  SHA512:  e3099d4af8e68a9cc63f5f0ce86507b91c2227130df6738380f335806b9771efd7901a38e7585069ba65456cfa24c397e2977e70a85bb22ef306f1709a0b14fa
  SSDEEP:  196608:qlsyv38jNWpeCcykc+ZiQ/ZGzf84hSuRSYpnsNeWy:ssyQWpeRyoZZx4f84k1YseW
Malware Config
Signatures

Drops file in Drivers directory (1 IoC)
  description   ioc                                        Process
  File created  C:\Windows\system32\drivers\CCacheX.sys    CCDisk.exe

  A user-mode executable writing a .sys into the drivers directory is the first half of a kernel driver install; the process tree below shows no sc.exe call, so the service registration (if any) happened through an API the report does not surface.

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCDisk = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Crack_HK\\CCDisk.exe\" -mini"    CCDisk.exe

  Per-user persistence: the sample re-launches itself from its extraction folder with the -mini switch at every logon of this user.

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid   Process
  4620  CCDisk.exe  (2 hits)
  3464  CCDisk.exe  (2 hits)

  Both CCDisk.exe instances hide at least one thread from debuggers (ThreadHideFromDebugger), a common anti-analysis measure in commercial protectors as well as in malware.

Modifies data under HKEY_USERS (15 IoCs)
  All rows are written by LogonUI.exe under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\:
  description       ioc
  Set value (int)   DWM\ColorizationAfterglow = "3288365271"
  Set value (int)   DWM\ColorizationBlurBalance = "1"
  Set value (int)   DWM\EnableWindowColorization = "218"
  Key created       CurrentVersion\Themes\History
  Set value (data)  CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
  Set value (int)   CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
  Set value (int)   DWM\AccentColor = "4292311040"
  Set value (int)   DWM\ColorizationColor = "3288365271"
  Set value (int)   DWM\ColorizationColorBalance = "89"
  Set value (int)   DWM\ColorizationGlassAttribute = "1"
  Key created       CurrentVersion\Explorer\Accent
  Key created       DWM
  Set value (int)   CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
  Set value (int)   DWM\ColorizationAfterglowBalance = "10"
  Set value (int)   CurrentVersion\Themes\History\AutoColor = "0"

  These are the logon screen's own DWM/accent theming writes to the .DEFAULT hive. They are attributable to LogonUI.exe, not to the sample; their presence only tells you that the logon screen came up during the task.

Runs net.exe
  No IoC rows are listed; the process tree below shows the call (net stop vss).

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  4620  CCDisk.exe      (2 hits)
  3464  CCDisk.exe      (2 hits)
  3920  powershell.exe  (2 hits)

Suspicious use of AdjustPrivilegeToken (44 IoCs)
  pid   Process         Token
  4316  wmic.exe        SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36  (the full list is enabled twice: 42 hits)
  3920  powershell.exe  SeDebugPrivilege
  4620  CCDisk.exe      SeShutdownPrivilege

  wmic.exe enabling every privilege in its token is the WMI client's normal start-up behaviour, and powershell.exe routinely enables SeDebugPrivilege; neither is evidence of the sample's intent. The row that matters is CCDisk.exe (PID 4620) enabling SeShutdownPrivilege, which together with LogonUI.exe appearing in the tree is consistent with the sample triggering a logoff or restart.

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  4620  CCDisk.exe
  3464  CCDisk.exe
  3316  LogonUI.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description                          pid   Process      procid_target
  PID 4620 wrote to memory of 4316     4620  CCDisk.exe   86   (2 hits)
  PID 4620 wrote to memory of 3920     4620  CCDisk.exe   88   (2 hits)
  PID 4620 wrote to memory of 1720     4620  CCDisk.exe   90   (2 hits)
  PID 1720 wrote to memory of 1152     1720  net.exe      92   (2 hits)
  PID 4620 wrote to memory of 1016     4620  CCDisk.exe   93   (2 hits)
  PID 4620 wrote to memory of 3860     4620  CCDisk.exe   95   (2 hits)
  PID 4620 wrote to memory of 3176     4620  CCDisk.exe   97   (2 hits)

  Every target is a direct child the writer had just spawned (wmic, powershell, net, net1, the three REG.exe instances), so these hits reflect ordinary process creation rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.exe  (PID 4620)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.exe"
  Signatures: Drops file in Drivers directory; Adds Run key to start application; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  C:\Windows\System32\Wbem\wmic.exe  (PID 4316)
    Command line: wmic computersystem set AutomaticManagedPagefile=False
    Signatures: Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (PID 3920)
    Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe "disable-computerrestore -drive C:\"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  C:\Windows\SYSTEM32\net.exe  (PID 1720)
    Command line: net stop vss
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe  (PID 1152)
      Command line: C:\Windows\system32\net1 stop vss

  C:\Windows\SYSTEM32\REG.exe  (PID 1016)
    Command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v RPSessionInterval /t REG_DWORD /d 0 /f

  C:\Windows\SYSTEM32\REG.exe  (PID 3860)
    Command line: REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients" /f

  C:\Windows\SYSTEM32\REG.exe  (PID 3176)
    Command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients" /f

C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.exe  (PID 3464)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.exe" -service
  Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx

C:\Windows\system32\LogonUI.exe  (PID 3316)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa399d855 /state1:0x41c64e6d
  Signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx

Reading the tree: the first CCDisk.exe instance uses only built-in tools to turn off automatic pagefile management (wmic), disable System Restore for C: (PowerShell Disable-ComputerRestore), stop the Volume Shadow Copy service (net stop vss), set RPSessionInterval to 0 so no scheduled restore points are created, and delete and recreate the SPP\Clients key, which clears the registered shadow-copy clients. Taken together these are ATT&CK T1490 (Inhibit System Recovery). The same instance drops CCacheX.sys into the drivers directory and writes the Run key, and a second instance then starts with -service. Disk-caching and disk-protection products perform this same recovery-disabling sequence at install time, so the chain on its own does not separate a cracked installer from ransomware; the driver drop, the anti-debugging and the user-level Run key from a Temp folder are what should drive triage of this particular sample.
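The detection logic below is an added example and is not part of the Triage report or of CCDisk. It encodes the recovery-impairment chain from the process tree above as rules over Sysmon-style process, file and registry events, resolves each hit to the root of its process tree, and raises one composite T1490 finding when two or more distinct T1490 indicators share a root. The event schema, the parent PID 1000 given to the first CCDisk.exe instance and the event list itself are assumptions constructed for the example; the command lines, paths and PIDs are copied from the report.

```python
"""Rules for the recovery-impairment chain in the CCDisk.exe process tree.

Added example, not part of the Triage report or of CCDisk.  Events use an
assumed Sysmon-like shape; the sample events are constructed from the tree
above, with an assumed parent PID 1000 for the first CCDisk.exe instance.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    kind: str    # "process": detail is the command line; "file": a path; "registry": "key = value"
    pid: int
    ppid: int
    image: str
    detail: str


# (rule name, ATT&CK technique or "-", event kind, pattern applied to detail)
RULES = [
    ("stops the Volume Shadow Copy service", "T1490", "process",
     re.compile(r"\bnet1?(\.exe)?\s+stop\s+vss\b", re.I)),
    ("disables System Restore via PowerShell", "T1490", "process",
     re.compile(r"disable-computerrestore", re.I)),
    ("sets RPSessionInterval to 0", "T1490", "process",
     re.compile(r"SystemRestore.*RPSessionInterval.*\s/d\s+0\b", re.I)),
    ("deletes the SPP Clients key", "T1490", "process",
     re.compile(r'REG\s+DELETE\s+"?HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SPP\\Clients', re.I)),
    ("disables automatic pagefile management", "-", "process",
     re.compile(r"wmic.*computersystem\s+set\s+AutomaticManagedPagefile=False", re.I)),
    ("writes into the drivers directory", "-", "file",
     re.compile(r"^[a-z]:\\windows\\system32\\drivers\\", re.I)),
    ("adds a Run key", "T1547.001", "registry",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)),
]


def root_of(pid, parents):
    """Walk pid -> ppid while the parent is itself a known process; return the top."""
    seen = {pid}
    while parents.get(pid) in parents and parents[pid] not in seen:
        pid = parents[pid]
        seen.add(pid)
    return pid


def detect(events):
    """Return one (root_pid, pid, image, rule_name, technique) tuple per rule hit."""
    parents = {e.pid: e.ppid for e in events if e.kind == "process"}
    hits = []
    for e in events:
        for name, tech, kind, rx in RULES:
            if e.kind == kind and rx.search(e.detail):
                hits.append((root_of(e.pid, parents), e.pid, e.image, name, tech))
    return hits


def recovery_impairment(hits, threshold=2):
    """Composite rule: roots with >= threshold distinct T1490 indicators.

    Deduplicating by rule name keeps net.exe and net1.exe from counting twice.
    """
    per_root = defaultdict(set)
    for root, _pid, _image, name, tech in hits:
        if tech == "T1490":
            per_root[root].add(name)
    return {root: sorted(names) for root, names in per_root.items() if len(names) >= threshold}


# Constructed events mirroring the report's process tree (PPID 1000 is assumed).
EVENTS = [
    Event("process", 4620, 1000, "CCDisk.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.exe"'),
    Event("process", 4316, 4620, "wmic.exe",
          "wmic computersystem set AutomaticManagedPagefile=False"),
    Event("process", 3920, 4620, "powershell.exe",
          r'C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe "disable-computerrestore -drive C:\"'),
    Event("process", 1720, 4620, "net.exe", "net stop vss"),
    Event("process", 1152, 1720, "net1.exe", r"C:\Windows\system32\net1 stop vss"),
    Event("process", 1016, 4620, "REG.exe",
          r'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v RPSessionInterval /t REG_DWORD /d 0 /f'),
    Event("process", 3860, 4620, "REG.exe",
          r'REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients" /f'),
    Event("process", 3176, 4620, "REG.exe",
          r'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients" /f'),
    Event("file", 4620, 1000, "CCDisk.exe", r"C:\Windows\system32\drivers\CCacheX.sys"),
    Event("registry", 4620, 1000, "CCDisk.exe",
          r'\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCDisk = "C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.exe" -mini'),
]


if __name__ == "__main__":
    hits = detect(EVENTS)
    for root, pid, image, name, tech in hits:
        print(f"root {root}: pid {pid} {image}: {name} [{tech}]")
    for root, names in recovery_impairment(hits).items():
        print(f"root {root}: Inhibit System Recovery (T1490) via {len(names)} distinct indicators")
```

The recreation of SPP\Clients (REG ADD) is deliberately not a rule: only the DELETE removes registered clients, and an ADD alone is benign. Scoring per process-tree root rather than per process is what lets the net.exe and REG.exe children count toward the CCDisk.exe parent that actually launched them.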
Network
MITRE ATT&CK Enterprise v6
Downloads

  File 1
    Filesize:  235B
    MD5:       0bde49b1eff23cdbfdd77b85c14188ff
    SHA1:      39442e24dcbb477be24b233a2744abffa68482c3
    SHA256:    da1f13650fc42d43502ff21fb91ab365f86b9ccf606ca1f94deca54a5426b35d
    SHA512:    c1c0564fc07f4e10dbf2eae675490b459b79b6eb9956a835cede5570e02971f5366f3edcfeaddf7289f8000bc33e9aea376e4f0405fb919e373cca7f0e31544e

  File 2 (same content as File 1)
    Filesize:  235B
    MD5:       0bde49b1eff23cdbfdd77b85c14188ff
    SHA1:      39442e24dcbb477be24b233a2744abffa68482c3
    SHA256:    da1f13650fc42d43502ff21fb91ab365f86b9ccf606ca1f94deca54a5426b35d
    SHA512:    c1c0564fc07f4e10dbf2eae675490b459b79b6eb9956a835cede5570e02971f5366f3edcfeaddf7289f8000bc33e9aea376e4f0405fb919e373cca7f0e31544e

  File 3
    Filesize:  204B
    MD5:       3cb80de62a82ceea209a84ed4452e6a1
    SHA1:      1dc83872cb0335cd24f4d08246151b8c849aa941
    SHA256:    20a49bc9d15fab35e10724baa7cefbbf73881e80d6ec60f3ce06a1e929cdafdb
    SHA512:    f97601ded93cb8e855d28ca756c9c63d99ec2727a2dafa58e66d42bb9ab0a59527e5eb1e35f0adaadc6f1632afd3a32e094a67c3ffad916ca232cc24ad0f80c1

  File 4
    Filesize:  343B
    MD5:       dd080e203f4e9967207e08d78143df70
    SHA1:      73f3afb82cb1c2b46f405ad7897b422ebaec54b4
    SHA256:    caa475e209f050276af3fed270aa0097e426722e78d61d6dcff5a20b600a27a2
    SHA512:    0101b7e3aa40a7f495caefe47c6604a72beb9b1620cb1e2a0a07dff6e9b9aca70f022069e8af5e38aaa21de7454a1e3c6c1a2ba9df0e7e56f90528b9ae19b84d

  File 5
    Filesize:  757B
    MD5:       63fcf0f17f90fe5201c2ca687bc2751f
    SHA1:      841c2ec2f95af89bc08de73cdf3db3400a43639f
    SHA256:    761103d036b951d60636505a9c9bca057fa38689cc6c5190893fae4f8e17cb0f
    SHA512:    c25f5caa266ed0ce262a4b0e63203e0661bc231f72b2ae347db171dbf51751335a7544966bbc4c02eb607f6e240405b41ec4b5dd08017bc2d29e16b06016a9e0

  File 6
    Filesize:  60B
    MD5:       d17fe0a3f47be24a6453e9ef58c94641
    SHA1:      6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256:    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512:    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82