Analysis

  • max time kernel
    22s
  • max time network
    26s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/03/2023, 14:09

Errors

Reason
Machine shutdown

General

  • Target

    Crack_HK/CCDisk.exe

  • Size

    8.3MB

  • MD5

    65880a8f779eb94c081ce381ed83310b

  • SHA1

    c3209593839b20370c7f85d5f428f705d9b808dd

  • SHA256

    219dbfa799298bd99183d1a8674f6bd835174bcd8cfbe60de18f898c3b0e6183

  • SHA512

    e3099d4af8e68a9cc63f5f0ce86507b91c2227130df6738380f335806b9771efd7901a38e7585069ba65456cfa24c397e2977e70a85bb22ef306f1709a0b14fa

  • SSDEEP

    196608:qlsyv38jNWpeCcykc+ZiQ/ZGzf84hSuRSYpnsNeWy:ssyQWpeRyoZZx4f84k1YseW

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.exe
    "C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.exe"
    1⤵
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4620
    • C:\Windows\System32\Wbem\wmic.exe
      wmic computersystem set AutomaticManagedPagefile=False
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4316
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe "disable-computerrestore -drive C:\"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3920
    • C:\Windows\SYSTEM32\net.exe
      net stop vss
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop vss
        3⤵
        PID:1152
    • C:\Windows\SYSTEM32\REG.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v RPSessionInterval /t REG_DWORD /d 0 /f
      2⤵
      PID:1016
    • C:\Windows\SYSTEM32\REG.exe
      REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients" /f
      2⤵
      PID:3860
    • C:\Windows\SYSTEM32\REG.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients" /f
      2⤵
      PID:3176
  • C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.exe
    "C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.exe" -service
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:3464
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa399d855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3316

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.ini

    Filesize

    235B

    MD5

    0bde49b1eff23cdbfdd77b85c14188ff

    SHA1

    39442e24dcbb477be24b233a2744abffa68482c3

    SHA256

    da1f13650fc42d43502ff21fb91ab365f86b9ccf606ca1f94deca54a5426b35d

    SHA512

    c1c0564fc07f4e10dbf2eae675490b459b79b6eb9956a835cede5570e02971f5366f3edcfeaddf7289f8000bc33e9aea376e4f0405fb919e373cca7f0e31544e

  • C:\Users\Admin\AppData\Local\Temp\Crack_HK\Log\Log-2023-03-11.txt

    Filesize

    204B

    MD5

    3cb80de62a82ceea209a84ed4452e6a1

    SHA1

    1dc83872cb0335cd24f4d08246151b8c849aa941

    SHA256

    20a49bc9d15fab35e10724baa7cefbbf73881e80d6ec60f3ce06a1e929cdafdb

    SHA512

    f97601ded93cb8e855d28ca756c9c63d99ec2727a2dafa58e66d42bb9ab0a59527e5eb1e35f0adaadc6f1632afd3a32e094a67c3ffad916ca232cc24ad0f80c1

  • C:\Users\Admin\AppData\Local\Temp\Crack_HK\Log\Log-2023-03-11.txt

    Filesize

    343B

    MD5

    dd080e203f4e9967207e08d78143df70

    SHA1

    73f3afb82cb1c2b46f405ad7897b422ebaec54b4

    SHA256

    caa475e209f050276af3fed270aa0097e426722e78d61d6dcff5a20b600a27a2

    SHA512

    0101b7e3aa40a7f495caefe47c6604a72beb9b1620cb1e2a0a07dff6e9b9aca70f022069e8af5e38aaa21de7454a1e3c6c1a2ba9df0e7e56f90528b9ae19b84d

  • C:\Users\Admin\AppData\Local\Temp\Crack_HK\Log\Log-2023-03-11.txt

    Filesize

    757B

    MD5

    63fcf0f17f90fe5201c2ca687bc2751f

    SHA1

    841c2ec2f95af89bc08de73cdf3db3400a43639f

    SHA256

    761103d036b951d60636505a9c9bca057fa38689cc6c5190893fae4f8e17cb0f

    SHA512

    c25f5caa266ed0ce262a4b0e63203e0661bc231f72b2ae347db171dbf51751335a7544966bbc4c02eb607f6e240405b41ec4b5dd08017bc2d29e16b06016a9e0

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3xmvixcx.52f.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/3464-137-0x00007FF7589C0000-0x00007FF75941A000-memory.dmp

    Filesize

    10.4MB

  • memory/3920-167-0x0000020AA5D90000-0x0000020AA5DA0000-memory.dmp

    Filesize

    64KB

  • memory/3920-174-0x0000020AA7470000-0x0000020AA7492000-memory.dmp

    Filesize

    136KB

  • memory/4620-133-0x00007FF9D3490000-0x00007FF9D3492000-memory.dmp

    Filesize

    8KB

  • memory/4620-134-0x00007FF7589C0000-0x00007FF75941A000-memory.dmp

    Filesize

    10.4MB