708c3a754f66c7ea424f1853f6076fd19434f729efff1c7ca5f68c76648f9ca3

Analysis

max time kernel
22s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2023, 14:09

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Crack_HK/CCDisk.exe
Size

8.3MB
MD5

65880a8f779eb94c081ce381ed83310b
SHA1

c3209593839b20370c7f85d5f428f705d9b808dd
SHA256

219dbfa799298bd99183d1a8674f6bd835174bcd8cfbe60de18f898c3b0e6183
SHA512

e3099d4af8e68a9cc63f5f0ce86507b91c2227130df6738380f335806b9771efd7901a38e7585069ba65456cfa24c397e2977e70a85bb22ef306f1709a0b14fa
SSDEEP

196608:qlsyv38jNWpeCcykc+ZiQ/ZGzf84hSuRSYpnsNeWy:ssyQWpeRyoZZx4f84k1YseW

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\CCacheX.sys	CCDisk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCDisk = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Crack_HK\\CCDisk.exe\" -mini"	CCDisk.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4620	CCDisk.exe
4620	CCDisk.exe
3464	CCDisk.exe
3464	CCDisk.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "218"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4620	CCDisk.exe
4620	CCDisk.exe
3464	CCDisk.exe
3464	CCDisk.exe
3920	powershell.exe
3920	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4316	wmic.exe
Token: SeSecurityPrivilege	4316	wmic.exe
Token: SeTakeOwnershipPrivilege	4316	wmic.exe
Token: SeLoadDriverPrivilege	4316	wmic.exe
Token: SeSystemProfilePrivilege	4316	wmic.exe
Token: SeSystemtimePrivilege	4316	wmic.exe
Token: SeProfSingleProcessPrivilege	4316	wmic.exe
Token: SeIncBasePriorityPrivilege	4316	wmic.exe
Token: SeCreatePagefilePrivilege	4316	wmic.exe
Token: SeBackupPrivilege	4316	wmic.exe
Token: SeRestorePrivilege	4316	wmic.exe
Token: SeShutdownPrivilege	4316	wmic.exe
Token: SeDebugPrivilege	4316	wmic.exe
Token: SeSystemEnvironmentPrivilege	4316	wmic.exe
Token: SeRemoteShutdownPrivilege	4316	wmic.exe
Token: SeUndockPrivilege	4316	wmic.exe
Token: SeManageVolumePrivilege	4316	wmic.exe
Token: 33	4316	wmic.exe
Token: 34	4316	wmic.exe
Token: 35	4316	wmic.exe
Token: 36	4316	wmic.exe
Token: SeIncreaseQuotaPrivilege	4316	wmic.exe
Token: SeSecurityPrivilege	4316	wmic.exe
Token: SeTakeOwnershipPrivilege	4316	wmic.exe
Token: SeLoadDriverPrivilege	4316	wmic.exe
Token: SeSystemProfilePrivilege	4316	wmic.exe
Token: SeSystemtimePrivilege	4316	wmic.exe
Token: SeProfSingleProcessPrivilege	4316	wmic.exe
Token: SeIncBasePriorityPrivilege	4316	wmic.exe
Token: SeCreatePagefilePrivilege	4316	wmic.exe
Token: SeBackupPrivilege	4316	wmic.exe
Token: SeRestorePrivilege	4316	wmic.exe
Token: SeShutdownPrivilege	4316	wmic.exe
Token: SeDebugPrivilege	4316	wmic.exe
Token: SeSystemEnvironmentPrivilege	4316	wmic.exe
Token: SeRemoteShutdownPrivilege	4316	wmic.exe
Token: SeUndockPrivilege	4316	wmic.exe
Token: SeManageVolumePrivilege	4316	wmic.exe
Token: 33	4316	wmic.exe
Token: 34	4316	wmic.exe
Token: 35	4316	wmic.exe
Token: 36	4316	wmic.exe
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeShutdownPrivilege	4620	CCDisk.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4620	CCDisk.exe
3464	CCDisk.exe
3316	LogonUI.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 4316	4620	CCDisk.exe	86
PID 4620 wrote to memory of 4316	4620	CCDisk.exe	86
PID 4620 wrote to memory of 3920	4620	CCDisk.exe	88
PID 4620 wrote to memory of 3920	4620	CCDisk.exe	88
PID 4620 wrote to memory of 1720	4620	CCDisk.exe	90
PID 4620 wrote to memory of 1720	4620	CCDisk.exe	90
PID 1720 wrote to memory of 1152	1720	net.exe	92
PID 1720 wrote to memory of 1152	1720	net.exe	92
PID 4620 wrote to memory of 1016	4620	CCDisk.exe	93
PID 4620 wrote to memory of 1016	4620	CCDisk.exe	93
PID 4620 wrote to memory of 3860	4620	CCDisk.exe	95
PID 4620 wrote to memory of 3860	4620	CCDisk.exe	95
PID 4620 wrote to memory of 3176	4620	CCDisk.exe	97
PID 4620 wrote to memory of 3176	4620	CCDisk.exe	97

C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.exe
"C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\System32\Wbem\wmic.exe
  wmic computersystem set AutomaticManagedPagefile=False
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4316
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe "disable-computerrestore -drive C:\"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3920
- C:\Windows\SYSTEM32\net.exe
  net stop vss
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop vss
    3⤵
    PID:1152
- C:\Windows\SYSTEM32\REG.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v RPSessionInterval /t REG_DWORD /d 0 /f
  2⤵
  PID:1016
- C:\Windows\SYSTEM32\REG.exe
  REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients" /f
  2⤵
  PID:3860
- C:\Windows\SYSTEM32\REG.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients" /f
  2⤵
  PID:3176

C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.exe
"C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.exe" -service
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3464

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa399d855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.ini

Filesize
235B

MD5
0bde49b1eff23cdbfdd77b85c14188ff

SHA1
39442e24dcbb477be24b233a2744abffa68482c3

SHA256
da1f13650fc42d43502ff21fb91ab365f86b9ccf606ca1f94deca54a5426b35d

SHA512
c1c0564fc07f4e10dbf2eae675490b459b79b6eb9956a835cede5570e02971f5366f3edcfeaddf7289f8000bc33e9aea376e4f0405fb919e373cca7f0e31544e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crack_HK\CCDisk.ini

Filesize
235B

MD5
0bde49b1eff23cdbfdd77b85c14188ff

SHA1
39442e24dcbb477be24b233a2744abffa68482c3

SHA256
da1f13650fc42d43502ff21fb91ab365f86b9ccf606ca1f94deca54a5426b35d

SHA512
c1c0564fc07f4e10dbf2eae675490b459b79b6eb9956a835cede5570e02971f5366f3edcfeaddf7289f8000bc33e9aea376e4f0405fb919e373cca7f0e31544e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crack_HK\Log\Log-2023-03-11.txt

Filesize
204B

MD5
3cb80de62a82ceea209a84ed4452e6a1

SHA1
1dc83872cb0335cd24f4d08246151b8c849aa941

SHA256
20a49bc9d15fab35e10724baa7cefbbf73881e80d6ec60f3ce06a1e929cdafdb

SHA512
f97601ded93cb8e855d28ca756c9c63d99ec2727a2dafa58e66d42bb9ab0a59527e5eb1e35f0adaadc6f1632afd3a32e094a67c3ffad916ca232cc24ad0f80c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crack_HK\Log\Log-2023-03-11.txt

Filesize
343B

MD5
dd080e203f4e9967207e08d78143df70

SHA1
73f3afb82cb1c2b46f405ad7897b422ebaec54b4

SHA256
caa475e209f050276af3fed270aa0097e426722e78d61d6dcff5a20b600a27a2

SHA512
0101b7e3aa40a7f495caefe47c6604a72beb9b1620cb1e2a0a07dff6e9b9aca70f022069e8af5e38aaa21de7454a1e3c6c1a2ba9df0e7e56f90528b9ae19b84d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crack_HK\Log\Log-2023-03-11.txt

Filesize
757B

MD5
63fcf0f17f90fe5201c2ca687bc2751f

SHA1
841c2ec2f95af89bc08de73cdf3db3400a43639f

SHA256
761103d036b951d60636505a9c9bca057fa38689cc6c5190893fae4f8e17cb0f

SHA512
c25f5caa266ed0ce262a4b0e63203e0661bc231f72b2ae347db171dbf51751335a7544966bbc4c02eb607f6e240405b41ec4b5dd08017bc2d29e16b06016a9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3xmvixcx.52f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3464-137-0x00007FF7589C0000-0x00007FF75941A000-memory.dmp

Filesize
10.4MB

Download
memory/3920-167-0x0000020AA5D90000-0x0000020AA5DA0000-memory.dmp

Filesize
64KB

Download
memory/3920-174-0x0000020AA7470000-0x0000020AA7492000-memory.dmp

Filesize
136KB

Download
memory/4620-133-0x00007FF9D3490000-0x00007FF9D3492000-memory.dmp

Filesize
8KB

Download
memory/4620-134-0x00007FF7589C0000-0x00007FF75941A000-memory.dmp

Filesize
10.4MB

Download