31c5c9de9fa8af8f0389c81073792c2d83593da92fa71ee23a119b2d3441f2ff

Analysis

max time kernel
39s
max time network
45s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
24-03-2023 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccsetup609pro.exe
Size

50.7MB
MD5

d54e3f8343b8080c9dcaebcac1223c8d
SHA1

34c2a6e3b9e9e8af547e1b4690f9438c2136d927
SHA256

31c5c9de9fa8af8f0389c81073792c2d83593da92fa71ee23a119b2d3441f2ff
SHA512

10422d7805eb85d24656d247a248a33c30ec12824d5ec6e90c2433a7d62db7825ab8708ec352bbf96c300ed2299e374b689aab0dc217e39f34f559d125390434
SSDEEP

786432:/gdvr/D9oTblmYTv98cbxXUFvXIfo1XuQ5ogTsyB3jNYqvuOK1g2szehRXWg:/gdvv9slmYj98YUFv6kAKsk5DK0zeLP

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 6 IoCs

Processes:

ccsetup609pro.exe

pid process

1240 ccsetup609pro.exe
1240 ccsetup609pro.exe
1240 ccsetup609pro.exe
1240 ccsetup609pro.exe
1240 ccsetup609pro.exe
1240 ccsetup609pro.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

ccsetup609pro.exe

description ioc process

File opened for modification \??\PhysicalDrive0 ccsetup609pro.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ccsetup609pro.exe

description pid process

Token: SeManageVolumePrivilege 1240 ccsetup609pro.exe
Token: SeManageVolumePrivilege 1240 ccsetup609pro.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ccsetup609pro.exe

pid process

1240 ccsetup609pro.exe
1240 ccsetup609pro.exe

pid	process
1240	ccsetup609pro.exe
1240	ccsetup609pro.exe
1240	ccsetup609pro.exe
1240	ccsetup609pro.exe
1240	ccsetup609pro.exe
1240	ccsetup609pro.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	ccsetup609pro.exe

description	pid	process
Token: SeManageVolumePrivilege	1240	ccsetup609pro.exe
Token: SeManageVolumePrivilege	1240	ccsetup609pro.exe

pid	process
1240	ccsetup609pro.exe
1240	ccsetup609pro.exe

C:\Users\Admin\AppData\Local\Temp\ccsetup609pro.exe
"C:\Users\Admin\AppData\Local\Temp\ccsetup609pro.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
Filesize
512KB

MD5
eeacc914400b3bad848bc01fbfbe2ea9

SHA1
5c71b602e8b9a379d6c46116c7c309db2cccd89e

SHA256
fac1688fab53ae1100ad27e453029d27d282be498b25d0ac31d850cb588c8bb5

SHA512
fb3ab503d93bb6959905d81c8ea606f771b9d7c226783a90adba70c242dbf0701ddeb95e1cb4d0c3155ead1466ba1635267bdd2317cd4a84537494d5dad423b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
32.1MB

MD5
e433cae8657699f16d5ff659e1b8883c

SHA1
37b8fd0f4dcba82de6bfdb3d73fd2e8e03d71fad

SHA256
9d20ec25f66978d7955c4604f2c46c5b4270c85304cd6145006a27312198662d

SHA512
3eb5e1561b14b8f911eedfcf4f81465ea8ecbf1595a6e6bc382d1b364099985d5268e9b0d8ec822618e988f26b79ca6217c36a4721358b6baf45462b930d2f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst26D5.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst26D5.tmp\p\pfBL.dll
Filesize
11.3MB

MD5
f8d1c110600144a9310723c011eeb9c8

SHA1
304e211607eb14e079956531e149e53db2930762

SHA256
d2b8a9d801e5c823be4c8eb9d721a8181d12f3b435d9c80b858d5e6074530bd2

SHA512
7656c865420724b8a77c5a4180b6a410c4c54e9f71f5938fb2d3549bfbd0b05e10f0deb90e532b9b0699e480133c410074ed58ae8f2f1dcd547af725e802eac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst26D5.tmp\ui\pfUI.dll
Filesize
15.7MB

MD5
8189d2d01f801ac406434b28e7df4743

SHA1
caa140b9c2aaea611168850f2259b574982e1b13

SHA256
7cb4c428ba38a8bc41fec4ed658e9bcfbf9a9f680cbb897f09ec31ddbbb013e6

SHA512
661ffd3a4a3fa121e5acafb56405944ceccb4d09d9c1a5e57bcbe67609854279eead610f28d0242879eca3afeb102b764920014d596ffb50306f21926fca3378

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst26D5.tmp\ui\res\CC_Logo_40x96.png
Filesize
2KB

MD5
d32b0460183056d3056d6db89c992b88

SHA1
79823e151b3438ab8d273a6b4a3d56a9571379b4

SHA256
b013039e32d2f8e54cfebdbfdabc25f21aa0bbe9ef26a2a5319a20024961e9a7

SHA512
3ad36f9d4015f2d3d5bc15eac221a0ecef3fcb1ef4c3c87b97b3413a66faa445869e054f7252cc233cd2bf8f1aa75cb3351d2c70c8121f4850b3db29951bc817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst26D5.tmp\ui\res\CC_logo_72x66.png
Filesize
7KB

MD5
a736159759a56c29575e49cb2a51f2b3

SHA1
b1594bbca4358886d25c3a1bc662d87c913318cb

SHA256
58e75de1789c90333daaf93176194d2a3d64f2eecdf57a4b9384a229e81f874f

SHA512
4da523a36375b37fa7bc4b4ccf7c93e1df7b2da15152edf7d419927aa1bb271ef8ba27fe734d2f623fcc02b47319e75333df014bed01eb466e0cd9ec4111ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst26D5.tmp\ui\res\PF_computer.png
Filesize
87KB

MD5
7f4f45c9393a0664d9d0725a2ff42c6b

SHA1
b7b30eb534e6dc69e8e293443c157134569e8ce7

SHA256
dbd8b6fdb66604a0a5e8efe269fbfa598e4a94dc146006036409d905209da42b

SHA512
0c27f9ce615cbff3e17fd772ce3929ab4419d7432d96223b7eec1ba70953f2ac993404b954020247b52d7f7499212d44eb6f85da2e2676773cafe1ce89b390f9

Download Submit
\Users\Admin\AppData\Local\Temp\nst26D5.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nst26D5.tmp\UserInfo.dll
Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
\Users\Admin\AppData\Local\Temp\nst26D5.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
\Users\Admin\AppData\Local\Temp\nst26D5.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
\Users\Admin\AppData\Local\Temp\nst26D5.tmp\p\pfBL.dll
Filesize
11.3MB

MD5
f8d1c110600144a9310723c011eeb9c8

SHA1
304e211607eb14e079956531e149e53db2930762

SHA256
d2b8a9d801e5c823be4c8eb9d721a8181d12f3b435d9c80b858d5e6074530bd2

SHA512
7656c865420724b8a77c5a4180b6a410c4c54e9f71f5938fb2d3549bfbd0b05e10f0deb90e532b9b0699e480133c410074ed58ae8f2f1dcd547af725e802eac5

Download Submit
\Users\Admin\AppData\Local\Temp\nst26D5.tmp\ui\pfUI.dll
Filesize
15.7MB

MD5
8189d2d01f801ac406434b28e7df4743

SHA1
caa140b9c2aaea611168850f2259b574982e1b13

SHA256
7cb4c428ba38a8bc41fec4ed658e9bcfbf9a9f680cbb897f09ec31ddbbb013e6

SHA512
661ffd3a4a3fa121e5acafb56405944ceccb4d09d9c1a5e57bcbe67609854279eead610f28d0242879eca3afeb102b764920014d596ffb50306f21926fca3378

Download Submit
memory/1240-166-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/1240-172-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1240-195-0x0000000007220000-0x0000000007228000-memory.dmp

Filesize
32KB

Download
memory/1240-198-0x00000000073A0000-0x00000000073A8000-memory.dmp

Filesize
32KB

Download
memory/1240-200-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/1240-205-0x00000000071C0000-0x00000000071C1000-memory.dmp

Filesize
4KB

Download
memory/1240-165-0x0000000003B40000-0x0000000003B41000-memory.dmp

Filesize
4KB

Download