ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d

Analysis

max time kernel
99s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2023, 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe
Size

1.0MB
MD5

7522139b87058f6fb9eb0633470f46f4
SHA1

b8b041fe6f62f8cc0aadafb275a3ec0bb08c8a88
SHA256

ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d
SHA512

17e9a22010a3994dff90ac93981d8e019b1a7bba8e16de2b4eab7dfc5b3dfe4b2733c38f95a6fd46eff4bc9d2f345fc94d5666e24b33000ac79935a2d38e0b8c
SSDEEP

24576:l0a5exWc7x4TyjheHod9XxeDNmRJLduNtjKaDaxSEFJd:lyUcGujPeDN4pu/2XxSEFb

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 9 IoCs

pid	Process
4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe
4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe
4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe
4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe
4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe
4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe
4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe
4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe
4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CCB_HDZB_2G_P11.dll	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe
File created	C:\Windows\system32\CCB_HDZB_2G_P11.dll	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\CCBComponents\HDZB\log\20230330.log	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe
File created	C:\Program Files (x86)\CCBComponents\Plugins\npHDZB2gCertCtrl.dll	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe
File created	C:\Program Files (x86)\CCBComponents\Plugins\npHDZB2gSNCtrl.dll	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe
File created	C:\Program Files (x86)\CCBComponents\Plugins\CARoot\Cert_HDZB_2G_Firefox.exe	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
348	sc.exe
452	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe
4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe
4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe
4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe
4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe
4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 1368	4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe	83
PID 4852 wrote to memory of 1368	4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe	83
PID 4852 wrote to memory of 1368	4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe	83
PID 1368 wrote to memory of 452	1368	cmd.exe	85
PID 1368 wrote to memory of 452	1368	cmd.exe	85
PID 1368 wrote to memory of 452	1368	cmd.exe	85
PID 4852 wrote to memory of 1124	4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe	86
PID 4852 wrote to memory of 1124	4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe	86
PID 4852 wrote to memory of 1124	4852	ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe	86
PID 1124 wrote to memory of 348	1124	cmd.exe	88
PID 1124 wrote to memory of 348	1124	cmd.exe	88
PID 1124 wrote to memory of 348	1124	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe
"C:\Users\Admin\AppData\Local\Temp\ab8f59fbee6491ee718c28a155d55d2a093e9f29f08754d2e1255a8c8028aa7d.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"
    3⤵
    - Launches sc.exe
    PID:452
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\sc.exe delete "HDZB_DeviceService_For_CCB_2G"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe delete "HDZB_DeviceService_For_CCB_2G"
    3⤵
    - Launches sc.exe
    PID:348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CCBComponents\HDZB\log\20230330.log

Filesize
903B

MD5
1ea79f2010fb522ab53b275ad00bb907

SHA1
a4a773f12a0c95f22807d3788cbc7d86c22c99da

SHA256
ae2547d6742f993e8659b7498553e1b842da5daa0b16b02195438ebc57efa1fb

SHA512
804bee0fcf5064b8f48092b568020e3ab904eeeadcc938d8d8e11c20b7134a74c4d770e73d9c4153179fb0da58b5ed24d8e4b5c2fb226908a1227cec5082cef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi77D5.tmp\KillProcDLL.dll

Filesize
41KB

MD5
ec95edf0ce02afd9511b14ad87bd9844

SHA1
83b99d5652df23f4ed42603604f9f8108eec4072

SHA256
062bb420e8a0b7d8fd34dfc345148c925681ad483d137884f4fdffb1d394ff01

SHA512
dc1e0e6e45342232b513d53cde4fcc8845dd55e216430bca7e76bb7eacbc0a06c90ddf7b4f250afc7fbf750c9ea3241ff0bbd8c36d9521a76348288e96b829b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi77D5.tmp\KillProcDLL.dll

Filesize
41KB

MD5
ec95edf0ce02afd9511b14ad87bd9844

SHA1
83b99d5652df23f4ed42603604f9f8108eec4072

SHA256
062bb420e8a0b7d8fd34dfc345148c925681ad483d137884f4fdffb1d394ff01

SHA512
dc1e0e6e45342232b513d53cde4fcc8845dd55e216430bca7e76bb7eacbc0a06c90ddf7b4f250afc7fbf750c9ea3241ff0bbd8c36d9521a76348288e96b829b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi77D5.tmp\KillProcDLL.dll

Filesize
41KB

MD5
ec95edf0ce02afd9511b14ad87bd9844

SHA1
83b99d5652df23f4ed42603604f9f8108eec4072

SHA256
062bb420e8a0b7d8fd34dfc345148c925681ad483d137884f4fdffb1d394ff01

SHA512
dc1e0e6e45342232b513d53cde4fcc8845dd55e216430bca7e76bb7eacbc0a06c90ddf7b4f250afc7fbf750c9ea3241ff0bbd8c36d9521a76348288e96b829b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi77D5.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi77D5.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi77D5.tmp\nsExec.dll

Filesize
6KB

MD5
08e9796ca20c5fc5076e3ac05fb5709a

SHA1
07971d52dcbaa1054060073571ced046347177f7

SHA256
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af

SHA512
02618317d6ab0302324aae4d3c5fca56b21e68c899e211cfa9412cf73820a1f931e56753c904fd7e510c638b4463aedbfe9536790279e096ea0387b67013e0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi77D5.tmp\nsExec.dll

Filesize
6KB

MD5
08e9796ca20c5fc5076e3ac05fb5709a

SHA1
07971d52dcbaa1054060073571ced046347177f7

SHA256
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af

SHA512
02618317d6ab0302324aae4d3c5fca56b21e68c899e211cfa9412cf73820a1f931e56753c904fd7e510c638b4463aedbfe9536790279e096ea0387b67013e0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi77D5.tmp\nsExec.dll

Filesize
6KB

MD5
08e9796ca20c5fc5076e3ac05fb5709a

SHA1
07971d52dcbaa1054060073571ced046347177f7

SHA256
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af

SHA512
02618317d6ab0302324aae4d3c5fca56b21e68c899e211cfa9412cf73820a1f931e56753c904fd7e510c638b4463aedbfe9536790279e096ea0387b67013e0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi77D5.tmp\nsExec.dll

Filesize
6KB

MD5
08e9796ca20c5fc5076e3ac05fb5709a

SHA1
07971d52dcbaa1054060073571ced046347177f7

SHA256
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af

SHA512
02618317d6ab0302324aae4d3c5fca56b21e68c899e211cfa9412cf73820a1f931e56753c904fd7e510c638b4463aedbfe9536790279e096ea0387b67013e0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi77D5.tmp\nsExec.dll

Filesize
6KB

MD5
08e9796ca20c5fc5076e3ac05fb5709a

SHA1
07971d52dcbaa1054060073571ced046347177f7

SHA256
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af

SHA512
02618317d6ab0302324aae4d3c5fca56b21e68c899e211cfa9412cf73820a1f931e56753c904fd7e510c638b4463aedbfe9536790279e096ea0387b67013e0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi77D5.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi77D5.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi77D5.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
memory/4852-144-0x00000000024A0000-0x00000000024AA000-memory.dmp

Filesize
40KB

Download