3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d

Analysis

max time kernel
109s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30-03-2023 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe
Size

1.0MB
MD5

bdf9ce98f93ab89108e81c4ed95cbe10
SHA1

916029393630be5642e8d28735eef66ab9a98184
SHA256

3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d
SHA512

9751ed0b15a99a6cd25007db86e74ac8076ed3467c6fa8cbc1a2486e2c70c718af8f6ce0bc24b9abff8cd421001bfd38c6ba51b15848d73644b591a23a4e8398
SSDEEP

24576:l0a5zWc7x4TyjheHod9XxeDNmRJLduNtjKaDaxSEFJ0:lucGujPeDN4pu/2XxSEFy

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
4280	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe
4280	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe
4280	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe
4280	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe
4280	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe
4280	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe
4280	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CCB_HDZB_2G_P11.dll	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe
File created	C:\Windows\system32\CCB_HDZB_2G_P11.dll	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\CCBComponents\Plugins\CARoot\Cert_HDZB_2G_Firefox.exe	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe
File opened for modification	C:\Program Files (x86)\CCBComponents\HDZB\log\20230330.log	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe
File created	C:\Program Files (x86)\CCBComponents\Plugins\npHDZB2gCertCtrl.dll	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe
File created	C:\Program Files (x86)\CCBComponents\Plugins\npHDZB2gSNCtrl.dll	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4280	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe
4280	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe
4280	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe
4280	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 4956	4280	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe	85
PID 4280 wrote to memory of 4956	4280	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe	85
PID 4280 wrote to memory of 4956	4280	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe	85
PID 4956 wrote to memory of 392	4956	cmd.exe	87
PID 4956 wrote to memory of 392	4956	cmd.exe	87
PID 4956 wrote to memory of 392	4956	cmd.exe	87
PID 392 wrote to memory of 4240	392	net.exe	88
PID 392 wrote to memory of 4240	392	net.exe	88
PID 392 wrote to memory of 4240	392	net.exe	88
PID 4280 wrote to memory of 212	4280	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe	89
PID 4280 wrote to memory of 212	4280	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe	89
PID 4280 wrote to memory of 212	4280	3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe	89

C:\Users\Admin\AppData\Local\Temp\3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe
"C:\Users\Admin\AppData\Local\Temp\3230f4c7ebc1bd924e850aa022e4a356afed8a315311b0f6db0e8d51fa82ff9d.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\net.exe STOP "HDZB_DeviceService_For_CCB_2G"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\net.exe
    C:\Windows\system32\net.exe STOP "HDZB_DeviceService_For_CCB_2G"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP "HDZB_DeviceService_For_CCB_2G"
      4⤵
      PID:4240
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" /uninstall
  2⤵
  PID:212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CCBComponents\HDZB\log\20230330.log

Filesize
387B

MD5
5d50075d69fdbb9545b29af05459fde6

SHA1
8baa7df409e401bbbdad4067211f7ab06e3638a0

SHA256
ab30dc267de5b27b2d1e9ebbbebe39bac754e960bd08989792b08737507d0598

SHA512
d20261dccb351cbbb470b42f178840bd1e88fd96143760db9678c6bb28991cee2aa16ad1f0285bfd277ecdae8de922517c709ce4f62f2763973597c9a2fd2156

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss833F.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss833F.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss833F.tmp\nsExec.dll

Filesize
6KB

MD5
08e9796ca20c5fc5076e3ac05fb5709a

SHA1
07971d52dcbaa1054060073571ced046347177f7

SHA256
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af

SHA512
02618317d6ab0302324aae4d3c5fca56b21e68c899e211cfa9412cf73820a1f931e56753c904fd7e510c638b4463aedbfe9536790279e096ea0387b67013e0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss833F.tmp\nsExec.dll

Filesize
6KB

MD5
08e9796ca20c5fc5076e3ac05fb5709a

SHA1
07971d52dcbaa1054060073571ced046347177f7

SHA256
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af

SHA512
02618317d6ab0302324aae4d3c5fca56b21e68c899e211cfa9412cf73820a1f931e56753c904fd7e510c638b4463aedbfe9536790279e096ea0387b67013e0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss833F.tmp\nsExec.dll

Filesize
6KB

MD5
08e9796ca20c5fc5076e3ac05fb5709a

SHA1
07971d52dcbaa1054060073571ced046347177f7

SHA256
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af

SHA512
02618317d6ab0302324aae4d3c5fca56b21e68c899e211cfa9412cf73820a1f931e56753c904fd7e510c638b4463aedbfe9536790279e096ea0387b67013e0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss833F.tmp\nsExec.dll

Filesize
6KB

MD5
08e9796ca20c5fc5076e3ac05fb5709a

SHA1
07971d52dcbaa1054060073571ced046347177f7

SHA256
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af

SHA512
02618317d6ab0302324aae4d3c5fca56b21e68c899e211cfa9412cf73820a1f931e56753c904fd7e510c638b4463aedbfe9536790279e096ea0387b67013e0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss833F.tmp\nsExec.dll

Filesize
6KB

MD5
08e9796ca20c5fc5076e3ac05fb5709a

SHA1
07971d52dcbaa1054060073571ced046347177f7

SHA256
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af

SHA512
02618317d6ab0302324aae4d3c5fca56b21e68c899e211cfa9412cf73820a1f931e56753c904fd7e510c638b4463aedbfe9536790279e096ea0387b67013e0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss833F.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss833F.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss833F.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit