3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30/03/2023, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Size

2.5MB
MD5

09aaef8fc9fed4efbaed71c8bbb7d3ee
SHA1

5d2fa14d16fdb807d2af9edf46ea87be4ccaf9ca
SHA256

3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082
SHA512

c5163d5bd7b7dadf199c4320a8c2bd252102bc028146eab45485c0dcbced583828a220346f9726e0a914282bed0e857d1f0fc4d055d33aee317dac8f5d70313e
SSDEEP

49152:JLctt63SykpdtBqrot5FyNK0g7jccGujPeDNmW5i+OP:JLSqS5tBqra2KV7wcGMKNMP

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\HDZB_DeviceService_For_CCB_2G\ImagePath = "\"C:\\Program Files (x86)\\CCBComponents\\HDZB\\CCB_HDZB_2G_DeviceService.exe\""	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
1748	CCB_HDZB_2G_DeviceService.exe

Loads dropped DLL 9 IoCs

pid	Process
1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_DetectCertGM.dll	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\DisplayKeyA18.gif	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_CCB_GM_SSL.dll	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_TokenV2.dll	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_LibUI.dll	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.mac	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.ini	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\DisplayK33.gif	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\DisplayK54K100.gif	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_DetectCert2G.dll	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\DisplayK43.gif	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Windows\SysWOW64\CCB_HD_TokenV2.dll	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Windows\SysWOW64\CCBHDSNCtrl.dll	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Windows\system32\CCB_HDZB_2G_P11.dll	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.dll	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HDZB_CSP.dll	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\DisplayK151.gif	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_2G_P11.dll	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\CCBComponents\HDZB\DisplayK43.gif	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\DisplayK54K100.gif	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Program Files (x86)\CCBComponents\Plugins\npHDZB2gCertCtrl.dll	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Program Files (x86)\CCBComponents\Plugins\npHDZB2gSNCtrl.dll	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\DisplayK151.gif	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\CCIDDriverInstall64.exe	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\usbccid.cat	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\usbccid.inf	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File opened for modification	C:\Program Files (x86)\CCBComponents\HDZB\log\20230330.log	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\DisplayK33.gif	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\FileOccupiedProcess.exe	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Program Files (x86)\CCBComponents\Plugins\CARoot\Cert_HDZB_2G_Firefox.exe	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\DisplayKeyA18.gif	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\ChineseSimple.dll	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\ChineseTraditional.dll	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\English.dll	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\usbccid.sys	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
976	sc.exe
280	sc.exe
556	sc.exe
1508	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 56 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus\ = "0"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\TypeLib	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib\Version = "1.0"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ProxyStubClsid32	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib\ = "{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl.1\CLSID	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\ = "SNCtrl Class"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Control	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Version\ = "1.0"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ = "SNCtrl Class"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ProxyStubClsid32	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ = "C:\\Windows\\SysWow64\\CCBHDSNCtrl.dll"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ThreadingModel = "Apartment"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\CLSID	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ProgID\ = "GDCCBCtrl.SNCtrl.1"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\CurVer	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib\ = "{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl.1	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\HELPDIR	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\CurVer\ = "GDCCBCtrl.SNCtrl.1"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\ = "GDCCBCtrl 1.0 Type Library"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\0\win32	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Programmable	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\CLSID\ = "{391E41FF-1CE1-493F-9B34-8BC53FB7914C}"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\HELPDIR\ = "C:\\Windows\\system32"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\FLAGS	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\CCBHDSNCtrl.dll"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ = "ISNCtrl"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl.1\CLSID\ = "{391E41FF-1CE1-493F-9B34-8BC53FB7914C}"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\TypeLib\ = "{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib\Version = "1.0"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\CCBHDSNCtrl.dll, 101"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus\1	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Version	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\FLAGS\ = "0"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\0	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ = "ISNCtrl"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ProgID	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ToolboxBitmap32	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl.1\ = "SNCtrl Class"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus\1\ = "131473"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\VersionIndependentProgID\ = "GDCCBCtrl.SNCtrl"	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Insertable	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\VersionIndependentProgID	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 432	1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe	28
PID 1408 wrote to memory of 432	1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe	28
PID 1408 wrote to memory of 432	1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe	28
PID 1408 wrote to memory of 432	1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe	28
PID 432 wrote to memory of 976	432	cmd.exe	30
PID 432 wrote to memory of 976	432	cmd.exe	30
PID 432 wrote to memory of 976	432	cmd.exe	30
PID 432 wrote to memory of 976	432	cmd.exe	30
PID 1408 wrote to memory of 1764	1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe	31
PID 1408 wrote to memory of 1764	1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe	31
PID 1408 wrote to memory of 1764	1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe	31
PID 1408 wrote to memory of 1764	1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe	31
PID 1764 wrote to memory of 280	1764	cmd.exe	33
PID 1764 wrote to memory of 280	1764	cmd.exe	33
PID 1764 wrote to memory of 280	1764	cmd.exe	33
PID 1764 wrote to memory of 280	1764	cmd.exe	33
PID 1408 wrote to memory of 1756	1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe	34
PID 1408 wrote to memory of 1756	1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe	34
PID 1408 wrote to memory of 1756	1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe	34
PID 1408 wrote to memory of 1756	1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe	34
PID 1756 wrote to memory of 556	1756	cmd.exe	36
PID 1756 wrote to memory of 556	1756	cmd.exe	36
PID 1756 wrote to memory of 556	1756	cmd.exe	36
PID 1756 wrote to memory of 556	1756	cmd.exe	36
PID 1408 wrote to memory of 1320	1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe	37
PID 1408 wrote to memory of 1320	1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe	37
PID 1408 wrote to memory of 1320	1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe	37
PID 1408 wrote to memory of 1320	1408	3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe	37
PID 1320 wrote to memory of 1508	1320	cmd.exe	39
PID 1320 wrote to memory of 1508	1320	cmd.exe	39
PID 1320 wrote to memory of 1508	1320	cmd.exe	39
PID 1320 wrote to memory of 1508	1320	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
"C:\Users\Admin\AppData\Local\Temp\3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe"
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"
    3⤵
    - Launches sc.exe
    PID:976
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\sc.exe delete "HDZB_DeviceService_For_CCB_2G"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe delete "HDZB_DeviceService_For_CCB_2G"
    3⤵
    - Launches sc.exe
    PID:280
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own type= interact start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own type= interact start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"
    3⤵
    - Launches sc.exe
    PID:556
- C:\Windows\SysWOW64\cmd.exe
  cmd /C C:\Windows\system32\sc.exe start "HDZB_DeviceService_For_CCB_2G"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\SysWOW64\sc.exe
    C:\Windows\system32\sc.exe start "HDZB_DeviceService_For_CCB_2G"
    3⤵
    - Launches sc.exe
    PID:1508

C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe
"C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe"
1⤵
- Executes dropped EXE
PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe

Filesize
258KB

MD5
edcfb5991d68d6b5d2a4caeaacbf0915

SHA1
21dd3bd5156d3b92e1d427f077b98949626d8898

SHA256
02bec26c7b54545002d360a39b9fbe4d88366dd72c6f0a299e0d0a73a7dc4ed5

SHA512
56a46ac19c45921fe7209507223f5909afa30e43953ae507df515b078438aa9b6e7f1f792a0dae293d3509238c2c7e96e668b16c3980430e9321e2764d0c644d

Download Submit
C:\Program Files (x86)\CCBComponents\HDZB\log\20230330.log

Filesize
3KB

MD5
d253c1791e79a54a1b7f52e8e834de37

SHA1
0a06591f3f39749dbf47e750fa5e4c9782efb0e6

SHA256
b6218403a331ea2034220a99661cd19818ab1f6be59d00be422b7c6eb3884490

SHA512
d62303e1c0ed00d3abf65a2a975e7aa878b5a47b9b2f11dddf9e78359749f2f68632766d8ffc487a81b6e540278f2843d079c44c4fcb08e6a00a7f963801ec5f

Download Submit
C:\Program Files (x86)\CCBComponents\HDZB\log\20230330.log

Filesize
3KB

MD5
d253c1791e79a54a1b7f52e8e834de37

SHA1
0a06591f3f39749dbf47e750fa5e4c9782efb0e6

SHA256
b6218403a331ea2034220a99661cd19818ab1f6be59d00be422b7c6eb3884490

SHA512
d62303e1c0ed00d3abf65a2a975e7aa878b5a47b9b2f11dddf9e78359749f2f68632766d8ffc487a81b6e540278f2843d079c44c4fcb08e6a00a7f963801ec5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstFE4E.tmp\KillProcDLL.dll

Filesize
48KB

MD5
daf77c6e38734936c2f2c08a78f9505d

SHA1
3aefb2cf5e66ff1c4e3111a74c11963bcd1a2418

SHA256
e19a3ac82e2b18f6dd763ec7875c8eb1e2fb0500ec3a699f46dee4cb21bd4ec4

SHA512
6ad8fd922a1ce7b9bd6f0981546b490c2fb12379407a813ba38855e692d8dcdfb964f876b5420dc9694e1a14105d65b2256f880facbfbf739de9f6d74728f41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstFE4E.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstFE4E.tmp\nsExec.dll

Filesize
12KB

MD5
8531a2fcc1c2ba1873f1f0de960bac47

SHA1
93e7843b46c02d3852ed1dac2b56a9bc9dc83553

SHA256
f2df6aed3a5a4291e92268ec7c0edaa549d885690b945f8bb208a9ea228b66c0

SHA512
597cbe8d30d2e6d98b0fd1a128386b9377141fb0860d5493a46d2b4ed2898f81632a3321e106f565f52b9260b1f1574107fa55b280c56a63da8a0cb05ef00c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstFE4E.tmp\nsProcess.dll

Filesize
11KB

MD5
0535e5fb0b9a06e37a12d9205b15603b

SHA1
af2806329a2a024a54460c80e842f90cb9b51818

SHA256
1386cb9371adf1f8b1454efd2a1e6ab10751a367bf3199d4b5509070136b8834

SHA512
bbdcbd41e3484f81adea848fa243e24d17df873dcde4becba439da96d62c28a0b32f105d233e301dc916e045b10a4f2712bc11f82b2b9d2866747a0a8f7b9856

Download Submit
\Users\Admin\AppData\Local\Temp\nstFE4E.tmp\KillProcDLL.dll

Filesize
48KB

MD5
daf77c6e38734936c2f2c08a78f9505d

SHA1
3aefb2cf5e66ff1c4e3111a74c11963bcd1a2418

SHA256
e19a3ac82e2b18f6dd763ec7875c8eb1e2fb0500ec3a699f46dee4cb21bd4ec4

SHA512
6ad8fd922a1ce7b9bd6f0981546b490c2fb12379407a813ba38855e692d8dcdfb964f876b5420dc9694e1a14105d65b2256f880facbfbf739de9f6d74728f41c

Download Submit
\Users\Admin\AppData\Local\Temp\nstFE4E.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
\Users\Admin\AppData\Local\Temp\nstFE4E.tmp\nsExec.dll

Filesize
12KB

MD5
8531a2fcc1c2ba1873f1f0de960bac47

SHA1
93e7843b46c02d3852ed1dac2b56a9bc9dc83553

SHA256
f2df6aed3a5a4291e92268ec7c0edaa549d885690b945f8bb208a9ea228b66c0

SHA512
597cbe8d30d2e6d98b0fd1a128386b9377141fb0860d5493a46d2b4ed2898f81632a3321e106f565f52b9260b1f1574107fa55b280c56a63da8a0cb05ef00c2f

Download Submit
\Users\Admin\AppData\Local\Temp\nstFE4E.tmp\nsExec.dll

Filesize
12KB

MD5
8531a2fcc1c2ba1873f1f0de960bac47

SHA1
93e7843b46c02d3852ed1dac2b56a9bc9dc83553

SHA256
f2df6aed3a5a4291e92268ec7c0edaa549d885690b945f8bb208a9ea228b66c0

SHA512
597cbe8d30d2e6d98b0fd1a128386b9377141fb0860d5493a46d2b4ed2898f81632a3321e106f565f52b9260b1f1574107fa55b280c56a63da8a0cb05ef00c2f

Download Submit
\Users\Admin\AppData\Local\Temp\nstFE4E.tmp\nsExec.dll

Filesize
12KB

MD5
8531a2fcc1c2ba1873f1f0de960bac47

SHA1
93e7843b46c02d3852ed1dac2b56a9bc9dc83553

SHA256
f2df6aed3a5a4291e92268ec7c0edaa549d885690b945f8bb208a9ea228b66c0

SHA512
597cbe8d30d2e6d98b0fd1a128386b9377141fb0860d5493a46d2b4ed2898f81632a3321e106f565f52b9260b1f1574107fa55b280c56a63da8a0cb05ef00c2f

Download Submit
\Users\Admin\AppData\Local\Temp\nstFE4E.tmp\nsExec.dll

Filesize
12KB

MD5
8531a2fcc1c2ba1873f1f0de960bac47

SHA1
93e7843b46c02d3852ed1dac2b56a9bc9dc83553

SHA256
f2df6aed3a5a4291e92268ec7c0edaa549d885690b945f8bb208a9ea228b66c0

SHA512
597cbe8d30d2e6d98b0fd1a128386b9377141fb0860d5493a46d2b4ed2898f81632a3321e106f565f52b9260b1f1574107fa55b280c56a63da8a0cb05ef00c2f

Download Submit
\Users\Admin\AppData\Local\Temp\nstFE4E.tmp\nsProcess.dll

Filesize
11KB

MD5
0535e5fb0b9a06e37a12d9205b15603b

SHA1
af2806329a2a024a54460c80e842f90cb9b51818

SHA256
1386cb9371adf1f8b1454efd2a1e6ab10751a367bf3199d4b5509070136b8834

SHA512
bbdcbd41e3484f81adea848fa243e24d17df873dcde4becba439da96d62c28a0b32f105d233e301dc916e045b10a4f2712bc11f82b2b9d2866747a0a8f7b9856

Download Submit
\Windows\SysWOW64\CCBHDSNCtrl.dll

Filesize
182KB

MD5
5d3719734f3d9c2e4ad47482e5051893

SHA1
e515fe68efa9afe6be8b694305556dacca1bcd30

SHA256
39c29baaba12a3a018a8ff2fcd91de322ba51ab5536ba852d214af5e2c678e2c

SHA512
6299458e041de4bc6eaca35ed7950d6cacae64ee6bd3a0cfe3f7e040677e12e43337ff1c5eb889f0f2ab29b52c09db718357b14fe8e3a5cbfb96e97d63fabcdb

Download Submit
\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_TokenV2.dll

Filesize
574KB

MD5
964fa6b0d17fb2511ad77f6ef6d099e8

SHA1
babd54bbbd634c903604c5585a4bee98849955e6

SHA256
bd06b09a1fba74213699e2fb4a669886d8c560f8708a4df29fbebe1be6d47bac

SHA512
e31298167233001c3fcbbbffd9a976006604372b828e805838bd6d57b49f876fc60abf57cbe09d0fab57b0e07cea187cb918abf4d05449190e584a687a65ecce

Download Submit
memory/1408-146-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/1408-64-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download