Overview

overview

8

Static

static

1

3efd5b2aaf...82.exe

windows7-x64

8

3efd5b2aaf...82.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    31s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    30/03/2023, 10:56 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe

  • Size

    2.5MB

  • MD5

    09aaef8fc9fed4efbaed71c8bbb7d3ee

  • SHA1

    5d2fa14d16fdb807d2af9edf46ea87be4ccaf9ca

  • SHA256

    3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082

  • SHA512

    c5163d5bd7b7dadf199c4320a8c2bd252102bc028146eab45485c0dcbced583828a220346f9726e0a914282bed0e857d1f0fc4d055d33aee317dac8f5d70313e

  • SSDEEP

    49152:JLctt63SykpdtBqrot5FyNK0g7jccGujPeDNmW5i+OP:JLSqS5tBqra2KV7wcGMKNMP

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Creates new service(s) 1 TTPs
    persistence
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Drops file in System32 directory 18 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 56 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe
    "C:\Users\Admin\AppData\Local\Temp\3efd5b2aaf7a127ad06aa4435e6380489ba9b3edb1c768587b6f0b731f23d082.exe"
    1⤵
    • Sets service image path in registry
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:432
      • C:\Windows\SysWOW64\sc.exe
        C:\Windows\system32\sc.exe STOP "HDZB_DeviceService_For_CCB_2G"
        3⤵
        • Launches sc.exe
        PID:976
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C C:\Windows\system32\sc.exe delete "HDZB_DeviceService_For_CCB_2G"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Windows\SysWOW64\sc.exe
        C:\Windows\system32\sc.exe delete "HDZB_DeviceService_For_CCB_2G"
        3⤵
        • Launches sc.exe
        PID:280
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C C:\Windows\system32\sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own type= interact start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\SysWOW64\sc.exe
        C:\Windows\system32\sc.exe create HDZB_DeviceService_For_CCB_2G binPath= "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe" type= own type= interact start= auto DisplayName= "HDZB Comm Service For CCB 2G MASS"
        3⤵
        • Launches sc.exe
        PID:556
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C C:\Windows\system32\sc.exe start "HDZB_DeviceService_For_CCB_2G"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Windows\SysWOW64\sc.exe
        C:\Windows\system32\sc.exe start "HDZB_DeviceService_For_CCB_2G"
        3⤵
        • Launches sc.exe
        PID:1508
  • C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe
    "C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe"
    1⤵
    • Executes dropped EXE
    PID:1748

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe
    Filesize

    258KB

    MD5

    edcfb5991d68d6b5d2a4caeaacbf0915

    SHA1

    21dd3bd5156d3b92e1d427f077b98949626d8898

    SHA256

    02bec26c7b54545002d360a39b9fbe4d88366dd72c6f0a299e0d0a73a7dc4ed5

    SHA512

    56a46ac19c45921fe7209507223f5909afa30e43953ae507df515b078438aa9b6e7f1f792a0dae293d3509238c2c7e96e668b16c3980430e9321e2764d0c644d

    Download Submit

  • C:\Program Files (x86)\CCBComponents\HDZB\log\20230330.log
    Filesize

    3KB

    MD5

    d253c1791e79a54a1b7f52e8e834de37

    SHA1

    0a06591f3f39749dbf47e750fa5e4c9782efb0e6

    SHA256

    b6218403a331ea2034220a99661cd19818ab1f6be59d00be422b7c6eb3884490

    SHA512

    d62303e1c0ed00d3abf65a2a975e7aa878b5a47b9b2f11dddf9e78359749f2f68632766d8ffc487a81b6e540278f2843d079c44c4fcb08e6a00a7f963801ec5f

    Download Submit

  • C:\Program Files (x86)\CCBComponents\HDZB\log\20230330.log
    Filesize

    3KB

    MD5

    d253c1791e79a54a1b7f52e8e834de37

    SHA1

    0a06591f3f39749dbf47e750fa5e4c9782efb0e6

    SHA256

    b6218403a331ea2034220a99661cd19818ab1f6be59d00be422b7c6eb3884490

    SHA512

    d62303e1c0ed00d3abf65a2a975e7aa878b5a47b9b2f11dddf9e78359749f2f68632766d8ffc487a81b6e540278f2843d079c44c4fcb08e6a00a7f963801ec5f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nstFE4E.tmp\KillProcDLL.dll
    Filesize

    48KB

    MD5

    daf77c6e38734936c2f2c08a78f9505d

    SHA1

    3aefb2cf5e66ff1c4e3111a74c11963bcd1a2418

    SHA256

    e19a3ac82e2b18f6dd763ec7875c8eb1e2fb0500ec3a699f46dee4cb21bd4ec4

    SHA512

    6ad8fd922a1ce7b9bd6f0981546b490c2fb12379407a813ba38855e692d8dcdfb964f876b5420dc9694e1a14105d65b2256f880facbfbf739de9f6d74728f41c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nstFE4E.tmp\System.dll
    Filesize

    11KB

    MD5

    959ea64598b9a3e494c00e8fa793be7e

    SHA1

    40f284a3b92c2f04b1038def79579d4b3d066ee0

    SHA256

    03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

    SHA512

    5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nstFE4E.tmp\nsExec.dll
    Filesize

    12KB

    MD5

    8531a2fcc1c2ba1873f1f0de960bac47

    SHA1

    93e7843b46c02d3852ed1dac2b56a9bc9dc83553

    SHA256

    f2df6aed3a5a4291e92268ec7c0edaa549d885690b945f8bb208a9ea228b66c0

    SHA512

    597cbe8d30d2e6d98b0fd1a128386b9377141fb0860d5493a46d2b4ed2898f81632a3321e106f565f52b9260b1f1574107fa55b280c56a63da8a0cb05ef00c2f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nstFE4E.tmp\nsProcess.dll
    Filesize

    11KB

    MD5

    0535e5fb0b9a06e37a12d9205b15603b

    SHA1

    af2806329a2a024a54460c80e842f90cb9b51818

    SHA256

    1386cb9371adf1f8b1454efd2a1e6ab10751a367bf3199d4b5509070136b8834

    SHA512

    bbdcbd41e3484f81adea848fa243e24d17df873dcde4becba439da96d62c28a0b32f105d233e301dc916e045b10a4f2712bc11f82b2b9d2866747a0a8f7b9856

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nstFE4E.tmp\KillProcDLL.dll
    Filesize

    48KB

    MD5

    daf77c6e38734936c2f2c08a78f9505d

    SHA1

    3aefb2cf5e66ff1c4e3111a74c11963bcd1a2418

    SHA256

    e19a3ac82e2b18f6dd763ec7875c8eb1e2fb0500ec3a699f46dee4cb21bd4ec4

    SHA512

    6ad8fd922a1ce7b9bd6f0981546b490c2fb12379407a813ba38855e692d8dcdfb964f876b5420dc9694e1a14105d65b2256f880facbfbf739de9f6d74728f41c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nstFE4E.tmp\System.dll
    Filesize

    11KB

    MD5

    959ea64598b9a3e494c00e8fa793be7e

    SHA1

    40f284a3b92c2f04b1038def79579d4b3d066ee0

    SHA256

    03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

    SHA512

    5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nstFE4E.tmp\nsExec.dll
    Filesize

    12KB

    MD5

    8531a2fcc1c2ba1873f1f0de960bac47

    SHA1

    93e7843b46c02d3852ed1dac2b56a9bc9dc83553

    SHA256

    f2df6aed3a5a4291e92268ec7c0edaa549d885690b945f8bb208a9ea228b66c0

    SHA512

    597cbe8d30d2e6d98b0fd1a128386b9377141fb0860d5493a46d2b4ed2898f81632a3321e106f565f52b9260b1f1574107fa55b280c56a63da8a0cb05ef00c2f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nstFE4E.tmp\nsExec.dll
    Filesize

    12KB

    MD5

    8531a2fcc1c2ba1873f1f0de960bac47

    SHA1

    93e7843b46c02d3852ed1dac2b56a9bc9dc83553

    SHA256

    f2df6aed3a5a4291e92268ec7c0edaa549d885690b945f8bb208a9ea228b66c0

    SHA512

    597cbe8d30d2e6d98b0fd1a128386b9377141fb0860d5493a46d2b4ed2898f81632a3321e106f565f52b9260b1f1574107fa55b280c56a63da8a0cb05ef00c2f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nstFE4E.tmp\nsExec.dll
    Filesize

    12KB

    MD5

    8531a2fcc1c2ba1873f1f0de960bac47

    SHA1

    93e7843b46c02d3852ed1dac2b56a9bc9dc83553

    SHA256

    f2df6aed3a5a4291e92268ec7c0edaa549d885690b945f8bb208a9ea228b66c0

    SHA512

    597cbe8d30d2e6d98b0fd1a128386b9377141fb0860d5493a46d2b4ed2898f81632a3321e106f565f52b9260b1f1574107fa55b280c56a63da8a0cb05ef00c2f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nstFE4E.tmp\nsExec.dll
    Filesize

    12KB

    MD5

    8531a2fcc1c2ba1873f1f0de960bac47

    SHA1

    93e7843b46c02d3852ed1dac2b56a9bc9dc83553

    SHA256

    f2df6aed3a5a4291e92268ec7c0edaa549d885690b945f8bb208a9ea228b66c0

    SHA512

    597cbe8d30d2e6d98b0fd1a128386b9377141fb0860d5493a46d2b4ed2898f81632a3321e106f565f52b9260b1f1574107fa55b280c56a63da8a0cb05ef00c2f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nstFE4E.tmp\nsProcess.dll
    Filesize

    11KB

    MD5

    0535e5fb0b9a06e37a12d9205b15603b

    SHA1

    af2806329a2a024a54460c80e842f90cb9b51818

    SHA256

    1386cb9371adf1f8b1454efd2a1e6ab10751a367bf3199d4b5509070136b8834

    SHA512

    bbdcbd41e3484f81adea848fa243e24d17df873dcde4becba439da96d62c28a0b32f105d233e301dc916e045b10a4f2712bc11f82b2b9d2866747a0a8f7b9856

    Download Submit

  • \Windows\SysWOW64\CCBHDSNCtrl.dll
    Filesize

    182KB

    MD5

    5d3719734f3d9c2e4ad47482e5051893

    SHA1

    e515fe68efa9afe6be8b694305556dacca1bcd30

    SHA256

    39c29baaba12a3a018a8ff2fcd91de322ba51ab5536ba852d214af5e2c678e2c

    SHA512

    6299458e041de4bc6eaca35ed7950d6cacae64ee6bd3a0cfe3f7e040677e12e43337ff1c5eb889f0f2ab29b52c09db718357b14fe8e3a5cbfb96e97d63fabcdb

    Download Submit

  • \Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_TokenV2.dll
    Filesize

    574KB

    MD5

    964fa6b0d17fb2511ad77f6ef6d099e8

    SHA1

    babd54bbbd634c903604c5585a4bee98849955e6

    SHA256

    bd06b09a1fba74213699e2fb4a669886d8c560f8708a4df29fbebe1be6d47bac

    SHA512

    e31298167233001c3fcbbbffd9a976006604372b828e805838bd6d57b49f876fc60abf57cbe09d0fab57b0e07cea187cb918abf4d05449190e584a687a65ecce

    Download Submit

  • memory/1408-146-0x00000000003D0000-0x00000000003FF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1408-64-0x00000000002F0000-0x00000000002FA000-memory.dmp

    Filesize

    40KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.