2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03/04/2023, 10:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Size

2.1MB
MD5

bf45579bca065d3d4b9782ec9361805d
SHA1

8320a9238fd73ac41424637f4b16052a1867f047
SHA256

2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae
SHA512

b947fb3ad4bca916c4ab268c6d8a4c1cdc470c3415f3b8984b169f7bdd71641b7f54ab6240539bfdadb0ec1765334f927062c028300d3f22292199029ac8f521
SSDEEP

49152:HqRBZpvfSoxIdiJwc+Gm+lLG5vhJdpJ8UNpWIVSQENBTyxdKBOog:HIPEZUwIGvJdZF0QEmSBxg

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 11 IoCs

pid	Process
1384	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
1384	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
1384	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
1384	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
1384	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
1384	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
1384	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
1384	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
1384	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
1384	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
1384	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\DisplayK151.gif	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_LibUI.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.mac	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\SysWOW64\CCB_HD_TokenV2.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HDZB_CSP.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\DisplayK33.gif	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HD_TokenV2.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\DisplayKeyA18.gif	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_DetectCertGM.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HD_DetectCertGM.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.ini	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\DisplayK54K100.gif	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\DisplayK151.gif	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.mac	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\DisplayK33.gif	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HDZB_CSP.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_CCB_GM_SSL.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\SysWOW64\CCBHDSNCtrl.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_DetectCert2G.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HD_CCB_GM_SSL.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\DisplayK43.gif	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_TokenV2.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\system32\CCBHDSNCtrl.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\system32\CCB_HDZB_CCID_USBKey2G\HD_LibUI.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\system32\CCB_HD_TokenV2.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HDZB_CSP_Imp.ini	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\DisplayK43.gif	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\DisplayK54K100.gif	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\DisplayKeyA18.gif	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\CCBComponents\HDZB\cert\ccbcert.cer	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\cert\ca_sm2_root.cer	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\x64\ChineseSimple.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\x64\ChineseTraditional.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\ChineseSimple.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\ChineseTraditional.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\x64\English.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\uninst_2g.exe	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\cert\rsa2048ca.cer	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File opened for modification	C:\Program Files (x86)\CCBComponents\HDZB\log\20230403.log	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\DisplayK33.gif	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\DisplayK43.gif	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\DisplayK151.gif	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\lang\English.dll	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\DisplayK54K100.gif	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\DisplayKeyA18.gif	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\CCB_HDZB_2G_DeviceService.exe	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
File created	C:\Program Files (x86)\CCBComponents\HDZB\cert\ca_sm2_child.cer	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\CLSID\ = "{391E41FF-1CE1-493F-9B34-8BC53FB7914C}"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\VersionIndependentProgID\ = "GDCCBCtrl.SNCtrl"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ = "C:\\Windows\\SysWow64\\CCBHDSNCtrl.dll"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Control	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Version\ = "1.0"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus\1	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus\1	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\FLAGS	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ = "ISNCtrl"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib\Version = "1.0"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib\Version = "1.0"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Version	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl.1\CLSID	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ = "SNCtrl Class"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Insertable	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\TypeLib	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32\ThreadingModel = "Apartment"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\TypeLib\ = "{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Version	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\CCBHDSNCtrl.dll"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl.1\ = "SNCtrl Class"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ToolboxBitmap32	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\CCBHDSNCtrl.dll, 101"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib\ = "{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\InprocServer32	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\ = "SNCtrl Class"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus\ = "0"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\FLAGS\ = "0"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ProgID	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\VersionIndependentProgID	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\0	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ = "ISNCtrl"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ToolboxBitmap32	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl.1	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\CurVer\ = "GDCCBCtrl.SNCtrl.1"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\0\win32	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Programmable	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl\CLSID	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\TypeLib	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ProgID	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\VersionIndependentProgID	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\MiscStatus\1\ = "131473"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\ = "GDCCBCtrl 1.0 Type Library"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\CCBHDSNCtrl.dll"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2C5FBF90-96CD-4AF6-AC97-452E0E493C2B}\1.0\HELPDIR\ = "C:\\Windows\\system32"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\TypeLib	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GDCCBCtrl.SNCtrl.1\CLSID\ = "{391E41FF-1CE1-493F-9B34-8BC53FB7914C}"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\ProgID\ = "GDCCBCtrl.SNCtrl.1"	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Insertable	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ProxyStubClsid32	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3553CC5B-F8B3-46C1-937A-BD87ACF36A86}\ProxyStubClsid32	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{391E41FF-1CE1-493F-9B34-8BC53FB7914C}\Programmable	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1384	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
1384	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
1384	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
1384	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
1384	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
1384	2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe

C:\Users\Admin\AppData\Local\Temp\2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe
"C:\Users\Admin\AppData\Local\Temp\2ab3d01176963e430bb489fd16653cfdee698b3cbd30bce52e748fd44c2c45ae.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CCBComponents\HDZB\log\20230403.log

Filesize
4KB

MD5
072cd39b2bea234b2d7040abe9c7fe99

SHA1
ffc04213c886e5f1eea98179caaaabd00f7d4b37

SHA256
81bf480ecc9e680059a8b32a7a06aa34f88fc2c2e6c255191311fca3a0879dc3

SHA512
63ae3b28e878db2fb041bb0ecd73c0d2193c01d9e4ed99b704d6cb39228f6c8a00d56b07c90bd9cbd2205701266cf8de5cbb224b0cb2f3a6e90d43af09dce29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst9E3.tmp\SimpleSC.dll

Filesize
1.1MB

MD5
4de0a00dcda7dc4e5a5fa7c868fe3ecb

SHA1
fc5f1cf5a2d35ec23165509ae266f2c3109bc756

SHA256
2747632176b56645300c508066d52ccadd9fd46bb6e0bb06ec8db0c02d2789a7

SHA512
13b94f9db479332fc6828d5f6da8efa38406eb1c685e0e63fe2c9118c342cd0b83e94d21134675bfef4c0a559fce4eb1202e625128323ba7f8f8b48fd93b70d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst9E3.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst9E3.tmp\hzSrv.dll

Filesize
78KB

MD5
bdc56cb6d1b523ffa23d5ed85c91f66e

SHA1
895781b220dc6c30c39820d1b76a8b9c4b8d9134

SHA256
7b8133235c552cf051abe03f7a882c8335fbaf4b644cb9fdc8443bbcfc6bdc7e

SHA512
747983d2f9960dd28e1878e3eb613f18a42f0bd595087df591f15ed796e730c4affacbf60384e5908e1b877e2668d206bc61b5d4b097dd70035f767d2b405399

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst9E3.tmp\nsProcess.dll

Filesize
11KB

MD5
0535e5fb0b9a06e37a12d9205b15603b

SHA1
af2806329a2a024a54460c80e842f90cb9b51818

SHA256
1386cb9371adf1f8b1454efd2a1e6ab10751a367bf3199d4b5509070136b8834

SHA512
bbdcbd41e3484f81adea848fa243e24d17df873dcde4becba439da96d62c28a0b32f105d233e301dc916e045b10a4f2712bc11f82b2b9d2866747a0a8f7b9856

Download Submit
C:\Windows\SysWOW64\CCBHDSNCtrl.dll

Filesize
182KB

MD5
5d3719734f3d9c2e4ad47482e5051893

SHA1
e515fe68efa9afe6be8b694305556dacca1bcd30

SHA256
39c29baaba12a3a018a8ff2fcd91de322ba51ab5536ba852d214af5e2c678e2c

SHA512
6299458e041de4bc6eaca35ed7950d6cacae64ee6bd3a0cfe3f7e040677e12e43337ff1c5eb889f0f2ab29b52c09db718357b14fe8e3a5cbfb96e97d63fabcdb

Download Submit
\Users\Admin\AppData\Local\Temp\nst9E3.tmp\SimpleSC.dll

Filesize
1.1MB

MD5
4de0a00dcda7dc4e5a5fa7c868fe3ecb

SHA1
fc5f1cf5a2d35ec23165509ae266f2c3109bc756

SHA256
2747632176b56645300c508066d52ccadd9fd46bb6e0bb06ec8db0c02d2789a7

SHA512
13b94f9db479332fc6828d5f6da8efa38406eb1c685e0e63fe2c9118c342cd0b83e94d21134675bfef4c0a559fce4eb1202e625128323ba7f8f8b48fd93b70d9

Download Submit
\Users\Admin\AppData\Local\Temp\nst9E3.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
\Users\Admin\AppData\Local\Temp\nst9E3.tmp\hzSrv.dll

Filesize
78KB

MD5
bdc56cb6d1b523ffa23d5ed85c91f66e

SHA1
895781b220dc6c30c39820d1b76a8b9c4b8d9134

SHA256
7b8133235c552cf051abe03f7a882c8335fbaf4b644cb9fdc8443bbcfc6bdc7e

SHA512
747983d2f9960dd28e1878e3eb613f18a42f0bd595087df591f15ed796e730c4affacbf60384e5908e1b877e2668d206bc61b5d4b097dd70035f767d2b405399

Download Submit
\Users\Admin\AppData\Local\Temp\nst9E3.tmp\hzSrv.dll

Filesize
78KB

MD5
bdc56cb6d1b523ffa23d5ed85c91f66e

SHA1
895781b220dc6c30c39820d1b76a8b9c4b8d9134

SHA256
7b8133235c552cf051abe03f7a882c8335fbaf4b644cb9fdc8443bbcfc6bdc7e

SHA512
747983d2f9960dd28e1878e3eb613f18a42f0bd595087df591f15ed796e730c4affacbf60384e5908e1b877e2668d206bc61b5d4b097dd70035f767d2b405399

Download Submit
\Users\Admin\AppData\Local\Temp\nst9E3.tmp\hzSrv.dll

Filesize
78KB

MD5
bdc56cb6d1b523ffa23d5ed85c91f66e

SHA1
895781b220dc6c30c39820d1b76a8b9c4b8d9134

SHA256
7b8133235c552cf051abe03f7a882c8335fbaf4b644cb9fdc8443bbcfc6bdc7e

SHA512
747983d2f9960dd28e1878e3eb613f18a42f0bd595087df591f15ed796e730c4affacbf60384e5908e1b877e2668d206bc61b5d4b097dd70035f767d2b405399

Download Submit
\Users\Admin\AppData\Local\Temp\nst9E3.tmp\hzSrv.dll

Filesize
78KB

MD5
bdc56cb6d1b523ffa23d5ed85c91f66e

SHA1
895781b220dc6c30c39820d1b76a8b9c4b8d9134

SHA256
7b8133235c552cf051abe03f7a882c8335fbaf4b644cb9fdc8443bbcfc6bdc7e

SHA512
747983d2f9960dd28e1878e3eb613f18a42f0bd595087df591f15ed796e730c4affacbf60384e5908e1b877e2668d206bc61b5d4b097dd70035f767d2b405399

Download Submit
\Users\Admin\AppData\Local\Temp\nst9E3.tmp\nsProcess.dll

Filesize
11KB

MD5
0535e5fb0b9a06e37a12d9205b15603b

SHA1
af2806329a2a024a54460c80e842f90cb9b51818

SHA256
1386cb9371adf1f8b1454efd2a1e6ab10751a367bf3199d4b5509070136b8834

SHA512
bbdcbd41e3484f81adea848fa243e24d17df873dcde4becba439da96d62c28a0b32f105d233e301dc916e045b10a4f2712bc11f82b2b9d2866747a0a8f7b9856

Download Submit
\Users\Admin\AppData\Local\Temp\nst9E3.tmp\nsProcess.dll

Filesize
11KB

MD5
0535e5fb0b9a06e37a12d9205b15603b

SHA1
af2806329a2a024a54460c80e842f90cb9b51818

SHA256
1386cb9371adf1f8b1454efd2a1e6ab10751a367bf3199d4b5509070136b8834

SHA512
bbdcbd41e3484f81adea848fa243e24d17df873dcde4becba439da96d62c28a0b32f105d233e301dc916e045b10a4f2712bc11f82b2b9d2866747a0a8f7b9856

Download Submit
\Windows\SysWOW64\CCBHDSNCtrl.dll

Filesize
182KB

MD5
5d3719734f3d9c2e4ad47482e5051893

SHA1
e515fe68efa9afe6be8b694305556dacca1bcd30

SHA256
39c29baaba12a3a018a8ff2fcd91de322ba51ab5536ba852d214af5e2c678e2c

SHA512
6299458e041de4bc6eaca35ed7950d6cacae64ee6bd3a0cfe3f7e040677e12e43337ff1c5eb889f0f2ab29b52c09db718357b14fe8e3a5cbfb96e97d63fabcdb

Download Submit
\Windows\SysWOW64\CCBHDSNCtrl.dll

Filesize
182KB

MD5
5d3719734f3d9c2e4ad47482e5051893

SHA1
e515fe68efa9afe6be8b694305556dacca1bcd30

SHA256
39c29baaba12a3a018a8ff2fcd91de322ba51ab5536ba852d214af5e2c678e2c

SHA512
6299458e041de4bc6eaca35ed7950d6cacae64ee6bd3a0cfe3f7e040677e12e43337ff1c5eb889f0f2ab29b52c09db718357b14fe8e3a5cbfb96e97d63fabcdb

Download Submit
\Windows\SysWOW64\CCB_HDZB_CCID_USBKey2G\HD_TokenV2.dll

Filesize
574KB

MD5
964fa6b0d17fb2511ad77f6ef6d099e8

SHA1
babd54bbbd634c903604c5585a4bee98849955e6

SHA256
bd06b09a1fba74213699e2fb4a669886d8c560f8708a4df29fbebe1be6d47bac

SHA512
e31298167233001c3fcbbbffd9a976006604372b828e805838bd6d57b49f876fc60abf57cbe09d0fab57b0e07cea187cb918abf4d05449190e584a687a65ecce

Download Submit
memory/1384-75-0x00000000045E0000-0x00000000046FC000-memory.dmp

Filesize
1.1MB

Download
memory/1384-145-0x0000000001F80000-0x0000000001F98000-memory.dmp

Filesize
96KB

Download
memory/1384-127-0x0000000001F80000-0x0000000001FAF000-memory.dmp

Filesize
188KB

Download