1669960ca2b8edf2435c9ff9430f22ccded66769ae4928c88bf1c879e67b6eed

General

Target

CCC_KeyGen.exe
Size

2.8MB
MD5

22fec0b0e8e92de0306c8bca7775914b
SHA1

704d7e62c7fd43bbb2dd735d145db9b2596879d3
SHA256

1669960ca2b8edf2435c9ff9430f22ccded66769ae4928c88bf1c879e67b6eed
SHA512

9fdfff7b9ff3206cfb395d4230e32539694ffd45370de79f6f959de2de3b00741c29c2375cfe386590f5c720f9ae9a163bdc409dc46c3ab00dbac107b1a3844b
SSDEEP

49152:UAY4KjyWlEdzf9++YquBanEpq3sIjHNYU3Tvhp9OH1zhVQ0NAPJ:nY4IblYf9vYqukEQsIjfzYmqQJ

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3380	keygen.exe

Loads dropped DLL 3 IoCs

pid	Process
3380	keygen.exe
3380	keygen.exe
3380	keygen.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000231e9-139.dat	upx
behavioral2/files/0x00070000000231e9-138.dat	upx
behavioral2/memory/3380-145-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3380-149-0x0000000000400000-0x000000000043C000-memory.dmp	upx
behavioral2/memory/3380-181-0x0000000000400000-0x000000000043C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4948	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4948	AUDIODG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 588 wrote to memory of 3380	588	CCC_KeyGen.exe	84
PID 588 wrote to memory of 3380	588	CCC_KeyGen.exe	84
PID 588 wrote to memory of 3380	588	CCC_KeyGen.exe	84

C:\Users\Admin\AppData\Local\Temp\CCC_KeyGen.exe
"C:\Users\Admin\AppData\Local\Temp\CCC_KeyGen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:588
- C:\Users\Admin\AppData\Local\Temp\keygen.exe
  C:\Users\Admin\AppData\Local\Temp\keygen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3380

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x338
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BASSMOD.DLL

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
C:\Users\Admin\AppData\Local\Temp\BASSMOD.dll

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
C:\Users\Admin\AppData\Local\Temp\BASSMOD.dll

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
C:\Users\Admin\AppData\Local\Temp\R2RCWKG.dll

Filesize
47KB

MD5
9432424343be9af4f5cfc219aed10f7f

SHA1
088e48aa523f6959d0979ba7e372dfcc01b878df

SHA256
288bc3eddccd088a2edf6d028269ac4a742d60839443694bc9910dc7bca10783

SHA512
33a2fe21a02e93d79275e90967e4a847e7ddca7fa69d3975157fd1fdeef08c1f077ac08a48c1fdb688c948af9fa591a701923989f7538b532266cadc53d77d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\R2RCWKG.dll

Filesize
47KB

MD5
9432424343be9af4f5cfc219aed10f7f

SHA1
088e48aa523f6959d0979ba7e372dfcc01b878df

SHA256
288bc3eddccd088a2edf6d028269ac4a742d60839443694bc9910dc7bca10783

SHA512
33a2fe21a02e93d79275e90967e4a847e7ddca7fa69d3975157fd1fdeef08c1f077ac08a48c1fdb688c948af9fa591a701923989f7538b532266cadc53d77d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgm.xm

Filesize
2.8MB

MD5
8674a72f3028386bc4fcc2df3e6812fd

SHA1
2e298d6dcd1b143b52a0aeef6b944d2f0a247640

SHA256
7ebcdd4a4e0ed325d87e49012be9836edc5f29c252384f5302ac8a947e634228

SHA512
e6a62b967578248c3554e9bf0019dac7d0442f7778cc1f17f0c637051964900ad5f4929fc5404fe6212c750a73a44a23f3c9a266195425b4a23d1869c00e0d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
415KB

MD5
00228c746e2c6e5e4238cb05a0dee1d8

SHA1
709742c64ac163afab9a4c2386c7122ef62f9887

SHA256
85ed4efa357c527859d6308a92b30ffa3d71901a45ebf4d7ee4045128f2046fa

SHA512
227ee09f02e18267813b19ac42edc390db01a09a1491bb08f546e82282ca17813b3d2e39b7172d7f31780c862e9c913c07366c2ed9812e8e35f1f22e32e5d59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
415KB

MD5
00228c746e2c6e5e4238cb05a0dee1d8

SHA1
709742c64ac163afab9a4c2386c7122ef62f9887

SHA256
85ed4efa357c527859d6308a92b30ffa3d71901a45ebf4d7ee4045128f2046fa

SHA512
227ee09f02e18267813b19ac42edc390db01a09a1491bb08f546e82282ca17813b3d2e39b7172d7f31780c862e9c913c07366c2ed9812e8e35f1f22e32e5d59c

Download Submit
memory/3380-157-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/3380-164-0x0000000000A20000-0x0000000000A33000-memory.dmp

Filesize
76KB

Download
memory/3380-146-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/3380-149-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3380-150-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/3380-152-0x0000000000A20000-0x0000000000A33000-memory.dmp

Filesize
76KB

Download
memory/3380-151-0x0000000000A20000-0x0000000000A33000-memory.dmp

Filesize
76KB

Download
memory/3380-155-0x0000000000A20000-0x0000000000A33000-memory.dmp

Filesize
76KB

Download
memory/3380-145-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3380-158-0x0000000000A20000-0x0000000000A33000-memory.dmp

Filesize
76KB

Download
memory/3380-161-0x0000000000A20000-0x0000000000A33000-memory.dmp

Filesize
76KB

Download
memory/3380-147-0x0000000000A20000-0x0000000000A33000-memory.dmp

Filesize
76KB

Download
memory/3380-167-0x0000000000A20000-0x0000000000A33000-memory.dmp

Filesize
76KB

Download
memory/3380-170-0x0000000000A20000-0x0000000000A33000-memory.dmp

Filesize
76KB

Download
memory/3380-173-0x0000000000A20000-0x0000000000A33000-memory.dmp

Filesize
76KB

Download
memory/3380-176-0x0000000000A20000-0x0000000000A33000-memory.dmp

Filesize
76KB

Download
memory/3380-179-0x0000000000A20000-0x0000000000A33000-memory.dmp

Filesize
76KB

Download
memory/3380-181-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3380-182-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/3380-183-0x0000000000A20000-0x0000000000A33000-memory.dmp

Filesize
76KB

Download
memory/3380-186-0x0000000000A20000-0x0000000000A33000-memory.dmp

Filesize
76KB

Download
memory/3380-189-0x0000000000A20000-0x0000000000A33000-memory.dmp

Filesize
76KB

Download
memory/3380-191-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/3380-192-0x0000000000A20000-0x0000000000A33000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing