2eea6ce78a42a5c07091a313cfdf13a083e46b493b6c2fb44bacf8626bf5d097

Resubmissions

18/01/2024, 10:46

240118-mt9wgaadd2 7

18/01/2024, 09:27

240118-le4v8shch2 7

18/01/2024, 09:17

240118-k9c6bshbh2 6

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccsetup620.exe
Size

75.1MB
MD5

2252f06e55902cc69216d7ca4ced72f1
SHA1

217c9c78833299d89a4b133328290987955552e6
SHA256

2eea6ce78a42a5c07091a313cfdf13a083e46b493b6c2fb44bacf8626bf5d097
SHA512

e77d8d17cd0a1cf44ed0e49f3d6f275849e9545ae20778958dce6b6c67d8278a46f4f63c4f8d315af64bec0259b61aa0919d63620d4e877f95bea801fc0fa8fd
SSDEEP

1572864:D/rhQ11XtcajK3jlUZyAWAAqpModeSmyeiRCH5IdBTrtZfeKeA5Mics:DUc+6JoyArAEModdmyen5IdprtBeKe92

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ccsetup620.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Loads dropped DLL 9 IoCs

pid	Process
2220	ccsetup620.exe
2220	ccsetup620.exe
2220	ccsetup620.exe
2220	ccsetup620.exe
2220	ccsetup620.exe
2220	ccsetup620.exe
2220	ccsetup620.exe
2220	ccsetup620.exe
2220	ccsetup620.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ccsetup620.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ccsetup620.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ccsetup620.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2220	ccsetup620.exe
2220	ccsetup620.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2220	ccsetup620.exe
Token: SeShutdownPrivilege	2220	ccsetup620.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2220	ccsetup620.exe
2220	ccsetup620.exe

C:\Users\Admin\AppData\Local\Temp\ccsetup620.exe
"C:\Users\Admin\AppData\Local\Temp\ccsetup620.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\g\gcapi_dll.dll

Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\p\pfBL.dll

Filesize
270KB

MD5
0258252a0ac714bf7911e098b02d28b5

SHA1
7d1f3c7db75c39165a4af4ed586ce49055c6e92c

SHA256
d857a6d2d19eed7603a0f72db9ad168f573e5c06174ef968b66657673550627b

SHA512
ced3540c73429b516ea61c2c30bcf433afabff90c5ed946808ba1b11d449e815034e5ea33b3198f42ebb5273e5574d45977c4638c194073156f6b3eafd616077

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ui\pfUI.dll

Filesize
944KB

MD5
2a88e40a9616d67715a2da56adde740d

SHA1
c166e75ad489c008a5cfd3d0e55394488a72657e

SHA256
dae785894cbf39145779dfba02ae335593f8d2091ed62257f7e26fc9eaf67333

SHA512
f5d908ecbfc7074a9c2b0e29d0820ba0523645dd38c5d1608abec44d2a83f588562f776b2931340e0e257585ebfd4012763ebb3d98680af5edcdb3dcbe3cca0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ui\res\CC_Logo_40x96.png

Filesize
2KB

MD5
d32b0460183056d3056d6db89c992b88

SHA1
79823e151b3438ab8d273a6b4a3d56a9571379b4

SHA256
b013039e32d2f8e54cfebdbfdabc25f21aa0bbe9ef26a2a5319a20024961e9a7

SHA512
3ad36f9d4015f2d3d5bc15eac221a0ecef3fcb1ef4c3c87b97b3413a66faa445869e054f7252cc233cd2bf8f1aa75cb3351d2c70c8121f4850b3db29951bc817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ui\res\CC_logo_72x66.png

Filesize
7KB

MD5
a736159759a56c29575e49cb2a51f2b3

SHA1
b1594bbca4358886d25c3a1bc662d87c913318cb

SHA256
58e75de1789c90333daaf93176194d2a3d64f2eecdf57a4b9384a229e81f874f

SHA512
4da523a36375b37fa7bc4b4ccf7c93e1df7b2da15152edf7d419927aa1bb271ef8ba27fe734d2f623fcc02b47319e75333df014bed01eb466e0cd9ec4111ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ui\res\PF_computer.png

Filesize
87KB

MD5
7f4f45c9393a0664d9d0725a2ff42c6b

SHA1
b7b30eb534e6dc69e8e293443c157134569e8ce7

SHA256
dbd8b6fdb66604a0a5e8efe269fbfa598e4a94dc146006036409d905209da42b

SHA512
0c27f9ce615cbff3e17fd772ce3929ab4419d7432d96223b7eec1ba70953f2ac993404b954020247b52d7f7499212d44eb6f85da2e2676773cafe1ce89b390f9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\a\asdk.dll

Filesize
1.0MB

MD5
e3f60a2cf6b1d155f5f7d17615907013

SHA1
8191871854dcbcc4fe34218040215581b0fccf43

SHA256
74fcd2367fb1d9c0084547ebaf1c6db081946453a5d0a2d668d83d3c489a60a9

SHA512
20a57a1d2ce3d081958b4b3b48f1c902039f26dd28abcac94fad6f20e8e5d630bbfd2365eb7200f7c8d676c593cb3dc465a406e8536abdf63bd7ef76bb86df2b

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\g\gcapi_dll.dll

Filesize
326KB

MD5
233cf3c754c694d9ab235021650b3b0a

SHA1
4fb2d49b81254a881410a7b8e1fad50ab15ab5a3

SHA256
f09495b74271bdb8ea28c30609894f0cabca9519b86332518ddf2c42428f7217

SHA512
99949206f9123e0617252bd98bd950b130432553d58caf52a86370c1adfd86e6799308ba59f9eb153359be22e3e34fb49ff8024f9867bba911f35e188a7f4732

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\p\pfBL.dll

Filesize
640KB

MD5
e48bc1c5eb956bf64aa1bcc949c3c6c2

SHA1
260853305c64e087d8e0b5d8c480003025323086

SHA256
e1873b4c8de30ce79cf94f04667be1b3926fb16752c4c279afc05a5f8ba95b62

SHA512
0ffe8c882d0dea2f9b6a8109552c3c2e4b57aa258fae99531b5aaa716669e4eb631bb319ffc33797bd37f0f893c10ab87b9224e132471c0512777897d4d0e1cb

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ui\pfUI.dll

Filesize
341KB

MD5
0f6f672cb94f177d166f9711d86aebfd

SHA1
ff8c647c5b4798fbecc0e63c2d22f3436765667b

SHA256
3a5f21fa09df6a70f1e4e001296ae07baeecf07133004725e8fcf14b6f937672

SHA512
8fd1f4e57f8c006abd3e3495c10632e21421ae807b418ea1986b164daba4a6ee37c857e074c70c012b2e85f6397d5dc9660906c0788c3e5ec0949092c48d11e7

Download Submit
memory/2220-111-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/2220-129-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download