2eea6ce78a42a5c07091a313cfdf13a083e46b493b6c2fb44bacf8626bf5d097

Resubmissions

18/01/2024, 10:46

240118-mt9wgaadd2 7

18/01/2024, 09:27

240118-le4v8shch2 7

18/01/2024, 09:17

240118-k9c6bshbh2 6

Analysis

max time kernel
146s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccsetup620.exe
Size

75.1MB
MD5

2252f06e55902cc69216d7ca4ced72f1
SHA1

217c9c78833299d89a4b133328290987955552e6
SHA256

2eea6ce78a42a5c07091a313cfdf13a083e46b493b6c2fb44bacf8626bf5d097
SHA512

e77d8d17cd0a1cf44ed0e49f3d6f275849e9545ae20778958dce6b6c67d8278a46f4f63c4f8d315af64bec0259b61aa0919d63620d4e877f95bea801fc0fa8fd
SSDEEP

1572864:D/rhQ11XtcajK3jlUZyAWAAqpModeSmyeiRCH5IdBTrtZfeKeA5Mics:DUc+6JoyArAEModdmyen5IdprtBeKe92

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ccsetup620.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Loads dropped DLL 9 IoCs

pid	Process
1536	ccsetup620.exe
1536	ccsetup620.exe
1536	ccsetup620.exe
1536	ccsetup620.exe
1536	ccsetup620.exe
1536	ccsetup620.exe
1536	ccsetup620.exe
1536	ccsetup620.exe
1536	ccsetup620.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ccsetup620.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ccsetup620.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ccsetup620.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1536	ccsetup620.exe
1536	ccsetup620.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1536	ccsetup620.exe
Token: SeCreatePagefilePrivilege	1536	ccsetup620.exe
Token: SeShutdownPrivilege	1536	ccsetup620.exe
Token: SeCreatePagefilePrivilege	1536	ccsetup620.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1536	ccsetup620.exe
1536	ccsetup620.exe

C:\Users\Admin\AppData\Local\Temp\ccsetup620.exe
"C:\Users\Admin\AppData\Local\Temp\ccsetup620.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsl95D9.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl95D9.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl95D9.tmp\a\asdk.dll

Filesize
1.0MB

MD5
e3f60a2cf6b1d155f5f7d17615907013

SHA1
8191871854dcbcc4fe34218040215581b0fccf43

SHA256
74fcd2367fb1d9c0084547ebaf1c6db081946453a5d0a2d668d83d3c489a60a9

SHA512
20a57a1d2ce3d081958b4b3b48f1c902039f26dd28abcac94fad6f20e8e5d630bbfd2365eb7200f7c8d676c593cb3dc465a406e8536abdf63bd7ef76bb86df2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl95D9.tmp\g\gcapi_dll.dll

Filesize
33KB

MD5
b2814e8535969ed9713367f541d8da84

SHA1
1079733a8d29b3461c1e589cb19add21a5fd4d5a

SHA256
8e03d174ebcb303e0d6b56da4ae27c815638e0aced086fd500d1fb12dcb6a0d2

SHA512
1527059149c4611451cef1625357e26e86e0e043be88102c095f272f13a65e1394d24c4d69b08b0fd8fa9433ae194b8c0f19094e8da201c3d0253baa1f00cdb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl95D9.tmp\g\gcapi_dll.dll

Filesize
1KB

MD5
3b3f861548e977a1750e45065d61ab9b

SHA1
493b0bd48754ecdabe820f6016c82a5049716205

SHA256
85111d1773d9f5dc6c66cd7d1c415ac89c49d4769795be665ce6468206a12915

SHA512
396c80a03e813753b5444c1c1087e8eda2c8f3d978b9ebac087a220ec2b5b60c823ba0a405326b6f921ff7710c0168f8b374e630d76aa6958afed5c0ac64c072

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl95D9.tmp\g\gcapi_dll.dll

Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl95D9.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl95D9.tmp\p\pfBL.dll

Filesize
2.8MB

MD5
dabfb9e916678440283b7423ff3bdf4d

SHA1
a7d6c0358a81e0773116a337fe9b3e8403e14d93

SHA256
148f95ffacdacd2829f07cbcf6fc9da194dae986fefb3cffb8970eececcd1735

SHA512
62b98971722101aed7061f9fd54703449216a03e07e4ef9c761dc850e3734c8b910bd6638fa25e78d3bb924cb4c59113b44591d1d5539803fb098d5b28bb4c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl95D9.tmp\ui\pfUI.dll

Filesize
6.9MB

MD5
b3d8324dfa4b964ddd66a9ac5f5ba192

SHA1
987f3ce162e5228331471a44cf21a2cd412af7bd

SHA256
8e221cd0cdc61f3e05fcfb489e4ff7faa5d3201512f3256488904585409902de

SHA512
0a6cd7aedd2b8f61bda277b88cd71044cc4686e184299a8aa0af38a0de015dbb8a4f5725a940e837322b949a0153049ad0f35849cdb90803739d2672219d0f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl95D9.tmp\ui\pfUI.dll

Filesize
89KB

MD5
b40f8d5a3822d50af4f617fc347a5159

SHA1
c33c44b8d1b9ab22b008c98521b38b2f7425f858

SHA256
0071740e6b5a14cec31a583eb78a06c517b31c82e2ee7bd5db7e534818aa3076

SHA512
cb2e6e400fd715e30d3a33d38addd61a630fd8a4b405f9a89408430fbc01b377e8b0db7804e4d836843e1d4b3be28c97bb92e942716680be7796f59fe9d8a12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl95D9.tmp\ui\res\CC_Logo_40x96.png

Filesize
2KB

MD5
d32b0460183056d3056d6db89c992b88

SHA1
79823e151b3438ab8d273a6b4a3d56a9571379b4

SHA256
b013039e32d2f8e54cfebdbfdabc25f21aa0bbe9ef26a2a5319a20024961e9a7

SHA512
3ad36f9d4015f2d3d5bc15eac221a0ecef3fcb1ef4c3c87b97b3413a66faa445869e054f7252cc233cd2bf8f1aa75cb3351d2c70c8121f4850b3db29951bc817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl95D9.tmp\ui\res\CC_logo_72x66.png

Filesize
7KB

MD5
a736159759a56c29575e49cb2a51f2b3

SHA1
b1594bbca4358886d25c3a1bc662d87c913318cb

SHA256
58e75de1789c90333daaf93176194d2a3d64f2eecdf57a4b9384a229e81f874f

SHA512
4da523a36375b37fa7bc4b4ccf7c93e1df7b2da15152edf7d419927aa1bb271ef8ba27fe734d2f623fcc02b47319e75333df014bed01eb466e0cd9ec4111ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl95D9.tmp\ui\res\PF_computer.png

Filesize
87KB

MD5
7f4f45c9393a0664d9d0725a2ff42c6b

SHA1
b7b30eb534e6dc69e8e293443c157134569e8ce7

SHA256
dbd8b6fdb66604a0a5e8efe269fbfa598e4a94dc146006036409d905209da42b

SHA512
0c27f9ce615cbff3e17fd772ce3929ab4419d7432d96223b7eec1ba70953f2ac993404b954020247b52d7f7499212d44eb6f85da2e2676773cafe1ce89b390f9

Download Submit