96e901289c7f0d5427e980cbff581ae655fc9639e9cbd1c598596e0e84a11f2e

General

Target

658910d38d06cf4392afedf75ae1b5c9.exe
Size

2.0MB
MD5

658910d38d06cf4392afedf75ae1b5c9
SHA1

363cc30332255003ee038f4d81386d11fb8fe9dd
SHA256

96e901289c7f0d5427e980cbff581ae655fc9639e9cbd1c598596e0e84a11f2e
SHA512

2453043dacbcd42fa5963c0d6ba24847e729da6c75c926b94164f430be609c13de457d23afbf51085178987c3ad9107d94dda1bfe47086f0b3cb69e6fe211c4f
SSDEEP

24576:z4tU5NRDeBKra/ADaTJi8gTPO1RhlgP4eCdmo/oLK+ef7nmvwQPgb9iEg0ij8OLX:Tr8Ku4OF0Pyx/4Pg7nhb9Pa1I8cr/k

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	658910d38d06cf4392afedf75ae1b5c9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	CCUpdate.exe

Executes dropped EXE 1 IoCs

pid	Process
4012	CCUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1084	schtasks.exe
4540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
656	658910d38d06cf4392afedf75ae1b5c9.exe
656	658910d38d06cf4392afedf75ae1b5c9.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	656	658910d38d06cf4392afedf75ae1b5c9.exe
Token: SeDebugPrivilege	4012	CCUpdate.exe
Token: SeManageVolumePrivilege	3880	svchost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 3700	656	658910d38d06cf4392afedf75ae1b5c9.exe	99
PID 656 wrote to memory of 3700	656	658910d38d06cf4392afedf75ae1b5c9.exe	99
PID 3700 wrote to memory of 1084	3700	cmd.exe	101
PID 3700 wrote to memory of 1084	3700	cmd.exe	101
PID 656 wrote to memory of 4012	656	658910d38d06cf4392afedf75ae1b5c9.exe	102
PID 656 wrote to memory of 4012	656	658910d38d06cf4392afedf75ae1b5c9.exe	102
PID 4012 wrote to memory of 3216	4012	CCUpdate.exe	106
PID 4012 wrote to memory of 3216	4012	CCUpdate.exe	106
PID 3216 wrote to memory of 4540	3216	cmd.exe	108
PID 3216 wrote to memory of 4540	3216	cmd.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\658910d38d06cf4392afedf75ae1b5c9.exe
"C:\Users\Admin\AppData\Local\Temp\658910d38d06cf4392afedf75ae1b5c9.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "CCUpdate" /tr '"C:\Users\Admin\AppData\Roaming\CCUpdate.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "CCUpdate" /tr '"C:\Users\Admin\AppData\Roaming\CCUpdate.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:1084
- C:\Users\Admin\AppData\Roaming\CCUpdate.exe
  "C:\Users\Admin\AppData\Roaming\CCUpdate.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "CCUpdate" /tr '"C:\Users\Admin\AppData\Roaming\CCUpdate.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "CCUpdate" /tr '"C:\Users\Admin\AppData\Roaming\CCUpdate.exe"'
      4⤵
      Creates scheduled task(s)
      PID:4540

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CCUpdate.exe

Filesize
550KB

MD5
2b9f908bb5e0decd52e3e35d0882c515

SHA1
fd6152b2238fd9abaffc05dc7bab4136c2f4912e

SHA256
e07102bbf0a7e481456e404a0e7033b332bf7157ba3ad9b41094a8c34c2be540

SHA512
b20199b44361e9061497ae0f37f9b0030109b2642162509cb100c1a0aec72c484e16a4bc4337b0beff8e785d3d8739db41eb22b4c1256a89a28ed494f088b19b

Download Submit
C:\Users\Admin\AppData\Roaming\CCUpdate.exe

Filesize
293KB

MD5
bf49f3388c8fc553b8e2c59b47f08dea

SHA1
161834703c676feebae5e9b370abdea6e2b94c06

SHA256
3efbda2bf9956f983b533caa6521f6b648f7388e0ce5d4e9cad8ee6e7368dde5

SHA512
d733e0a9c3013f60ef301d2eaf90d2c188b8e4d18227452cbd9919db7ced41f1276c0830c25a0d9a8419e5741ad7a85d947ede589080e824b125763e56d843ba

Download Submit
C:\Users\Admin\AppData\Roaming\CCUpdate.exe

Filesize
1007KB

MD5
a88769031ef56327505d045fffe3fea9

SHA1
043f3321fc1a64cbf19db47f24f6672fecca8313

SHA256
0effd87b78b11319de288ace359da6d00a64bf72959b775a3223aec335c71e10

SHA512
86e0239b1893f219526827ad38286c6bee63ac10e9ba66731f5ff831e925b08323d6fe9d4e8728308421104acc57caabce78a585d154c3c1a868734ab7dbb100

Download Submit
memory/656-17-0x00007FFFFB600000-0x00007FFFFC0C1000-memory.dmp

Filesize
10.8MB

Download
memory/656-4-0x0000000003660000-0x0000000003672000-memory.dmp

Filesize
72KB

Download
memory/656-3-0x000000001C5E0000-0x000000001C7C8000-memory.dmp

Filesize
1.9MB

Download
memory/656-2-0x0000000003700000-0x0000000003710000-memory.dmp

Filesize
64KB

Download
memory/656-1-0x00007FFFFB600000-0x00007FFFFC0C1000-memory.dmp

Filesize
10.8MB

Download
memory/656-0-0x0000000000940000-0x0000000000B4C000-memory.dmp

Filesize
2.0MB

Download
memory/3880-54-0x000001E9089D0000-0x000001E9089D1000-memory.dmp

Filesize
4KB

Download
memory/3880-38-0x000001E900660000-0x000001E900670000-memory.dmp

Filesize
64KB

Download
memory/3880-56-0x000001E908A00000-0x000001E908A01000-memory.dmp

Filesize
4KB

Download
memory/3880-57-0x000001E908A00000-0x000001E908A01000-memory.dmp

Filesize
4KB

Download
memory/3880-58-0x000001E908B10000-0x000001E908B11000-memory.dmp

Filesize
4KB

Download
memory/4012-18-0x00007FFFFB600000-0x00007FFFFC0C1000-memory.dmp

Filesize
10.8MB

Download
memory/4012-21-0x00007FFFFB600000-0x00007FFFFC0C1000-memory.dmp

Filesize
10.8MB

Download
memory/4012-19-0x0000000001560000-0x0000000001570000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads