Analysis
- max time kernel: 147s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/01/2024, 16:50
Static task: static1
Behavioral task: behavioral1
- Sample: 658910d38d06cf4392afedf75ae1b5c9.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 658910d38d06cf4392afedf75ae1b5c9.exe
- Resource: win10v2004-20231222-en
General
- Target: 658910d38d06cf4392afedf75ae1b5c9.exe
- Size: 2.0MB
- MD5: 658910d38d06cf4392afedf75ae1b5c9
- SHA1: 363cc30332255003ee038f4d81386d11fb8fe9dd
- SHA256: 96e901289c7f0d5427e980cbff581ae655fc9639e9cbd1c598596e0e84a11f2e
- SHA512: 2453043dacbcd42fa5963c0d6ba24847e729da6c75c926b94164f430be609c13de457d23afbf51085178987c3ad9107d94dda1bfe47086f0b3cb69e6fe211c4f
- SSDEEP: 24576:z4tU5NRDeBKra/ADaTJi8gTPO1RhlgP4eCdmo/oLK+ef7nmvwQPgb9iEg0ij8OLX:Tr8Ku4OF0Pyx/4Pg7nhb9Pa1I8cr/k
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation (process: 658910d38d06cf4392afedf75ae1b5c9.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation (process: CCUpdate.exe)
- Executes dropped EXE (1 IoC)
  PID 4012: CCUpdate.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1084: schtasks.exe
  PID 4540: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 656: 658910d38d06cf4392afedf75ae1b5c9.exe
  PID 656: 658910d38d06cf4392afedf75ae1b5c9.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 656, 658910d38d06cf4392afedf75ae1b5c9.exe
  Token: SeDebugPrivilege, PID 4012, CCUpdate.exe
  Token: SeManageVolumePrivilege, PID 3880, svchost.exe
- Suspicious use of WriteProcessMemory (10 IoCs; columns: description, pid, process, procid_target)
  PID 656 wrote to memory of 3700, 656, 658910d38d06cf4392afedf75ae1b5c9.exe, 99
  PID 656 wrote to memory of 3700, 656, 658910d38d06cf4392afedf75ae1b5c9.exe, 99
  PID 3700 wrote to memory of 1084, 3700, cmd.exe, 101
  PID 3700 wrote to memory of 1084, 3700, cmd.exe, 101
  PID 656 wrote to memory of 4012, 656, 658910d38d06cf4392afedf75ae1b5c9.exe, 102
  PID 656 wrote to memory of 4012, 656, 658910d38d06cf4392afedf75ae1b5c9.exe, 102
  PID 4012 wrote to memory of 3216, 4012, CCUpdate.exe, 106
  PID 4012 wrote to memory of 3216, 4012, CCUpdate.exe, 106
  PID 3216 wrote to memory of 4540, 3216, cmd.exe, 108
  PID 3216 wrote to memory of 4540, 3216, cmd.exe, 108
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\658910d38d06cf4392afedf75ae1b5c9.exe (PID 656, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\658910d38d06cf4392afedf75ae1b5c9.exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 3700, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "CCUpdate" /tr '"C:\Users\Admin\AppData\Roaming\CCUpdate.exe"' & exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 1084, depth 3)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "CCUpdate" /tr '"C:\Users\Admin\AppData\Roaming\CCUpdate.exe"'
      Signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\CCUpdate.exe (PID 4012, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\CCUpdate.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (PID 3216, depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "CCUpdate" /tr '"C:\Users\Admin\AppData\Roaming\CCUpdate.exe"' & exit
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe (PID 4540, depth 4)
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "CCUpdate" /tr '"C:\Users\Admin\AppData\Roaming\CCUpdate.exe"'
        Signatures: Creates scheduled task(s)
- C:\Windows\system32\rundll32.exe (PID 1232, depth 1)
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
- C:\Windows\System32\svchost.exe (PID 3880, depth 1)
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads