Analysis
- max time kernel: 150s
- max time network: 161s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 10/03/2024, 15:42
Tasks
- Static task static1
- Behavioral task behavioral1: sample ccvLX6b6iG.exe, resource win11-20240221-en
- Behavioral task behavioral2: sample dpp.dll, resource win11-20240221-en
- Behavioral task behavioral3: sample libcrypto-1_1-x64.dll, resource win11-20240221-en
- Behavioral task behavioral4: sample libsodium.dll, resource win11-20240221-en
- Behavioral task behavioral5: sample libssl-1_1-x64.dll, resource win11-20240221-en
- Behavioral task behavioral6: sample opus.dll, resource win11-20240221-en
- Behavioral task behavioral7: sample zlib1.dll, resource win11-20240221-en
General
- Target: ccvLX6b6iG.exe
- Size: 31.6MB
- MD5: b207acf3639912c9e6cccc25ba6b374e
- SHA1: 3027cb0f0e17c1b79edd3d6a88ef4adbc08d267b
- SHA256: 83937419fa7f594e2c03bf473e6d7588581b2afad3c33c0f6798ce4e80fafd0c
- SHA512: 9dce4a3e1a316cea561040eb181c1a0ad0db49c1346654336412e54383a659f650ce627140e97b997b2bc23dda5ea6eb2977cad5e1c42ebfcb806142be12ff3f
- SSDEEP: 786432:K5anJ+Wyc5P2H2nm5MX7YnT4BHmNDdVv0YcDfzQMvV:K5aJ+T4PmQmOLYnMODr0nDflvV
Malware Config
(none extracted)

Signatures
- Drops file in Drivers directory (1 IoC)
  File opened for modification: C:\Windows\system32\drivers\etc\hosts (process ccvLX6b6iG.exe)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 11: api.ipify.org
  Flow 25: api.ipify.org
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process ccvLX6b6iG.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process ccvLX6b6iG.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
  PID 2172 ccvLX6b6iG.exe (6 occurrences)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2172 ccvLX6b6iG.exe (64 occurrences)
- Suspicious behavior: RenamesItself (1 IoC)
  PID 2172 ccvLX6b6iG.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 2172 (ccvLX6b6iG.exe) wrote to memory of 2436, target 87
  PID 2172 (ccvLX6b6iG.exe) wrote to memory of 2436, target 87
  PID 2172 (ccvLX6b6iG.exe) wrote to memory of 3196, target 88
  PID 2172 (ccvLX6b6iG.exe) wrote to memory of 3196, target 88
  PID 3196 (cmd.exe) wrote to memory of 2852, target 89
  PID 3196 (cmd.exe) wrote to memory of 2852, target 89
  PID 3196 (cmd.exe) wrote to memory of 2096, target 90
  PID 3196 (cmd.exe) wrote to memory of 2096, target 90
  PID 3196 (cmd.exe) wrote to memory of 2268, target 91
  PID 3196 (cmd.exe) wrote to memory of 2268, target 91
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\ccvLX6b6iG.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ccvLX6b6iG.exe"
  PID: 2172
  Signatures:
  - Drops file in Drivers directory
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c Cls
    PID: 2436
  - [depth 2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ccvLX6b6iG.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    PID: 3196
    Signatures:
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\system32\certutil.exe
      Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ccvLX6b6iG.exe" MD5
      PID: 2852
    - [depth 3] C:\Windows\system32\find.exe
      Command line: find /i /v "md5"
      PID: 2096
    - [depth 3] C:\Windows\system32\find.exe
      Command line: find /i /v "certutil"
      PID: 2268