Overview

overview

8

Static

static

7

ccbb5355b5...8b.exe

windows7-x64

8

ccbb5355b5...8b.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    158s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-03-2024 01:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ccbb5355b566c47ea3cc7acfd4b9fc8b.exe

  • Size

    276KB

  • MD5

    ccbb5355b566c47ea3cc7acfd4b9fc8b

  • SHA1

    0490fc88853a15155b599e4d38c96bc25c57f92d

  • SHA256

    cb3557a20c6c5dd7bd87a2e4082b8d9c409ab11d22b13fcc3d20684fef6f3e19

  • SHA512

    fc227b1a7868a4e141c5af8dc5943e28103f7b22bd42dc7e40f092e10e203aae87e5077a9fc4756a56f13842a10df3db38edc85300a00a62b3134c0342cefaa0

  • SSDEEP

    3072:v15YY60+0cJB/JO08G/u15G15S15S15YY60+0cJB/JO08G/M:t5G5BHM5U54545G5BHM

Score
8/10
upx

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Manipulates Digital Signatures 1 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 64 IoCs
  • Drops file in Windows directory 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ccbb5355b566c47ea3cc7acfd4b9fc8b.exe
    "C:\Users\Admin\AppData\Local\Temp\ccbb5355b566c47ea3cc7acfd4b9fc8b.exe"
    1⤵
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.freeav.com/
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:792
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe82d846f8,0x7ffe82d84708,0x7ffe82d84718
        3⤵
          PID:2752
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1816,8319762899112895246,7701427583524634339,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
          3⤵
            PID:3764
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1816,8319762899112895246,7701427583524634339,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3744
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1816,8319762899112895246,7701427583524634339,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
            3⤵
              PID:2312
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,8319762899112895246,7701427583524634339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
              3⤵
                PID:3284
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,8319762899112895246,7701427583524634339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
                3⤵
                  PID:2876
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,8319762899112895246,7701427583524634339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
                  3⤵
                    PID:5032
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,8319762899112895246,7701427583524634339,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
                    3⤵
                      PID:1128
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,8319762899112895246,7701427583524634339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
                      3⤵
                        PID:112
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,8319762899112895246,7701427583524634339,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
                        3⤵
                          PID:3412
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,8319762899112895246,7701427583524634339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
                          3⤵
                            PID:2512
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1816,8319762899112895246,7701427583524634339,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 /prefetch:8
                            3⤵
                              PID:5440
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1816,8319762899112895246,7701427583524634339,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 /prefetch:8
                              3⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:5456
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1816,8319762899112895246,7701427583524634339,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5844 /prefetch:8
                              3⤵
                                PID:5196
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,8319762899112895246,7701427583524634339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
                                3⤵
                                  PID:5736
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,8319762899112895246,7701427583524634339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
                                  3⤵
                                    PID:2292
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.antispyware.com/
                                  2⤵
                                    PID:5916
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe82d846f8,0x7ffe82d84708,0x7ffe82d84718
                                      3⤵
                                        PID:5720
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:3716
                                    • C:\Windows\System32\CompPkgSrv.exe
                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                      1⤵
                                        PID:1644
                                      • C:\Windows\system32\AUDIODG.EXE
                                        C:\Windows\system32\AUDIODG.EXE 0x514 0x52c
                                        1⤵
                                          PID:2192

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                          Filesize

                                          152B

                                          MD5

                                          4b206e54d55dcb61072236144d1f90f8

                                          SHA1

                                          c2600831112447369e5b557e249f86611b05287d

                                          SHA256

                                          87bf9a4c3564eb3d8bef70450da843ae6003271222734c4d28d9961c52782e0b

                                          SHA512

                                          c9e8d2452368873e0622b002a0c2f8a2714b5897a09475738a9f9740122d716a9f0d3841725230d58e039564c820d32a6f3a675a7bb04bd163bab53dcb4e22f2

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                          Filesize

                                          152B

                                          MD5

                                          73c8d54f775a1b870efd00cb75baf547

                                          SHA1

                                          33024c5b7573c9079a3b2beba9d85e3ba35e6b0e

                                          SHA256

                                          1ce86be0476a2a9e409fcb817126285bc4ad83efd03ee06a2f86910fe18d4d94

                                          SHA512

                                          191344f5830cfea68499bd49073ffa7215a42265a9629d203d07849b2417c0ffdbdbf288bf2c669e91009a0d7e8bd6a6b378c92fc283049141231ca7bf4da3b8

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                          Filesize

                                          336B

                                          MD5

                                          a209a06a3dd2144e0de701d1731d5707

                                          SHA1

                                          63843fc7e6c855e9033dab0c5a716451e64a4a31

                                          SHA256

                                          06ab5ae7b63575f9176d766f74d2fc96f7bfcb62aec5393cecfe79109c75d0bc

                                          SHA512

                                          703ea30383782b744b4e13da98fc108104a0327e2d2ee8c81f165808c43cbbc36c4a36805d9541230169c1e771606c91e8055bde742b7c0ec2460f1eab9c7a0c

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                          Filesize

                                          111B

                                          MD5

                                          285252a2f6327d41eab203dc2f402c67

                                          SHA1

                                          acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                          SHA256

                                          5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                          SHA512

                                          11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                          Filesize

                                          6KB

                                          MD5

                                          bb13cf353324ea3476ae58e3730ed7a6

                                          SHA1

                                          4dadc52347ac44e79d62b0caf915d7b03bfd1234

                                          SHA256

                                          546c0adf45be19f7ede60afe6a1e1c25022503542283151300316abf7e180fc4

                                          SHA512

                                          05b8c2d22b9e805ebfcf42c49e84270229b66b618b1669251b2cdea89b602721d52eb6caaa34542d928b6c11c336598eff407b138085bea2bc808446b1cd3afd

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                          Filesize

                                          6KB

                                          MD5

                                          51dc4826ea71561c2e872a89e5410afa

                                          SHA1

                                          f8b7cc57f5e1d66df8c85e015069ec93e05a1d54

                                          SHA256

                                          1936aac1cd71301fee3ecda9c063884d0e4f8dea5a1041e898c9bc0a918e6707

                                          SHA512

                                          ee4a8f2a11e0ca12a00756c1de24d060fac68311097ab272581a7c25ebad7730246f1aa8e1c9d2f567f259861b67753ffe09da36b7155632bd0d4c36fae72c49

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                          Filesize

                                          6KB

                                          MD5

                                          8dd522b8392ba3e7fa08dee2efa1e860

                                          SHA1

                                          42f5c48564e19fb43434f3b9ca1e84318d0f35a1

                                          SHA256

                                          87d2a9c9cc363a7572f4b09455e56444bebc70de9467911c179e0d3f60f55cb7

                                          SHA512

                                          9829dba6195b0edc29ce464155c661803e6561828418bc9c7b591a8a974251de3d28bc69b777bac9b17ee48345c74ac58b923e140302211b7730ad0d6721e481

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                          Filesize

                                          16B

                                          MD5

                                          6752a1d65b201c13b62ea44016eb221f

                                          SHA1

                                          58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                          SHA256

                                          0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                          SHA512

                                          9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                          Filesize

                                          11KB

                                          MD5

                                          e388366b785ee890d4848c469d84ae2d

                                          SHA1

                                          6ef6bbca0c0e016cb51a8c29dcdffe551095bc4b

                                          SHA256

                                          b7cd8e22f52c9d7744c53cfec195cadd61087c7baa3009f0549457b7542a542f

                                          SHA512

                                          c05e4ead6ab47fdd6729d636248e1ffc7babb025b84f9177c93eb7ac2fa225640a34f4fa7ce4506e02aa87427d5c6a14317a0d001fb3be453ca385c3f42d1d00

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                          Filesize

                                          11KB

                                          MD5

                                          b554f7be586d720147c863055c055503

                                          SHA1

                                          37e6b8a9f6be6cb2aeb803b75178fbcf59e09fcd

                                          SHA256

                                          38f68a685828c6163f47b39e4f2dac99ee31051f9b0e2b4f520d01c7fb9846d9

                                          SHA512

                                          c35f0bcd7636a4c12a40528d213ca7079dedf586f1a13547d8e3ca6c9a1309442e6b944fbdce9687f716f9e662ed66f4f28fb818ee869108f2acabf32389443c

                                          Download Submit

                                        • C:\Windows\setupact.log
                                          Filesize

                                          29KB

                                          MD5

                                          5f66532416fd1dad59a24f3efa8ffa2c

                                          SHA1

                                          2c8f7135806caeea941102366e586b0e8c870a8b

                                          SHA256

                                          869202a7eb458465ace4163375cd911a83658faa591534201bc057771c6cbcd4

                                          SHA512

                                          b5e9f70fbbe4557c3cc04acdd77c55fab2b8c4f8625448b90b6e4cbae2f2fc82c0fbee71ac6f3a5f5c68ebaee8586591913cb575ecc9394089dbc3f46fde2e8e

                                          Download Submit

                                        • C:\exc.exe
                                          Filesize

                                          249KB

                                          MD5

                                          10b55068575bb1ae0a9de43f11b3ba36

                                          SHA1

                                          4c4699feafc76184bb9fa646c077752115555942

                                          SHA256

                                          bfe0a5e28753790bc80ad4f03f6e329b17a05508bac1530834e38868b0a2274d

                                          SHA512

                                          a7c65ecdc5795a9f1bf5f2d0c0e3b37db9500d98a0c1cb946e8be3c3377162211dd75a7b7cbc8a1c06a367267abaeea7017ad3fa741ca720e5348bf96938887b

                                          Download Submit

                                        • memory/2712-110-0x0000000000400000-0x000000000040A000-memory.dmp

                                          Filesize

                                          40KB

                                          Download

                                        • memory/2712-98-0x0000000000400000-0x000000000040A000-memory.dmp

                                          Filesize

                                          40KB

                                          Download

                                        • memory/2712-0-0x0000000000400000-0x000000000040A000-memory.dmp

                                          Filesize

                                          40KB

                                          Download

                                        • memory/2712-541-0x0000000000400000-0x000000000040A000-memory.dmp

                                          Filesize

                                          40KB

                                          Download

                                        • memory/2712-505-0x0000000000400000-0x000000000040A000-memory.dmp

                                          Filesize

                                          40KB

                                          Download

                                        • memory/2712-831-0x0000000000400000-0x000000000040A000-memory.dmp

                                          Filesize

                                          40KB

                                          Download

                                        • memory/2712-9-0x0000000000400000-0x000000000040A000-memory.dmp

                                          Filesize

                                          40KB

                                          Download

                                        • memory/2712-1046-0x0000000000400000-0x000000000040A000-memory.dmp

                                          Filesize

                                          40KB

                                          Download

                                        • memory/2712-307-0x0000000000400000-0x000000000040A000-memory.dmp

                                          Filesize

                                          40KB

                                          Download