Analysis
- max time kernel: 93s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/05/2024, 11:47
Static task: static1
Behavioral task: behavioral1
- Sample: cc2ae7d197cad41ad672837405c5fe8c.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: cc2ae7d197cad41ad672837405c5fe8c.exe
- Resource: win10v2004-20240426-en
General
- Target: cc2ae7d197cad41ad672837405c5fe8c.exe
- Size: 324KB
- MD5: cc2ae7d197cad41ad672837405c5fe8c
- SHA1: e01e694f6cb37ceb73205c9ced8b42fdef3a8386
- SHA256: ca19e71ae296e637960c96e402a22632e8aba1abe00db4df77ad10b470f92a37
- SHA512: cf5ce629a2fb54fc9a804abc806487f45450fc813b3369821b5f45e4a02fc0083c983fa989495667dd22510319fe7068c8b9ec29d5af9d9cebf4626008e2de8d
- SSDEEP: 6144:yVTzU1kCV/w+p+pXd6I9dUhJZXAnBY+adSEm:ATzU13jspt6adqJhqBY+b
Malware Config
Signatures

Executes dropped EXE (1 IoC)
- PID 1276, Process: OKFNRRB.EXE

Modifies system executable filetype association (2 TTPs, 5 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command (Process: cc2ae7d197cad41ad672837405c5fe8c.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files (x86)\\ANGMJ.EXE \"%1\" %*" (Process: cc2ae7d197cad41ad672837405c5fe8c.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell (Process: OKFNRRB.EXE)

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ANGMJ.EXE = "C:\\Program Files (x86)\\ANGMJ.EXE" (Process: cc2ae7d197cad41ad672837405c5fe8c.exe)
Enumerates connected drives (3 TTPs, 34 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by cc2ae7d197cad41ad672837405c5fe8c.exe (17 IoCs): \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:
- File opened (read-only) by OKFNRRB.EXE (17 IoCs): \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:
Drops file in Program Files directory (3 IoCs)
- File created: C:\Program Files (x86)\ANGMJ.EXE (Process: cc2ae7d197cad41ad672837405c5fe8c.exe)
- File opened for modification: C:\Program Files (x86)\ANGMJ.EXE (Process: cc2ae7d197cad41ad672837405c5fe8c.exe)
- File created: C:\Program Files (x86)\HBRP.EXE (Process: OKFNRRB.EXE)
Modifies registry class (38 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open (Process: cc2ae7d197cad41ad672837405c5fe8c.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command (Process: cc2ae7d197cad41ad672837405c5fe8c.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open (Process: OKFNRRB.EXE)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "F:\\$RECYCLE.BIN\\OKFNRRB.EXE \"%1\"" (Process: cc2ae7d197cad41ad672837405c5fe8c.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command (Process: cc2ae7d197cad41ad672837405c5fe8c.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command (Process: cc2ae7d197cad41ad672837405c5fe8c.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "F:\\$RECYCLE.BIN\\OKFNRRB.EXE \"%1\"" (Process: cc2ae7d197cad41ad672837405c5fe8c.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file (Process: OKFNRRB.EXE)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "F:\\$RECYCLE.BIN\\OKFNRRB.EXE %1" (Process: cc2ae7d197cad41ad672837405c5fe8c.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command (Process: cc2ae7d197cad41ad672837405c5fe8c.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\regfile (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command (Process: cc2ae7d197cad41ad672837405c5fe8c.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file (Process: cc2ae7d197cad41ad672837405c5fe8c.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell (Process: cc2ae7d197cad41ad672837405c5fe8c.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\inifile (Process: OKFNRRB.EXE)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Program Files (x86)\\ANGMJ.EXE %1" (Process: cc2ae7d197cad41ad672837405c5fe8c.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command (Process: cc2ae7d197cad41ad672837405c5fe8c.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files (x86)\\ANGMJ.EXE \"%1\" %*" (Process: cc2ae7d197cad41ad672837405c5fe8c.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell (Process: OKFNRRB.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile (Process: OKFNRRB.EXE)
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 1020 wrote to memory of 1276 (Process: cc2ae7d197cad41ad672837405c5fe8c.exe, procid_target: 82)
- PID 1020 wrote to memory of 1276 (Process: cc2ae7d197cad41ad672837405c5fe8c.exe, procid_target: 82)
- PID 1020 wrote to memory of 1276 (Process: cc2ae7d197cad41ad672837405c5fe8c.exe, procid_target: 82)
Processes
- C:\Users\Admin\AppData\Local\Temp\cc2ae7d197cad41ad672837405c5fe8c.exe (PID 1020, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cc2ae7d197cad41ad672837405c5fe8c.exe"
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - F:\$RECYCLE.BIN\OKFNRRB.EXE (PID 1276, level 2, child of PID 1020)
    Command line: F:\$RECYCLE.BIN\OKFNRRB.EXE
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
Downloads
- Filesize: 325KB
  MD5: 8966c2dcf291d735adb31f756a8a0c4d
  SHA1: 0a122069c1329d402ab09adbc6895d09face961a
  SHA256: e68220880f2e5114bfd52e9d2e960b1abbcadf62dd1b568d999c281aba13a3be
  SHA512: a5968b85c5f6ef4cc684956a170169693ce59f1fee070db359544c0c35a6775fe9c51740de4b33b6796d3db4817d300a4646551eca76ae07a07e4c4441ca2df4