11b20dd90c0c56a1112e11e0048ac2923b8dbcf863d8345486fe7538e2eaa390

Analysis

max time kernel
147s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/06/2024, 20:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ccsetup624.exe
Size

79.8MB
MD5

688955a48d3a9122191bb9d41b3353f0
SHA1

b4f2892c127b9d125855bc409748456b755ae28f
SHA256

11b20dd90c0c56a1112e11e0048ac2923b8dbcf863d8345486fe7538e2eaa390
SHA512

ef070e51531407fedb9b8addf3a6fe34ed4d2631964bb476100ff7620d873b1aaaa72909b2eaca2d14f5004dda5e8639ec8d14975f46bc2f2eb46c1351382f4e
SSDEEP

1572864:+Qy1AHAbjAigJ8iwDycu/xyiiqZ5DjEP4rzA/TGAHlV7H6grTUwHPwu:+1+228iwDA/xy34rMTGwggrTDvw

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ccsetup624.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Loads dropped DLL 9 IoCs

pid	Process
1672	ccsetup624.exe
1672	ccsetup624.exe
1672	ccsetup624.exe
1672	ccsetup624.exe
1672	ccsetup624.exe
1672	ccsetup624.exe
1672	ccsetup624.exe
1672	ccsetup624.exe
1672	ccsetup624.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ccsetup624.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ccsetup624.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ccsetup624.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1672	ccsetup624.exe
1672	ccsetup624.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1672	ccsetup624.exe
Token: SeCreatePagefilePrivilege	1672	ccsetup624.exe
Token: SeShutdownPrivilege	1672	ccsetup624.exe
Token: SeCreatePagefilePrivilege	1672	ccsetup624.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1672	ccsetup624.exe
1672	ccsetup624.exe

C:\Users\Admin\AppData\Local\Temp\ccsetup624.exe
"C:\Users\Admin\AppData\Local\Temp\ccsetup624.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsw9750.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw9750.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw9750.tmp\a\asdk.dll

Filesize
1.0MB

MD5
e3f60a2cf6b1d155f5f7d17615907013

SHA1
8191871854dcbcc4fe34218040215581b0fccf43

SHA256
74fcd2367fb1d9c0084547ebaf1c6db081946453a5d0a2d668d83d3c489a60a9

SHA512
20a57a1d2ce3d081958b4b3b48f1c902039f26dd28abcac94fad6f20e8e5d630bbfd2365eb7200f7c8d676c593cb3dc465a406e8536abdf63bd7ef76bb86df2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw9750.tmp\g\gcapi_dll.dll

Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw9750.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw9750.tmp\p\pfBL.dll

Filesize
13.4MB

MD5
dd7852f725e2441e2af38ac16793e556

SHA1
076454588e78ad5100b152e943251ecca8bbcb70

SHA256
0d52794a670391b7bc804ec5140f4a114910c22bf5676ead321388f31907ef94

SHA512
9ee71f85aeb2615290bc42e9e9fbc215832ef37ceef6cf5d0c5a213e35113da2d99fa6a6c1384de6179641a5d03f08ed81932f6afdfe18efddd451e405e2d323

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw9750.tmp\ui\pfUI.dll

Filesize
18.2MB

MD5
7e36940483a62f7e3bdd30d95ef37b93

SHA1
5e5624afd2170a8f32fbc52bc296caf4a16e211d

SHA256
a639f28eb67410b9d685ff7eb564eb8c1a45f1116a6c520321510c8c6eb89923

SHA512
32d12fb13fed59b7801f32a2d65cc54739e99f289398fa62bdf3e952c5c3561819c8d75b35bf2f127967585c11a272a633470ca7325b16c06453d4f06eded663

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw9750.tmp\ui\res\CC_Logo_40x96.png

Filesize
2KB

MD5
d32b0460183056d3056d6db89c992b88

SHA1
79823e151b3438ab8d273a6b4a3d56a9571379b4

SHA256
b013039e32d2f8e54cfebdbfdabc25f21aa0bbe9ef26a2a5319a20024961e9a7

SHA512
3ad36f9d4015f2d3d5bc15eac221a0ecef3fcb1ef4c3c87b97b3413a66faa445869e054f7252cc233cd2bf8f1aa75cb3351d2c70c8121f4850b3db29951bc817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw9750.tmp\ui\res\CC_logo_72x66.png

Filesize
7KB

MD5
a736159759a56c29575e49cb2a51f2b3

SHA1
b1594bbca4358886d25c3a1bc662d87c913318cb

SHA256
58e75de1789c90333daaf93176194d2a3d64f2eecdf57a4b9384a229e81f874f

SHA512
4da523a36375b37fa7bc4b4ccf7c93e1df7b2da15152edf7d419927aa1bb271ef8ba27fe734d2f623fcc02b47319e75333df014bed01eb466e0cd9ec4111ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw9750.tmp\ui\res\PF_computer.png

Filesize
87KB

MD5
7f4f45c9393a0664d9d0725a2ff42c6b

SHA1
b7b30eb534e6dc69e8e293443c157134569e8ce7

SHA256
dbd8b6fdb66604a0a5e8efe269fbfa598e4a94dc146006036409d905209da42b

SHA512
0c27f9ce615cbff3e17fd772ce3929ab4419d7432d96223b7eec1ba70953f2ac993404b954020247b52d7f7499212d44eb6f85da2e2676773cafe1ce89b390f9

Download Submit