Analysis

  • max time kernel
    599s
  • max time network
    604s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    09/07/2024, 22:17

General

  • Target

    CCXProcess.exe

  • Size

    127KB

  • MD5

    8fc1ba33db2aeb28138bbafe4708c834

  • SHA1

    7f645dccb5c0641079ab42a44d48903400bfd0cf

  • SHA256

    52d77f0c17e871983e761c9fef3b93b1b3263878fd91caa330bd1a1bc8c75355

  • SHA512

    ac24efdc015deb986a6963b1b92276b54715266d3c15edfb0325f63aa7462434b8539220cc1c3aafacb3f6eb1e3d097bf4f58bc9bfecf00d839ad6ea11784ee2

  • SSDEEP

    3072:rUFcxoyXkiPMVDqgiH1brxVyqQCguKMkDEi4Y:rVkiPMV+VbT5rgNEv

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

C2

C2

181.47.208.50:4449

Mutex

egycitgaxejyhidp

Attributes
  • delay

    5

  • install

    true

  • install_file

    CCXProcess.exe

  • install_folder

    %Temp%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in Windows directory 2 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CCXProcess.exe
    "C:\Users\Admin\AppData\Local\Temp\CCXProcess.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:2356
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:1452
      • C:\Windows\system32\netsh.exe
        netsh wlan show profile
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:2260
      • C:\Windows\system32\findstr.exe
        findstr All
        3⤵
        PID:2444
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:3928
      • C:\Windows\system32\netsh.exe
        netsh wlan show networks mode=bssid
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:5092
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4712

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\066e6f523d340da57ba03131615b0d9c\Admin@GKUTWGDF_en-US\System\Process.txt

          Filesize

          3KB

          MD5

          eb69d22fc1d8eec2c29e220c65b96741

          SHA1

          ef3849ecc1ff0c2794b6abdcf2a9be20828e3ffd

          SHA256

          5edeeb5263173fb92c7216f7628227b17c171c13945b6cc2ce902b211b96f730

          SHA512

          4a6834ffaacb871452ac93b4807e524f0461309b0d47206ff14bfb273ae6c984201267c895c429bb55a9fc0caa727d7642bfed9ccb01e67c4d37ac64699b865d

        • C:\Users\Admin\AppData\Local\066e6f523d340da57ba03131615b0d9c\Admin@GKUTWGDF_en-US\System\Process.txt

          Filesize

          4KB

          MD5

          217635450d31ad9bc27a275854685f69

          SHA1

          26fcf1886a7c8cf7907b7da59bb0ec21c9adc122

          SHA256

          8785e854da960725cb5dc2276c1a4d7559a3a3ef0a5dae303d1d9b9dffb07044

          SHA512

          c8100373de5a8a4cdeca503292063d28b81c991eaf7493e29579e20011d0c6b9d08c6c87c0399dfe41470eedc924cb603b44501d4754ce6eb77e75dfbf2de1fa

        • C:\Users\Admin\AppData\Local\066e6f523d340da57ba03131615b0d9c\msgid.dat

          Filesize

          1B

          MD5

          cfcd208495d565ef66e7dff9f98764da

          SHA1

          b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

          SHA256

          5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

          SHA512

          31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

        • C:\Users\Admin\AppData\Local\Temp\places.raw

          Filesize

          5.0MB

          MD5

          992848147f89ffb1c8c56771484ed175

          SHA1

          0d2f38d2f569e18cf37e7771376c42d430fb517b

          SHA256

          90f853eb9adc4d53d070033082db2d8d5100659e85ef477066fc450f68adb112

          SHA512

          1010f75056512235a122cac576634cacf7305a3244631eec80c5e6be1170627073cf24e955e5f23ad22bb74dcfe749ec3274f581ccd5d01bc788ea8afead74e0

        • C:\Users\Admin\AppData\Local\Temp\tmp1727.tmp.dat

          Filesize

          46KB

          MD5

          02d2c46697e3714e49f46b680b9a6b83

          SHA1

          84f98b56d49f01e9b6b76a4e21accf64fd319140

          SHA256

          522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

          SHA512

          60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

        • C:\Users\Admin\AppData\Local\Temp\tmp1728.tmp.dat

          Filesize

          148KB

          MD5

          90a1d4b55edf36fa8b4cc6974ed7d4c4

          SHA1

          aba1b8d0e05421e7df5982899f626211c3c4b5c1

          SHA256

          7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

          SHA512

          ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

        • C:\Users\Admin\AppData\Local\Temp\tmp2F2A.tmp.dat

          Filesize

          20KB

          MD5

          1eb2d831c942f0084c89794c33205b55

          SHA1

          0988fc3f56f07d258ca3f5629acf18123baff722

          SHA256

          c880a9fb192a7ffb576934c9041c011258e6a3498a861efa3704ec317f351578

          SHA512

          af850b21602c73588709304b46024db2afdb3afaf42627a5fd01bc15f80e2180de042068e2e09563c52bdabc82a580c475fc8605e80cc1e7f98567179948ddd0

        • C:\Users\Admin\AppData\Local\Temp\tmp2F6B.tmp.dat

          Filesize

          96KB

          MD5

          d367ddfda80fdcf578726bc3b0bc3e3c

          SHA1

          23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

          SHA256

          0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

          SHA512

          40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

        • C:\Users\Admin\AppData\Local\Temp\tmpEB3.tmp.dat

          Filesize

          92KB

          MD5

          64408bdf8a846d232d7db045b4aa38b1

          SHA1

          2b004e839e8fc7632c72aa030b99322e1e378750

          SHA256

          292f45b8c48293c19461f901644572f880933cbbde47aedcc060b5162283a9fe

          SHA512

          90c169dbae6e15779c67e013007ac7df182a9221395edd9d6072d15e270132a44e43e330dfe0af818cf3c93754086601cd1c401fb9b69d7c9567407e4d08873b

        • memory/2356-10-0x00007FF87EFD0000-0x00007FF87F1AB000-memory.dmp

          Filesize

          1.9MB

        • memory/2356-1-0x00007FF87EFD0000-0x00007FF87F1AB000-memory.dmp

          Filesize

          1.9MB

        • memory/2356-15-0x0000000001460000-0x0000000001582000-memory.dmp

          Filesize

          1.1MB

        • memory/2356-39-0x00000000015D0000-0x00000000015F2000-memory.dmp

          Filesize

          136KB

        • memory/2356-40-0x000000001CE00000-0x000000001CF34000-memory.dmp

          Filesize

          1.2MB

        • memory/2356-41-0x0000000001580000-0x000000000158A000-memory.dmp

          Filesize

          40KB

        • memory/2356-13-0x000000001B9C0000-0x000000001BA26000-memory.dmp

          Filesize

          408KB

        • memory/2356-12-0x000000001C0E0000-0x000000001C156000-memory.dmp

          Filesize

          472KB

        • memory/2356-11-0x00007FF87EFD0000-0x00007FF87F1AB000-memory.dmp

          Filesize

          1.9MB

        • memory/2356-14-0x000000001BA40000-0x000000001BA5E000-memory.dmp

          Filesize

          120KB

        • memory/2356-8-0x00007FF87EFD0000-0x00007FF87F1AB000-memory.dmp

          Filesize

          1.9MB

        • memory/2356-7-0x00007FF87EFD0000-0x00007FF87F1AB000-memory.dmp

          Filesize

          1.9MB

        • memory/2356-162-0x000000001C920000-0x000000001C99A000-memory.dmp

          Filesize

          488KB

        • memory/2356-202-0x000000001D050000-0x000000001D0D4000-memory.dmp

          Filesize

          528KB

        • memory/2356-4-0x00007FF87EFD0000-0x00007FF87F1AB000-memory.dmp

          Filesize

          1.9MB

        • memory/2356-3-0x00007FF87EFD0000-0x00007FF87F1AB000-memory.dmp

          Filesize

          1.9MB

        • memory/2356-0-0x0000000000D10000-0x0000000000D36000-memory.dmp

          Filesize

          152KB