Analysis
- max time kernel: 429s
- max time network: 599s
- platform: windows11-21h2_x64
- resource: win11-20240709-en
- resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 09/07/2024, 22:17
Behavioral tasks
- behavioral1: sample CCXProcess.exe, resource win7-20240704-en
- behavioral2: sample CCXProcess.exe, resource win10-20240611-en
- behavioral3: sample CCXProcess.exe, resource win10v2004-20240709-en
- behavioral4: sample CCXProcess.exe, resource win11-20240709-en
General
- Target: CCXProcess.exe
- Size: 127KB
- MD5: 8fc1ba33db2aeb28138bbafe4708c834
- SHA1: 7f645dccb5c0641079ab42a44d48903400bfd0cf
- SHA256: 52d77f0c17e871983e761c9fef3b93b1b3263878fd91caa330bd1a1bc8c75355
- SHA512: ac24efdc015deb986a6963b1b92276b54715266d3c15edfb0325f63aa7462434b8539220cc1c3aafacb3f6eb1e3d097bf4f58bc9bfecf00d839ad6ea11784ee2
- SSDEEP: 3072:rUFcxoyXkiPMVDqgiH1brxVyqQCguKMkDEi4Y:rVkiPMV+VbT5rgNEv
Malware Config
Extracted family: asyncrat
- Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
- C2: 181.47.208.50:4449
- egycitgaxejyhidp
- delay: 5
- install: true
- install_file: CCXProcess.exe
- install_folder: %Temp%
Signatures
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (1 IoC)
  resource: behavioral4/memory/4828-16-0x000000001CDA0000-0x000000001CEC2000-memory.dmp
  yara_rule: family_stormkitty
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened by CCXProcess.exe: \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened by CCXProcess.exe: \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened by CCXProcess.exe: \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 8: discord.com
  flow 12: discord.com
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 8: ip-api.com
  flow 2: icanhazip.com
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 6 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Key queried by netsh.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
  Key value enumerated by netsh.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
  Key opened by netsh.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
  Key queried by netsh.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
  Key value enumerated by netsh.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
  Key opened by netsh.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened by CCXProcess.exe: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
  Key value queried by CCXProcess.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid 4828 CCXProcess.exe (25 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 4828 CCXProcess.exe
  Token: SeDebugPrivilege, pid 4828 CCXProcess.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 4828 CCXProcess.exe
- Suspicious use of WriteProcessMemory (14 IoCs; each pair is recorded twice)
  PID 4828 (CCXProcess.exe) wrote to memory of 1232, procid_target 82
  PID 1232 (cmd.exe) wrote to memory of 2084, procid_target 84
  PID 1232 (cmd.exe) wrote to memory of 3612, procid_target 85
  PID 1232 (cmd.exe) wrote to memory of 1956, procid_target 86
  PID 4828 (CCXProcess.exe) wrote to memory of 4712, procid_target 87
  PID 4712 (cmd.exe) wrote to memory of 3552, procid_target 89
  PID 4712 (cmd.exe) wrote to memory of 8, procid_target 90
- outlook_office_path (1 IoC)
  Key opened by CCXProcess.exe: \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Key opened by CCXProcess.exe: \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\CCXProcess.exe (PID 4828)
  command line: "C:\Users\Admin\AppData\Local\Temp\CCXProcess.exe"
  signatures: Accesses Microsoft Outlook profiles; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
  - C:\Windows\SYSTEM32\cmd.exe (PID 1232)
    command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com (PID 2084)
      command line: chcp 65001
    - C:\Windows\system32\netsh.exe (PID 3612)
      command line: netsh wlan show profile
      signatures: Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\system32\findstr.exe (PID 1956)
      command line: findstr All
  - C:\Windows\SYSTEM32\cmd.exe (PID 4712)
    command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com (PID 3552)
      command line: chcp 65001
    - C:\Windows\system32\netsh.exe (PID 8)
      command line: netsh wlan show networks mode=bssid
      signatures: Event Triggered Execution: Netsh Helper DLL
Network
MITRE ATT&CK Enterprise v15
Downloads