ebd3bc74866f6cd818141da0ff7ae51b4b1970dad1695f3f57845909f9c7b7a4

Analysis

max time kernel
90s
max time network
97s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
14-08-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CCUpdate.exe
Size

809KB
MD5

943a4f169e9a3303ed6defc1ac3690bd
SHA1

e0bd76b866624164c10b85d37efb6474b84164df
SHA256

e531742a357907248de84b99f68ed7e8edd70e7ca918d21b24cc17ee4c128240
SHA512

da29cafdd63fd3ab3d2378fc6c2810d7579ebd6b62a4f99248458094cd2e42dc0071b83f0aee4185ca1c81139dec2991212ac383d77a737937558bbcb29d688c
SSDEEP

24576:Jjtgw77IpNyggggMrSQ5hEGnh0lhSMXlLtBq7ZnP:JjtgI6yggggMrSQ52bbq7ZnP

Score

6^/10

bootkit discovery persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CCUpdate.ini	CCUpdate.exe

Loads dropped DLL 1 IoCs

pid	Process
4348	CCUpdate.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCUpdate.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 4348	1832	CCUpdate.exe	82
PID 1832 wrote to memory of 4348	1832	CCUpdate.exe	82
PID 1832 wrote to memory of 4348	1832	CCUpdate.exe	82

C:\Users\Admin\AppData\Local\Temp\CCUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\CCUpdate.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\CCUpdate.exe
  CCUpdate.exe /emupdater /applydll "C:\Users\Admin\AppData\Local\Temp\6df8ed85-352a-4878-9ad5-f1b90f07dbce.dll"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2c8b8380-ec44-4269-8d73-57c874b145a0.ini

Filesize
170B

MD5
2af9f69df769f876f6e02da18e966020

SHA1
5d21312d9bd23a498a294844778c49641a63d5e2

SHA256
473d48a44a348f6c547aefd2c60dd4b9de0092e1fb94a7611bdd374783ef3b2c

SHA512
a4705e5491cf03867fd46e63293181bf761d04fe0cccb86e373dd567c68d646634f64ef95d5b910d2266468b93bf7cdf6f9acbf576c6f42a4ff6c3caa09d2274

Download Submit
C:\Users\Admin\AppData\Local\Temp\6df8ed85-352a-4878-9ad5-f1b90f07dbce.dll

Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads