Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06/09/2024, 13:30
Behavioral task: behavioral1
Sample: 0a40a749d1be6b76c2322c56ea38aeb0N.exe
Resource: win7-20240903-en
General
Target: 0a40a749d1be6b76c2322c56ea38aeb0N.exe
Size: 4.8MB
MD5: 0a40a749d1be6b76c2322c56ea38aeb0
SHA1: 459c2340e9eb61de1f3e83ac4086d4d1f3972355
SHA256: 6426ee196edb12e2a6b2a9f4254faee41ac4757f20da4c7713045116f2fe134a
SHA512: d055d6168bdcdbf73b092fea3bf3240710a40415e92e239334ecc4071477a7316af673a9acc23a53968458ae3e8480d862f8a000e2c99547d5939fb9d11c7651
SSDEEP: 49152:HoSrOO53RTqtikI8boQhfD6UDvxvykXk1rBsgyegFKvc4clwYbgkEaSGw5r5g:H7rOO53aDmSma+g
Malware Config
Signatures
Deletes itself (1 IoC)
  pid   Process
  2816  cmd.exe

Executes dropped EXE (1 IoC)
  pid   Process
  2676  CCTV.exe

  resource                                                                     yara_rule
  behavioral1/memory/2264-0-0x0000000000400000-0x0000000000425000-memory.dmp   upx
  behavioral1/files/0x00140000000173fb-20.dat                                  upx
  behavioral1/memory/2264-24-0x0000000000400000-0x0000000000425000-memory.dmp  upx
  behavioral1/memory/2676-25-0x0000000000400000-0x0000000000425000-memory.dmp  upx
Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  description                   ioc             Process
  File created                  C:\autorun.inf  CCTV.exe
  File opened for modification  F:\autorun.inf  CCTV.exe
  File created                  F:\autorun.inf  CCTV.exe
  File opened for modification  C:\autorun.inf  CCTV.exe

Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
  description                   ioc                  Process
  File created                  C:\Windows\CCTV.exe  0a40a749d1be6b76c2322c56ea38aeb0N.exe
  File opened for modification  C:\Windows\CCTV.exe  0a40a749d1be6b76c2322c56ea38aeb0N.exe
  File opened for modification  C:\Windows\CCTV.exe  CCTV.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  CCTV.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0a40a749d1be6b76c2322c56ea38aeb0N.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2264  0a40a749d1be6b76c2322c56ea38aeb0N.exe
  2676  CCTV.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                procid_target
  PID 2264 wrote to memory of 2816  2264  0a40a749d1be6b76c2322c56ea38aeb0N.exe  30  (4 identical entries)
  PID 2264 wrote to memory of 2676  2264  0a40a749d1be6b76c2322c56ea38aeb0N.exe  32  (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\0a40a749d1be6b76c2322c56ea38aeb0N.exe (PID 2264)
  command line: "C:\Users\Admin\AppData\Local\Temp\0a40a749d1be6b76c2322c56ea38aeb0N.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 2816, child of 2264)
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\0a40a749d1be6b76c2322c56ea38aeb0Nkill.bat
    - Deletes itself
    - System Location Discovery: System Language Discovery

  C:\Windows\CCTV.exe (PID 2676, child of 2264)
    command line: C:\Windows\CCTV.exe
    - Executes dropped EXE
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 190B
  MD5: db2379fc51da045aea90cda15121f9cf
  SHA1: 8fa6709b75749bd5b8318c106082c079ac9d1ad1
  SHA256: df33a592966748625546ff9eb1806405c9da8b3f9135a79fd197b9e10b6d3c1f
  SHA512: 026a29af34d311d7f7b319a222e7b2930f2da995a092f6484996c1ea2703d526c74114638aeab534721ea7f4b4e28aaf52449ceb2ae8555f5668b8ecd895d9dd

File 2 (same hashes as the submitted sample)
  Filesize: 4.8MB
  MD5: 0a40a749d1be6b76c2322c56ea38aeb0
  SHA1: 459c2340e9eb61de1f3e83ac4086d4d1f3972355
  SHA256: 6426ee196edb12e2a6b2a9f4254faee41ac4757f20da4c7713045116f2fe134a
  SHA512: d055d6168bdcdbf73b092fea3bf3240710a40415e92e239334ecc4071477a7316af673a9acc23a53968458ae3e8480d862f8a000e2c99547d5939fb9d11c7651