Overview

overview

10

Static

static

10

UDP.exe

windows11-21h2-x64

3

a

windows11-21h2-x64

1

arm1

windows11-21h2-x64

1

bj.exe

windows11-21h2-x64

10

bjyk.exe

windows11-21h2-x64

10

cctv.exe

windows11-21h2-x64

10

cctv_2.exe

windows11-21h2-x64

10

cn.exe

windows11-21h2-x64

7

cn1.exe

windows11-21h2-x64

3

dhl.exe

windows11-21h2-x64

10

java

windows11-21h2-x64

1

java (2)

windows11-21h2-x64

1

java1

windows11-21h2-x64

1

k5.exe

windows11-21h2-x64

10

ly1

windows11-21h2-x64

1

mh.exe

windows11-21h2-x64

10

mips

windows11-21h2-x64

1

pjhxx

windows11-21h2-x64

1

rootkit

windows11-21h2-x64

1

se.exe

windows11-21h2-x64

7

server.exe

windows11-21h2-x64

10

smss.exe

windows11-21h2-x64

10

sqlrer

windows11-21h2-x64

1

squld

windows11-21h2-x64

1

ssh.sh

windows11-21h2-x64

3

taskmgr.exe

windows11-21h2-x64

10

win.exe

windows11-21h2-x64

10

wm.html

windows11-21h2-x64

4

wrt1

windows11-21h2-x64

1

xm.exe

windows11-21h2-x64

10

yk.exe

windows11-21h2-x64

10

yk1.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1800s
  • max time network
    1801s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    07-12-2024 18:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cctv.exe

  • Size

    221KB

  • MD5

    dc655daf16748469712aa1d26336e087

  • SHA1

    ad9df22536f9913229849d8ac7b3baff93529d71

  • SHA256

    744d37a30b3e0085b55fb62c9f226a4fd42a2545bd246105ba5e99c8fbfe1011

  • SHA512

    0e2c839ce3d7bcf3ea2766e07970b5c5fb77f8909d1f70225b2c075faced3f130e1a37104d6ecd17a8fa00e3303d90a46d0c296b22bac3e2762ae30f315c3e46

  • SSDEEP

    6144:jzu6Kqcii29Z/3sXnr1eEKNTVCDk0PVLOgE:jp7i2wbJ0Vc/JE

Score
10/10
discoveryevasion

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 4 IoCs
    evasion
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Loads dropped DLL 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:628
      • C:\Windows\system32\fontdrvhost.exe
        "fontdrvhost.exe"
        2⤵
          PID:812
        • C:\Windows\system32\dwm.exe
          "dwm.exe"
          2⤵
            PID:424
        • C:\Windows\system32\lsass.exe
          C:\Windows\system32\lsass.exe
          1⤵
            PID:688
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k DcomLaunch -p
            1⤵
              PID:800
              • C:\Windows\system32\wbem\unsecapp.exe
                C:\Windows\system32\wbem\unsecapp.exe -Embedding
                2⤵
                  PID:3116
                • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                  2⤵
                    PID:3708
                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                    2⤵
                      PID:3732
                    • C:\Windows\System32\RuntimeBroker.exe
                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                      2⤵
                        PID:3808
                      • C:\Windows\System32\RuntimeBroker.exe
                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                        2⤵
                          PID:3956
                        • C:\Windows\system32\DllHost.exe
                          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                          2⤵
                            PID:4004
                          • C:\Windows\system32\DllHost.exe
                            C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
                            2⤵
                              PID:4316
                            • C:\Windows\system32\SppExtComObj.exe
                              C:\Windows\system32\SppExtComObj.exe -Embedding
                              2⤵
                                PID:1844
                              • C:\Windows\system32\DllHost.exe
                                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                2⤵
                                  PID:3084
                              • C:\Windows\system32\fontdrvhost.exe
                                "fontdrvhost.exe"
                                1⤵
                                  PID:820
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k RPCSS -p
                                  1⤵
                                    PID:924
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                    1⤵
                                      PID:988
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                      1⤵
                                        PID:700
                                      • C:\Windows\System32\svchost.exe
                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                        1⤵
                                          PID:328
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                                          1⤵
                                            PID:1068
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                            1⤵
                                              PID:1092
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                              1⤵
                                                PID:1100
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                1⤵
                                                  PID:1176
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                  1⤵
                                                    PID:1196
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                    1⤵
                                                      PID:1236
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
                                                      1⤵
                                                        PID:1304
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                        1⤵
                                                          PID:1320
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                          1⤵
                                                            PID:1380
                                                            • C:\Windows\system32\sihost.exe
                                                              sihost.exe
                                                              2⤵
                                                                PID:2952
                                                            • C:\Windows\System32\svchost.exe
                                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                              1⤵
                                                                PID:1564
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                                1⤵
                                                                  PID:1616
                                                                • C:\Windows\System32\svchost.exe
                                                                  C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                                  1⤵
                                                                    PID:1624
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k NetworkService -p
                                                                    1⤵
                                                                      PID:1664
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                                      1⤵
                                                                        PID:1708
                                                                      • C:\Windows\System32\svchost.exe
                                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                                        1⤵
                                                                          PID:1752
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                                          1⤵
                                                                            PID:1848
                                                                          • C:\Windows\System32\svchost.exe
                                                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                            1⤵
                                                                              PID:1860
                                                                            • C:\Windows\System32\svchost.exe
                                                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                              1⤵
                                                                                PID:1936
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                1⤵
                                                                                  PID:1944
                                                                                • C:\Windows\system32\svchost.exe
                                                                                  C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                                                  1⤵
                                                                                    PID:1372
                                                                                  • C:\Windows\System32\svchost.exe
                                                                                    C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                                    1⤵
                                                                                      PID:1776
                                                                                    • C:\Windows\System32\spoolsv.exe
                                                                                      C:\Windows\System32\spoolsv.exe
                                                                                      1⤵
                                                                                        PID:2152
                                                                                      • C:\Windows\system32\svchost.exe
                                                                                        C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
                                                                                        1⤵
                                                                                          PID:2232
                                                                                        • C:\Windows\System32\svchost.exe
                                                                                          C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                                          1⤵
                                                                                            PID:2260
                                                                                          • C:\Windows\System32\svchost.exe
                                                                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                                            1⤵
                                                                                              PID:2400
                                                                                            • C:\Windows\system32\svchost.exe
                                                                                              C:\Windows\system32\svchost.exe -k NetworkService -p
                                                                                              1⤵
                                                                                                PID:2528
                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                                                1⤵
                                                                                                  PID:2560
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                                                  1⤵
                                                                                                    PID:2584
                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                                                    1⤵
                                                                                                      PID:2624
                                                                                                    • C:\Windows\sysmon.exe
                                                                                                      C:\Windows\sysmon.exe
                                                                                                      1⤵
                                                                                                        PID:2652
                                                                                                      • C:\Windows\System32\svchost.exe
                                                                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                                                        1⤵
                                                                                                          PID:2680
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                                                          1⤵
                                                                                                            PID:2688
                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                                                            1⤵
                                                                                                              PID:2704
                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                              C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                                                              1⤵
                                                                                                                PID:2092
                                                                                                              • C:\Windows\Explorer.EXE
                                                                                                                C:\Windows\Explorer.EXE
                                                                                                                1⤵
                                                                                                                  PID:3300
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\cctv.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\cctv.exe"
                                                                                                                    2⤵
                                                                                                                    • Modifies firewall policy service
                                                                                                                    • Loads dropped DLL
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    • Checks processor information in registry
                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                    PID:2332
                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                                  1⤵
                                                                                                                    PID:3448
                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                                                    1⤵
                                                                                                                      PID:3512
                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                      C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
                                                                                                                      1⤵
                                                                                                                        PID:4052
                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                        C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
                                                                                                                        1⤵
                                                                                                                          PID:4592
                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                          C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                                                          1⤵
                                                                                                                            PID:4304
                                                                                                                          • C:\Windows\System32\svchost.exe
                                                                                                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                            1⤵
                                                                                                                              PID:2348
                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                              1⤵
                                                                                                                                PID:2792
                                                                                                                              • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                                                "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                                                1⤵
                                                                                                                                  PID:4032
                                                                                                                                • C:\Windows\System32\svchost.exe
                                                                                                                                  C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                                  1⤵
                                                                                                                                    PID:2596
                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                    1⤵
                                                                                                                                      PID:4652
                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                                                      1⤵
                                                                                                                                        PID:4948

                                                                                                                                      Network

                                                                                                                                      MITRE ATT&CK Enterprise v15

                                                                                                                                      Replay Monitor

                                                                                                                                      Loading Replay Monitor...

                                                                                                                                      Downloads

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\cni831A.tmp
                                                                                                                                        Filesize

                                                                                                                                        172KB

                                                                                                                                        MD5

                                                                                                                                        685f1cbd4af30a1d0c25f252d399a666

                                                                                                                                        SHA1

                                                                                                                                        6a1b978f5e6150b88c8634146f1406ed97d2f134

                                                                                                                                        SHA256

                                                                                                                                        0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

                                                                                                                                        SHA512

                                                                                                                                        6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

                                                                                                                                        Download Submit

                                                                                                                                      • memory/2332-0-0x0000000000400000-0x000000000040E000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        56KB

                                                                                                                                        Download

                                                                                                                                      • memory/2332-5-0x0000000000970000-0x00000000009E3000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        460KB

                                                                                                                                        Download

                                                                                                                                      • memory/2332-8-0x0000000000970000-0x00000000009E3000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        460KB

                                                                                                                                        Download

                                                                                                                                      • memory/2332-9-0x000000007FE70000-0x000000007FE7C000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        48KB

                                                                                                                                        Download

                                                                                                                                      • memory/2332-11-0x00000000770B5000-0x00000000770B6000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        4KB

                                                                                                                                        Download

                                                                                                                                      • memory/2332-10-0x00000000770B4000-0x00000000770B5000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        4KB

                                                                                                                                        Download

                                                                                                                                      • memory/2332-12-0x000000007FE70000-0x000000007FE7C000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        48KB

                                                                                                                                        Download

                                                                                                                                      • memory/2332-13-0x0000000000970000-0x00000000009E3000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        460KB

                                                                                                                                        Download

                                                                                                                                      • memory/2332-20-0x0000000000400000-0x000000000040E000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        56KB

                                                                                                                                        Download

                                                                                                                                      • memory/2332-22-0x000000007FE70000-0x000000007FE7C000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        48KB

                                                                                                                                        Download

                                                                                                                                      • memory/2332-47-0x0000000000970000-0x00000000009E3000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        460KB

                                                                                                                                        Download