Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19/01/2025, 18:55
Static task
static1
Behavioral task
behavioral1
Sample
606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe
Resource
win10v2004-20241007-en
General
-
Target
606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe
-
Size
260KB
-
MD5
0b0b0742f00569a644de0d91f04981b5
-
SHA1
3ae1c9f2017981ce389baa55a0775241b87e7529
-
SHA256
606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd
-
SHA512
a178a5e07a0d500f6b366152d058af73e0e3af18bcbe7713a05ae5a0b16d9b20e4b2f45d2313ba7181d4c0c208995def738d2ee868407728cf3166142dd74cbc
-
SSDEEP
6144:zefpY2nDl/XExmqGSE1w+DrseAB7LWg5nD9dwLi0Q:z6JDexmqGR1DnfsDLw20Q
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 1248 pkhgfc.exe -
Executes dropped EXE 2 IoCs
pid Process 1248 pkhgfc.exe 2204 ccd.exe -
Loads dropped DLL 7 IoCs
pid Process 2176 cmd.exe 2176 cmd.exe 1248 pkhgfc.exe 2204 ccd.exe 2204 ccd.exe 2204 ccd.exe 2204 ccd.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cache = "c:\\Program Files\\cvhmbhp\\ccd.exe \"c:\\Program Files\\cvhmbhp\\ccdjm.dll\",Cache" ccd.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\i: ccd.exe File opened (read-only) \??\u: ccd.exe File opened (read-only) \??\k: ccd.exe File opened (read-only) \??\m: ccd.exe File opened (read-only) \??\s: ccd.exe File opened (read-only) \??\y: ccd.exe File opened (read-only) \??\a: ccd.exe File opened (read-only) \??\b: ccd.exe File opened (read-only) \??\e: ccd.exe File opened (read-only) \??\j: ccd.exe File opened (read-only) \??\q: ccd.exe File opened (read-only) \??\r: ccd.exe File opened (read-only) \??\t: ccd.exe File opened (read-only) \??\w: ccd.exe File opened (read-only) \??\h: ccd.exe File opened (read-only) \??\l: ccd.exe File opened (read-only) \??\n: ccd.exe File opened (read-only) \??\p: ccd.exe File opened (read-only) \??\z: ccd.exe File opened (read-only) \??\g: ccd.exe File opened (read-only) \??\o: ccd.exe File opened (read-only) \??\v: ccd.exe File opened (read-only) \??\x: ccd.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 ccd.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification \??\c:\Program Files\cvhmbhp pkhgfc.exe File created \??\c:\Program Files\cvhmbhp\ccdjm.dll pkhgfc.exe File created \??\c:\Program Files\cvhmbhp\ccd.exe pkhgfc.exe File opened for modification \??\c:\Program Files\cvhmbhp\ccd.exe pkhgfc.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pkhgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ccd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2176 cmd.exe 2572 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ccd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ccd.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2572 PING.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2204 ccd.exe 2204 ccd.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2204 ccd.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2136 606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe 1248 pkhgfc.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2136 wrote to memory of 2176 2136 606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe 30 PID 2136 wrote to memory of 2176 2136 606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe 30 PID 2136 wrote to memory of 2176 2136 606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe 30 PID 2136 wrote to memory of 2176 2136 606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe 30 PID 2176 wrote to memory of 2572 2176 cmd.exe 32 PID 2176 wrote to memory of 2572 2176 cmd.exe 32 PID 2176 wrote to memory of 2572 2176 cmd.exe 32 PID 2176 wrote to memory of 2572 2176 cmd.exe 32 PID 2176 wrote to memory of 1248 2176 cmd.exe 33 PID 2176 wrote to memory of 1248 2176 cmd.exe 33 PID 2176 wrote to memory of 1248 2176 cmd.exe 33 PID 2176 wrote to memory of 1248 2176 cmd.exe 33 PID 1248 wrote to memory of 2204 1248 pkhgfc.exe 34 PID 1248 wrote to memory of 2204 1248 pkhgfc.exe 34 PID 1248 wrote to memory of 2204 1248 pkhgfc.exe 34 PID 1248 wrote to memory of 2204 1248 pkhgfc.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe"C:\Users\Admin\AppData\Local\Temp\606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\pkhgfc.exe "C:\Users\Admin\AppData\Local\Temp\606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2572
-
-
C:\Users\Admin\AppData\Local\Temp\pkhgfc.exeC:\Users\Admin\AppData\Local\Temp\\pkhgfc.exe "C:\Users\Admin\AppData\Local\Temp\606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\Program Files\cvhmbhp\ccd.exe"c:\Program Files\cvhmbhp\ccd.exe" "c:\Program Files\cvhmbhp\ccdjm.dll",Cache C:\Users\Admin\AppData\Local\Temp\pkhgfc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
188KB
MD53aeead0d21bcfc72576464a992f2185a
SHA121f376305cc3e072ceda98c17aa735c6ab4fdc07
SHA2567a16088679c8c25714ea51203f3f9d8735b4a1630c366c1a43f2344b762a999b
SHA51203d64f82c12c15c0fe450e0a8508f53f43ad0477e830613c80a678a3d7de3a23583b0eb49ac3c188ed8d2a36559bb5d51e40e56446a18871f27da971f124daa5
-
Filesize
43KB
MD551138beea3e2c21ec44d0932c71762a8
SHA18939cf35447b22dd2c6e6f443446acc1bf986d58
SHA2565ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d
-
Filesize
260KB
MD55fb2cd4226244fb133bb7c354c18541b
SHA173b6248940c99a0c642c83d19521de5689439449
SHA2561d0066a026c70f8aa0d4ab3c2add5848eed9697978b0b5fe2007f3aa213501f5
SHA512ddc71f93fc71e2cc333e12c88f7b6439b42fe34dfecc2a273480f4d2fbf25bfe95a82bea89920af08c0fd573e1e7bad8d0c9a69c261f774a4fa312ba52e07be0