Analysis

Max time kernel: 144s
Max time network: 146s
Platform: windows10_x64
Resource: win10v200430
Submitted: 24-06-2020 15:06
Static task: static1

Behavioral task: behavioral1
  Sample: 52b6f57b2e7a9fc832227cc0ae02794e506358a295dadcf75387755a1b84b1ea.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 52b6f57b2e7a9fc832227cc0ae02794e506358a295dadcf75387755a1b84b1ea.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General

Target: 52b6f57b2e7a9fc832227cc0ae02794e506358a295dadcf75387755a1b84b1ea.exe
Size: 449KB
MD5: 8a488db081cc65579bf9f2f0e7e402d4
SHA1: b528651971ac466807350ce24728d76fb6cd0e1a
SHA256: 52b6f57b2e7a9fc832227cc0ae02794e506358a295dadcf75387755a1b84b1ea
SHA512: 628c3827272e6639008d20c580fb5c7cf6097424b5a55996f588c5c375a79b80684e6c2b783e4161193a53f10d6ae5a84ca81cf30339301ff55e8b289b13f6ba
Score: 10/10
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 52b6f57b2e7a9fc832227cc0ae02794e506358a295dadcf75387755a1b84b1ea.exe (PID 2804)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit =
    "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  The stock value of this key is "C:\\Windows\\system32\\userinit.exe," on its own. The sample appends its own binary to the comma-separated list so that Winlogon launches it at every interactive logon. The key lives under HKLM, so the write needs administrative rights, which is consistent with the elevated token seen below.

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 52b6f57b2e7a9fc832227cc0ae02794e506358a295dadcf75387755a1b84b1ea.exe (PID 2804)
  Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate =
    "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  A second, per-user autostart for the same dropped path, so the implant survives even if one of the two entries is cleaned. The MSDCSC\msdcsc.exe drop location and the MicroUpdate value name are the defaults of the DarkComet RAT builder.

Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Process: 52b6f57b2e7a9fc832227cc0ae02794e506358a295dadcf75387755a1b84b1ea.exe (PID 2804) enabled the following privileges on its own token:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, plus privilege LUIDs 33, 34, 35 and 36 (left unresolved by the sandbox; on Windows 10 these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege).
  Enabling every privilege present in the token at once, instead of the single one a given API call needs, is itself a behavioural tell. SeDebugPrivilege in particular is what lets the process open and inject into processes of other users.
Processes

C:\Users\Admin\AppData\Local\Temp\52b6f57b2e7a9fc832227cc0ae02794e506358a295dadcf75387755a1b84b1ea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\52b6f57b2e7a9fc832227cc0ae02794e506358a295dadcf75387755a1b84b1ea.exe"
  PID: 2804
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken

No child process appears in the tree, so within this run the sample only registered msdcsc.exe for autostart rather than launching it.