Analysis
- max time kernel: 137s
- max time network: 136s
- platform: windows10_x64
- resource: win10
- submitted: 25-10-2020 18:12
Static task: static1

Behavioral task: behavioral1
- Sample: 73f6740e7be932c1cc001494c900a43a.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 73f6740e7be932c1cc001494c900a43a.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 73f6740e7be932c1cc001494c900a43a.exe
- Size: 251KB
- MD5: 73f6740e7be932c1cc001494c900a43a
- SHA1: 6d1593b508f4631b63215a7660f423bb3b8506f3
- SHA256: 8cd7d6ad6c2ef4704a7b4e090c31e43fb32ed02ca81007c190dbb4938c9e526d
- SHA512: d3e954a10d08931fb56ef1b54619221edd68b81674f8ed1f00c536e39655b6254d2367ea03287637dd7d701c35773f208faa387f04114fa47fd6a315a45d9872
- Score: 10/10
Malware Config

Signatures

- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Process: 73f6740e7be932c1cc001494c900a43a.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process: 73f6740e7be932c1cc001494c900a43a.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: 73f6740e7be932c1cc001494c900a43a.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process: 73f6740e7be932c1cc001494c900a43a.exe

- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Process: 73f6740e7be932c1cc001494c900a43a.exe (pid 4012)
  description (token enabled), one per IoC:
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 33
  Token: 34
  Token: 35
  Token: 36