Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-11-2020 17:39

Static task: static1
Behavioral task: behavioral1
Sample: 2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca.exe
Resource: win7v20201028
General
- Target: 2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca.exe
- Size: 283KB
- MD5: 8907e1d0d4a40c8e246f53531fd91038
- SHA1: 9c2f5d929f53057e67f1ba925f230127dfaeae07
- SHA256: 2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca
- SHA512: db671efde25adbe37553565ff965228dc3f3b4b899cc4e990f22028ba4758a57a53e15c53464614860ec676068b728a2566bd73be0c021d3f91e12b416aea2b7
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: 2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca.exe
  description      ioc                                                                                   process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"  2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca.exe
Modifies firewall policy service (2 TTPs, 3 IoCs)
  Processes: msdcsc.exe
  description      ioc                                                                                                                      process
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"         msdcsc.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"   msdcsc.exe
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile                              msdcsc.exe
Disables RegEdit via registry modification

Disables Task Manager via registry modification
Executes dropped EXE (1 IoC)
  Processes: msdcsc.exe
  pid   process
  1972  msdcsc.exe

  resource                                    yara_rule
  \Users\Admin\Documents\MSDCSC\msdcsc.exe    upx
  \Users\Admin\Documents\MSDCSC\msdcsc.exe    upx
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe  upx
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe  upx
Loads dropped DLL (2 IoCs)
  Processes: 2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca.exe
  pid   process
  1880  2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca.exe
  1880  2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca.exe
  description      ioc                                                                                                                          process
  Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"  2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: msdcsc.exe
  pid   process
  1972  msdcsc.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes: 2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca.exe, msdcsc.exe
  Both PID 1880 (2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca.exe) and PID 1972 (msdcsc.exe) adjusted the same 23 token privileges (23 x 2 = 46 IoCs):
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 33
  Token: 34
  Token: 35
Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: msdcsc.exe
  pid   process
  1972  msdcsc.exe
Suspicious use of WriteProcessMemory (43 IoCs)
  Processes: 2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca.exe, cmd.exe, cmd.exe, msdcsc.exe
  description (pid process -> target process)                                                                              count
  PID 1880 (2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca.exe) wrote to memory of 1416 (cmd.exe)       4
  PID 1880 (2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca.exe) wrote to memory of 1176 (cmd.exe)       4
  PID 1176 (cmd.exe) wrote to memory of 1560 (attrib.exe)                                                                  4
  PID 1416 (cmd.exe) wrote to memory of 2004 (attrib.exe)                                                                  4
  PID 1880 (2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca.exe) wrote to memory of 1972 (msdcsc.exe)    4
  PID 1972 (msdcsc.exe) wrote to memory of 1724 (notepad.exe)                                                              23
Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  pid   process
  1560  attrib.exe
  2004  attrib.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca.exe"
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca.exe" +s +h
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Users\Admin\AppData\Local\Temp\2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca.exe" +s +h
            - Views/modifies file attributes

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            - Views/modifies file attributes

    [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        - Modifies firewall policy service
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\notepad.exe
            Command line: notepad
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (the report lists this dropped file four times, twice as C:\Users\Admin\Documents\MSDCSC\msdcsc.exe and twice as \Users\Admin\Documents\MSDCSC\msdcsc.exe; every entry carries the same hashes, and they are the hashes of the submitted sample, so the dropped file is a byte-for-byte copy of it)
  MD5: 8907e1d0d4a40c8e246f53531fd91038
  SHA1: 9c2f5d929f53057e67f1ba925f230127dfaeae07
  SHA256: 2654ec9fe7ccee977306d6edd42e76cc5540210dcf1364f8de82b6c1760168ca
  SHA512: db671efde25adbe37553565ff965228dc3f3b4b899cc4e990f22028ba4758a57a53e15c53464614860ec676068b728a2566bd73be0c021d3f91e12b416aea2b7
- memory/1176-1-0x0000000000000000-mapping.dmp
- memory/1416-0-0x0000000000000000-mapping.dmp
- memory/1560-2-0x0000000000000000-mapping.dmp
- memory/1724-9-0x0000000000000000-mapping.dmp
- memory/1724-10-0x0000000000020000-0x0000000000021000-memory.dmp (Filesize: 4KB)
- memory/1724-11-0x0000000000000000-mapping.dmp
- memory/1972-6-0x0000000000000000-mapping.dmp
- memory/2004-3-0x0000000000000000-mapping.dmp