Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-11-2020 17:47
Static task: static1
Behavioral task: behavioral1
- Sample: f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514.exe
- Resource: win10v20201028
General
- Target: f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514.exe
- Size: 266KB
- MD5: ffc54622e9daa09c0726b5694167c61b
- SHA1: 000b2b6115dc37258f2dc55106c57fbf298644af
- SHA256: f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514
- SHA512: 64f6218a73c173481a828c81e98c85818934db85f408330ae70207f16359a9f0ea40adc2d3a53a22174e9da6f864727ae01db1225e6816e70910ba595e7a5cff
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514.exe
- Executes dropped EXE (1 IoCs)
  Processes: msdcsc.exe
  pid | process
  792 | msdcsc.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation | f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514.exe, msdcsc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | msdcsc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes: f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514.exe, msdcsc.exe
  description | pid | process (24 entries per process, listed once with the tokens grouped)
  pid 4076, f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  pid 792, msdcsc.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes: f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514.exe, cmd.exe, msdcsc.exe
  description | pid | process | target process (identical entries collapsed with their count)
  PID 4076 wrote to memory of 2408 | 4076 | f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514.exe | cmd.exe (3 entries)
  PID 2408 wrote to memory of 3084 | 2408 | cmd.exe | attrib.exe (3 entries)
  PID 4076 wrote to memory of 792 | 4076 | f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514.exe | msdcsc.exe (3 entries)
  PID 792 wrote to memory of 1764 | 792 | msdcsc.exe | notepad.exe (22 entries)
- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514.exe"
  signatures: Modifies WinLogon for persistence; Checks computer location settings; Adds Run key to start application; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514.exe" +s +h
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (depth 3)
      command line: attrib "C:\Users\Admin\AppData\Local\Temp\f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514.exe" +s +h
      signatures: Views/modifies file attributes
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (depth 2)
    command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe (depth 3)
      command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: ffc54622e9daa09c0726b5694167c61b
  SHA1: 000b2b6115dc37258f2dc55106c57fbf298644af
  SHA256: f59392bc9a917137068cdc81dc75a2a749b081ea0ecdc1ce8103b57fa0328514
  SHA512: 64f6218a73c173481a828c81e98c85818934db85f408330ae70207f16359a9f0ea40adc2d3a53a22174e9da6f864727ae01db1225e6816e70910ba595e7a5cff
- memory/792-2-0x0000000000000000-mapping.dmp
- memory/1764-5-0x0000000000000000-mapping.dmp
- memory/1764-6-0x0000000002A10000-0x0000000002A11000-memory.dmp (Filesize: 4KB)
- memory/1764-7-0x0000000000000000-mapping.dmp
- memory/2408-0-0x0000000000000000-mapping.dmp
- memory/3084-1-0x0000000000000000-mapping.dmp