Analysis

Max time kernel: 116s
Max time network: 116s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 08-11-2020 17:47
Static task: static1

Behavioral task: behavioral1
Sample: efc9f9ca13c114d810b971b931c214fb69b3515bcca6d0df77605e490814bcae.exe
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: efc9f9ca13c114d810b971b931c214fb69b3515bcca6d0df77605e490814bcae.exe
Resource: win10v20201028 (windows10_x64)
0 signatures, 0 seconds
General

Target: efc9f9ca13c114d810b971b931c214fb69b3515bcca6d0df77605e490814bcae.exe
Size: 333KB
MD5: bc2a4e4a9fa948b1bc09a9f93ea22012
SHA1: f9004d1637f11c7d80a72a49b843da6be8cba857
SHA256: efc9f9ca13c114d810b971b931c214fb69b3515bcca6d0df77605e490814bcae
SHA512: fd7551a43e8f581e42b79c738ee161129fc1d1fcef742a42c89856ef4f60e1e8360b395fcef79b07c9884e402188cafa75c15010385bd3f756602b0e48916cf7
Score: 10/10
Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: efc9f9ca13c114d810b971b931c214fb69b3515bcca6d0df77605e490814bcae.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
Adds Run key to start application (2 TTPs, 1 IoC)
Process: efc9f9ca13c114d810b971b931c214fb69b3515bcca6d0df77605e490814bcae.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Process: efc9f9ca13c114d810b971b931c214fb69b3515bcca6d0df77605e490814bcae.exe (PID 584)
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 33
  Token: 34
  Token: 35
  Token: 36
Processes

1. C:\Users\Admin\AppData\Local\Temp\efc9f9ca13c114d810b971b931c214fb69b3515bcca6d0df77605e490814bcae.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\efc9f9ca13c114d810b971b931c214fb69b3515bcca6d0df77605e490814bcae.exe"
   - Modifies WinLogon for persistence
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken