Analysis
-
max time kernel
151s -
max time network
149s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
08-11-2020 17:41
Static task
static1
Behavioral task
behavioral1
Sample
62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe
Resource
win7v20201028
General
-
Target
62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe
-
Size
283KB
-
MD5
250c1edca599ee5249e355479e43cbed
-
SHA1
3bf1484a1b5cbbee4b04f97c6c6922d9a5453d3c
-
SHA256
62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6
-
SHA512
c358655cb6244abae04634451ef2d8b2fa4d7b226d4473d92eed4b05a5bbaa5c42be67e00a98edc75bea50a7468ca62b0153696ce6c789223bcbcb70d025c774
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe -
Modifies firewall policy service 2 TTPs 3 IoCs
Processes:
msdcsc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" msdcsc.exe -
Modifies security service 2 TTPs 1 IoCs
Processes:
msdcsc.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" msdcsc.exe -
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
Processes:
msdcsc.exepid process 2016 msdcsc.exe -
Processes:
resource yara_rule \Users\Admin\Documents\MSDCSC\msdcsc.exe upx \Users\Admin\Documents\MSDCSC\msdcsc.exe upx C:\Users\Admin\Documents\MSDCSC\msdcsc.exe upx C:\Users\Admin\Documents\MSDCSC\msdcsc.exe upx -
Loads dropped DLL 2 IoCs
Processes:
62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exepid process 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe -
Processes:
msdcsc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
msdcsc.exepid process 2016 msdcsc.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exemsdcsc.exedescription pid process Token: SeIncreaseQuotaPrivilege 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: SeSecurityPrivilege 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: SeTakeOwnershipPrivilege 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: SeLoadDriverPrivilege 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: SeSystemProfilePrivilege 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: SeSystemtimePrivilege 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: SeProfSingleProcessPrivilege 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: SeIncBasePriorityPrivilege 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: SeCreatePagefilePrivilege 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: SeBackupPrivilege 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: SeRestorePrivilege 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: SeShutdownPrivilege 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: SeDebugPrivilege 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: SeSystemEnvironmentPrivilege 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: SeChangeNotifyPrivilege 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: SeRemoteShutdownPrivilege 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: SeUndockPrivilege 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: SeManageVolumePrivilege 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: SeImpersonatePrivilege 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: SeCreateGlobalPrivilege 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: 33 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: 34 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: 35 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe Token: SeIncreaseQuotaPrivilege 2016 msdcsc.exe Token: SeSecurityPrivilege 2016 msdcsc.exe Token: SeTakeOwnershipPrivilege 2016 msdcsc.exe Token: SeLoadDriverPrivilege 2016 msdcsc.exe Token: SeSystemProfilePrivilege 2016 msdcsc.exe Token: SeSystemtimePrivilege 2016 msdcsc.exe Token: SeProfSingleProcessPrivilege 2016 msdcsc.exe Token: SeIncBasePriorityPrivilege 2016 msdcsc.exe Token: SeCreatePagefilePrivilege 2016 msdcsc.exe Token: SeBackupPrivilege 2016 msdcsc.exe Token: SeRestorePrivilege 2016 msdcsc.exe Token: SeShutdownPrivilege 2016 msdcsc.exe Token: SeDebugPrivilege 2016 msdcsc.exe Token: SeSystemEnvironmentPrivilege 2016 msdcsc.exe Token: SeChangeNotifyPrivilege 2016 msdcsc.exe Token: SeRemoteShutdownPrivilege 2016 msdcsc.exe Token: SeUndockPrivilege 2016 msdcsc.exe Token: SeManageVolumePrivilege 2016 msdcsc.exe Token: SeImpersonatePrivilege 2016 msdcsc.exe Token: SeCreateGlobalPrivilege 2016 msdcsc.exe Token: 33 2016 msdcsc.exe Token: 34 2016 msdcsc.exe Token: 35 2016 msdcsc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
msdcsc.exepid process 2016 msdcsc.exe -
Suspicious use of WriteProcessMemory 43 IoCs
Processes:
62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.execmd.execmd.exemsdcsc.exedescription pid process target process PID 300 wrote to memory of 1828 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe cmd.exe PID 300 wrote to memory of 1828 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe cmd.exe PID 300 wrote to memory of 1828 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe cmd.exe PID 300 wrote to memory of 1828 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe cmd.exe PID 300 wrote to memory of 1848 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe cmd.exe PID 300 wrote to memory of 1848 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe cmd.exe PID 300 wrote to memory of 1848 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe cmd.exe PID 300 wrote to memory of 1848 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe cmd.exe PID 300 wrote to memory of 2016 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe msdcsc.exe PID 300 wrote to memory of 2016 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe msdcsc.exe PID 300 wrote to memory of 2016 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe msdcsc.exe PID 300 wrote to memory of 2016 300 62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe msdcsc.exe PID 1848 wrote to memory of 552 1848 cmd.exe attrib.exe PID 1848 wrote to memory of 552 1848 cmd.exe attrib.exe PID 1848 wrote to memory of 552 1848 cmd.exe attrib.exe PID 1848 wrote to memory of 552 1848 cmd.exe attrib.exe PID 1828 wrote to memory of 524 1828 cmd.exe attrib.exe PID 1828 wrote to memory of 524 1828 cmd.exe attrib.exe PID 1828 wrote to memory of 524 1828 cmd.exe attrib.exe PID 1828 wrote to memory of 524 1828 cmd.exe attrib.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe PID 2016 wrote to memory of 848 2016 msdcsc.exe notepad.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
msdcsc.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion msdcsc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" msdcsc.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 524 attrib.exe 552 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe"C:\Users\Admin\AppData\Local\Temp\62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\62a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6.exe" +s +h3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Views/modifies file attributes
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
250c1edca599ee5249e355479e43cbed
SHA13bf1484a1b5cbbee4b04f97c6c6922d9a5453d3c
SHA25662a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6
SHA512c358655cb6244abae04634451ef2d8b2fa4d7b226d4473d92eed4b05a5bbaa5c42be67e00a98edc75bea50a7468ca62b0153696ce6c789223bcbcb70d025c774
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
250c1edca599ee5249e355479e43cbed
SHA13bf1484a1b5cbbee4b04f97c6c6922d9a5453d3c
SHA25662a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6
SHA512c358655cb6244abae04634451ef2d8b2fa4d7b226d4473d92eed4b05a5bbaa5c42be67e00a98edc75bea50a7468ca62b0153696ce6c789223bcbcb70d025c774
-
\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
250c1edca599ee5249e355479e43cbed
SHA13bf1484a1b5cbbee4b04f97c6c6922d9a5453d3c
SHA25662a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6
SHA512c358655cb6244abae04634451ef2d8b2fa4d7b226d4473d92eed4b05a5bbaa5c42be67e00a98edc75bea50a7468ca62b0153696ce6c789223bcbcb70d025c774
-
\Users\Admin\Documents\MSDCSC\msdcsc.exeMD5
250c1edca599ee5249e355479e43cbed
SHA13bf1484a1b5cbbee4b04f97c6c6922d9a5453d3c
SHA25662a1ff600ffae28164b1012e08717a87a2ab69fa49f165204092a449201b07c6
SHA512c358655cb6244abae04634451ef2d8b2fa4d7b226d4473d92eed4b05a5bbaa5c42be67e00a98edc75bea50a7468ca62b0153696ce6c789223bcbcb70d025c774
-
memory/524-8-0x0000000000000000-mapping.dmp
-
memory/552-7-0x0000000000000000-mapping.dmp
-
memory/848-9-0x0000000000000000-mapping.dmp
-
memory/848-10-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/848-11-0x0000000000000000-mapping.dmp
-
memory/1828-0-0x0000000000000000-mapping.dmp
-
memory/1848-1-0x0000000000000000-mapping.dmp
-
memory/2016-4-0x0000000000000000-mapping.dmp