Analysis
- max time kernel: 150s
- max time network: 9s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-11-2020 17:45
- Static task: static1
- Behavioral task: behavioral1
- Sample: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe
- Resource: win7v20201028
General
- Target: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe
- Size: 251KB
- MD5: fede7a68bdb1f79b5f09c590b1226e34
- SHA1: 48037cae2e1fbd08b80f39e43c8209acaf3e4dd6
- SHA256: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f
- SHA512: 4926d0eb30428c18e09553a3a66a677bb746c635c3bbe024a14270a6bf4da089c4564d449856d15e3ba4bd515fbe1daedbc3af631b064feafe2a333d12b821ff
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Modifies security service (2 TTPs, 1 IoC)
  Process: msdcsc.exe
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (Start type 4 is SERVICE_DISABLED; wscsvc is the Windows Security Center service)
- Executes dropped EXE (1 IoC)
  Process: msdcsc.exe (PID 1980)
- YARA rule hits (upx)
  resource                                    yara_rule
  \Users\Admin\Documents\MSDCSC\msdcsc.exe    upx
  \Users\Admin\Documents\MSDCSC\msdcsc.exe    upx
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe  upx
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe  upx
- Loads dropped DLL (2 IoCs)
  Process: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe (PID 1900, listed twice)
- Windows security modification
  Process: msdcsc.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Both PID 1900 (46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe) and PID 1980 (msdcsc.exe) adjusted the same 23 token privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privileges the report lists only by LUID 33, 34 and 35.
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: msdcsc.exe (PID 1980)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1900 (46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe) wrote to memory of PID 1980 (msdcsc.exe): 4 events
  PID 1980 (msdcsc.exe) wrote to memory of PID 1800 (iexplore.exe): 4 events
  PID 1980 (msdcsc.exe) wrote to memory of PID 1592 (explorer.exe): 4 events
- System policy modification (1 TTP, 3 IoCs)
  Process: msdcsc.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
Processes
- C:\Users\Admin\AppData\Local\Temp\46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe (PID 1900)
  Command line: "C:\Users\Admin\AppData\Local\Temp\46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1980)
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 1800)
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    - C:\Windows\explorer.exe (PID 1592)
      Command line: "C:\Windows\explorer.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (the report lists this dropped file four times, twice under C:\Users\Admin\Documents\MSDCSC\msdcsc.exe and twice under \Users\Admin\Documents\MSDCSC\msdcsc.exe; all four entries carry the same hashes, which match the submitted sample, so the dropped file is a copy of the original)
  MD5: fede7a68bdb1f79b5f09c590b1226e34
  SHA1: 48037cae2e1fbd08b80f39e43c8209acaf3e4dd6
  SHA256: 46e316656467773c8c7044d69005ff9abac681d72608bcad5aa494e747b63c3f
  SHA512: 4926d0eb30428c18e09553a3a66a677bb746c635c3bbe024a14270a6bf4da089c4564d449856d15e3ba4bd515fbe1daedbc3af631b064feafe2a333d12b821ff
- memory/1980-2-0x0000000000000000-mapping.dmp