Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 21:25
- Static task: static1
- Behavioral task: behavioral1
  Sample: 4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.exe
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: 4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.exe
  Resource: win10v20201028
General
- Target: 4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.exe
- Size: 559KB
- MD5: 68d4862582ead747c602162f317e6af2
- SHA1: 72d5522daaba8b1163405d52a3ed053c2735c0b5
- SHA256: 4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b
- SHA512: 16b19b016b78a3825c3aa3568ce540689dcaac40879f5f0af6ec492d774d2a016617c50f2d9969b59da55a7425f1c99e1636de5c9ef7ef9a4e13b2132474e00f
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
Processes:
- PID 3808: mcsft.exe
- PID 3096: mcsft.exe
Yara rule matches (yara_rule: upx)
Resources:
- C:\Users\Admin\AppData\Roaming\mcsft.exe
- C:\Users\Admin\AppData\Roaming\mcsft.exe
- behavioral2/memory/3096-11-0x0000000000400000-0x00000000004B5000-memory.dmp
- C:\Users\Admin\AppData\Roaming\mcsft.exe
- behavioral2/memory/3096-15-0x0000000000400000-0x00000000004B5000-memory.dmp
- behavioral2/memory/3096-16-0x0000000000400000-0x00000000004B5000-memory.dmp
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- mcsft.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- reg.exe: Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run
- reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcrosoft = "C:\\Users\\Admin\\AppData\\Roaming\\mcsft.exe"
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 3808 (mcsft.exe) set thread context of PID 3096 (mcsft.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- mcsft.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- mcsft.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- mcsft.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- mcsft.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
Enumerates system info in registry (2 TTPs, 1 IoC)
Processes:
- mcsft.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes: PID 3096 (mcsft.exe) adjusted the following tokens:
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeChangeNotifyPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- SeImpersonatePrivilege
- SeCreateGlobalPrivilege
- 33
- 34
- 35
- 36
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
- PID 4684: 4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.exe
- PID 3808: mcsft.exe
- PID 3096: mcsft.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes (source PID wrote to memory of target PID; identical rows in the report are counted):
- PID 4684 (4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.exe) wrote to memory of PID 492 (cmd.exe), 3 times
- PID 492 (cmd.exe) wrote to memory of PID 3232 (reg.exe), 3 times
- PID 4684 (4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.exe) wrote to memory of PID 3808 (mcsft.exe), 3 times
- PID 3808 (mcsft.exe) wrote to memory of PID 3096 (mcsft.exe), 8 times
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.exe (PID 4684)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ec1a6802b035f8ea1685fd57cf98a6571c968a8c36244cd775a92a72a83610b.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 492)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KZTSr.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe (PID 3232)
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoft" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\mcsft.exe" /f
      - Adds Run key to start application

  C:\Users\Admin\AppData\Roaming\mcsft.exe (PID 3808)
    Command line: "C:\Users\Admin\AppData\Roaming\mcsft.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\mcsft.exe (PID 3096)
      Command line: C:\Users\Admin\AppData\Roaming\mcsft.exe
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\KZTSr.bat
  MD5: a5feca573884d76f559b996d45e8ad9a
  SHA1: 0e81a993f3af4e31d60653dc2513186f0495f1c8
  SHA256: c98e20d46d6465febb5d29cfab51241521ea5d6cd621f5e18b9b7d6fbfac3f0f
  SHA512: a9239648b5f15eac4d4151b6e1bdc81065eeaeb101404c2a0126f03bc87f1e6a57206bfa07a44379e9d3bba889e4497a9991ff41fb109099b01512df3dc3cbda
- C:\Users\Admin\AppData\Roaming\mcsft.exe
  MD5: 57955d6df8446a9425baf080214a6d37
  SHA1: 4d9e39b7bcbfa637dd0b9d3761ea0296c15ab7e3
  SHA256: deb3601f1f009caad838f63983712eb095b1da9b94d755b47a5a31635cb7f139
  SHA512: 837d904c428a38ea6062907991a2bacc9cbb4ff479fe1c209f56964380bdb9f12cd3c1720321e8e78a0c0a30ab56f4ea54ba96fdb27d72bfd00e5c66843bb473
- memory/492-2-0x0000000000000000-mapping.dmp
- memory/3096-11-0x0000000000400000-0x00000000004B5000-memory.dmp (filesize 724KB)
- memory/3096-14-0x0000000073C10000-0x0000000073CA3000-memory.dmp (filesize 588KB)
- memory/3096-12-0x00000000004B3320-mapping.dmp
- memory/3096-15-0x0000000000400000-0x00000000004B5000-memory.dmp (filesize 724KB)
- memory/3096-16-0x0000000000400000-0x00000000004B5000-memory.dmp (filesize 724KB)
- memory/3232-4-0x0000000000000000-mapping.dmp
- memory/3808-8-0x0000000073C10000-0x0000000073CA3000-memory.dmp (filesize 588KB)
- memory/3808-5-0x0000000000000000-mapping.dmp