Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 19:27
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: file.exe, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: file.exe, Resource: win10v20201028)
General
- Target: file.exe
- Size: 251KB
- MD5: b7b88850bc66c349bc02f81a3b443f39
- SHA1: 4c4fe6f2dc874ca6c3b1d117e8da00e7114860e0
- SHA256: 4c1b6befb06152412567869f27c006cba39f4ac3b1c5dbcf8694a65367444df5
- SHA512: 47c7cd05d6716eaefc1a4305f227e9f95423ede5bb991135d6839c0d1f4b65d7c204bc9c07696ec5d4f71214adc4d6b0976d2fe03d2434e68fd8637a40dad282
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Process: file.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
- Executes dropped EXE (1 IoCs)
  Process: PID 3224 msdcsc.exe
- YARA rule matches
  resource: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe  yara_rule: upx
  resource: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe  yara_rule: upx
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: file.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: file.exe (PID 512), msdcsc.exe (PID 3224)
  Each of the following 24 tokens was adjusted by PID 512 file.exe and again by PID 3224 msdcsc.exe:
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 33
  Token: 34
  Token: 35
  Token: 36
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Process: PID 3224 msdcsc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Process: file.exe
  PID 512 (file.exe) wrote to memory of PID 3224 (msdcsc.exe)
  PID 512 (file.exe) wrote to memory of PID 3224 (msdcsc.exe)
  PID 512 (file.exe) wrote to memory of PID 3224 (msdcsc.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\file.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   - Modifies WinLogon for persistence
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (child of process 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
   - Executes dropped EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  MD5: b7b88850bc66c349bc02f81a3b443f39
  SHA1: 4c4fe6f2dc874ca6c3b1d117e8da00e7114860e0
  SHA256: 4c1b6befb06152412567869f27c006cba39f4ac3b1c5dbcf8694a65367444df5
  SHA512: 47c7cd05d6716eaefc1a4305f227e9f95423ede5bb991135d6839c0d1f4b65d7c204bc9c07696ec5d4f71214adc4d6b0976d2fe03d2434e68fd8637a40dad282
- memory/3224-0-0x0000000000000000-mapping.dmp