Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 13-11-2020 16:20
Static task: static1
Behavioral task: behavioral1
Sample: 2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2.exe
Resource: win7v20201028
General
- Target: 2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2.exe
- Size: 283KB
- MD5: 3e2ee0a9428aa04ca0bab47fc1304cad
- SHA1: 776234c1122d01ff366c089e2dbcc074f366fd6d
- SHA256: 2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2
- SHA512: ee1f4d4f25ba2e226f5d0e09706b77a2cb2559bffdc27262a04a3561ebff39cb2214f158c7fce22907b4596039cc7fc3dc67fa69e6b76f17141ac0a0b88560a9
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: 2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: 2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2.exe)
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: msdcsc.exe
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (process: msdcsc.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: msdcsc.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (process: msdcsc.exe)
Modifies security service (2 TTPs, 1 IoCs)
Processes: msdcsc.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (process: msdcsc.exe)
Disables RegEdit via registry modification

Disables Task Manager via registry modification
Executes dropped EXE (1 IoCs)
Processes: msdcsc.exe
- pid 2040, process msdcsc.exe
Processes (yara rule matches):
- resource \Users\Admin\Documents\MSDCSC\msdcsc.exe, yara_rule upx
- resource \Users\Admin\Documents\MSDCSC\msdcsc.exe, yara_rule upx
- resource C:\Users\Admin\Documents\MSDCSC\msdcsc.exe, yara_rule upx
- resource C:\Users\Admin\Documents\MSDCSC\msdcsc.exe, yara_rule upx
Loads dropped DLL (2 IoCs)
Processes: 2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2.exe
- pid 2036, process 2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2.exe
- pid 2036, process 2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2.exe
Processes: msdcsc.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: msdcsc.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: msdcsc.exe)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: 2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: msdcsc.exe
- pid 2040, process msdcsc.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: 2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2.exe, msdcsc.exe
- Tokens adjusted by pid 2036 (2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Tokens adjusted by pid 2040 (msdcsc.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: msdcsc.exe
- pid 2040, process msdcsc.exe
Suspicious use of WriteProcessMemory (43 IoCs)
Processes: 2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2.exe, cmd.exe, cmd.exe, msdcsc.exe
- PID 2036 (2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2.exe) wrote to memory of 1728 (cmd.exe), 4 entries
- PID 2036 (2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2.exe) wrote to memory of 916 (cmd.exe), 4 entries
- PID 2036 (2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2.exe) wrote to memory of 2040 (msdcsc.exe), 4 entries
- PID 1728 (cmd.exe) wrote to memory of 1960 (attrib.exe), 4 entries
- PID 916 (cmd.exe) wrote to memory of 1708 (attrib.exe), 4 entries
- PID 2040 (msdcsc.exe) wrote to memory of 1680 (notepad.exe), 23 entries
System policy modification (1 TTPs, 3 IoCs)
Processes: msdcsc.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (process: msdcsc.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (process: msdcsc.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (process: msdcsc.exe)
Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes: attrib.exe, attrib.exe
- pid 1960, process attrib.exe
- pid 1708, process attrib.exe
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - (3) C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2.exe" +s +h
      - Views/modifies file attributes
  - (2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - (3) C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
  - (2) C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - (3) C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: 3e2ee0a9428aa04ca0bab47fc1304cad
  SHA1: 776234c1122d01ff366c089e2dbcc074f366fd6d
  SHA256: 2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2
  SHA512: ee1f4d4f25ba2e226f5d0e09706b77a2cb2559bffdc27262a04a3561ebff39cb2214f158c7fce22907b4596039cc7fc3dc67fa69e6b76f17141ac0a0b88560a9
- \Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: 3e2ee0a9428aa04ca0bab47fc1304cad
  SHA1: 776234c1122d01ff366c089e2dbcc074f366fd6d
  SHA256: 2f4e1635621b1535d4157c9d6bc98cc7a343878d430cc61def7397e270e8fab2
  SHA512: ee1f4d4f25ba2e226f5d0e09706b77a2cb2559bffdc27262a04a3561ebff39cb2214f158c7fce22907b4596039cc7fc3dc67fa69e6b76f17141ac0a0b88560a9