Analysis
  max time kernel: 150s
  max time network: 110s
  platform: windows10_x64
  resource: win10v20201028
  submitted: 13-11-2020 15:43

Static task: static1
Behavioral task: behavioral1
  Sample: 4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1.exe
  Resource: win7v20201028

General
  Target: 4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1.exe
  Size: 251KB
  MD5: 44fa6d3ed60372a6e2fc42a8d37d1a0f
  SHA1: b37f23945917b4a32e20f8e0760a002164f39e85
  SHA256: 4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1
  SHA512: 1bfde61583860f33e2375cfcd0e9fcfa334520db541e47281f8d5e188ea5a0c978f4153b5bcc1a5304a7a187910d2c0dba777bd724b39ccb2bdf862f2843f63b
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
Modifies security service (2 TTPs, 1 IoC)
  Process: msdcsc.exe
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
Executes dropped EXE (1 IoC)
  Process: msdcsc.exe (pid 2864)
Yara rule matches
  resource: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe  yara_rule: upx
  resource: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe  yara_rule: upx
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: 4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation
Windows security modification
  Process: msdcsc.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
  Process: 4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Process: 4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1.exe (pid 912)
  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  Process: msdcsc.exe (pid 2864)
  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoC)
  Process: msdcsc.exe (pid 2864)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 912 (4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1.exe) wrote to memory of 2864 (msdcsc.exe)  [3 times]
  PID 2864 (msdcsc.exe) wrote to memory of 4052 (iexplore.exe)  [3 times]
  PID 2864 (msdcsc.exe) wrote to memory of 3548 (explorer.exe)  [2 times]
System policy modification (1 TTP, 3 IoCs)
  Process: msdcsc.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1.exe"
      - Modifies WinLogon for persistence
      - Checks computer location settings
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        - Modifies security service
        - Executes dropped EXE
        - Windows security modification
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
      [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      [3] C:\Windows\explorer.exe
          Command line: "C:\Windows\explorer.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    MD5: 44fa6d3ed60372a6e2fc42a8d37d1a0f
    SHA1: b37f23945917b4a32e20f8e0760a002164f39e85
    SHA256: 4f66e8cd1ac8e685e39c3ed2b1b8cb99525fde8bd36921afe2456f9c9ea31fb1
    SHA512: 1bfde61583860f33e2375cfcd0e9fcfa334520db541e47281f8d5e188ea5a0c978f4153b5bcc1a5304a7a187910d2c0dba777bd724b39ccb2bdf862f2843f63b
  memory/2864-0-0x0000000000000000-mapping.dmp