Analysis
Max time kernel: 136s
Max time network: 146s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 13-11-2020 15:48
Static task: static1
Behavioral task: behavioral1
  Sample: e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe
  Resource: win10v20201028
General
Target: e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe
Size: 559KB
MD5: c55c34449fd71a2a2ebd9fa8d9d3c279
SHA1: bf04419202022f6b226d0769fca952a7b1b94ca2
SHA256: e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66
SHA512: 1923e4024a37fcee70661532c111e82a444d75d34447515f91ddc8064431193a4eb9f2bb625d7cc5d04f05ccbd6a510ffc82bb0a94478060f6f28abcbc87b927
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
  PID 1760  mcsft.exe
  PID 1328  mcsft.exe
- yara_rule upx (IoCs matched by the UPX rule)
  \Users\Admin\AppData\Roaming\mcsft.exe
  \Users\Admin\AppData\Roaming\mcsft.exe
  \Users\Admin\AppData\Roaming\mcsft.exe
  \Users\Admin\AppData\Roaming\mcsft.exe
  \Users\Admin\AppData\Roaming\mcsft.exe
  C:\Users\Admin\AppData\Roaming\mcsft.exe
  C:\Users\Admin\AppData\Roaming\mcsft.exe
  behavioral1/memory/1328-15-0x0000000000400000-0x00000000004B5000-memory.dmp
  C:\Users\Admin\AppData\Roaming\mcsft.exe
  behavioral1/memory/1328-18-0x0000000000400000-0x00000000004B5000-memory.dmp
  behavioral1/memory/1328-19-0x0000000000400000-0x00000000004B5000-memory.dmp
- Checks BIOS information in registry (2 TTPs, 1 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  mcsft.exe
- Loads dropped DLL (5 IoCs)
  Processes:
  PID 1204  e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe
  PID 1204  e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe
  PID 1204  e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe
  PID 1204  e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe
  PID 1204  e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcrosoft = "C:\\Users\\Admin\\AppData\\Roaming\\mcsft.exe"  reg.exe
  Key created  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run  reg.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  PID 1760 (mcsft.exe) set thread context of PID 1328 (mcsft.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  mcsft.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  mcsft.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  mcsft.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  mcsft.exe
- Enumerates system info in registry (2 TTPs, 1 IoCs)
  Processes:
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  mcsft.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes (all by PID 1328, mcsft.exe):
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 33
  Token: 34
  Token: 35
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
  PID 1204  e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe
  PID 1760  mcsft.exe
  PID 1328  mcsft.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description, source process, target process; count of identical entries in brackets):
  PID 1204 wrote to memory of 1968  e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe -> cmd.exe  [4]
  PID 1968 wrote to memory of 1348  cmd.exe -> reg.exe  [4]
  PID 1204 wrote to memory of 1760  e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe -> mcsft.exe  [4]
  PID 1760 wrote to memory of 1328  mcsft.exe -> mcsft.exe  [9]
Processes
- C:\Users\Admin\AppData\Local\Temp\e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\rBFtB.bat" "
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (depth 3)
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoft" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\mcsft.exe" /f
      - Adds Run key to start application
  - C:\Users\Admin\AppData\Roaming\mcsft.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\mcsft.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\mcsft.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Roaming\mcsft.exe
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\rBFtB.bat
  MD5: a5feca573884d76f559b996d45e8ad9a
  SHA1: 0e81a993f3af4e31d60653dc2513186f0495f1c8
  SHA256: c98e20d46d6465febb5d29cfab51241521ea5d6cd621f5e18b9b7d6fbfac3f0f
  SHA512: a9239648b5f15eac4d4151b6e1bdc81065eeaeb101404c2a0126f03bc87f1e6a57206bfa07a44379e9d3bba889e4497a9991ff41fb109099b01512df3dc3cbda
- C:\Users\Admin\AppData\Roaming\mcsft.exe
  MD5: 5c08f4134796571fa8cc57a8d786229e
  SHA1: d5859b25105c230981b36caefcb4ee9c00997049
  SHA256: a3978d3815eceede91c52e4f572e1b47759435e489d1b81ce0534e038eb802b7
  SHA512: 8592801f4aeb22ab3af9518475be2824d210598bb0accd2081724687ef8fe085eb55132f7806a0a758c2964493c5929e0ca7666a5224461e56e74ae3059ab0e0
- memory/1328-15-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/1328-16-0x00000000004B3320-mapping.dmp
- memory/1328-18-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/1328-19-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/1348-4-0x0000000000000000-mapping.dmp
- memory/1760-10-0x0000000000000000-mapping.dmp
- memory/1968-2-0x0000000000000000-mapping.dmp