Analysis
- max time kernel: 139s
- max time network: 147s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-11-2020 15:48

Static task: static1
Behavioral task: behavioral1
  Sample: e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe
  Resource: win10v20201028
General
- Target: e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe
- Size: 559KB
- MD5: c55c34449fd71a2a2ebd9fa8d9d3c279
- SHA1: bf04419202022f6b226d0769fca952a7b1b94ca2
- SHA256: e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66
- SHA512: 1923e4024a37fcee70661532c111e82a444d75d34447515f91ddc8064431193a4eb9f2bb625d7cc5d04f05ccbd6a510ffc82bb0a94478060f6f28abcbc87b927
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    1968 | mcsft.exe
    2192 | mcsft.exe
- Resources matching yara_rule upx:
    C:\Users\Admin\AppData\Roaming\mcsft.exe
    C:\Users\Admin\AppData\Roaming\mcsft.exe
    behavioral2/memory/2192-11-0x0000000000400000-0x00000000004B5000-memory.dmp
    C:\Users\Admin\AppData\Roaming\mcsft.exe
    behavioral2/memory/2192-15-0x0000000000400000-0x00000000004B5000-memory.dmp
    behavioral2/memory/2192-16-0x0000000000400000-0x00000000004B5000-memory.dmp
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | mcsft.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcrosoft = "C:\\Users\\Admin\\AppData\\Roaming\\mcsft.exe" | reg.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 1968 set thread context of 2192 | 1968 | mcsft.exe | mcsft.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | mcsft.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | mcsft.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | mcsft.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | mcsft.exe
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | mcsft.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes (description | pid | process): all 24 entries are from pid 2192, mcsft.exe. Tokens enabled:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid | process):
    640 | e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe
    1968 | mcsft.exe
    2192 | mcsft.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description | pid | process | target process), with repeated identical entries collapsed and counted:
    PID 640 wrote to memory of 1068 | 640 | e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe | cmd.exe (3 entries)
    PID 1068 wrote to memory of 196 | 1068 | cmd.exe | reg.exe (3 entries)
    PID 640 wrote to memory of 1968 | 640 | e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe | mcsft.exe (3 entries)
    PID 1968 wrote to memory of 2192 | 1968 | mcsft.exe | mcsft.exe (8 entries)
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e9d3a58d421ecd9c8c57f7220c4ee420e52bf449194d35b367aa45c863bd0f66.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pNkVQ.bat" "
    - Suspicious use of WriteProcessMemory
    - [level 3] C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoft" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\mcsft.exe" /f
      - Adds Run key to start application
  - [level 2] C:\Users\Admin\AppData\Roaming\mcsft.exe
    Command line: "C:\Users\Admin\AppData\Roaming\mcsft.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [level 3] C:\Users\Admin\AppData\Roaming\mcsft.exe
      Command line: C:\Users\Admin\AppData\Roaming\mcsft.exe
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\pNkVQ.bat
  MD5: a5feca573884d76f559b996d45e8ad9a
  SHA1: 0e81a993f3af4e31d60653dc2513186f0495f1c8
  SHA256: c98e20d46d6465febb5d29cfab51241521ea5d6cd621f5e18b9b7d6fbfac3f0f
  SHA512: a9239648b5f15eac4d4151b6e1bdc81065eeaeb101404c2a0126f03bc87f1e6a57206bfa07a44379e9d3bba889e4497a9991ff41fb109099b01512df3dc3cbda
- C:\Users\Admin\AppData\Roaming\mcsft.exe
  MD5: ed15f5d968e218b9775944dd231d064a
  SHA1: e8f202c520f0631cc1cd82255cf623da3a8bc978
  SHA256: c9ab6141b8e9045377daf7ccae367d569661f50e4bffc28a05ca6c53a28188b7
  SHA512: 642e2efe537b923d5a346054f31194a6b7e7b0e24407873018776a327ed9c1c128047d8c5554b8c05dfdd47592e7a45ee4ec35d0b12382ce535c968997cdad45
- memory/196-4-0x0000000000000000-mapping.dmp
- memory/1068-2-0x0000000000000000-mapping.dmp
- memory/1968-5-0x0000000000000000-mapping.dmp
- memory/1968-8-0x0000000074760000-0x00000000747F3000-memory.dmp (Filesize: 588KB)
- memory/2192-11-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/2192-12-0x00000000004B3320-mapping.dmp
- memory/2192-14-0x0000000074760000-0x00000000747F3000-memory.dmp (Filesize: 588KB)
- memory/2192-15-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/2192-16-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)