Analysis
- max time kernel: 151s
- max time network: 143s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 15-11-2020 22:40
Static task: static1
Behavioral task: behavioral1
  Sample: 78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
  Resource: win10v20201028
General
- Target: 78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
- Size: 251KB
- MD5: 0ff29b69d35e90def532d1131eddaf78
- SHA1: 28024d4cdbec6c77b14788662e66933bedff8cd7
- SHA256: 78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f
- SHA512: 194da7f5fb7312f99733b18f6e72844e3650b7e0054a1975beae48d45d9867132be51aa5597f05f5cee9a2e6bc9360b4f8edcdc3bd01287e2e87064deab64f21
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\msdcsc.exe" | 78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1980 | msdcsc.exe
- YARA rule matches (resource | yara_rule):
  \Users\Admin\AppData\Local\Temp\msdcsc.exe | upx
  \Users\Admin\AppData\Local\Temp\msdcsc.exe | upx
  C:\Users\Admin\AppData\Local\Temp\msdcsc.exe | upx
  C:\Users\Admin\AppData\Local\Temp\msdcsc.exe | upx
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  784 | 78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
  784 | 78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msdcsc.exe" | 78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes (description | pid | process); both processes adjusted the same 23 tokens, one IoC per token:
  pid 784, 78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  pid 1980, msdcsc.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
  1980 | msdcsc.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes (description | pid | process | target process):
  PID 784 wrote to memory of 1980 | 784 | 78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe | msdcsc.exe (4 IoCs)
  PID 1980 wrote to memory of 1904 | 1980 | msdcsc.exe | notepad.exe (23 IoCs)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2, child of the above] C:\Users\Admin\AppData\Local\Temp\msdcsc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\msdcsc.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [depth 3, child of msdcsc.exe] C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\msdcsc.exe (also recorded as \Users\Admin\AppData\Local\Temp\msdcsc.exe; hashes identical to the submitted sample listed under General)
  MD5: 0ff29b69d35e90def532d1131eddaf78
  SHA1: 28024d4cdbec6c77b14788662e66933bedff8cd7
  SHA256: 78f238d4d7a071b5bf3a4f956a1ad26bed53df57ceb2174c8d12122499cad28f
  SHA512: 194da7f5fb7312f99733b18f6e72844e3650b7e0054a1975beae48d45d9867132be51aa5597f05f5cee9a2e6bc9360b4f8edcdc3bd01287e2e87064deab64f21
- memory/1904-5-0x0000000000000000-mapping.dmp
- memory/1904-6-0x00000000001A0000-0x00000000001A1000-memory.dmp (Filesize: 4KB)
- memory/1904-7-0x0000000000000000-mapping.dmp
- memory/1980-2-0x0000000000000000-mapping.dmp