Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 15-11-2020 23:14

Static task: static1
Behavioral task: behavioral1
- Sample: a413b2f308d79534c8989b5b1f63663c261e8258caf452ae021a4a0c291f5f7b.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: a413b2f308d79534c8989b5b1f63663c261e8258caf452ae021a4a0c291f5f7b.exe
- Resource: win10v20201028
(The platform and resource lines above show that the results on this page come from behavioral2, the Windows 10 x64 run.)
General
- Target: a413b2f308d79534c8989b5b1f63663c261e8258caf452ae021a4a0c291f5f7b.exe
- Size: 252KB
- MD5: 3e734884cff7885e868bd18a37d626b2
- SHA1: e76e6ee891dbfc141218b5fe4378f9a851664224
- SHA256: a413b2f308d79534c8989b5b1f63663c261e8258caf452ae021a4a0c291f5f7b
- SHA512: 30df6493053c37eb1b494009557672f30d1d67c71145950aea0e2112c64d905f071b0d543b1da73965b823ef03bc1b43ff6d37dab5f0b27b876291fe3c271701
Malware Config
Signatures
-
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: a413b2f308d79534c8989b5b1f63663c261e8258caf452ae021a4a0c291f5f7b.exe (PID 1028)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  The stock UserInit value is userinit.exe followed by a trailing comma; the sample appends its dropped copy so winlogon launches it at every interactive logon. The doubled backslashes are the report's string escaping, the on-disk value has single backslashes. The key is under HKLM, so this write only succeeds when the sample runs elevated (as it did in the sandbox); the HKCU Run key below needs no elevation.
- Executes dropped EXE (1 IoC)
  PID 3940 msdcsc.exe
- YARA rule match
  resource: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe   yara_rule: upx (listed twice in the report)
  The dropped copy is UPX-packed; since it is byte-identical to the submitted sample (see Downloads), the submitted file is UPX-packed too, and static strings will be of little use until it is unpacked.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: a413b2f308d79534c8989b5b1f63663c261e8258caf452ae021a4a0c291f5f7b.exe (PID 1028)
  Key value queried: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation
  Caveat: Geo\Nation holds the user's configured location (a GEOID string), not anything derived from the network or locale of the machine, so it is trivially spoofable in either direction when detonating samples that gate on it.
- Deletes itself (1 IoC)
  PID 4056 notepad.exe
  The deletion is attributed to notepad.exe, the child that PID 1028 writes into (see WriteProcessMemory below): the original file in %TEMP% is removed by code injected into the benign host, after the copy to Documents\MSDCSC has been made. Expect the submitted path to be gone on an infected host; hunt for the dropped copy instead.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"   by a413b2f308d79534c8989b5b1f63663c261e8258caf452ae021a4a0c291f5f7b.exe (PID 1028)
  Set value (str): same key and value   by msdcsc.exe (PID 3940)
  Both stages write the same value, so the persisted copy re-asserts its own Run entry each time it starts. The value name MicroUpdate and the Documents\MSDCSC\msdcsc.exe path are the hunting keys here.
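One way to check a host for the persistence artifacts named in the two signatures above (the Winlogon UserInit hijack and the MicroUpdate Run value), as an added PowerShell example that is not part of the sandbox report. It takes the value name, drop path and SHA256 from the report; the stock UserInit value C:\Windows\system32\userinit.exe, and the function name Get-PersistenceFindings are my own assumptions.

```powershell
# Added example, not part of the sandbox report. Host triage for the persistence
# indicators in the report. Run from an elevated PowerShell prompt on the suspect host.
# Assumptions (not from the report): the stock UserInit value below is the Windows
# default; value name, drop path and SHA256 are copied from the report.

$SampleSha256  = 'a413b2f308d79534c8989b5b1f63663c261e8258caf452ae021a4a0c291f5f7b'
$StockUserInit = 'C:\Windows\system32\userinit.exe'   # assumed default, trailing comma stripped below
$RunValueName  = 'MicroUpdate'

function Get-PersistenceFindings {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Winlogon\UserInit is executed by winlogon at every interactive logon. The stock
    #    value is userinit.exe followed by a trailing comma; any extra entry is a hijack.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userInit = (Get-ItemProperty -Path $wl -Name UserInit -ErrorAction SilentlyContinue).UserInit
    if ($userInit) {
        $entries = $userInit.Split(',', [StringSplitOptions]::RemoveEmptyEntries) | ForEach-Object { $_.Trim() }
        foreach ($e in ($entries | Where-Object { $_ -ne $StockUserInit })) {
            $findings.Add("Winlogon UserInit hijack: $e")
        }
    }

    # 2. Run keys: the sample writes the value under the user's own hive, so check every
    #    loaded user hive plus HKLM rather than only the hive of whoever is running this.
    $runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    foreach ($hive in (Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue)) {
        if ($hive.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$') {
            $runKeys += "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
        }
    }
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSChildName/... noise
            if ($p.Name -eq $RunValueName -or "$($p.Value)" -match '\\MSDCSC\\msdcsc\.exe') {
                $findings.Add("Run value $key\$($p.Name) = $($p.Value)")
            }
        }
    }

    # 3. The dropped copy has the same hashes as the submitted sample, so a hash match on
    #    the persisted file positively identifies this exact build; a different hash at the
    #    same drop path still matters (variant or repack).
    foreach ($f in (Get-ChildItem 'C:\Users\*\Documents\MSDCSC\msdcsc.exe' -ErrorAction SilentlyContinue)) {
        $h = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash.ToLower()
        $verdict = if ($h -eq $SampleSha256) { 'identical to sample' } else { 'different build, same drop path' }
        $findings.Add("Dropped file $($f.FullName) SHA256=$h ($verdict)")
    }

    return $findings
}

$result = Get-PersistenceFindings
if ($result.Count -eq 0) { 'No indicators from this report found.' } else { $result }
```

Checking the Run value by name and by path separately is deliberate: a rebuilt sample may change the value name but keep the drop directory, or the reverse. The UserInit check compares entries rather than the whole string so that a legitimately customised but non-default UserInit list does not mask an appended path.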
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The report's generic text calls this "likely ransomware behaviour", but no IoC is attached and nothing else in the report supports it (the only file it drops is a copy of itself); treat this as a low-confidence heuristic, not evidence of encryption.
- Modifies registry class (1 IoC)
  Process: a413b2f308d79534c8989b5b1f63663c261e8258caf452ae021a4a0c291f5f7b.exe (PID 1028)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
  The WOW6432Node path, together with the SysWOW64 notepad.exe in the process tree, shows the sample is 32-bit code running under WOW64 on the x64 host.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3940 msdcsc.exe
  Repeated GetForegroundWindow polling is how a process tracks which window the user is working in, typically to tag captured input by window title.
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  PID 1028 a413b2f308d79534c8989b5b1f63663c261e8258caf452ae021a4a0c291f5f7b.exe and PID 3940 msdcsc.exe each enable the same 24 privileges in their own token (24 x 2 = 48 entries):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35, 36.
  The sandbox reports the last four by LUID only; in winnt.h those are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36). This is the complete privilege set of an elevated administrator token, enabled in one sweep, which confirms the sample ran elevated (consistent with the HKLM Winlogon write succeeding). SeDebugPrivilege is the one to watch for later cross-process activity; the memory writes observed in this run are into the sample's own children and need no extra privilege.
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3940 msdcsc.exe
  Together with the GetForegroundWindow polling above, this is consistent with keyboard or mouse hooking in the persisted stage; the report does not show which hook type was installed.
- Suspicious use of WriteProcessMemory (42 IoCs)
  The report logs one entry per call; the 42 entries collapse to three parent-to-child writes:
  PID 1028 a413b2f308d79534c8989b5b1f63663c261e8258caf452ae021a4a0c291f5f7b.exe  ->  PID 4056 notepad.exe   (repeated)
  PID 1028 a413b2f308d79534c8989b5b1f63663c261e8258caf452ae021a4a0c291f5f7b.exe  ->  PID 3940 msdcsc.exe    (3 calls)
  PID 3940 msdcsc.exe  ->  PID 3192 notepad.exe   (repeated)
  Each stage spawns a SysWOW64 notepad.exe with no arguments and writes into it repeatedly: the dropper's notepad (4056) is the process the "Deletes itself" signature is attributed to, and the persisted copy repeats the same spawn-and-write pattern with its own notepad (3192). The three writes into msdcsc.exe happen while the dropper launches it.
Processes
- C:\Users\Admin\AppData\Local\Temp\a413b2f308d79534c8989b5b1f63663c261e8258caf452ae021a4a0c291f5f7b.exe (PID 1028)
  command line: "C:\Users\Admin\AppData\Local\Temp\a413b2f308d79534c8989b5b1f63663c261e8258caf452ae021a4a0c291f5f7b.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\notepad.exe (PID 4056)
    command line: notepad
    - Deletes itself
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 3940)
    command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe (PID 3192)
      command line: notepad
(PIDs are taken from the signature tables above. Indentation shows parent/child; both notepad.exe instances are launched with no arguments, which is the tell for an injection host rather than a user opening a file.)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5    3e734884cff7885e868bd18a37d626b2
  SHA1   e76e6ee891dbfc141218b5fe4378f9a851664224
  SHA256 a413b2f308d79534c8989b5b1f63663c261e8258caf452ae021a4a0c291f5f7b
  SHA512 30df6493053c37eb1b494009557672f30d1d67c71145950aea0e2112c64d905f071b0d543b1da73965b823ef03bc1b43ff6d37dab5f0b27b876291fe3c271701
  (listed twice in the report with identical hashes; the dropped file is a byte-for-byte copy of the submitted sample, so the hashes in General also identify the persistent copy)
- memory/3192-6-0x0000000000000000-mapping.dmp
- memory/3192-7-0x00000000032F0000-0x00000000032F1000-memory.dmp (4KB)
- memory/3192-8-0x0000000000000000-mapping.dmp
- memory/3940-3-0x0000000000000000-mapping.dmp
- memory/4056-0-0x0000000000000000-mapping.dmp
- memory/4056-1-0x0000000002E70000-0x0000000002E71000-memory.dmp (4KB)
- memory/4056-2-0x0000000000000000-mapping.dmp
(The only region dumps are one 4KB region in each notepad.exe host, PIDs 4056 and 3192, the two processes the WriteProcessMemory calls targeted.)