Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 17-11-2020 12:13
Static task: static1
Behavioral task: behavioral1
  Sample: 0fb89311917a7c35fe6a9937df19c35d.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 0fb89311917a7c35fe6a9937df19c35d.exe
  Resource: win10v20201028
General
- Target: 0fb89311917a7c35fe6a9937df19c35d.exe
- Size: 251KB
- MD5: 9c5373d6db48bdd5c32079243ca053b6
- SHA1: 9ce8117701b2d59d545b8d0cca89361027f93b98
- SHA256: b6910434cad37d2d9d982f68947d7df93fbb2d63b68302f59688183c9a4935dd
- SHA512: 69645d8ffea903a4a109193789894173a3c60f4f6462bb6c77335bbf2b3a7c67b0ca33387de4f2fb048e30c46bed910dcc9698394fe94667582968931e991b94
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: 0fb89311917a7c35fe6a9937df19c35d.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\msdcsc.exe"
    process: 0fb89311917a7c35fe6a9937df19c35d.exe
- Executes dropped EXE (1 IoC)
  Processes: msdcsc.exe
    pid 2000: msdcsc.exe
- Processes (yara rule matches):
    resource: \Users\Admin\AppData\Local\Temp\msdcsc.exe  yara_rule: upx
    resource: \Users\Admin\AppData\Local\Temp\msdcsc.exe  yara_rule: upx
    resource: C:\Users\Admin\AppData\Local\Temp\msdcsc.exe  yara_rule: upx
    resource: C:\Users\Admin\AppData\Local\Temp\msdcsc.exe  yara_rule: upx
- Loads dropped DLL (2 IoCs)
  Processes: 0fb89311917a7c35fe6a9937df19c35d.exe
    pid 596: 0fb89311917a7c35fe6a9937df19c35d.exe
    pid 596: 0fb89311917a7c35fe6a9937df19c35d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 0fb89311917a7c35fe6a9937df19c35d.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msdcsc.exe"
    process: 0fb89311917a7c35fe6a9937df19c35d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes: 0fb89311917a7c35fe6a9937df19c35d.exe, msdcsc.exe
    pid 596 (0fb89311917a7c35fe6a9937df19c35d.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
    pid 2000 (msdcsc.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: msdcsc.exe
    pid 2000: msdcsc.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes: 0fb89311917a7c35fe6a9937df19c35d.exe, msdcsc.exe
    PID 596 (0fb89311917a7c35fe6a9937df19c35d.exe) wrote to memory of 2000 (msdcsc.exe): 4 entries
    PID 2000 (msdcsc.exe) wrote to memory of 1440 (notepad.exe): 23 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\0fb89311917a7c35fe6a9937df19c35d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0fb89311917a7c35fe6a9937df19c35d.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\msdcsc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\msdcsc.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe
      command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\msdcsc.exe
  MD5: 9c5373d6db48bdd5c32079243ca053b6
  SHA1: 9ce8117701b2d59d545b8d0cca89361027f93b98
  SHA256: b6910434cad37d2d9d982f68947d7df93fbb2d63b68302f59688183c9a4935dd
  SHA512: 69645d8ffea903a4a109193789894173a3c60f4f6462bb6c77335bbf2b3a7c67b0ca33387de4f2fb048e30c46bed910dcc9698394fe94667582968931e991b94
- \Users\Admin\AppData\Local\Temp\msdcsc.exe
  MD5: 9c5373d6db48bdd5c32079243ca053b6
  SHA1: 9ce8117701b2d59d545b8d0cca89361027f93b98
  SHA256: b6910434cad37d2d9d982f68947d7df93fbb2d63b68302f59688183c9a4935dd
  SHA512: 69645d8ffea903a4a109193789894173a3c60f4f6462bb6c77335bbf2b3a7c67b0ca33387de4f2fb048e30c46bed910dcc9698394fe94667582968931e991b94
- memory/1440-5-0x0000000000000000-mapping.dmp
- memory/1440-6-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
- memory/1440-7-0x0000000000000000-mapping.dmp
- memory/2000-2-0x0000000000000000-mapping.dmp