Analysis
  max time kernel: 150s
  max time network: 139s
  platform: windows10_x64
  resource: win10v20201028
  submitted: 17-11-2020 12:13
Static task: static1
Behavioral task: behavioral1
  Sample: 0fb89311917a7c35fe6a9937df19c35d.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 0fb89311917a7c35fe6a9937df19c35d.exe
  Resource: win10v20201028
The signatures, process tree and dumps below are from the windows10_x64 run (behavioral2, resource win10v20201028) named in the Analysis header.
General
  Target: 0fb89311917a7c35fe6a9937df19c35d.exe
  Size: 251KB
  MD5: 9c5373d6db48bdd5c32079243ca053b6
  SHA1: 9ce8117701b2d59d545b8d0cca89361027f93b98
  SHA256: b6910434cad37d2d9d982f68947d7df93fbb2d63b68302f59688183c9a4935dd
  SHA512: 69645d8ffea903a4a109193789894173a3c60f4f6462bb6c77335bbf2b3a7c67b0ca33387de4f2fb048e30c46bed910dcc9698394fe94667582968931e991b94
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 0fb89311917a7c35fe6a9937df19c35d.exe (PID 4768)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\msdcsc.exe"
  Userinit is a comma-separated list of programs that winlogon.exe starts at every interactive logon. Appending the dropped msdcsc.exe after the stock userinit.exe entry keeps logon working normally while running the implant for every user who logs on; because the value lives under HKLM, writing it requires administrative rights, which the sample had in this run.
Executes dropped EXE (1 IoC)
  Process: msdcsc.exe (PID 3572)

UPX packed file
  Resource: C:\Users\Admin\AppData\Local\Temp\msdcsc.exe
  YARA rule: upx (the report lists two hits on the same file)
  Since the dropped file has the same hashes as the submitted sample (see Downloads), the sample itself is UPX-packed; unpack it before static analysis.
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 0fb89311917a7c35fe6a9937df19c35d.exe (PID 4768)
  Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msdcsc.exe"
  This is the per-user Run key (HKCU for the Admin account's SID, S-1-5-21-...-1000), so it needs no elevation and gives the same dropped binary a second autostart path that survives even if the Winlogon entry is cleaned.
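The two persistence signatures above (Winlogon\Userinit and the per-user Run value) are straightforward to verify on a suspect host. The PowerShell triage script below is an added example written for this page; it is not part of the sandbox report or of any tool the report describes. It assumes it is run elevated on a live Windows host, that the stock Userinit value is %SystemRoot%\system32\userinit.exe, and it uses the file name (msdcsc.exe), Run value name (MicroUpdate) and SHA256 from this report as its indicators.

```powershell
# Added host-triage check for the persistence IoCs in this report.
# Assumptions (not from the report): run elevated on a live Windows host;
# the expected Userinit value is the Windows default built below.

$ReportedSha256 = 'b6910434cad37d2d9d982f68947d7df93fbb2d63b68302f59688183c9a4935dd'
$DroppedName    = 'msdcsc.exe'       # dropped file name from the report
$RunValueName   = 'MicroUpdate'      # Run value name from the report
$Findings       = New-Object System.Collections.Generic.List[string]

# 1. Winlogon\Userinit is a comma-separated list run by winlogon.exe at every
#    interactive logon. Anything other than the stock userinit.exe is suspect.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Userinit    = (Get-ItemProperty -Path $WinlogonKey -Name Userinit).Userinit
$Default     = Join-Path $env:SystemRoot 'system32\userinit.exe'
$Entries     = $Userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($e in $Entries) {
    if ($e -ine $Default) {
        $Findings.Add("Userinit contains non-default entry: $e")
    }
}

# 2. Run keys for every loaded user hive (HKCU: only covers the user running
#    this script). Flag the reported value name, anything under %TEMP%, or the
#    dropped file name.
$UserHives = Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
foreach ($h in $UserHives) {
    $RunKey = "Registry::HKEY_USERS\$($h.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $RunKey)) { continue }
    $Props = Get-ItemProperty -Path $RunKey
    foreach ($p in $Props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $v = [string]$p.Value
        if ($p.Name -ieq $RunValueName -or
            $v -imatch '\\AppData\\Local\\Temp\\' -or
            $v -imatch [regex]::Escape($DroppedName)) {
            $Findings.Add("Run value $($h.PSChildName)\$($p.Name) = $v")
        }
    }
}

# 3. Dropped file: look in every profile's %TEMP% and compare SHA256 with the
#    report (the report shows it is a byte-identical copy of the sample).
$Candidates = Get-ChildItem -Path 'C:\Users\*\AppData\Local\Temp' -Filter $DroppedName -File -ErrorAction SilentlyContinue
foreach ($f in $Candidates) {
    $hash  = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToLower()
    $match = if ($hash -eq $ReportedSha256) { 'SHA256 matches reported sample' } else { 'SHA256 differs from report' }
    $Findings.Add("Dropped file present: $($f.FullName) ($match)")
}

# 4. Live process check: msdcsc.exe running, or a notepad.exe whose parent is
#    msdcsc.exe (the report shows msdcsc.exe writing into notepad.exe memory).
$Procs = Get-CimInstance Win32_Process
$ByPid = @{}
foreach ($p in $Procs) { $ByPid[$p.ProcessId] = $p }
foreach ($p in $Procs) {
    if ($p.Name -ieq $DroppedName) {
        $Findings.Add("Process running: $($p.Name) PID $($p.ProcessId)")
    }
    $parent = $ByPid[$p.ParentProcessId]
    if ($p.Name -ieq 'notepad.exe' -and $parent -and $parent.Name -ieq $DroppedName) {
        $Findings.Add("notepad.exe PID $($p.ProcessId) spawned by $DroppedName PID $($parent.ProcessId)")
    }
}

if ($Findings.Count -eq 0) { 'No indicators from this report found.' } else { $Findings }
```

Run it from an elevated prompt; step 2 deliberately walks HKEY_USERS rather than HKCU so that a Run value planted in another user's hive (as here, under the Admin SID) is not missed when the responder is logged on as a different account. A hit in step 1 should be remediated by restoring the Userinit value to the stock entry with its trailing comma, not by deleting the value, since winlogon needs it.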
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour, but nothing else in this run (no file encryption, no ransom note, no mass file writes) supports that; the persistence and process-injection signatures are the stronger indicators here, and drive enumeration on its own is also consistent with a remote-access tool building a file browser.
Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Both processes enable the same 24 privileges on their own token, which accounts for the 48 entries:
    0fb89311917a7c35fe6a9937df19c35d.exe (PID 4768)
    msdcsc.exe (PID 3572)
  Privileges enabled, in the order reported for each process:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privileges reported only by LUID as 33, 34, 35 and 36.
  Enabling every privilege the token holds in one sweep, rather than the one or two a legitimate program needs, is itself a behavioural indicator; SeDebugPrivilege and SeTakeOwnershipPrivilege are the ones that matter most for what follows.
Suspicious use of SetWindowsHookEx (1 IoC)
  Process: msdcsc.exe (PID 3572)
Suspicious use of WriteProcessMemory (25 IoCs)
  Source process -> target process: count
    PID 4768 0fb89311917a7c35fe6a9937df19c35d.exe -> PID 3572 msdcsc.exe: 3 writes
    PID 3572 msdcsc.exe -> PID 4200 notepad.exe: 22 writes
  A few writes from a parent into a child it has just created also occur on ordinary process start-up, so the first group is weak evidence on its own. The 22 writes from msdcsc.exe into a notepad.exe it launched (see the process tree) have no benign explanation and are the injection to focus on; the 4KB region dumped from PID 4200 under Downloads is the place to start.
Processes
  1. C:\Users\Admin\AppData\Local\Temp\0fb89311917a7c35fe6a9937df19c35d.exe (PID 4768)
     Command line: "C:\Users\Admin\AppData\Local\Temp\0fb89311917a7c35fe6a9937df19c35d.exe"
     - Modifies WinLogon for persistence
     - Adds Run key to start application
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\AppData\Local\Temp\msdcsc.exe (PID 3572, child of 1)
        Command line: "C:\Users\Admin\AppData\Local\Temp\msdcsc.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\notepad.exe (PID 4200, child of 2)
           Command line: notepad
           The SysWOW64 path shows this is the 32-bit notepad.exe on the 64-bit guest, i.e. it was started by a 32-bit parent under WOW64 file-system redirection; a notepad.exe launched with a bare "notepad" command line by a process in %TEMP% is a hollowing/injection host, not user activity.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\msdcsc.exe
    MD5: 9c5373d6db48bdd5c32079243ca053b6
    SHA1: 9ce8117701b2d59d545b8d0cca89361027f93b98
    SHA256: b6910434cad37d2d9d982f68947d7df93fbb2d63b68302f59688183c9a4935dd
    SHA512: 69645d8ffea903a4a109193789894173a3c60f4f6462bb6c77335bbf2b3a7c67b0ca33387de4f2fb048e30c46bed910dcc9698394fe94667582968931e991b94
  All four hashes are identical to those of the submitted sample under General: the "dropped" file is a byte-for-byte copy of the sample itself, written to %TEMP% and then registered in the Winlogon Userinit and per-user Run keys. Any hash-based blocklist entry for the sample therefore also covers the dropped file.
  Memory dumps:
    memory/3572-0-0x0000000000000000-mapping.dmp (msdcsc.exe, PID 3572)
    memory/4200-3-0x0000000000000000-mapping.dmp (notepad.exe, PID 4200)
    memory/4200-4-0x0000000000860000-0x0000000000861000-memory.dmp (notepad.exe, PID 4200; 4KB region at 0x860000)
    memory/4200-5-0x0000000000000000-mapping.dmp (notepad.exe, PID 4200)