Analysis
- max time kernel: 151s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 17-11-2020 11:34
Static task: static1
Behavioral task: behavioral1
- Sample: 9b89fb51be345ff9564807566ff45444.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 9b89fb51be345ff9564807566ff45444.exe
- Resource: win10v20201028
General
- Target: 9b89fb51be345ff9564807566ff45444.exe
- Size: 252KB
- MD5: 1ae87b63858a496bd9473e57fb4d8f31
- SHA1: 30593034cc80261649a334cde198d6c2dc3a866c
- SHA256: 113936749f6b08da52458f7536043df7dc3da181b084db8240d441ddc3d7c02d
- SHA512: d02eb94c60c5361138942a2af0758c8b97e72fa898f31fbb75f4055cfb2eac6a5549407b57155b8c3ee2250b64e1849f662620f2a9d69a0da6057ca440bbe37c
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes:
  - description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
    process: 9b89fb51be345ff9564807566ff45444.exe
- Executes dropped EXE (1 IoCs)
  Processes:
  - pid 1972: msdcsc.exe
- Resources matching YARA rule "upx":
  - \Users\Admin\Documents\MSDCSC\msdcsc.exe
  - \Users\Admin\Documents\MSDCSC\msdcsc.exe
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
- Deletes itself (1 IoCs)
  Processes:
  - pid 2012: notepad.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  - pid 292: 9b89fb51be345ff9564807566ff45444.exe
  - pid 292: 9b89fb51be345ff9564807566ff45444.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
    process: 9b89fb51be345ff9564807566ff45444.exe
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
    process: msdcsc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  - pid 1972: msdcsc.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes:
  - pid 292 (9b89fb51be345ff9564807566ff45444.exe) enabled tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  - pid 1972 (msdcsc.exe) enabled tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  - pid 1972: msdcsc.exe
- Suspicious use of WriteProcessMemory (45 IoCs)
  Processes (45 repeated write events along three parent-to-child edges):
  - pid 292 (9b89fb51be345ff9564807566ff45444.exe) wrote to memory of pid 2012 (notepad.exe)
  - pid 292 (9b89fb51be345ff9564807566ff45444.exe) wrote to memory of pid 1972 (msdcsc.exe)
  - pid 1972 (msdcsc.exe) wrote to memory of pid 1788 (notepad.exe)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\9b89fb51be345ff9564807566ff45444.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9b89fb51be345ff9564807566ff45444.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\notepad.exe
    command line: notepad
    - Deletes itself
  - [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\notepad.exe
      command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: 1ae87b63858a496bd9473e57fb4d8f31
  SHA1: 30593034cc80261649a334cde198d6c2dc3a866c
  SHA256: 113936749f6b08da52458f7536043df7dc3da181b084db8240d441ddc3d7c02d
  SHA512: d02eb94c60c5361138942a2af0758c8b97e72fa898f31fbb75f4055cfb2eac6a5549407b57155b8c3ee2250b64e1849f662620f2a9d69a0da6057ca440bbe37c
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: 1ae87b63858a496bd9473e57fb4d8f31
  SHA1: 30593034cc80261649a334cde198d6c2dc3a866c
  SHA256: 113936749f6b08da52458f7536043df7dc3da181b084db8240d441ddc3d7c02d
  SHA512: d02eb94c60c5361138942a2af0758c8b97e72fa898f31fbb75f4055cfb2eac6a5549407b57155b8c3ee2250b64e1849f662620f2a9d69a0da6057ca440bbe37c
- \Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: 1ae87b63858a496bd9473e57fb4d8f31
  SHA1: 30593034cc80261649a334cde198d6c2dc3a866c
  SHA256: 113936749f6b08da52458f7536043df7dc3da181b084db8240d441ddc3d7c02d
  SHA512: d02eb94c60c5361138942a2af0758c8b97e72fa898f31fbb75f4055cfb2eac6a5549407b57155b8c3ee2250b64e1849f662620f2a9d69a0da6057ca440bbe37c
- \Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: 1ae87b63858a496bd9473e57fb4d8f31
  SHA1: 30593034cc80261649a334cde198d6c2dc3a866c
  SHA256: 113936749f6b08da52458f7536043df7dc3da181b084db8240d441ddc3d7c02d
  SHA512: d02eb94c60c5361138942a2af0758c8b97e72fa898f31fbb75f4055cfb2eac6a5549407b57155b8c3ee2250b64e1849f662620f2a9d69a0da6057ca440bbe37c
- memory/1788-10-0x0000000000000000-mapping.dmp
- memory/1788-9-0x00000000001E0000-0x00000000001E1000-memory.dmp (Filesize: 4KB)
- memory/1788-8-0x0000000000000000-mapping.dmp
- memory/1972-5-0x0000000000000000-mapping.dmp
- memory/2012-0-0x0000000000000000-mapping.dmp
- memory/2012-1-0x0000000000170000-0x0000000000171000-memory.dmp (Filesize: 4KB)
- memory/2012-2-0x0000000000000000-mapping.dmp