Analysis
- max time kernel: 139s
- max time network: 146s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 17-11-2020 12:05
Static task: static1
Behavioral task: behavioral1
- Sample: 309a5f9f926b2fa365a94cbf98214566.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 309a5f9f926b2fa365a94cbf98214566.exe
- Resource: win10v20201028
General
- Target: 309a5f9f926b2fa365a94cbf98214566.exe
- Size: 559KB
- MD5: e4e5a0ee373f5b6085efdb3f2a5f0071
- SHA1: 85e6daa5792408d4cb4f23767436759f03b683ac
- SHA256: fec8c19e1915a8d64f709db2021902713998b20826dda3128a8dd2a414dd7172
- SHA512: 549bb1c0256b45cf5c7342e915bfd6c5adc1c4ff9d27e13756e5468edbcd2dbf07fbd9ec712ac757c0226d41d2b57ff159968368e18d66485fc74568d0e67658
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1700  mcsft.exe
    1360  mcsft.exe
- Matches YARA rule upx
  Processes:
    yara_rule  ioc
    upx        \Users\Admin\AppData\Roaming\mcsft.exe
    upx        \Users\Admin\AppData\Roaming\mcsft.exe
    upx        \Users\Admin\AppData\Roaming\mcsft.exe
    upx        \Users\Admin\AppData\Roaming\mcsft.exe
    upx        \Users\Admin\AppData\Roaming\mcsft.exe
    upx        C:\Users\Admin\AppData\Roaming\mcsft.exe
    upx        C:\Users\Admin\AppData\Roaming\mcsft.exe
    upx        behavioral1/memory/1360-15-0x0000000000400000-0x00000000004B5000-memory.dmp
    upx        C:\Users\Admin\AppData\Roaming\mcsft.exe
    upx        behavioral1/memory/1360-18-0x0000000000400000-0x00000000004B5000-memory.dmp
    upx        behavioral1/memory/1360-19-0x0000000000400000-0x00000000004B5000-memory.dmp
- Checks BIOS information in registry (2 TTPs, 1 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                           process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  mcsft.exe
- Loads dropped DLL (5 IoCs)
  Processes:
    pid   process
    1668  309a5f9f926b2fa365a94cbf98214566.exe
    1668  309a5f9f926b2fa365a94cbf98214566.exe
    1668  309a5f9f926b2fa365a94cbf98214566.exe
    1668  309a5f9f926b2fa365a94cbf98214566.exe
    1668  309a5f9f926b2fa365a94cbf98214566.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description      ioc                                                                                                                                    process
    Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run                                reg.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcrosoft = "C:\\Users\\Admin\\AppData\\Roaming\\mcsft.exe"  reg.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                          pid   process    target process
    PID 1700 set thread context of 1360  1700  mcsft.exe  mcsft.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                               process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    mcsft.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  mcsft.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier           mcsft.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     mcsft.exe
- Enumerates system info in registry (2 TTPs, 1 IoCs)
  Processes:
    description        ioc                                                      process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  mcsft.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes:
    description                          pid   process
    Token: SeIncreaseQuotaPrivilege      1360  mcsft.exe
    Token: SeSecurityPrivilege           1360  mcsft.exe
    Token: SeTakeOwnershipPrivilege      1360  mcsft.exe
    Token: SeLoadDriverPrivilege         1360  mcsft.exe
    Token: SeSystemProfilePrivilege      1360  mcsft.exe
    Token: SeSystemtimePrivilege         1360  mcsft.exe
    Token: SeProfSingleProcessPrivilege  1360  mcsft.exe
    Token: SeIncBasePriorityPrivilege    1360  mcsft.exe
    Token: SeCreatePagefilePrivilege     1360  mcsft.exe
    Token: SeBackupPrivilege             1360  mcsft.exe
    Token: SeRestorePrivilege            1360  mcsft.exe
    Token: SeShutdownPrivilege           1360  mcsft.exe
    Token: SeDebugPrivilege              1360  mcsft.exe
    Token: SeSystemEnvironmentPrivilege  1360  mcsft.exe
    Token: SeChangeNotifyPrivilege       1360  mcsft.exe
    Token: SeRemoteShutdownPrivilege     1360  mcsft.exe
    Token: SeUndockPrivilege             1360  mcsft.exe
    Token: SeManageVolumePrivilege       1360  mcsft.exe
    Token: SeImpersonatePrivilege        1360  mcsft.exe
    Token: SeCreateGlobalPrivilege       1360  mcsft.exe
    Token: 33                            1360  mcsft.exe
    Token: 34                            1360  mcsft.exe
    Token: 35                            1360  mcsft.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    pid   process
    1668  309a5f9f926b2fa365a94cbf98214566.exe
    1700  mcsft.exe
    1360  mcsft.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
    description                        pid   process                               target process
    PID 1668 wrote to memory of 628    1668  309a5f9f926b2fa365a94cbf98214566.exe  cmd.exe
    PID 1668 wrote to memory of 628    1668  309a5f9f926b2fa365a94cbf98214566.exe  cmd.exe
    PID 1668 wrote to memory of 628    1668  309a5f9f926b2fa365a94cbf98214566.exe  cmd.exe
    PID 1668 wrote to memory of 628    1668  309a5f9f926b2fa365a94cbf98214566.exe  cmd.exe
    PID 628 wrote to memory of 1772    628   cmd.exe                               reg.exe
    PID 628 wrote to memory of 1772    628   cmd.exe                               reg.exe
    PID 628 wrote to memory of 1772    628   cmd.exe                               reg.exe
    PID 628 wrote to memory of 1772    628   cmd.exe                               reg.exe
    PID 1668 wrote to memory of 1700   1668  309a5f9f926b2fa365a94cbf98214566.exe  mcsft.exe
    PID 1668 wrote to memory of 1700   1668  309a5f9f926b2fa365a94cbf98214566.exe  mcsft.exe
    PID 1668 wrote to memory of 1700   1668  309a5f9f926b2fa365a94cbf98214566.exe  mcsft.exe
    PID 1668 wrote to memory of 1700   1668  309a5f9f926b2fa365a94cbf98214566.exe  mcsft.exe
    PID 1700 wrote to memory of 1360   1700  mcsft.exe                             mcsft.exe
    PID 1700 wrote to memory of 1360   1700  mcsft.exe                             mcsft.exe
    PID 1700 wrote to memory of 1360   1700  mcsft.exe                             mcsft.exe
    PID 1700 wrote to memory of 1360   1700  mcsft.exe                             mcsft.exe
    PID 1700 wrote to memory of 1360   1700  mcsft.exe                             mcsft.exe
    PID 1700 wrote to memory of 1360   1700  mcsft.exe                             mcsft.exe
    PID 1700 wrote to memory of 1360   1700  mcsft.exe                             mcsft.exe
    PID 1700 wrote to memory of 1360   1700  mcsft.exe                             mcsft.exe
    PID 1700 wrote to memory of 1360   1700  mcsft.exe                             mcsft.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\309a5f9f926b2fa365a94cbf98214566.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\309a5f9f926b2fa365a94cbf98214566.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\QhRVz.bat" "
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoft" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\mcsft.exe" /f
      - Adds Run key to start application
  - [depth 2] C:\Users\Admin\AppData\Roaming\mcsft.exe
    Command line: "C:\Users\Admin\AppData\Roaming\mcsft.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Roaming\mcsft.exe
      Command line: C:\Users\Admin\AppData\Roaming\mcsft.exe
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\QhRVz.bat
  MD5: a5feca573884d76f559b996d45e8ad9a
  SHA1: 0e81a993f3af4e31d60653dc2513186f0495f1c8
  SHA256: c98e20d46d6465febb5d29cfab51241521ea5d6cd621f5e18b9b7d6fbfac3f0f
  SHA512: a9239648b5f15eac4d4151b6e1bdc81065eeaeb101404c2a0126f03bc87f1e6a57206bfa07a44379e9d3bba889e4497a9991ff41fb109099b01512df3dc3cbda
- C:\Users\Admin\AppData\Roaming\mcsft.exe
  MD5: c2d08824a8aeffc72399811086781d0a
  SHA1: 44393b8ec11b5d2d0cf9fdb569a8acd11e5dafa4
  SHA256: 8364bc726377bf03fb9c9a88682df0ffa0bd244a05ca1c816471c6ff053afae6
  SHA512: b8eded84bf06c82c8ccd203094aa802cba03f9d9b4a7e46c8d7442948f1dc00728b9d2b8e70fdfb40ed3d8ad90f1f8b2005513ae3cd1025a687538e95ddc7777
- \Users\Admin\AppData\Roaming\mcsft.exe
  MD5: c2d08824a8aeffc72399811086781d0a
  SHA1: 44393b8ec11b5d2d0cf9fdb569a8acd11e5dafa4
  SHA256: 8364bc726377bf03fb9c9a88682df0ffa0bd244a05ca1c816471c6ff053afae6
  SHA512: b8eded84bf06c82c8ccd203094aa802cba03f9d9b4a7e46c8d7442948f1dc00728b9d2b8e70fdfb40ed3d8ad90f1f8b2005513ae3cd1025a687538e95ddc7777
- memory/628-2-0x0000000000000000-mapping.dmp
- memory/1360-16-0x00000000004B3320-mapping.dmp
- memory/1360-15-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/1360-18-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/1360-19-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/1700-10-0x0000000000000000-mapping.dmp
- memory/1772-4-0x0000000000000000-mapping.dmp