Analysis
  max time kernel: 132s
  max time network: 142s
  platform: windows10_x64
  resource: win10v20201028
  submitted: 17-11-2020 12:05
Static task: static1
Behavioral task: behavioral1
  Sample: 309a5f9f926b2fa365a94cbf98214566.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 309a5f9f926b2fa365a94cbf98214566.exe
  Resource: win10v20201028
General
  Target: 309a5f9f926b2fa365a94cbf98214566.exe
  Size: 559KB
  MD5: e4e5a0ee373f5b6085efdb3f2a5f0071
  SHA1: 85e6daa5792408d4cb4f23767436759f03b683ac
  SHA256: fec8c19e1915a8d64f709db2021902713998b20826dda3128a8dd2a414dd7172
  SHA512: 549bb1c0256b45cf5c7342e915bfd6c5adc1c4ff9d27e13756e5468edbcd2dbf07fbd9ec712ac757c0226d41d2b57ff159968368e18d66485fc74568d0e67658
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  Processes:
    pid    process
    584    mcsft.exe
    192    mcsft.exe

yara_rule (upx) matches:
    yara_rule    resource
    upx          C:\Users\Admin\AppData\Roaming\mcsft.exe
    upx          C:\Users\Admin\AppData\Roaming\mcsft.exe
    upx          behavioral2/memory/192-11-0x0000000000400000-0x00000000004B5000-memory.dmp
    upx          C:\Users\Admin\AppData\Roaming\mcsft.exe
    upx          behavioral2/memory/192-15-0x0000000000400000-0x00000000004B5000-memory.dmp
    upx          behavioral2/memory/192-16-0x0000000000400000-0x00000000004B5000-memory.dmp
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Processes: mcsft.exe
    description          ioc                                                             process
    Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate    mcsft.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: reg.exe
    description        ioc                                                                                                                                                                    process
    Key created        \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                                reg.exe
    Set value (str)    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mcrosoft = "C:\\Users\\Admin\\AppData\\Roaming\\mcsft.exe"    reg.exe
Suspicious use of SetThreadContext (1 IoCs)
  Processes: mcsft.exe
    description                          pid    process      target process
    PID 584 set thread context of 192    584    mcsft.exe    mcsft.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Processes: mcsft.exe
    description          ioc                                                                                process
    Key opened           \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       mcsft.exe
    Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   mcsft.exe
    Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier            mcsft.exe
    Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier      mcsft.exe
Enumerates system info in registry (2 TTPs, 1 IoCs)
  Processes: mcsft.exe
    description          ioc                                                      process
    Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier    mcsft.exe
Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes: mcsft.exe
    description                              pid    process
    Token: SeIncreaseQuotaPrivilege          192    mcsft.exe
    Token: SeSecurityPrivilege               192    mcsft.exe
    Token: SeTakeOwnershipPrivilege          192    mcsft.exe
    Token: SeLoadDriverPrivilege             192    mcsft.exe
    Token: SeSystemProfilePrivilege          192    mcsft.exe
    Token: SeSystemtimePrivilege             192    mcsft.exe
    Token: SeProfSingleProcessPrivilege      192    mcsft.exe
    Token: SeIncBasePriorityPrivilege        192    mcsft.exe
    Token: SeCreatePagefilePrivilege         192    mcsft.exe
    Token: SeBackupPrivilege                 192    mcsft.exe
    Token: SeRestorePrivilege                192    mcsft.exe
    Token: SeShutdownPrivilege               192    mcsft.exe
    Token: SeDebugPrivilege                  192    mcsft.exe
    Token: SeSystemEnvironmentPrivilege      192    mcsft.exe
    Token: SeChangeNotifyPrivilege           192    mcsft.exe
    Token: SeRemoteShutdownPrivilege         192    mcsft.exe
    Token: SeUndockPrivilege                 192    mcsft.exe
    Token: SeManageVolumePrivilege           192    mcsft.exe
    Token: SeImpersonatePrivilege            192    mcsft.exe
    Token: SeCreateGlobalPrivilege           192    mcsft.exe
    Token: 33                                192    mcsft.exe
    Token: 34                                192    mcsft.exe
    Token: 35                                192    mcsft.exe
    Token: 36                                192    mcsft.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: 309a5f9f926b2fa365a94cbf98214566.exe, mcsft.exe, mcsft.exe
    pid    process
    980    309a5f9f926b2fa365a94cbf98214566.exe
    584    mcsft.exe
    192    mcsft.exe
Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: 309a5f9f926b2fa365a94cbf98214566.exe, cmd.exe, mcsft.exe
    description                        pid     process                                 target process
    PID 980 wrote to memory of 2564    980     309a5f9f926b2fa365a94cbf98214566.exe    cmd.exe
    PID 980 wrote to memory of 2564    980     309a5f9f926b2fa365a94cbf98214566.exe    cmd.exe
    PID 980 wrote to memory of 2564    980     309a5f9f926b2fa365a94cbf98214566.exe    cmd.exe
    PID 2564 wrote to memory of 824    2564    cmd.exe                                 reg.exe
    PID 2564 wrote to memory of 824    2564    cmd.exe                                 reg.exe
    PID 2564 wrote to memory of 824    2564    cmd.exe                                 reg.exe
    PID 980 wrote to memory of 584     980     309a5f9f926b2fa365a94cbf98214566.exe    mcsft.exe
    PID 980 wrote to memory of 584     980     309a5f9f926b2fa365a94cbf98214566.exe    mcsft.exe
    PID 980 wrote to memory of 584     980     309a5f9f926b2fa365a94cbf98214566.exe    mcsft.exe
    PID 584 wrote to memory of 192     584     mcsft.exe                               mcsft.exe
    PID 584 wrote to memory of 192     584     mcsft.exe                               mcsft.exe
    PID 584 wrote to memory of 192     584     mcsft.exe                               mcsft.exe
    PID 584 wrote to memory of 192     584     mcsft.exe                               mcsft.exe
    PID 584 wrote to memory of 192     584     mcsft.exe                               mcsft.exe
    PID 584 wrote to memory of 192     584     mcsft.exe                               mcsft.exe
    PID 584 wrote to memory of 192     584     mcsft.exe                               mcsft.exe
    PID 584 wrote to memory of 192     584     mcsft.exe                               mcsft.exe
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\309a5f9f926b2fa365a94cbf98214566.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\309a5f9f926b2fa365a94cbf98214566.exe"
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pneXB.bat" "
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoft" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\mcsft.exe" /f
          - Adds Run key to start application
    [2] C:\Users\Admin\AppData\Roaming\mcsft.exe
        Command line: "C:\Users\Admin\AppData\Roaming\mcsft.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [3] C:\Users\Admin\AppData\Roaming\mcsft.exe
          Command line: C:\Users\Admin\AppData\Roaming\mcsft.exe
          - Executes dropped EXE
          - Checks BIOS information in registry
          - Checks processor information in registry
          - Enumerates system info in registry
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\pneXB.bat
    MD5: a5feca573884d76f559b996d45e8ad9a
    SHA1: 0e81a993f3af4e31d60653dc2513186f0495f1c8
    SHA256: c98e20d46d6465febb5d29cfab51241521ea5d6cd621f5e18b9b7d6fbfac3f0f
    SHA512: a9239648b5f15eac4d4151b6e1bdc81065eeaeb101404c2a0126f03bc87f1e6a57206bfa07a44379e9d3bba889e4497a9991ff41fb109099b01512df3dc3cbda

  C:\Users\Admin\AppData\Roaming\mcsft.exe
    MD5: 5465d21ef5d723e5c678452a463d1359
    SHA1: ec0124167ea7d1fa011b6fa4377cca8f3befe2a8
    SHA256: 8b527bc0b64e2a7b2de8a166eb1192692a2551371914426a98c7dcd6af0b54de
    SHA512: b9b9e721c8f3a6eb54ae8084bfedfe676a103250656aaae07d994369f50f7b9cfc0e9a2f4f08a9924d4ffe0e81e9ddee6119842df8c7b7f052ecfb012bba098f
  memory/192-16-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize: 724KB

  memory/192-15-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize: 724KB

  memory/192-12-0x00000000004B3320-mapping.dmp

  memory/192-11-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize: 724KB

  memory/192-14-0x0000000073AF0000-0x0000000073B83000-memory.dmp
    Filesize: 588KB

  memory/584-5-0x0000000000000000-mapping.dmp

  memory/584-8-0x0000000073AF0000-0x0000000073B83000-memory.dmp
    Filesize: 588KB

  memory/824-4-0x0000000000000000-mapping.dmp

  memory/2564-2-0x0000000000000000-mapping.dmp