Analysis
  max time kernel: 150s
  max time network: 112s
  platform: windows10_x64
  resource: win10v20201028
  submitted: 14-12-2020 16:25
Static task: static1
Behavioral task: behavioral1
  Sample: c276255be8c317392e43735e0f707cf9.exe
  Resource: win7v20201028
General
  Target: c276255be8c317392e43735e0f707cf9.exe
  Size: 1.3MB
  MD5: c276255be8c317392e43735e0f707cf9
  SHA1: 8deb38349ef9978a83b8fee521de5e06d2b86052
  SHA256: 5fe7d9e94105fcb2dd524faee708442a10c98a98c9ea3b6ef35da17b6f7f4f47
  SHA512: ebb335783435b6675751d9efaeb601874df6a21f41f9ac0877afc7ab19a5ef7287fa4f8fc81984396a6ff5e29c5a40449635745e3d51a254096d53398b2dd1a3
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: c276255be8c317392e43735e0f707cf9.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | c276255be8c317392e43735e0f707cf9.exe

- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Processes: msdcsc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe

- Modifies security service (2 TTPs, 1 IoC)
  Processes: msdcsc.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | msdcsc.exe

- Disables RegEdit via registry modification

- Disables Task Manager via registry modification

- Executes dropped EXE (3 IoCs)
  Processes: RUFUS-3.12.EXE, msdcsc.exe, RUFUS-3.12.EXE
  pid | process
  204 | RUFUS-3.12.EXE
  520 | msdcsc.exe
  2224 | RUFUS-3.12.EXE

- Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\RUFUS-3.12.EXE | upx
  C:\Users\Admin\AppData\Local\Temp\RUFUS-3.12.EXE | upx
  C:\Users\Admin\AppData\Local\Temp\RUFUS-3.12.EXE | upx

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: c276255be8c317392e43735e0f707cf9.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation | c276255be8c317392e43735e0f707cf9.exe

- Deletes itself (1 IoC)
  Processes: notepad.exe
  pid | process
  1012 | notepad.exe

- Windows security modification
  Processes: msdcsc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: c276255be8c317392e43735e0f707cf9.exe, msdcsc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | c276255be8c317392e43735e0f707cf9.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | msdcsc.exe

- Checks whether UAC is enabled
  Processes: RUFUS-3.12.EXE, RUFUS-3.12.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RUFUS-3.12.EXE
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RUFUS-3.12.EXE

- Drops file in System32 directory (4 IoCs)
  Processes: RUFUS-3.12.EXE
  description | ioc | process
  File opened for modification | C:\Windows\System32\GroupPolicy | RUFUS-3.12.EXE
  File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | RUFUS-3.12.EXE
  File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | RUFUS-3.12.EXE
  File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | RUFUS-3.12.EXE

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies registry class (1 IoC)
  Processes: c276255be8c317392e43735e0f707cf9.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | c276255be8c317392e43735e0f707cf9.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: msdcsc.exe
  pid | process
  520 | msdcsc.exe

- Suspicious use of AdjustPrivilegeToken (49 IoCs)
  Processes: c276255be8c317392e43735e0f707cf9.exe, RUFUS-3.12.EXE, msdcsc.exe
  pid | process | tokens
  4032 | c276255be8c317392e43735e0f707cf9.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  204 | RUFUS-3.12.EXE | SeDebugPrivilege
  520 | msdcsc.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: msdcsc.exe
  pid | process
  520 | msdcsc.exe

- Suspicious use of WriteProcessMemory (60 IoCs)
  Processes: c276255be8c317392e43735e0f707cf9.exe, cmd.exe, cmd.exe, msdcsc.exe
  description | pid | process | target process | occurrences
  PID 4032 wrote to memory of 2920 | 4032 | c276255be8c317392e43735e0f707cf9.exe | cmd.exe | 3
  PID 4032 wrote to memory of 3484 | 4032 | c276255be8c317392e43735e0f707cf9.exe | cmd.exe | 3
  PID 4032 wrote to memory of 204 | 4032 | c276255be8c317392e43735e0f707cf9.exe | RUFUS-3.12.EXE | 3
  PID 2920 wrote to memory of 3944 | 2920 | cmd.exe | attrib.exe | 3
  PID 3484 wrote to memory of 2940 | 3484 | cmd.exe | attrib.exe | 3
  PID 4032 wrote to memory of 1012 | 4032 | c276255be8c317392e43735e0f707cf9.exe | notepad.exe | 17
  PID 4032 wrote to memory of 520 | 4032 | c276255be8c317392e43735e0f707cf9.exe | msdcsc.exe | 3
  PID 520 wrote to memory of 2224 | 520 | msdcsc.exe | RUFUS-3.12.EXE | 3
  PID 520 wrote to memory of 2768 | 520 | msdcsc.exe | notepad.exe | 22

- System policy modification (1 TTP, 3 IoCs)
  Processes: msdcsc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe

- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  pid | process
  3944 | attrib.exe
  2940 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c276255be8c317392e43735e0f707cf9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c276255be8c317392e43735e0f707cf9.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\c276255be8c317392e43735e0f707cf9.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\c276255be8c317392e43735e0f707cf9.exe" +s +h
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
  - C:\Users\Admin\AppData\Local\Temp\RUFUS-3.12.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\RUFUS-3.12.EXE"
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\notepad.exe
    Command line: notepad
    - Deletes itself
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\RUFUS-3.12.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\RUFUS-3.12.EXE"
      - Executes dropped EXE
      - Checks whether UAC is enabled
    - C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RUFUS-3.12.EXE
  MD5: cd822912b4ff3c303a62d2538fa88d01
  SHA1: 9bf6d9bbc06150a933b4171d55c7a8a297cd9cc5
  SHA256: f37771fbb9a9747c255bfed791c8d25b170a05390c07b977ceed83fda2930db0
  SHA512: dc22c5b25f00a707903e09faa17102afa8c7c33c601c4a9e565f0ba1f9be38b2d3fd33d6cd4fb3f106559826e5b2d4830ebb47f454bd211e948abada5bd40bf7
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: c276255be8c317392e43735e0f707cf9
  SHA1: 8deb38349ef9978a83b8fee521de5e06d2b86052
  SHA256: 5fe7d9e94105fcb2dd524faee708442a10c98a98c9ea3b6ef35da17b6f7f4f47
  SHA512: ebb335783435b6675751d9efaeb601874df6a21f41f9ac0877afc7ab19a5ef7287fa4f8fc81984396a6ff5e29c5a40449635745e3d51a254096d53398b2dd1a3
- memory/204-4-0x0000000000000000-mapping.dmp
- memory/520-12-0x0000000000000000-mapping.dmp
- memory/1012-10-0x0000000002820000-0x0000000002821000-memory.dmp (Filesize: 4KB)
- memory/1012-11-0x0000000000000000-mapping.dmp
- memory/1012-9-0x0000000000000000-mapping.dmp
- memory/2224-15-0x0000000000000000-mapping.dmp
- memory/2768-17-0x0000000000000000-mapping.dmp
- memory/2768-18-0x0000000003110000-0x0000000003111000-memory.dmp (Filesize: 4KB)
- memory/2768-19-0x0000000000000000-mapping.dmp
- memory/2920-2-0x0000000000000000-mapping.dmp
- memory/2940-7-0x0000000000000000-mapping.dmp
- memory/3484-3-0x0000000000000000-mapping.dmp
- memory/3944-6-0x0000000000000000-mapping.dmp