Analysis
max time kernel
19s
max time network
9s
platform
windows7_x64
resource
win7v20201028
submitted
13-01-2021 22:31
Static task
static1
Behavioral task
behavioral1
Sample
mpc-hc64.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
mpc-hc64.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
Target
mpc-hc64.exe
Size
12.1MB
MD5
b371a4b7ccb2ac89e38db6db3fff5381
SHA1
e6b9b895ea94d41b0440bde57c3ac1b98f72ac3f
SHA256
deac2a87da8340b072a2c266b465d517f86c1e3b18113e1c0113d662ba043c6b
SHA512
899bfe03b8d9e327e5fa333b1dacf625bc1770b1d6101d5cf8994f06de6ff9531fdb57244eaa98a90e3dad0805f0d9e40eb6bc80dc6505d0bc77153de13d395b
Score
6/10
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: mpc-hc64.exe (columns: description, ioc, process)
- File opened (read-only) \??\E: mpc-hc64.exe
- File opened (read-only) \??\I: mpc-hc64.exe
- File opened (read-only) \??\T: mpc-hc64.exe
- File opened (read-only) \??\W: mpc-hc64.exe
- File opened (read-only) \??\M: mpc-hc64.exe
- File opened (read-only) \??\N: mpc-hc64.exe
- File opened (read-only) \??\R: mpc-hc64.exe
- File opened (read-only) \??\A: mpc-hc64.exe
- File opened (read-only) \??\D: mpc-hc64.exe
- File opened (read-only) \??\F: mpc-hc64.exe
- File opened (read-only) \??\K: mpc-hc64.exe
- File opened (read-only) \??\L: mpc-hc64.exe
- File opened (read-only) \??\U: mpc-hc64.exe
- File opened (read-only) \??\Z: mpc-hc64.exe
- File opened (read-only) \??\J: mpc-hc64.exe
- File opened (read-only) \??\X: mpc-hc64.exe
- File opened (read-only) \??\Y: mpc-hc64.exe
- File opened (read-only) \??\Q: mpc-hc64.exe
- File opened (read-only) \??\S: mpc-hc64.exe
- File opened (read-only) \??\V: mpc-hc64.exe
- File opened (read-only) \??\B: mpc-hc64.exe
- File opened (read-only) \??\G: mpc-hc64.exe
- File opened (read-only) \??\H: mpc-hc64.exe
- File opened (read-only) \??\O: mpc-hc64.exe
- File opened (read-only) \??\P: mpc-hc64.exe
Modifies registry class (31 IoCs)
Processes: mpc-hc64.exe (columns: description, ioc, process)
- Set value (data) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff mpc-hc64.exe
- Set value (data) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff mpc-hc64.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" mpc-hc64.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1" mpc-hc64.exe
- Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU mpc-hc64.exe
- Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg mpc-hc64.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4" mpc-hc64.exe
- Set value (data) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff mpc-hc64.exe
- Set value (data) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots mpc-hc64.exe
- Set value (data) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 mpc-hc64.exe
- Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} mpc-hc64.exe
- Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags mpc-hc64.exe
- Set value (data) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff mpc-hc64.exe
- Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} mpc-hc64.exe
- Set value (data) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff mpc-hc64.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" mpc-hc64.exe
- Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders mpc-hc64.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1" mpc-hc64.exe
- Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell mpc-hc64.exe
- Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 mpc-hc64.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" mpc-hc64.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" mpc-hc64.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616193" mpc-hc64.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16" mpc-hc64.exe
- Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_Classes\Local Settings mpc-hc64.exe
- Set value (data) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 mpc-hc64.exe
- Set value (data) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 mpc-hc64.exe
- Set value (data) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 mpc-hc64.exe
- Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 mpc-hc64.exe
- Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg mpc-hc64.exe
- Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 mpc-hc64.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: mpc-hc64.exe (columns: pid, process)
- 1832 mpc-hc64.exe
- 1832 mpc-hc64.exe
- 1832 mpc-hc64.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: mpc-hc64.exe (columns: pid, process)
- 1832 mpc-hc64.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: mpc-hc64.exe (columns: description, pid, process)
- Token: SeIncBasePriorityPrivilege 1832 mpc-hc64.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: mpc-hc64.exe (columns: pid, process)
- 1832 mpc-hc64.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: mpc-hc64.exe (columns: pid, process)
- 1832 mpc-hc64.exe
- 1832 mpc-hc64.exe
- 1832 mpc-hc64.exe
- 1832 mpc-hc64.exe
Processes
C:\Users\Admin\AppData\Local\Temp\mpc-hc64.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\mpc-hc64.exe"
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1832-2-0x000000013F690000-0x0000000140301000-memory.dmp
Filesize
12.4MB