deac2a87da8340b072a2c266b465d517f86c1e3b18113e1c0113d662ba043c6b

General

Target

mpc-hc64.exe
Size

12.1MB
MD5

b371a4b7ccb2ac89e38db6db3fff5381
SHA1

e6b9b895ea94d41b0440bde57c3ac1b98f72ac3f
SHA256

deac2a87da8340b072a2c266b465d517f86c1e3b18113e1c0113d662ba043c6b
SHA512

899bfe03b8d9e327e5fa333b1dacf625bc1770b1d6101d5cf8994f06de6ff9531fdb57244eaa98a90e3dad0805f0d9e40eb6bc80dc6505d0bc77153de13d395b

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

mpc-hc64.exe

description	ioc	process
File opened (read-only)	\??\U:	mpc-hc64.exe
File opened (read-only)	\??\X:	mpc-hc64.exe
File opened (read-only)	\??\A:	mpc-hc64.exe
File opened (read-only)	\??\L:	mpc-hc64.exe
File opened (read-only)	\??\M:	mpc-hc64.exe
File opened (read-only)	\??\J:	mpc-hc64.exe
File opened (read-only)	\??\N:	mpc-hc64.exe
File opened (read-only)	\??\O:	mpc-hc64.exe
File opened (read-only)	\??\T:	mpc-hc64.exe
File opened (read-only)	\??\V:	mpc-hc64.exe
File opened (read-only)	\??\D:	mpc-hc64.exe
File opened (read-only)	\??\F:	mpc-hc64.exe
File opened (read-only)	\??\I:	mpc-hc64.exe
File opened (read-only)	\??\H:	mpc-hc64.exe
File opened (read-only)	\??\Q:	mpc-hc64.exe
File opened (read-only)	\??\R:	mpc-hc64.exe
File opened (read-only)	\??\Y:	mpc-hc64.exe
File opened (read-only)	\??\Z:	mpc-hc64.exe
File opened (read-only)	\??\B:	mpc-hc64.exe
File opened (read-only)	\??\E:	mpc-hc64.exe
File opened (read-only)	\??\G:	mpc-hc64.exe
File opened (read-only)	\??\W:	mpc-hc64.exe
File opened (read-only)	\??\K:	mpc-hc64.exe
File opened (read-only)	\??\P:	mpc-hc64.exe
File opened (read-only)	\??\S:	mpc-hc64.exe

Modifies registry class 33 IoCs

Processes:

mpc-hc64.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	mpc-hc64.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	mpc-hc64.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	mpc-hc64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	mpc-hc64.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	mpc-hc64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	mpc-hc64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	mpc-hc64.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	mpc-hc64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e80922b16d365937a46956b92703aca08af0000	mpc-hc64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	mpc-hc64.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	mpc-hc64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	mpc-hc64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	mpc-hc64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	mpc-hc64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	mpc-hc64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	mpc-hc64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	mpc-hc64.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	mpc-hc64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	mpc-hc64.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	mpc-hc64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	mpc-hc64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	mpc-hc64.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	mpc-hc64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	mpc-hc64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	mpc-hc64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193"	mpc-hc64.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	mpc-hc64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	mpc-hc64.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	mpc-hc64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	mpc-hc64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	mpc-hc64.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	mpc-hc64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	mpc-hc64.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

mpc-hc64.exe

pid process

644 mpc-hc64.exe
644 mpc-hc64.exe
644 mpc-hc64.exe
644 mpc-hc64.exe
644 mpc-hc64.exe
644 mpc-hc64.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

mpc-hc64.exe

description pid process

Token: SeIncBasePriorityPrivilege 644 mpc-hc64.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

mpc-hc64.exe

pid process

644 mpc-hc64.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

mpc-hc64.exe

pid process

644 mpc-hc64.exe
644 mpc-hc64.exe
644 mpc-hc64.exe
644 mpc-hc64.exe
644 mpc-hc64.exe

pid	process
644	mpc-hc64.exe
644	mpc-hc64.exe
644	mpc-hc64.exe
644	mpc-hc64.exe
644	mpc-hc64.exe
644	mpc-hc64.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	644	mpc-hc64.exe

pid	process
644	mpc-hc64.exe

pid	process
644	mpc-hc64.exe
644	mpc-hc64.exe
644	mpc-hc64.exe
644	mpc-hc64.exe
644	mpc-hc64.exe

C:\Users\Admin\AppData\Local\Temp\mpc-hc64.exe
"C:\Users\Admin\AppData\Local\Temp\mpc-hc64.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:644