Analysis
- max time kernel: 110s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-06-2021 14:27
Static task: static1
Behavioral task: behavioral1
  Sample: 445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
  Resource: win10v20210408
General
- Target: 445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
- Size: 833KB
- MD5: aff59ff4873a180e497cac498323fd56
- SHA1: 3cb24379d8aeb29a58fddac419f8bd0fc1068c89
- SHA256: 445bc3da96e63745748cc4d7d14faaa80122f46bc86e2a4628956f5aea4b70f7
- SHA512: cbf9ed1d90ea527bc9e8f3564d1fd2f3d1f9c92e10ba8da790f58c815f07ae11f6c5da3772b95b286867e3be124994ddc32aa1758a1d2acb8667d01dfca7b929
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: D&H.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"
  process: D&H.exe
- Executes dropped EXE (2 IoCs)
  Processes: D&H.exe, msdcsc.exe
  pid 4084: D&H.exe
  pid 776: msdcsc.exe
- Processes (yara rule matches):
  resource: C:\Users\Admin\AppData\Local\Temp\D&H.exe  yara_rule: upx
  resource: C:\Users\Admin\AppData\Local\Temp\D&H.exe  yara_rule: upx
  resource: C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe  yara_rule: upx
  resource: C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe  yara_rule: upx
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: D&H.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"
  process: D&H.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: D&H.exe, msdcsc.exe
  pid 4084 (D&H.exe) Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  pid 776 (msdcsc.exe) Token: the same 24 token privileges as pid 4084 (SeIncreaseQuotaPrivilege through SeCreateGlobalPrivilege, plus 33, 34, 35, 36)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: msdcsc.exe
  pid 776: msdcsc.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: 445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe, cmd.exe, 445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe, D&H.exe
  pid 2840 (445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe) wrote to memory of pid 2928 (cmd.exe): 3 events
  pid 2840 (445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe) wrote to memory of pid 4084 (D&H.exe): 3 events
  pid 2840 (445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe) wrote to memory of pid 196 (445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe): 3 events
  pid 2928 (cmd.exe) wrote to memory of pid 2384 (schtasks.exe): 3 events
  pid 196 (445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe) wrote to memory of pid 3460 (445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe): 3 events
  pid 4084 (D&H.exe) wrote to memory of pid 776 (msdcsc.exe): 3 events
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
  PID: 2840
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c schtasks /Create /TN svchost.exe /XML "C:\Users\Admin\AppData\Local\Temp\906e3b9444e74d05a4e8d74c157bad7e.xml"
    PID: 2928
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /Create /TN svchost.exe /XML "C:\Users\Admin\AppData\Local\Temp\906e3b9444e74d05a4e8d74c157bad7e.xml"
      PID: 2384
      - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\D&H.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\D&H.exe"
    PID: 4084
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
      command line: "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
      PID: 776
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
  - [2] C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
    PID: 196
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\445bc3da96e63745748cc4d7d14faaa80122f46bc86e2.exe"
      PID: 3460
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: f0e0e81f7cf053c3bb14ea4e007fae8e
  SHA1: ee5362c257452de3241d01c497f2a0d101b55164
  SHA256: 6843901f475e8ae813a07cf3551672f497208cfe6967a9239075f480b5a6e0bc
  SHA512: 8c5c373b7cd41a24664c0ea3d5618e351481a95c3d180e5fb1a5a69aa7e8cb54067e4de9ee8ee4cddb07097ea596f71dcb95e09566c77a5f96df4ccdcd448670
- MD5: 6ecfbfb290b771d5aad3a289494a7e01
  SHA1: 999277c449813f3292afce6e2a105e9f5331ba21
  SHA256: d1d5863a9d03fe4f0d32466a06e0384a5750990343cc62c46f45fd8ea6ae644f
  SHA512: 9b71b3b503416f701257531247588fce8aefb21e990f1955e0cd6286686eb0f97edd43a2b8ee3af46c48d4857e2c5d09adde32e44d7a0589a5529da571b93f18