Analysis
- max time kernel: 150s
- max time network: 182s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 31-08-2021 06:53

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20.exe
  Resource: win7v20210408
General
- Target: b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20.exe
- Size: 251KB
- MD5: 13f25517b98fdc189bf40e62782c677a
- SHA1: 9ad5a3a60cbd712a904f925e789bcbe61cb22ba8
- SHA256: b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20
- SHA512: bb136fc1d84e5dcce27477e3ad9633a24cb4a523618cdea314c759ad7528d20bbb5a9f7f9fadec139a131f8208b6cdc569e4cbeb6e3f45664e34d00eec66dcc0
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
Winlogon launches every comma-separated entry in UserInit at interactive logon, so appending the dropped copy after the genuine userinit.exe starts it at each logon without breaking the logon sequence. The value is under HKLM, so the write needed administrative rights on the sandbox host.
Modifies security service (2 TTPs, 1 IoC)
Process: msdcsc.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
wscsvc is the Windows Security Center service; a Start value of 4 (SERVICE_DISABLED) keeps it from loading at the next boot, so the host no longer reports missing antivirus or firewall protection.
Executes dropped EXE (1 IoC)
- PID 1712: msdcsc.exe
YARA rule match: upx (4 IoCs)
Resources matched by the upx rule (each path reported twice):
- \Users\Admin\Documents\MSDCSC\msdcsc.exe
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Loads dropped DLL (2 IoCs)
- PID 2016: b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20.exe (2 hits)
Windows security modification (1 IoC)
Process: msdcsc.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Setting AntiVirusDisableNotify to 1 suppresses the Security Center's "no antivirus" warning. The Wow6432Node path is the registry redirection applied to 32-bit processes, so the writer is a 32-bit binary on this 64-bit host.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20.exe, msdcsc.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (written by b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (written by msdcsc.exe)
The same per-user Run value is written first by the dropper and again by the dropped copy, giving a second persistence path alongside the Winlogon UserInit entry.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the signature's generic description; no file-encryption activity appears elsewhere in this report.)
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Both PID 2016 (b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20.exe) and PID 1712 (msdcsc.exe) enable the same 23 privileges, in the same order:
- SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
The numeric entries are privilege LUIDs the sandbox did not resolve to names (on Windows 7, 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege). Enabling the whole set held by an administrator token, rather than the single privilege a task needs, is consistent with a routine that walks the token and enables everything; SeDebugPrivilege is the one relevant to the cross-process writes recorded under WriteProcessMemory.
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1712: msdcsc.exe
SetWindowsHookEx installs keyboard and other input hooks; the report does not record which hook type was requested.
Suspicious use of WriteProcessMemory (27 IoCs)
- PID 2016 (b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20.exe) wrote to memory of PID 1712 (msdcsc.exe): 4 writes
- PID 1712 (msdcsc.exe) wrote to memory of PID 1216 (notepad.exe): 23 writes
The dropper writes four times into the msdcsc.exe child it created, and the dropped copy then writes repeatedly into a 32-bit notepad.exe it launched (see the process tree), the pattern of code injection into a benign host process. The report does not show what was written.
Processes
- C:\Users\Admin\AppData\Local\Temp\b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20.exe (command line: "C:\Users\Admin\AppData\Local\Temp\b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20.exe")
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe")
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe (command line: notepad)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (also reported as \Users\Admin\Documents\MSDCSC\msdcsc.exe; four entries, all with identical hashes)
  MD5: 13f25517b98fdc189bf40e62782c677a
  SHA1: 9ad5a3a60cbd712a904f925e789bcbe61cb22ba8
  SHA256: b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20
  SHA512: bb136fc1d84e5dcce27477e3ad9633a24cb4a523618cdea314c759ad7528d20bbb5a9f7f9fadec139a131f8208b6cdc569e4cbeb6e3f45664e34d00eec66dcc0
  These hashes match the submitted sample exactly: the dropper copies itself byte for byte to Documents\MSDCSC\msdcsc.exe and runs the copy from there, so blocking or hunting on the sample's hash also covers the dropped file.
- memory/1216-68-0x0000000000000000-mapping.dmp
- memory/1216-71-0x00000000001E0000-0x00000000001E1000-memory.dmp (4KB)
- memory/1712-63-0x0000000000000000-mapping.dmp
- memory/1712-69-0x0000000000240000-0x0000000000241000-memory.dmp (4KB)
- memory/2016-60-0x00000000754F1000-0x00000000754F3000-memory.dmp (8KB)
- memory/2016-67-0x0000000000290000-0x0000000000291000-memory.dmp (4KB)