Analysis
max time kernel: 154s
max time network: 157s
platform: windows10_x64
resource: win10v20210408
submitted: 31-08-2021 06:53
Static task: static1
Behavioral task: behavioral1
Sample: b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20.exe
Resource: win7v20210408
General
Target: b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20.exe
Size: 251KB
MD5: 13f25517b98fdc189bf40e62782c677a
SHA1: 9ad5a3a60cbd712a904f925e789bcbe61cb22ba8
SHA256: b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20
SHA512: bb136fc1d84e5dcce27477e3ad9633a24cb4a523618cdea314c759ad7528d20bbb5a9f7f9fadec139a131f8208b6cdc569e4cbeb6e3f45664e34d00eec66dcc0
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process: b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20.exe
Modifies security service (2 TTPs, 1 IoCs)
Processes:
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
  process: msdcsc.exe
Executes dropped EXE (1 IoCs)
Processes:
  pid: 692
  process: msdcsc.exe

Processes:
  resource: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  yara_rule: upx

  resource: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  yara_rule: upx
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation
  process: b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20.exe

Windows security modification
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  process: msdcsc.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process: b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process: msdcsc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
Processes:
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
  process: b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes:
  pid 900, b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20.exe, 24 entries, Token:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
    SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege,
    SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege,
    33, 34, 35, 36

  pid 692, msdcsc.exe, 24 entries, Token:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
    SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege,
    SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege,
    33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid: 692
  process: msdcsc.exe

Suspicious use of WriteProcessMemory (25 IoCs)
Processes:
  description: PID 900 wrote to memory of 692 (3 entries)
  pid: 900
  process: b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20.exe
  target process: msdcsc.exe

  description: PID 692 wrote to memory of 3844 (22 entries)
  pid: 692
  process: msdcsc.exe
  target process: notepad.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\notepad.exe
      command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  MD5: 13f25517b98fdc189bf40e62782c677a
  SHA1: 9ad5a3a60cbd712a904f925e789bcbe61cb22ba8
  SHA256: b61182634b32940e012d1551df9983cf12b53816c89ccfe8c68b185767362a20
  SHA512: bb136fc1d84e5dcce27477e3ad9633a24cb4a523618cdea314c759ad7528d20bbb5a9f7f9fadec139a131f8208b6cdc569e4cbeb6e3f45664e34d00eec66dcc0
memory/692-115-0x0000000000000000-mapping.dmp

memory/692-118-0x0000000000840000-0x0000000000841000-memory.dmp
  Filesize: 4KB

memory/900-114-0x0000000000780000-0x0000000000781000-memory.dmp
  Filesize: 4KB

memory/3844-119-0x0000000000000000-mapping.dmp

memory/3844-120-0x0000000000A80000-0x0000000000A81000-memory.dmp
  Filesize: 4KB