Analysis
- max time kernel: 153s
- max time network: 158s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:45

Behavioral task: behavioral1
Sample: 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
Resource: win7-20220414-en

General
- Target: 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
- Size: 349KB
- MD5: 4ba3b7693391fa5d8326b686692a9f91
- SHA1: bfe26b996c5a1176896cbd82ef8044af25042720
- SHA256: 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f
- SHA512: de6c30aa11c1cc63947566b5bcbed45dbefce9d9edabadb069b14157bf64d9aad87bcc92e9453f89e7b5b3858a87d41deb7dc3f288db9430aad0e64dfeddeb1d
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Windows.exe" | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
- Modifies firewall policy service (2 TTPs, 6 IoCs)
  Processes: Windows.exe, iexplore.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | Windows.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | Windows.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | Windows.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | iexplore.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | iexplore.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | iexplore.exe
- Modifies security service (2 TTPs, 2 IoCs)
  Processes: Windows.exe, iexplore.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | Windows.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | iexplore.exe
- Disables RegEdit via registry modification
- Executes dropped EXE (1 IoC)
  Processes: Windows.exe
  pid | process
  1524 | Windows.exe
- Processes:
  resource | yara_rule
  \Users\Admin\AppData\Roaming\MSDCSC\Windows.exe | upx
  \Users\Admin\AppData\Roaming\MSDCSC\Windows.exe | upx
  C:\Users\Admin\AppData\Roaming\MSDCSC\Windows.exe | upx
  C:\Users\Admin\AppData\Roaming\MSDCSC\Windows.exe | upx
- Loads dropped DLL (2 IoCs)
  Processes: 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  pid | process
  1044 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  1044 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe, Windows.exe, iexplore.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Windows.exe" | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Windows.exe" | Windows.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Windows.exe" | iexplore.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Windows.exe
  description | pid | process | target process
  PID 1524 set thread context of 572 | 1524 | Windows.exe | iexplore.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe, Windows.exe, iexplore.exe
  description (token) | pid | process
  PID 1044, 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe (23 tokens): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 1524, Windows.exe (23 tokens): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 572, iexplore.exe (18 tokens): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: iexplore.exe
  pid | process
  572 | iexplore.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes: 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe, cmd.exe, cmd.exe, Windows.exe
  description | pid | process | target process | occurrences
  PID 1044 wrote to memory of 1472 | 1044 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe | cmd.exe | 4
  PID 1044 wrote to memory of 936 | 1044 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe | cmd.exe | 4
  PID 1472 wrote to memory of 1580 | 1472 | cmd.exe | attrib.exe | 4
  PID 936 wrote to memory of 1728 | 936 | cmd.exe | attrib.exe | 4
  PID 1044 wrote to memory of 1524 | 1044 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe | Windows.exe | 4
  PID 1524 wrote to memory of 572 | 1524 | Windows.exe | iexplore.exe | 6
- System policy modification (1 TTP, 3 IoCs)
  Processes: Windows.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | Windows.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | Windows.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | Windows.exe
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  pid | process
  1580 | attrib.exe
  1728 | attrib.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe"
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe" +s +h
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib "C:\Users\Admin\AppData\Local\Temp\475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe" +s +h
         - Views/modifies file attributes

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
         - Views/modifies file attributes

   2. C:\Users\Admin\AppData\Roaming\MSDCSC\Windows.exe
      Command line: "C:\Users\Admin\AppData\Roaming\MSDCSC\Windows.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification

      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe
         Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
         - Modifies firewall policy service
         - Modifies security service
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\MSDCSC\Windows.exe
  Filesize: 349KB
  MD5: 4ba3b7693391fa5d8326b686692a9f91
  SHA1: bfe26b996c5a1176896cbd82ef8044af25042720
  SHA256: 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f
  SHA512: de6c30aa11c1cc63947566b5bcbed45dbefce9d9edabadb069b14157bf64d9aad87bcc92e9453f89e7b5b3858a87d41deb7dc3f288db9430aad0e64dfeddeb1d
- \Users\Admin\AppData\Roaming\MSDCSC\Windows.exe
  Filesize: 349KB
  MD5: 4ba3b7693391fa5d8326b686692a9f91
  SHA1: bfe26b996c5a1176896cbd82ef8044af25042720
  SHA256: 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f
  SHA512: de6c30aa11c1cc63947566b5bcbed45dbefce9d9edabadb069b14157bf64d9aad87bcc92e9453f89e7b5b3858a87d41deb7dc3f288db9430aad0e64dfeddeb1d
- memory/936-56-0x0000000000000000-mapping.dmp
- memory/1044-54-0x00000000759F1000-0x00000000759F3000-memory.dmp
  Filesize: 8KB
- memory/1472-55-0x0000000000000000-mapping.dmp
- memory/1524-61-0x0000000000000000-mapping.dmp
- memory/1580-57-0x0000000000000000-mapping.dmp
- memory/1728-58-0x0000000000000000-mapping.dmp