Analysis
- Max time kernel: 152s
- Max time network: 156s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 20-05-2022 22:45
Behavioral task: behavioral1
- Sample: 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
- Resource: win7-20220414-en
General
- Target: 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
- Size: 349KB
- MD5: 4ba3b7693391fa5d8326b686692a9f91
- SHA1: bfe26b996c5a1176896cbd82ef8044af25042720
- SHA256: 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f
- SHA512: de6c30aa11c1cc63947566b5bcbed45dbefce9d9edabadb069b14157bf64d9aad87bcc92e9453f89e7b5b3858a87d41deb7dc3f288db9430aad0e64dfeddeb1d
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Windows.exe" | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
- Modifies firewall policy service (2 TTPs, 6 IoCs)
  Processes: Windows.exe, iexplore.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | Windows.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | iexplore.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | iexplore.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | iexplore.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | Windows.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | Windows.exe
- Modifies security service (2 TTPs, 2 IoCs)
  Processes: Windows.exe, iexplore.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | Windows.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | iexplore.exe
- Disables RegEdit via registry modification
- Executes dropped EXE (1 IoCs)
  Processes: Windows.exe
  pid | process
  1624 | Windows.exe
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\MSDCSC\Windows.exe | upx
  C:\Users\Admin\AppData\Roaming\MSDCSC\Windows.exe | upx
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe, Windows.exe, iexplore.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Windows.exe" | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Windows.exe" | Windows.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\Windows.exe" | iexplore.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Windows.exe
  description | pid | process | target process
  PID 1624 set thread context of 4920 | 1624 | Windows.exe | iexplore.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes: 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe, Windows.exe, iexplore.exe
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: SeSecurityPrivilege | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: SeTakeOwnershipPrivilege | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: SeLoadDriverPrivilege | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: SeSystemProfilePrivilege | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: SeSystemtimePrivilege | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: SeProfSingleProcessPrivilege | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: SeIncBasePriorityPrivilege | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: SeCreatePagefilePrivilege | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: SeBackupPrivilege | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: SeRestorePrivilege | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: SeShutdownPrivilege | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: SeDebugPrivilege | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: SeSystemEnvironmentPrivilege | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: SeChangeNotifyPrivilege | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: SeRemoteShutdownPrivilege | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: SeUndockPrivilege | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: SeManageVolumePrivilege | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: SeImpersonatePrivilege | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: SeCreateGlobalPrivilege | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: 33 | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: 34 | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: 35 | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: 36 | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Token: SeIncreaseQuotaPrivilege | 1624 | Windows.exe
  Token: SeSecurityPrivilege | 1624 | Windows.exe
  Token: SeTakeOwnershipPrivilege | 1624 | Windows.exe
  Token: SeLoadDriverPrivilege | 1624 | Windows.exe
  Token: SeSystemProfilePrivilege | 1624 | Windows.exe
  Token: SeSystemtimePrivilege | 1624 | Windows.exe
  Token: SeProfSingleProcessPrivilege | 1624 | Windows.exe
  Token: SeIncBasePriorityPrivilege | 1624 | Windows.exe
  Token: SeCreatePagefilePrivilege | 1624 | Windows.exe
  Token: SeBackupPrivilege | 1624 | Windows.exe
  Token: SeRestorePrivilege | 1624 | Windows.exe
  Token: SeShutdownPrivilege | 1624 | Windows.exe
  Token: SeDebugPrivilege | 1624 | Windows.exe
  Token: SeSystemEnvironmentPrivilege | 1624 | Windows.exe
  Token: SeChangeNotifyPrivilege | 1624 | Windows.exe
  Token: SeRemoteShutdownPrivilege | 1624 | Windows.exe
  Token: SeUndockPrivilege | 1624 | Windows.exe
  Token: SeManageVolumePrivilege | 1624 | Windows.exe
  Token: SeImpersonatePrivilege | 1624 | Windows.exe
  Token: SeCreateGlobalPrivilege | 1624 | Windows.exe
  Token: 33 | 1624 | Windows.exe
  Token: 34 | 1624 | Windows.exe
  Token: 35 | 1624 | Windows.exe
  Token: 36 | 1624 | Windows.exe
  Token: SeIncreaseQuotaPrivilege | 4920 | iexplore.exe
  Token: SeSecurityPrivilege | 4920 | iexplore.exe
  Token: SeTakeOwnershipPrivilege | 4920 | iexplore.exe
  Token: SeLoadDriverPrivilege | 4920 | iexplore.exe
  Token: SeSystemProfilePrivilege | 4920 | iexplore.exe
  Token: SeSystemtimePrivilege | 4920 | iexplore.exe
  Token: SeProfSingleProcessPrivilege | 4920 | iexplore.exe
  Token: SeIncBasePriorityPrivilege | 4920 | iexplore.exe
  Token: SeCreatePagefilePrivilege | 4920 | iexplore.exe
  Token: SeBackupPrivilege | 4920 | iexplore.exe
  Token: SeRestorePrivilege | 4920 | iexplore.exe
  Token: SeShutdownPrivilege | 4920 | iexplore.exe
  Token: SeDebugPrivilege | 4920 | iexplore.exe
  Token: SeSystemEnvironmentPrivilege | 4920 | iexplore.exe
  Token: SeChangeNotifyPrivilege | 4920 | iexplore.exe
  Token: SeRemoteShutdownPrivilege | 4920 | iexplore.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: iexplore.exe
  pid | process
  4920 | iexplore.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe, cmd.exe, cmd.exe, Windows.exe
  description | pid | process | target process
  PID 1688 wrote to memory of 3480 | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe | cmd.exe
  PID 1688 wrote to memory of 3480 | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe | cmd.exe
  PID 1688 wrote to memory of 3480 | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe | cmd.exe
  PID 1688 wrote to memory of 3676 | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe | cmd.exe
  PID 1688 wrote to memory of 3676 | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe | cmd.exe
  PID 1688 wrote to memory of 3676 | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe | cmd.exe
  PID 3480 wrote to memory of 2776 | 3480 | cmd.exe | attrib.exe
  PID 3480 wrote to memory of 2776 | 3480 | cmd.exe | attrib.exe
  PID 3480 wrote to memory of 2776 | 3480 | cmd.exe | attrib.exe
  PID 3676 wrote to memory of 2352 | 3676 | cmd.exe | attrib.exe
  PID 3676 wrote to memory of 2352 | 3676 | cmd.exe | attrib.exe
  PID 3676 wrote to memory of 2352 | 3676 | cmd.exe | attrib.exe
  PID 1688 wrote to memory of 1624 | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe | Windows.exe
  PID 1688 wrote to memory of 1624 | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe | Windows.exe
  PID 1688 wrote to memory of 1624 | 1688 | 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe | Windows.exe
  PID 1624 wrote to memory of 4920 | 1624 | Windows.exe | iexplore.exe
  PID 1624 wrote to memory of 4920 | 1624 | Windows.exe | iexplore.exe
  PID 1624 wrote to memory of 4920 | 1624 | Windows.exe | iexplore.exe
  PID 1624 wrote to memory of 4920 | 1624 | Windows.exe | iexplore.exe
  PID 1624 wrote to memory of 4920 | 1624 | Windows.exe | iexplore.exe
- System policy modification (1 TTPs, 3 IoCs)
  Processes: Windows.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | Windows.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | Windows.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | Windows.exe
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  pid | process
  2776 | attrib.exe
  2352 | attrib.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f.exe" +s +h
      - Views/modifies file attributes
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
  - [2] C:\Users\Admin\AppData\Roaming\MSDCSC\Windows.exe
    Command line: "C:\Users\Admin\AppData\Roaming\MSDCSC\Windows.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\MSDCSC\Windows.exe
  Filesize: 349KB
  MD5: 4ba3b7693391fa5d8326b686692a9f91
  SHA1: bfe26b996c5a1176896cbd82ef8044af25042720
  SHA256: 475604a43c345971022ae3da673840556e6a65e9355ca2376cc3b81b65bbce3f
  SHA512: de6c30aa11c1cc63947566b5bcbed45dbefce9d9edabadb069b14157bf64d9aad87bcc92e9453f89e7b5b3858a87d41deb7dc3f288db9430aad0e64dfeddeb1d
- memory/1624-134-0x0000000000000000-mapping.dmp
- memory/2352-133-0x0000000000000000-mapping.dmp
- memory/2776-132-0x0000000000000000-mapping.dmp
- memory/3480-130-0x0000000000000000-mapping.dmp
- memory/3676-131-0x0000000000000000-mapping.dmp