Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 22:54
Behavioral task: behavioral1
- Sample: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe
- Resource: win7-20220414-en
General
- Target: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe
- Size: 253KB
- MD5: 8042e161f29f7611e479358616ebce90
- SHA1: 9e66839a0b7175ed89cc3f415979aa20f13caf71
- SHA256: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0
- SHA512: 0d473b8ef9e8e3ab14aca1bd7ac18cd61be22ee8d6ef59feceff8028a34319afd80c20b8efcd965692e4b12353c62d685680bb2af20b5de9fe45cbce3e6b5e2d
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\MSDCSC\\msdcsc.exe"
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process: msdcsc.exe
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
- Modifies security service (2 TTPs, 1 IoC)
  Process: msdcsc.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Executes dropped EXE (1 IoC)
  Process: pid 1700 msdcsc.exe
- YARA rule matches
  resource \Windows\MSDCSC\msdcsc.exe: yara_rule upx
  resource \Windows\MSDCSC\msdcsc.exe: yara_rule upx
  resource C:\Windows\MSDCSC\msdcsc.exe: yara_rule upx
- Loads dropped DLL (2 IoCs)
  Process: pid 1356 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe (2 IoCs)
- Windows security modification
  Process: msdcsc.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSDCSC\\msdcsc.exe"
- Drops file in Windows directory (3 IoCs)
  Process: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe
  File created C:\Windows\MSDCSC\msdcsc.exe
  File opened for modification C:\Windows\MSDCSC\msdcsc.exe
  File opened for modification C:\Windows\MSDCSC\
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: pid 1700 msdcsc.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe, msdcsc.exe
  pid 1356 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  pid 1700 msdcsc.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (43 IoCs)
  Processes: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe, cmd.exe, cmd.exe, msdcsc.exe
  PID 1356 (2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe) wrote to memory of 1972 (cmd.exe): 4 times
  PID 1356 (2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe) wrote to memory of 1364 (cmd.exe): 4 times
  PID 1972 (cmd.exe) wrote to memory of 1188 (attrib.exe): 4 times
  PID 1364 (cmd.exe) wrote to memory of 1264 (attrib.exe): 4 times
  PID 1356 (2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe) wrote to memory of 1700 (msdcsc.exe): 4 times
  PID 1700 (msdcsc.exe) wrote to memory of 1816 (notepad.exe): 23 times
- System policy modification (1 TTP, 3 IoCs)
  Process: msdcsc.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: pid 1188 attrib.exe, pid 1264 attrib.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe" +s +h
      - Views/modifies file attributes
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
  - [2] C:\Windows\MSDCSC\msdcsc.exe
    Command line: "C:\Windows\MSDCSC\msdcsc.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - [3] C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\MSDCSC\msdcsc.exe
  Filesize: 253KB
  MD5: 8042e161f29f7611e479358616ebce90
  SHA1: 9e66839a0b7175ed89cc3f415979aa20f13caf71
  SHA256: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0
  SHA512: 0d473b8ef9e8e3ab14aca1bd7ac18cd61be22ee8d6ef59feceff8028a34319afd80c20b8efcd965692e4b12353c62d685680bb2af20b5de9fe45cbce3e6b5e2d
- \Windows\MSDCSC\msdcsc.exe
  Filesize: 253KB
  MD5: 8042e161f29f7611e479358616ebce90
  SHA1: 9e66839a0b7175ed89cc3f415979aa20f13caf71
  SHA256: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0
  SHA512: 0d473b8ef9e8e3ab14aca1bd7ac18cd61be22ee8d6ef59feceff8028a34319afd80c20b8efcd965692e4b12353c62d685680bb2af20b5de9fe45cbce3e6b5e2d
- memory/1188-57-0x0000000000000000-mapping.dmp
- memory/1264-58-0x0000000000000000-mapping.dmp
- memory/1356-54-0x0000000075541000-0x0000000075543000-memory.dmp (Filesize: 8KB)
- memory/1364-56-0x0000000000000000-mapping.dmp
- memory/1700-61-0x0000000000000000-mapping.dmp
- memory/1816-64-0x0000000000000000-mapping.dmp
- memory/1972-55-0x0000000000000000-mapping.dmp