Analysis
- max time kernel: 152s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:54
Behavioral task
- task: behavioral1
- sample: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe
- resource: win7-20220414-en
General
- Target: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe
- Size: 253KB
- MD5: 8042e161f29f7611e479358616ebce90
- SHA1: 9e66839a0b7175ed89cc3f415979aa20f13caf71
- SHA256: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0
- SHA512: 0d473b8ef9e8e3ab14aca1bd7ac18cd61be22ee8d6ef59feceff8028a34319afd80c20b8efcd965692e4b12353c62d685680bb2af20b5de9fe45cbce3e6b5e2d
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\MSDCSC\\msdcsc.exe" (process: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe)
Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: msdcsc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (process: msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: msdcsc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (process: msdcsc.exe)
Modifies security service (2 TTPs, 1 IoC)
Processes: msdcsc.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (process: msdcsc.exe)
Disables RegEdit via registry modification

Disables Task Manager via registry modification
Executes dropped EXE (1 IoC)
Processes: msdcsc.exe
- PID 1848: msdcsc.exe

Processes (yara_rule matches):
- upx: C:\Windows\MSDCSC\msdcsc.exe
- upx: C:\Windows\MSDCSC\msdcsc.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (process: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe)
Processes: msdcsc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: msdcsc.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSDCSC\\msdcsc.exe" (process: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe)
Drops file in Windows directory (3 IoCs)
Processes: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe
- File opened for modification: C:\Windows\MSDCSC\msdcsc.exe (process: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe)
- File opened for modification: C:\Windows\MSDCSC\ (process: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe)
- File created: C:\Windows\MSDCSC\msdcsc.exe (process: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoC)
Processes: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: msdcsc.exe
- PID 1848: msdcsc.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe, msdcsc.exe
- PID 2176 (2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe), 24 token entries: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 1848 (msdcsc.exe), 24 token entries: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of WriteProcessMemory (37 IoCs)
Processes: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe, cmd.exe, cmd.exe, msdcsc.exe
- PID 2176 (2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe) wrote to memory of PID 2084 (cmd.exe): 3 entries
- PID 2176 (2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe) wrote to memory of PID 4412 (cmd.exe): 3 entries
- PID 2084 (cmd.exe) wrote to memory of PID 5088 (attrib.exe): 3 entries
- PID 4412 (cmd.exe) wrote to memory of PID 3516 (attrib.exe): 3 entries
- PID 2176 (2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe) wrote to memory of PID 1848 (msdcsc.exe): 3 entries
- PID 1848 (msdcsc.exe) wrote to memory of PID 4716 (notepad.exe): 22 entries
System policy modification (1 TTP, 3 IoCs)
Processes: msdcsc.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (process: msdcsc.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (process: msdcsc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (process: msdcsc.exe)
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe, attrib.exe
- PID 5088: attrib.exe
- PID 3516: attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe"
  signatures: Modifies WinLogon for persistence; Checks computer location settings; Adds Run key to start application; Drops file in Windows directory; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe" +s +h
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (level 3)
      command line: attrib "C:\Users\Admin\AppData\Local\Temp\2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0.exe" +s +h
      signatures: Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (level 3)
      command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      signatures: Views/modifies file attributes
  - C:\Windows\MSDCSC\msdcsc.exe (level 2)
    command line: "C:\Windows\MSDCSC\msdcsc.exe"
    signatures: Modifies firewall policy service; Modifies security service; Executes dropped EXE; Windows security modification; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\SysWOW64\notepad.exe (level 3)
      command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\MSDCSC\msdcsc.exe
  Filesize: 253KB
  MD5: 8042e161f29f7611e479358616ebce90
  SHA1: 9e66839a0b7175ed89cc3f415979aa20f13caf71
  SHA256: 2b4a79e25992395c0aefec0702088ec365f731dfeaf42a61fb910e2012f396d0
  SHA512: 0d473b8ef9e8e3ab14aca1bd7ac18cd61be22ee8d6ef59feceff8028a34319afd80c20b8efcd965692e4b12353c62d685680bb2af20b5de9fe45cbce3e6b5e2d