Analysis
- max time kernel: 151s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:31

Static task: static1

Behavioral task: behavioral1
- Sample: 89d15a3ee44dbbd97956a37f4434c5f8e67a1684655b48b2f51375af7ad3e710.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 89d15a3ee44dbbd97956a37f4434c5f8e67a1684655b48b2f51375af7ad3e710.exe
- Resource: win10v2004-20220414-en
General
- Target: 89d15a3ee44dbbd97956a37f4434c5f8e67a1684655b48b2f51375af7ad3e710.exe
- Size: 235KB
- MD5: c59db4ec885ca9531c44c6a2efc30d6b
- SHA1: ba38b0c7a46992d2ae0540a9bc2e89dacd31b834
- SHA256: 89d15a3ee44dbbd97956a37f4434c5f8e67a1684655b48b2f51375af7ad3e710
- SHA512: 9ca82da3e8ec092b0beec4ff5be0d21c7046f0c6a8e24ea3524258242fd9f2e0db4988b1ee742d1428aca29b3e94812829bc1f7530d8ad9b72a84aa6a38800a4
Malware Config
Signatures

- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 89d15a3ee44dbbd97956a37f4434c5f8e67a1684655b48b2f51375af7ad3e710.exe (the sample, PID 1708)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"

- Disables RegEdit via registry modification

- Disables Task Manager via registry modification

- Executes dropped EXE (1 IoC)
  Process: msdcsc.exe (PID 1252)

- Deletes itself (1 IoC)
  Process: notepad.exe (PID 2008)

- Loads dropped DLL (2 IoCs)
  Process: the sample (PID 1708), two entries

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) by the sample: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"
  Set value (str) by msdcsc.exe: \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: msdcsc.exe (PID 1252)

- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Both the sample (PID 1708) and msdcsc.exe (PID 1252) adjust the same 23 token privileges, in this order:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: msdcsc.exe (PID 1252)

- Suspicious use of WriteProcessMemory (61 IoCs)
  Source PID (process) -> target PID (process); the 61 entries are repeats of these pairs:
  1708 (the sample) -> 1552 (cmd.exe)
  1708 (the sample) -> 2016 (cmd.exe)
  2016 (cmd.exe) -> 1852 (attrib.exe)
  1552 (cmd.exe) -> 2012 (attrib.exe)
  1708 (the sample) -> 2008 (notepad.exe)
  1708 (the sample) -> 1252 (msdcsc.exe)
  1252 (msdcsc.exe) -> 560 (notepad.exe)

- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe (PID 2012), attrib.exe (PID 1852)
Processes (level 1 is the submitted sample; each deeper level is a child of the entry above it)

- Level 1: C:\Users\Admin\AppData\Local\Temp\89d15a3ee44dbbd97956a37f4434c5f8e67a1684655b48b2f51375af7ad3e710.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\89d15a3ee44dbbd97956a37f4434c5f8e67a1684655b48b2f51375af7ad3e710.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\89d15a3ee44dbbd97956a37f4434c5f8e67a1684655b48b2f51375af7ad3e710.exe" +s +h
    - Suspicious use of WriteProcessMemory

    - Level 3: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\89d15a3ee44dbbd97956a37f4434c5f8e67a1684655b48b2f51375af7ad3e710.exe" +s +h
      - Views/modifies file attributes

  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory

    - Level 3: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes

  - Level 2: C:\Windows\SysWOW64\notepad.exe
    Command line: notepad
    - Deletes itself

  - Level 2: C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
    Command line: "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - Level 3: C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe (listed twice in the report)
- \Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe (listed twice in the report)
  All four entries carry the same file details, identical to the submitted sample:
  Filesize: 235KB
  MD5: c59db4ec885ca9531c44c6a2efc30d6b
  SHA1: ba38b0c7a46992d2ae0540a9bc2e89dacd31b834
  SHA256: 89d15a3ee44dbbd97956a37f4434c5f8e67a1684655b48b2f51375af7ad3e710
  SHA512: 9ca82da3e8ec092b0beec4ff5be0d21c7046f0c6a8e24ea3524258242fd9f2e0db4988b1ee742d1428aca29b3e94812829bc1f7530d8ad9b72a84aa6a38800a4
- memory/560-67-0x0000000000000000-mapping.dmp
- memory/1252-63-0x0000000000000000-mapping.dmp
- memory/1552-55-0x0000000000000000-mapping.dmp
- memory/1708-54-0x00000000758D1000-0x00000000758D3000-memory.dmp (Filesize: 8KB)
- memory/1852-57-0x0000000000000000-mapping.dmp
- memory/2008-59-0x0000000000000000-mapping.dmp
- memory/2012-58-0x0000000000000000-mapping.dmp
- memory/2016-56-0x0000000000000000-mapping.dmp