Analysis
- max time kernel: 151s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:39
Behavioral task: behavioral1
- Sample: 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe
- Resource: win7-20220414-en
General
- Target: 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe
- Size: 349KB
- MD5: 8bb1d40020267fd6a8778c710b4f7976
- SHA1: d0c9aa6ee06e72c6c383ab0cd15f1951b961b9d4
- SHA256: 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac
- SHA512: 4e99185e84cbdd3bf7086e30f6076965de2c103336cb7be9b55fb46c9365924c61bbda620eab763ecef446e3ea90b4b9e80e4674c908583b9fd7310bfa58e557
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
    Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    1780 | msdcsc.exe
- Processes (resource | yara_rule):
    \Users\Admin\Documents\MSDCSC\msdcsc.exe | upx
    \Users\Admin\Documents\MSDCSC\msdcsc.exe | upx
    C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | upx
    C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | upx
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    976 | 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe
    976 | 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
    1780 | msdcsc.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes (pid | process); both processes below carry a "Token:" entry for each of the same 23 privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
    976 | 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe
    1780 | msdcsc.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
    1780 | msdcsc.exe
- Suspicious use of WriteProcessMemory (43 IoCs)
  Processes (description | pid | process | target process); identical rows are collapsed with their count:
    PID 976 wrote to memory of 1924 | 976 | 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe | cmd.exe (x4)
    PID 976 wrote to memory of 1744 | 976 | 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe | cmd.exe (x4)
    PID 1924 wrote to memory of 1748 | 1924 | cmd.exe | attrib.exe (x4)
    PID 1744 wrote to memory of 1424 | 1744 | cmd.exe | attrib.exe (x4)
    PID 976 wrote to memory of 1780 | 976 | 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe | msdcsc.exe (x4)
    PID 1780 wrote to memory of 1788 | 1780 | msdcsc.exe | notepad.exe (x23)
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes (pid | process):
    1748 | attrib.exe
    1424 | attrib.exe
Processes (indentation shows parent/child depth; each entry lists its image path, its command line, then the signatures it triggered)
- C:\Users\Admin\AppData\Local\Temp\4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp\4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe" +s +h
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Modifies firewall policy service
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe
      command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 349KB
  MD5: 8bb1d40020267fd6a8778c710b4f7976
  SHA1: d0c9aa6ee06e72c6c383ab0cd15f1951b961b9d4
  SHA256: 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac
  SHA512: 4e99185e84cbdd3bf7086e30f6076965de2c103336cb7be9b55fb46c9365924c61bbda620eab763ecef446e3ea90b4b9e80e4674c908583b9fd7310bfa58e557
- \Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 349KB
  MD5: 8bb1d40020267fd6a8778c710b4f7976
  SHA1: d0c9aa6ee06e72c6c383ab0cd15f1951b961b9d4
  SHA256: 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac
  SHA512: 4e99185e84cbdd3bf7086e30f6076965de2c103336cb7be9b55fb46c9365924c61bbda620eab763ecef446e3ea90b4b9e80e4674c908583b9fd7310bfa58e557
- memory/976-54-0x00000000752D1000-0x00000000752D3000-memory.dmp
  Filesize: 8KB
- memory/1424-58-0x0000000000000000-mapping.dmp
- memory/1744-56-0x0000000000000000-mapping.dmp
- memory/1748-57-0x0000000000000000-mapping.dmp
- memory/1780-61-0x0000000000000000-mapping.dmp
- memory/1788-65-0x0000000000000000-mapping.dmp
- memory/1924-55-0x0000000000000000-mapping.dmp