Analysis

max time kernel: 150s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 23:39

Behavioral task: behavioral1
Sample: 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe
Resource: win7-20220414-en
General

Target: 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe
Size: 349KB
MD5: 8bb1d40020267fd6a8778c710b4f7976
SHA1: d0c9aa6ee06e72c6c383ab0cd15f1951b961b9d4
SHA256: 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac
SHA512: 4e99185e84cbdd3bf7086e30f6076965de2c103336cb7be9b55fb46c9365924c61bbda620eab763ecef446e3ea90b4b9e80e4674c908583b9fd7310bfa58e557
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
The dropped binary is appended after the legitimate userinit.exe rather than replacing it, so interactive logon keeps working and the implant is started by winlogon at every logon. Writing this value under HKLM needs administrative rights; the sandbox ran the sample as the local Admin user, so in a non-elevated run only the per-user Run key listed further down could succeed.
Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: msdcsc.exe
  Key created    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
EnableFirewall = 0 switches the standard-profile firewall off; DisableNotifications = 0, as written, leaves notifications enabled. The sandbox logs the write against ControlSet001; on a live host the same values are read through CurrentControlSet, and this write, too, requires administrative rights.
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Executes dropped EXE (1 IoC)
Process: msdcsc.exe
  PID 1660  msdcsc.exe

YARA rule match: upx
Resource: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe  (rule upx, reported twice for the same file)
The report does not print a title for this signature; the rule name is upx, i.e. the dropped file is UPX-packed. Because the dropped file carries the same hashes as the submitted sample (see Downloads), the match applies to the sample itself.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Process: 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe
  Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
The report records only the query; it shows no behaviour that changed depending on the value, so the geofence reading is the sandbox's inference, not an observed check.
Adds Run key to start application (2 TTPs, 1 IoC)
Process: 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The report's stock description calls this "likely ransomware behaviour", but nothing else in this run supports that reading: no file encryption, no ransom note and no mass file writes are recorded. Drive enumeration is equally consistent with a remote-access tool building a file browser for its operator.
Modifies registry class (1 IoC)
Process: 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: msdcsc.exe
  PID 1660  msdcsc.exe
Polling GetForegroundWindow at high frequency is how keyloggers tag captured input with the active window title; together with the SetWindowsHookEx use below it is consistent with input capture.
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Both the sample (PID 2640) and the dropped msdcsc.exe (PID 1660) enabled the same 24 privileges, in the same order:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
  SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
  SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
  SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
  SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
The last four are privilege LUIDs the sandbox did not resolve to names; on Windows 10 they are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36). Enabling every privilege an elevated token holds in one sweep, SeDebugPrivilege included, is a recognisable pattern in its own right and a usable detection point.
Suspicious use of SetWindowsHookEx (1 IoC)
Process: msdcsc.exe
  PID 1660  msdcsc.exe
Suspicious use of WriteProcessMemory (37 IoCs)
Source process (PID)                                                                  Target process (PID)   Writes
4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe (2640)           cmd.exe (4576)           3
4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe (2640)           cmd.exe (4560)           3
cmd.exe (4576)                                                                        attrib.exe (1028)        3
cmd.exe (4560)                                                                        attrib.exe (2352)        3
4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe (2640)           msdcsc.exe (1660)        3
msdcsc.exe (1660)                                                                     notepad.exe (1912)      22
Three writes per parent/child pair is the baseline every ordinary process creation in this run produced. The outlier is the 22 writes from msdcsc.exe into notepad.exe, a process that shows no activity of its own in the report; that is consistent with notepad.exe being used as an injection host rather than as an editor.
Views/modifies file attributes (1 TTP, 2 IoCs)
Process: attrib.exe
  PID 1028  attrib.exe
  PID 2352  attrib.exe
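The following PowerShell script is an added example; it is not part of the sandbox report and not code from the sample. It is a read-only check of a Windows host for the registry and file artefacts listed in the signatures above. It assumes that the only legitimate Userinit entry is %SystemRoot%\system32\userinit.exe, that the live firewall key is read through CurrentControlSet (the report shows ControlSet001), and that the Task Manager and Regedit lockouts, which the report flags without listing the values, are the standard DisableTaskMgr and DisableRegistryTools policy values. The drop path, Run-key name and SHA-256 are taken verbatim from the report.

```powershell
# Added example, not from the sandbox report: read-only check of a Windows host for the
# registry and file artefacts the report lists. Run from an elevated PowerShell session.
# Assumed: the only legitimate Userinit entry is %SystemRoot%\system32\userinit.exe; the
# live firewall key is CurrentControlSet (the report shows ControlSet001); the lockout
# values are the standard DisableTaskMgr / DisableRegistryTools policy values.

$ReportSha256 = '4AD10741FC2DA2B3E001F01F04400973F743F3041DD188C7B136B0821460D9AC'
$findings  = [System.Collections.Generic.List[string]]::new()
$userHives = Get-ChildItem 'Registry::HKEY_USERS' | Where-Object { $_.PSChildName -notlike '*_Classes' }

# 1. Winlogon\Userinit. The clean value is "C:\Windows\system32\userinit.exe," with a trailing
#    comma, so a plain string comparison misfires; compare the comma-separated entries instead.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
$legit    = Join-Path $env:SystemRoot 'system32\userinit.exe'
foreach ($entry in ([string]$userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
    if ($entry -ne $legit) { $findings.Add("Winlogon Userinit carries an extra entry: $entry") }
}

# 2. Per-user Run key "MicroUpdate" and the Task Manager / Regedit lockout policies, checked
#    in every loaded user hive rather than only the current user's.
foreach ($hive in $userHives) {
    $base = "Registry::HKEY_USERS\$($hive.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion"
    $run  = (Get-ItemProperty -Path "$base\Run" -Name MicroUpdate -ErrorAction SilentlyContinue).MicroUpdate
    if ($run) { $findings.Add("Run\MicroUpdate in $($hive.PSChildName): $run") }
    $pol = Get-ItemProperty -Path "$base\Policies\System" -ErrorAction SilentlyContinue
    if ($pol.DisableTaskMgr -eq 1)       { $findings.Add("DisableTaskMgr=1 in $($hive.PSChildName)") }
    if ($pol.DisableRegistryTools -eq 1) { $findings.Add("DisableRegistryTools=1 in $($hive.PSChildName)") }
}

# 3. Firewall policy: EnableFirewall = 0 on the standard profile, as in the report.
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$enable = (Get-ItemProperty -Path $fw -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
if ($enable -eq 0) { $findings.Add('StandardProfile\EnableFirewall is 0 (firewall off)') }

# 4. The dropped copy. It is byte-identical to the sample, so the SHA-256 can be matched
#    directly. attrib +s +h was applied to it, so -Force is needed to open hidden/system files.
foreach ($profile in Get-ChildItem 'C:\Users' -Directory -Force) {
    $drop = Join-Path $profile.FullName 'Documents\MSDCSC\msdcsc.exe'
    if (Test-Path -LiteralPath $drop) {
        $hash = (Get-FileHash -LiteralPath $drop -Algorithm SHA256).Hash
        $attr = (Get-Item -LiteralPath $drop -Force).Attributes
        $findings.Add("$drop sha256=$hash attrs=[$attr] matches report: $($hash -eq $ReportSha256)")
    }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { "[!] $_" } }
else { '[+] none of the artefacts from this report were found' }
```

The Userinit check is the one worth copying: the clean value ends in a comma, so equality against "C:\Windows\system32\userinit.exe" is always false and equality against the comma-terminated string silently accepts a second entry only if the comparison is done per entry. The attribute read on the dropped file doubles as a check for the attrib +s +h step in the process tree.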
Processes

C:\Users\Admin\AppData\Local\Temp\4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe  (PID 2640)
  command line: "C:\Users\Admin\AppData\Local\Temp\4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe" +s +h
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp\4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac.exe" +s +h
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes

  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe  (PID 1660)
    command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Modifies firewall policy service
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\notepad.exe  (PID 1912)
      command line: notepad
      (no signatures of its own; it is the target of the 22 WriteProcessMemory calls from msdcsc.exe listed above)

Notes on the tree: the command lines name C:\Windows\System32\cmd.exe, but the executed image is C:\Windows\SysWOW64\cmd.exe, which means the sample is a 32-bit binary and its children were resolved through WOW64 file-system redirection. The two cmd.exe instances exist only to run attrib: the first marks the original dropper system+hidden, the second does the same to the whole %TEMP% directory, so both the dropper and the folder it lives in disappear from default Explorer views. cmd.exe is started with /k, so each instance stays resident after attrib returns. The two cmd.exe/attrib.exe pairs carry PIDs 4576/1028 and 4560/2352 in the signature tables, but the report does not say which pair ran which command line, so no PIDs are assigned to them here.
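As a second added example, again not from the report and not code from the sample, the msdcsc.exe to notepad.exe write pattern can be hunted on a live host with Sysmon. There is no Sysmon event for WriteProcessMemory itself; the observable is ProcessAccess (Event ID 10), where a process opens another with PROCESS_VM_WRITE and PROCESS_VM_OPERATION in GrantedAccess. The script assumes Sysmon is installed with a configuration that logs ProcessAccess for ordinary user processes (many default configurations only log access to lsass.exe), and the threshold of three opens per source/target pair is the author's starting point, not a figure from the sandbox; the field names are Sysmon's own.

```powershell
# Added example, not from the sandbox report: hunt Sysmon ProcessAccess (Event ID 10) for
# one process repeatedly opening another with memory-write rights, the host-side view of the
# msdcsc.exe -> notepad.exe writes in the report.
# Assumes Sysmon is installed and its config logs ProcessAccess for ordinary processes.

$PROCESS_VM_OPERATION = 0x0008      # needed to change protections / allocate in the target
$PROCESS_VM_WRITE     = 0x0020      # needed for WriteProcessMemory
$MinOpens             = 3           # author's threshold; tune against a baseline of the host

$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Pull the EventData fields out of the event XML into a hashtable.
    $data = @{}
    foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time          = $_.TimeCreated
        SourcePid     = [int]$data['SourceProcessId']
        SourceImage   = $data['SourceImage']
        TargetPid     = [int]$data['TargetProcessId']
        TargetImage   = $data['TargetImage']
        GrantedAccess = [long]$data['GrantedAccess']   # Sysmon writes this as a 0x-prefixed hex string
    }
}

$events |
    Where-Object {
        ($_.GrantedAccess -band $PROCESS_VM_WRITE) -and
        ($_.GrantedAccess -band $PROCESS_VM_OPERATION) -and
        ($_.SourcePid -ne $_.TargetPid)
    } |
    Group-Object SourcePid, TargetPid |
    Where-Object { $_.Count -ge $MinOpens } |
    ForEach-Object {
        $first = $_.Group | Sort-Object Time | Select-Object -First 1
        [pscustomobject]@{
            Source = "$($first.SourceImage) ($($first.SourcePid))"
            Target = "$($first.TargetImage) ($($first.TargetPid))"
            Opens  = $_.Count
            First  = $first.Time
        }
    } |
    Sort-Object Opens -Descending |
    Format-Table -AutoSize
```

Pair the output with Sysmon Event ID 1 (ParentImage) to see whether the source also created the target, as msdcsc.exe did with notepad.exe here: a parent that spawns a benign-looking child and then keeps opening it with write rights is the shape of the injection the sandbox counted as 22 writes. Expect legitimate debuggers, EDR agents and some installers to show up too, so the threshold and an image allow-list need tuning per environment.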
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
Filesize: 349KB
MD5: 8bb1d40020267fd6a8778c710b4f7976
SHA1: d0c9aa6ee06e72c6c383ab0cd15f1951b961b9d4
SHA256: 4ad10741fc2da2b3e001f01f04400973f743f3041dd188c7b136b0821460d9ac
SHA512: 4e99185e84cbdd3bf7086e30f6076965de2c103336cb7be9b55fb46c9365924c61bbda620eab763ecef446e3ea90b4b9e80e4674c908583b9fd7310bfa58e557
(listed twice in the report; both entries are the same file)
The dropped file's hashes are identical to the submitted sample's: the sample copies itself unchanged to the MSDCSC directory, so a hash-based block on the sample also covers the installed copy.

Memory dumps
memory/4576-130-0x0000000000000000-mapping.dmp  (cmd.exe)
memory/4560-131-0x0000000000000000-mapping.dmp  (cmd.exe)
memory/1028-132-0x0000000000000000-mapping.dmp  (attrib.exe)
memory/2352-133-0x0000000000000000-mapping.dmp  (attrib.exe)
memory/1660-134-0x0000000000000000-mapping.dmp  (msdcsc.exe)
memory/1912-137-0x0000000000000000-mapping.dmp  (notepad.exe)