Analysis
-
max time kernel
170s -
max time network
192s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 23:39
Behavioral task
behavioral1
Sample
b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe
Resource
win7-20220414-en
General
-
Target
b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe
-
Size
252KB
-
MD5
b780e5c2aa4465ca48aa5f41ce4adf7f
-
SHA1
efda9481424c4d88f2c4a78742db1cf5b05ff8a2
-
SHA256
b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7
-
SHA512
1bfe4bcd73cb1ce0681da7e6fc58757b1e5c024d3cffbbc4d58f8976d724b9850ab9b0445541d6f114109f74d683d73836a3c9f511ee7ad54a9b8cb31b0d9367
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\MSDCSC\\msdcsc.exe" b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe -
Modifies firewall policy service 2 TTPs 3 IoCs
Processes:
msdcsc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" msdcsc.exe -
Modifies security service 2 TTPs 1 IoCs
Processes:
msdcsc.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe -
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
Processes:
msdcsc.exepid process 1460 msdcsc.exe -
Processes:
resource yara_rule C:\Windows\MSDCSC\msdcsc.exe upx C:\Windows\MSDCSC\msdcsc.exe upx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe -
Processes:
msdcsc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSDCSC\\msdcsc.exe" b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe -
Drops file in Windows directory 3 IoCs
Processes:
b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exedescription ioc process File opened for modification C:\Windows\MSDCSC\ b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe File created C:\Windows\MSDCSC\msdcsc.exe b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe File opened for modification C:\Windows\MSDCSC\msdcsc.exe b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
msdcsc.exepid process 1460 msdcsc.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exemsdcsc.exedescription pid process Token: SeIncreaseQuotaPrivilege 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: SeSecurityPrivilege 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: SeTakeOwnershipPrivilege 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: SeLoadDriverPrivilege 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: SeSystemProfilePrivilege 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: SeSystemtimePrivilege 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: SeProfSingleProcessPrivilege 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: SeIncBasePriorityPrivilege 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: SeCreatePagefilePrivilege 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: SeBackupPrivilege 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: SeRestorePrivilege 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: SeShutdownPrivilege 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: SeDebugPrivilege 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: SeSystemEnvironmentPrivilege 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: SeChangeNotifyPrivilege 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: SeRemoteShutdownPrivilege 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: SeUndockPrivilege 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: SeManageVolumePrivilege 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: SeImpersonatePrivilege 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: SeCreateGlobalPrivilege 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: 33 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: 34 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: 35 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: 36 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe Token: SeIncreaseQuotaPrivilege 1460 msdcsc.exe Token: SeSecurityPrivilege 1460 msdcsc.exe Token: SeTakeOwnershipPrivilege 1460 msdcsc.exe Token: SeLoadDriverPrivilege 1460 msdcsc.exe Token: SeSystemProfilePrivilege 1460 msdcsc.exe Token: SeSystemtimePrivilege 1460 msdcsc.exe Token: SeProfSingleProcessPrivilege 1460 msdcsc.exe Token: SeIncBasePriorityPrivilege 1460 msdcsc.exe Token: SeCreatePagefilePrivilege 1460 msdcsc.exe Token: SeBackupPrivilege 1460 msdcsc.exe Token: SeRestorePrivilege 1460 msdcsc.exe Token: SeShutdownPrivilege 1460 msdcsc.exe Token: SeDebugPrivilege 1460 msdcsc.exe Token: SeSystemEnvironmentPrivilege 1460 msdcsc.exe Token: SeChangeNotifyPrivilege 1460 msdcsc.exe Token: SeRemoteShutdownPrivilege 1460 msdcsc.exe Token: SeUndockPrivilege 1460 msdcsc.exe Token: SeManageVolumePrivilege 1460 msdcsc.exe Token: SeImpersonatePrivilege 1460 msdcsc.exe Token: SeCreateGlobalPrivilege 1460 msdcsc.exe Token: 33 1460 msdcsc.exe Token: 34 1460 msdcsc.exe Token: 35 1460 msdcsc.exe Token: 36 1460 msdcsc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
msdcsc.exepid process 1460 msdcsc.exe -
Suspicious use of WriteProcessMemory 37 IoCs
Processes:
b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.execmd.execmd.exemsdcsc.exedescription pid process target process PID 1076 wrote to memory of 3376 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe cmd.exe PID 1076 wrote to memory of 3376 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe cmd.exe PID 1076 wrote to memory of 3376 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe cmd.exe PID 1076 wrote to memory of 3404 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe cmd.exe PID 1076 wrote to memory of 3404 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe cmd.exe PID 1076 wrote to memory of 3404 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe cmd.exe PID 3376 wrote to memory of 792 3376 cmd.exe attrib.exe PID 3376 wrote to memory of 792 3376 cmd.exe attrib.exe PID 3376 wrote to memory of 792 3376 cmd.exe attrib.exe PID 3404 wrote to memory of 64 3404 cmd.exe attrib.exe PID 3404 wrote to memory of 64 3404 cmd.exe attrib.exe PID 3404 wrote to memory of 64 3404 cmd.exe attrib.exe PID 1076 wrote to memory of 1460 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe msdcsc.exe PID 1076 wrote to memory of 1460 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe msdcsc.exe PID 1076 wrote to memory of 1460 1076 b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe msdcsc.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe PID 1460 wrote to memory of 1356 1460 msdcsc.exe notepad.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
msdcsc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" msdcsc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion msdcsc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern msdcsc.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 792 attrib.exe 64 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe"C:\Users\Admin\AppData\Local\Temp\b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7.exe" +s +h3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Views/modifies file attributes
-
C:\Windows\MSDCSC\msdcsc.exe"C:\Windows\MSDCSC\msdcsc.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\MSDCSC\msdcsc.exeFilesize
252KB
MD5b780e5c2aa4465ca48aa5f41ce4adf7f
SHA1efda9481424c4d88f2c4a78742db1cf5b05ff8a2
SHA256b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7
SHA5121bfe4bcd73cb1ce0681da7e6fc58757b1e5c024d3cffbbc4d58f8976d724b9850ab9b0445541d6f114109f74d683d73836a3c9f511ee7ad54a9b8cb31b0d9367
-
C:\Windows\MSDCSC\msdcsc.exeFilesize
252KB
MD5b780e5c2aa4465ca48aa5f41ce4adf7f
SHA1efda9481424c4d88f2c4a78742db1cf5b05ff8a2
SHA256b12ebd9263108e9344610b6f3b458744f9dd1bc365bbf72b753a4d2e459587e7
SHA5121bfe4bcd73cb1ce0681da7e6fc58757b1e5c024d3cffbbc4d58f8976d724b9850ab9b0445541d6f114109f74d683d73836a3c9f511ee7ad54a9b8cb31b0d9367
-
memory/64-133-0x0000000000000000-mapping.dmp
-
memory/792-132-0x0000000000000000-mapping.dmp
-
memory/1356-137-0x0000000000000000-mapping.dmp
-
memory/1460-134-0x0000000000000000-mapping.dmp
-
memory/3376-130-0x0000000000000000-mapping.dmp
-
memory/3404-131-0x0000000000000000-mapping.dmp