Analysis
- max time kernel: 176s
- max time network: 185s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:53
Behavioral task: behavioral1
- Sample: 39c1e6b2be52d7021d682e6eb9bcf94808e43104dd82317cd7724ba83c923240.exe
- Resource: win7-20220414-en
General
- Target: 39c1e6b2be52d7021d682e6eb9bcf94808e43104dd82317cd7724ba83c923240.exe
- Size: 252KB
- MD5: feed791679eb25e2ceb17ef7bcf86f59
- SHA1: 7c7107ca75819e7155440319b8cee889947ce494
- SHA256: 39c1e6b2be52d7021d682e6eb9bcf94808e43104dd82317cd7724ba83c923240
- SHA512: 3c458c1c9b072256e55b03de3c67d312383969de36118fcf729a1c800c8d05d810dd6f31f59958523c7053b718752b8666c6ed21c5d629173001a5736ac9e423
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
    process: 39c1e6b2be52d7021d682e6eb9bcf94808e43104dd82317cd7724ba83c923240.exe
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 4264: msdcsc.exe
- Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe, yara_rule: upx
    resource: C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe, yara_rule: upx
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
    process: 39c1e6b2be52d7021d682e6eb9bcf94808e43104dd82317cd7724ba83c923240.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
    process: 39c1e6b2be52d7021d682e6eb9bcf94808e43104dd82317cd7724ba83c923240.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes:
    description: Key created
    ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
    process: 39c1e6b2be52d7021d682e6eb9bcf94808e43104dd82317cd7724ba83c923240.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid 4264: msdcsc.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes (one IoC per token privilege adjusted by each process):
    pid 4928 (39c1e6b2be52d7021d682e6eb9bcf94808e43104dd82317cd7724ba83c923240.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
    pid 4264 (msdcsc.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid 4264: msdcsc.exe
- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes (description, pid, process, target process; identical repeated rows collapsed with a count):
    PID 4928 wrote to memory of 4372: 39c1e6b2be52d7021d682e6eb9bcf94808e43104dd82317cd7724ba83c923240.exe -> cmd.exe (x3)
    PID 4928 wrote to memory of 2064: 39c1e6b2be52d7021d682e6eb9bcf94808e43104dd82317cd7724ba83c923240.exe -> cmd.exe (x3)
    PID 4372 wrote to memory of 2560: cmd.exe -> attrib.exe (x3)
    PID 2064 wrote to memory of 4484: cmd.exe -> attrib.exe (x3)
    PID 4928 wrote to memory of 4264: 39c1e6b2be52d7021d682e6eb9bcf94808e43104dd82317cd7724ba83c923240.exe -> msdcsc.exe (x3)
    PID 4264 wrote to memory of 4248: msdcsc.exe -> notepad.exe (x22)
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes:
    pid 2560: attrib.exe
    pid 4484: attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\39c1e6b2be52d7021d682e6eb9bcf94808e43104dd82317cd7724ba83c923240.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\39c1e6b2be52d7021d682e6eb9bcf94808e43104dd82317cd7724ba83c923240.exe"
  Signatures: Modifies WinLogon for persistence; Checks computer location settings; Adds Run key to start application; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\39c1e6b2be52d7021d682e6eb9bcf94808e43104dd82317cd7724ba83c923240.exe" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\attrib.exe (level 3)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\39c1e6b2be52d7021d682e6eb9bcf94808e43104dd82317cd7724ba83c923240.exe" +s +h
      Signatures: Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures: Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\attrib.exe (level 3)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures: Views/modifies file attributes
  - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    Signatures: Executes dropped EXE; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\notepad.exe (level 3)
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  Filesize: 252KB
  MD5: feed791679eb25e2ceb17ef7bcf86f59
  SHA1: 7c7107ca75819e7155440319b8cee889947ce494
  SHA256: 39c1e6b2be52d7021d682e6eb9bcf94808e43104dd82317cd7724ba83c923240
  SHA512: 3c458c1c9b072256e55b03de3c67d312383969de36118fcf729a1c800c8d05d810dd6f31f59958523c7053b718752b8666c6ed21c5d629173001a5736ac9e423
- memory/2064-131-0x0000000000000000-mapping.dmp
- memory/2560-132-0x0000000000000000-mapping.dmp
- memory/4248-137-0x0000000000000000-mapping.dmp
- memory/4264-134-0x0000000000000000-mapping.dmp
- memory/4372-130-0x0000000000000000-mapping.dmp
- memory/4484-133-0x0000000000000000-mapping.dmp