Analysis
max time kernel:  150s
max time network: 153s
platform:         windows7_x64
resource:         win7-20220414-en
submitted:        21-05-2022 18:33
Behavioral task: behavioral1
  Sample:   0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample:   0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Resource: win10v2004-20220414-en
General
Target: 0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
Size:   2.9MB
MD5:    fa42ccd6f594bffeddd05814c6b2aa1b
SHA1:   59c19db02b4e6bc28089b38a517c78e555f8ef3a
SHA256: 0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f
SHA512: 49f7ce75180996d409eb4864854340fe8cc8a1e4031f0e3082d7918a758e3dc21c289285b97f8db63c18f5a36928d98436281e583e1c277dd4f6bec2e8798edb
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes: 0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  description: Set value (str)
  ioc:         \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process:     0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
-
Executes dropped EXE (1 IoCs)
Processes: msdcsc.exe
  pid   process
  1156  msdcsc.exe
-
Processes:
  resource                                    yara_rule
  \Users\Admin\Documents\MSDCSC\msdcsc.exe    upx
  \Users\Admin\Documents\MSDCSC\msdcsc.exe    upx
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe  upx
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe  upx
-
Loads dropped DLL (2 IoCs)
Processes: 0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  pid   process
  1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process:     0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: 0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe, msdcsc.exe
  description                          pid   process
  Token: SeIncreaseQuotaPrivilege      1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: SeSecurityPrivilege           1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: SeTakeOwnershipPrivilege      1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: SeLoadDriverPrivilege         1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: SeSystemProfilePrivilege      1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: SeSystemtimePrivilege         1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: SeProfSingleProcessPrivilege  1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: SeIncBasePriorityPrivilege    1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: SeCreatePagefilePrivilege     1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: SeBackupPrivilege             1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: SeRestorePrivilege            1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: SeShutdownPrivilege           1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: SeDebugPrivilege              1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: SeSystemEnvironmentPrivilege  1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: SeChangeNotifyPrivilege       1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: SeRemoteShutdownPrivilege     1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: SeUndockPrivilege             1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: SeManageVolumePrivilege       1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: SeImpersonatePrivilege        1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: SeCreateGlobalPrivilege       1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: 33                            1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: 34                            1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: 35                            1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  Token: SeIncreaseQuotaPrivilege      1156  msdcsc.exe
  Token: SeSecurityPrivilege           1156  msdcsc.exe
  Token: SeTakeOwnershipPrivilege      1156  msdcsc.exe
  Token: SeLoadDriverPrivilege         1156  msdcsc.exe
  Token: SeSystemProfilePrivilege      1156  msdcsc.exe
  Token: SeSystemtimePrivilege         1156  msdcsc.exe
  Token: SeProfSingleProcessPrivilege  1156  msdcsc.exe
  Token: SeIncBasePriorityPrivilege    1156  msdcsc.exe
  Token: SeCreatePagefilePrivilege     1156  msdcsc.exe
  Token: SeBackupPrivilege             1156  msdcsc.exe
  Token: SeRestorePrivilege            1156  msdcsc.exe
  Token: SeShutdownPrivilege           1156  msdcsc.exe
  Token: SeDebugPrivilege              1156  msdcsc.exe
  Token: SeSystemEnvironmentPrivilege  1156  msdcsc.exe
  Token: SeChangeNotifyPrivilege       1156  msdcsc.exe
  Token: SeRemoteShutdownPrivilege     1156  msdcsc.exe
  Token: SeUndockPrivilege             1156  msdcsc.exe
  Token: SeManageVolumePrivilege       1156  msdcsc.exe
  Token: SeImpersonatePrivilege        1156  msdcsc.exe
  Token: SeCreateGlobalPrivilege       1156  msdcsc.exe
  Token: 33                            1156  msdcsc.exe
  Token: 34                            1156  msdcsc.exe
  Token: 35                            1156  msdcsc.exe
-
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: DllHost.exe
  pid   process
  1504  DllHost.exe
-
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: msdcsc.exe
  pid   process
  1156  msdcsc.exe
-
Suspicious use of WriteProcessMemory (27 IoCs)
Processes: 0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe, msdcsc.exe
  description                      pid   process                                                                process  target process
  PID 1944 wrote to memory of 1156  1944  0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe  msdcsc.exe   (4 identical entries)
  PID 1156 wrote to memory of 896   1156  msdcsc.exe                                                             notepad.exe  (23 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe
      command line: notepad
- C:\Windows\SysWOW64\DllHost.exe
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\JV.PNG
  Filesize: 2.3MB
  MD5:      3ddd4bd37047963db1be074117829bec
  SHA1:     0782172a8ff7ce01095cded15fca83d8e2bc938e
  SHA256:   b8434cadb214a571d4e08d295d1f89c51731ef30c8f9dcd37e866774c9faa390
  SHA512:   cc500878f77dd1a70afead58c39a67fa4489a14be888c51922ed31a0b91e106b2008d053e3e70ed94e2bff8e9c396f2c5995c319659ef31b7230d693ba55d2cd
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 2.9MB
  MD5:      fa42ccd6f594bffeddd05814c6b2aa1b
  SHA1:     59c19db02b4e6bc28089b38a517c78e555f8ef3a
  SHA256:   0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f
  SHA512:   49f7ce75180996d409eb4864854340fe8cc8a1e4031f0e3082d7918a758e3dc21c289285b97f8db63c18f5a36928d98436281e583e1c277dd4f6bec2e8798edb
- \Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 2.9MB
  MD5:      fa42ccd6f594bffeddd05814c6b2aa1b
  SHA1:     59c19db02b4e6bc28089b38a517c78e555f8ef3a
  SHA256:   0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f
  SHA512:   49f7ce75180996d409eb4864854340fe8cc8a1e4031f0e3082d7918a758e3dc21c289285b97f8db63c18f5a36928d98436281e583e1c277dd4f6bec2e8798edb
- memory/896-62-0x0000000000000000-mapping.dmp
- memory/1156-58-0x0000000000000000-mapping.dmp
- memory/1944-54-0x0000000076191000-0x0000000076193000-memory.dmp
  Filesize: 8KB