Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 18:33
Behavioral task: behavioral1
- Sample: 0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
- Resource: win10v2004-20220414-en
General
- Target: 0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
- Size: 2.9MB
- MD5: fa42ccd6f594bffeddd05814c6b2aa1b
- SHA1: 59c19db02b4e6bc28089b38a517c78e555f8ef3a
- SHA256: 0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f
- SHA512: 49f7ce75180996d409eb4864854340fe8cc8a1e4031f0e3082d7918a758e3dc21c289285b97f8db63c18f5a36928d98436281e583e1c277dd4f6bec2e8798edb
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  4700 | msdcsc.exe
- Processes:
  resource | yara_rule
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | upx
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | upx
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes:
  pid | process | tokens
  996 | 0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  4700 | msdcsc.exe | the same 24 tokens as PID 996, in the same order
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  4700 | msdcsc.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes:
  description | pid | process | target process
  PID 996 wrote to memory of 4700 | 996 | 0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe | msdcsc.exe (3 entries)
  PID 4700 wrote to memory of 2320 | 4700 | msdcsc.exe | notepad.exe (22 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (level 2, child of the above)
    Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\notepad.exe (level 3, child of msdcsc.exe)
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 2.9MB
  MD5: fa42ccd6f594bffeddd05814c6b2aa1b
  SHA1: 59c19db02b4e6bc28089b38a517c78e555f8ef3a
  SHA256: 0edfdfc0c5e35db4ea163ad41db66ffc1bce6362f26f9144950cc0df7db9db8f
  SHA512: 49f7ce75180996d409eb4864854340fe8cc8a1e4031f0e3082d7918a758e3dc21c289285b97f8db63c18f5a36928d98436281e583e1c277dd4f6bec2e8798edb
- memory/2320-133-0x0000000000000000-mapping.dmp
- memory/4700-130-0x0000000000000000-mapping.dmp