Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 19:16
Behavioral task
behavioral1
Sample
287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
Resource
win10v2004-20220414-en
General
-
Target
287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe
-
Size
349KB
-
MD5
2c0d429589bc6ff62344c943b0db8def
-
SHA1
602c64345157856e174eb001d2a2b81346117094
-
SHA256
287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287
-
SHA512
c661e141a6492369ca45911af5740ce1bb7d85117f3f113da07cf22d83bef911036c7d06b4a5cbacca738e73075b09e476bdca16fa0a9beb5d471bcf9f48f649
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe -
Executes dropped EXE 1 IoCs
Processes:
msdcsc.exepid process 4020 msdcsc.exe -
Processes:
resource yara_rule C:\Users\Admin\Documents\MSDCSC\msdcsc.exe upx C:\Users\Admin\Documents\MSDCSC\msdcsc.exe upx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exemsdcsc.exedescription pid process Token: SeIncreaseQuotaPrivilege 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: SeSecurityPrivilege 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: SeTakeOwnershipPrivilege 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: SeLoadDriverPrivilege 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: SeSystemProfilePrivilege 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: SeSystemtimePrivilege 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: SeProfSingleProcessPrivilege 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: SeIncBasePriorityPrivilege 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: SeCreatePagefilePrivilege 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: SeBackupPrivilege 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: SeRestorePrivilege 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: SeShutdownPrivilege 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: SeDebugPrivilege 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: SeSystemEnvironmentPrivilege 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: SeChangeNotifyPrivilege 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: SeRemoteShutdownPrivilege 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: SeUndockPrivilege 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: SeManageVolumePrivilege 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: SeImpersonatePrivilege 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: SeCreateGlobalPrivilege 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: 33 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: 34 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: 35 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: 36 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe Token: SeIncreaseQuotaPrivilege 4020 msdcsc.exe Token: SeSecurityPrivilege 4020 msdcsc.exe Token: SeTakeOwnershipPrivilege 4020 msdcsc.exe Token: SeLoadDriverPrivilege 4020 msdcsc.exe Token: SeSystemProfilePrivilege 4020 msdcsc.exe Token: SeSystemtimePrivilege 4020 msdcsc.exe Token: SeProfSingleProcessPrivilege 4020 msdcsc.exe Token: SeIncBasePriorityPrivilege 4020 msdcsc.exe Token: SeCreatePagefilePrivilege 4020 msdcsc.exe Token: SeBackupPrivilege 4020 msdcsc.exe Token: SeRestorePrivilege 4020 msdcsc.exe Token: SeShutdownPrivilege 4020 msdcsc.exe Token: SeDebugPrivilege 4020 msdcsc.exe Token: SeSystemEnvironmentPrivilege 4020 msdcsc.exe Token: SeChangeNotifyPrivilege 4020 msdcsc.exe Token: SeRemoteShutdownPrivilege 4020 msdcsc.exe Token: SeUndockPrivilege 4020 msdcsc.exe Token: SeManageVolumePrivilege 4020 msdcsc.exe Token: SeImpersonatePrivilege 4020 msdcsc.exe Token: SeCreateGlobalPrivilege 4020 msdcsc.exe Token: 33 4020 msdcsc.exe Token: 34 4020 msdcsc.exe Token: 35 4020 msdcsc.exe Token: 36 4020 msdcsc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
msdcsc.exepid process 4020 msdcsc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exedescription pid process target process PID 2300 wrote to memory of 4020 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe msdcsc.exe PID 2300 wrote to memory of 4020 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe msdcsc.exe PID 2300 wrote to memory of 4020 2300 287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe msdcsc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe"C:\Users\Admin\AppData\Local\Temp\287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
349KB
MD52c0d429589bc6ff62344c943b0db8def
SHA1602c64345157856e174eb001d2a2b81346117094
SHA256287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287
SHA512c661e141a6492369ca45911af5740ce1bb7d85117f3f113da07cf22d83bef911036c7d06b4a5cbacca738e73075b09e476bdca16fa0a9beb5d471bcf9f48f649
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
349KB
MD52c0d429589bc6ff62344c943b0db8def
SHA1602c64345157856e174eb001d2a2b81346117094
SHA256287fe2a88eaa68427924f8cd4204bd39cdc5a1d61140bf6c0e4779636445d287
SHA512c661e141a6492369ca45911af5740ce1bb7d85117f3f113da07cf22d83bef911036c7d06b4a5cbacca738e73075b09e476bdca16fa0a9beb5d471bcf9f48f649
-
memory/4020-130-0x0000000000000000-mapping.dmp