Analysis
max time kernel: 83s
max time network: 61s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 11:43
Behavioral task behavioral1
Sample: dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Resource: win7-20221111-en

Behavioral task behavioral2
Sample: dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Resource: win10v2004-20220812-en
General
Target: dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Size: 285KB
MD5: 4c4b6cd307cd62ff89d28a5aa750d4c4
SHA1: 46d2345b3d46b7561e48bae5fb229681dcff0c59
SHA256: dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1
SHA512: f1c66bb92f0bd8891b0fd9f6189673580629316d5a289be93d1ecf4bc7751f9552bb5d7326aa27d75dbe3d38a883be2cbd2e143690611ecbd465f09ee16c7183
SSDEEP: 6144:Tlb6SDOiIN4o2cOMayarS0IjX7n6wXmzbBFXPE:T0Siiu2cOMayaZerXXmhFXPE
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\mshhdcsc.exe"
The stock value of this machine-wide key is "C:\Windows\system32\userinit.exe," (a single entry with a trailing comma). Winlogon launches every program in the comma-separated list at interactive logon, so appending the dropped copy makes it start for every user who logs on, before the shell is up.
Executes dropped EXE (1 IoC)
Process: mshhdcsc.exe (PID 592)
YARA rule upx matched on:
- \Users\Admin\Documents\MSDCSC\mshhdcsc.exe
- C:\Users\Admin\Documents\MSDCSC\mshhdcsc.exe
- behavioral1/memory/1004-60-0x0000000000400000-0x00000000004C9000-memory.dmp
- behavioral1/memory/592-62-0x0000000000400000-0x00000000004C9000-memory.dmp
Loads dropped DLL (2 IoCs)
Process: dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe (PID 1004), two loads recorded; the DLL path is not captured in the report
Adds Run key to start application (2 TTPs, 1 IoC)
Process: dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdateii = "C:\\Users\\Admin\\Documents\\MSDCSC\\mshhdcsc.exe"
This is a second autostart for the same dropped binary, this time per-user (the HKCU Run key, written under the sandbox user's SID), so the sample survives even if the machine-wide Userinit change above is reverted.
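The two registry IoCs above are exactly the kind of event a registry-monitoring pipeline should turn into findings. The block below is an added example, not part of the sandbox report or of the sample: it runs a Winlogon Userinit check and a Run-key check over constructed event records that mirror the report's two "Set value (str)" lines plus two benign controls. The record layout (image, target, details) is an assumption loosely modelled on a Sysmon registry value-set event, and the user-writable-path heuristic is mine, not the sandbox's.

```python
"""Detection logic for the two registry persistence IoCs in this report.

Added example, not part of the sandbox report or the sample. The event
records are constructed to mirror the report's two 'Set value (str)' IoCs
plus two benign controls; the field names (image, target, details) are an
assumption loosely modelled on Sysmon Event ID 13 (RegistryEvent: value set).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Stock Winlogon Userinit value is "C:\Windows\system32\userinit.exe," (with
# a trailing comma); anything else in the comma-separated list runs at logon.
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"
USERINIT_VALUE_RE = re.compile(r"\\winlogon\\userinit$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\[^\\]+$",
    re.IGNORECASE)
# Heuristic (assumption): autostart targets under user-writable trees are
# the ones worth a second look; Program Files / Windows are left alone here.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(users|programdata)\\|\\appdata\\|\\temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class RegistrySetEvent:
    image: str    # process that wrote the value
    target: str   # full registry path of the value (\REGISTRY\... form)
    details: str  # new string data, as the sandbox prints it (escaped)


def normalize_path(raw: str) -> str:
    """Collapse the sandbox's JSON-style doubled backslashes and case-fold."""
    return raw.replace("\\\\", "\\").strip().strip('"').lower()


def userinit_extras(details: str) -> list[str]:
    """Every Userinit entry that is not the stock userinit.exe."""
    entries = (normalize_path(e) for e in details.split(","))
    return [e for e in entries if e and e != STOCK_USERINIT]


def check_event(ev: RegistrySetEvent) -> list[str]:
    findings: list[str] = []
    if USERINIT_VALUE_RE.search(ev.target):
        for extra in userinit_extras(ev.details):
            findings.append(
                f"winlogon-userinit: {ev.image} chained {extra} into Userinit")
    elif RUN_VALUE_RE.search(ev.target):
        path = normalize_path(ev.details)
        if USER_WRITABLE_RE.search(path):
            name = ev.target.rsplit("\\", 1)[-1]
            findings.append(
                f"run-key: {ev.image} set Run\\{name} -> user-writable {path}")
    return findings


def scan(events: list[RegistrySetEvent]) -> list[str]:
    return [f for ev in events for f in check_event(ev)]


DROPPER = "dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe"
SAMPLE_EVENTS = [  # constructed from the report's IoCs, plus two benign controls
    RegistrySetEvent(
        DROPPER,
        r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
        r"C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\mshhdcsc.exe"),
    RegistrySetEvent(
        DROPPER,
        r"\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdateii",
        r"C:\\Users\\Admin\\Documents\\MSDCSC\\mshhdcsc.exe"),
    # Benign control (assumed, not in the report): stock Userinit rewritten by an installer.
    RegistrySetEvent(
        "msiexec.exe",
        r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
        r"C:\\Windows\\system32\\userinit.exe,"),
    # Benign control (assumed): vendor updater registered from Program Files.
    RegistrySetEvent(
        "setup.exe",
        r"\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
        r"C:\\Program Files\\Vendor\\update.exe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the two report events produce findings; the stock Userinit rewrite and the Program Files Run entry pass. The Userinit rule compares each list entry against the stock path rather than against the whole string, so a second, third or reordered entry is caught regardless of how the attacker formats the value.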
Suspicious use of SetThreadContext (1 IoC)
PID 592 (mshhdcsc.exe) set the thread context of PID 1908 (iexplore.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note calls this "likely ransomware behaviour", but nothing else in this report (no mass file writes or renames, no encryption-related signatures) supports that reading; drive enumeration is equally consistent with host profiling by a remote-access tool.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All three processes enable the same long run of privileges in their own tokens. The sweep recurring inside iexplore.exe (PID 1908), a pattern a stock Internet Explorer process has no reason to produce, is consistent with the injected code rather than Internet Explorer executing there. 33, 34 and 35 are privilege LUIDs the sandbox did not resolve to names; on Windows 7 they are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege.

PID 1004 dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe (23):
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

PID 592 mshhdcsc.exe (23):
the same 23 privileges, in the same order, as PID 1004

PID 1908 iexplore.exe (18):
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Suspicious use of SetWindowsHookEx (1 IoC)
Process: iexplore.exe (PID 1908)
Suspicious use of WriteProcessMemory (10 IoCs)
PID 1004 (dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe) wrote to memory of PID 592 (mshhdcsc.exe): 4 times
PID 592 (mshhdcsc.exe) wrote to memory of PID 1908 (iexplore.exe): 6 times
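Read together, the SetThreadContext and WriteProcessMemory IoCs form the classic shape of process hollowing: mshhdcsc.exe starts iexplore.exe, writes into it six times, then replaces a thread's context so the written code runs under the Internet Explorer image. The block below is an added example, not part of the sandbox report or of the sample: it correlates constructed API-call records reproducing exactly what the report lists (4 writes from PID 1004 into 592, 6 writes plus one SetThreadContext from 592 into 1908) into a per-pair verdict. The record layout is an assumption.

```python
"""Correlating the WriteProcessMemory and SetThreadContext IoCs in this
report into a process-hollowing verdict.

Added example, not part of the sandbox report or the sample. The call records
are constructed to reproduce exactly what the report lists (4 writes from PID
1004 into 592, 6 writes plus one SetThreadContext from 592 into 1908); the
record layout is an assumption.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass

DROPPER = "dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe"


@dataclass(frozen=True)
class ApiCall:
    pid: int
    image: str
    api: str
    target_pid: int
    target_image: str


# Constructed to match the report's 10 WriteProcessMemory and 1 SetThreadContext IoCs.
SAMPLE_CALLS = (
    [ApiCall(1004, DROPPER, "WriteProcessMemory", 592, "mshhdcsc.exe")] * 4
    + [ApiCall(592, "mshhdcsc.exe", "WriteProcessMemory", 1908, "iexplore.exe")] * 6
    + [ApiCall(592, "mshhdcsc.exe", "SetThreadContext", 1908, "iexplore.exe")]
)


def hollowing_candidates(calls: list[ApiCall]) -> list[dict]:
    """Return (writer -> target) pairs that both received remote memory writes
    and had a thread context replaced by the same writer.

    Writes alone are not enough: a parent writing into a child it has just
    created (the 1004 -> 592 pair in the report) is what ordinary process
    creation looks like, so that pair is deliberately not reported.
    """
    by_pair: dict[tuple[int, int], Counter] = defaultdict(Counter)
    images: dict[tuple[int, int], tuple[str, str]] = {}
    for call in calls:
        key = (call.pid, call.target_pid)
        by_pair[key][call.api] += 1
        images[key] = (call.image, call.target_image)

    verdicts = []
    for (src, dst), apis in sorted(by_pair.items()):
        if src == dst or not apis["SetThreadContext"] or not apis["WriteProcessMemory"]:
            continue
        src_image, dst_image = images[(src, dst)]
        verdicts.append({
            "writer_pid": src, "writer": src_image,
            "target_pid": dst, "target": dst_image,
            "writes": apis["WriteProcessMemory"],
            "context_sets": apis["SetThreadContext"],
            # A target whose image name differs from the writer's is the
            # textbook hollowing shape: the writer's code now runs as dst_image.
            "image_mismatch": src_image.lower() != dst_image.lower(),
        })
    return verdicts


if __name__ == "__main__":
    for v in hollowing_candidates(SAMPLE_CALLS):
        print(f"probable hollowing: {v['writer']} ({v['writer_pid']}) -> "
              f"{v['target']} ({v['target_pid']}), {v['writes']} writes, "
              f"{v['context_sets']} SetThreadContext")
```

Requiring SetThreadContext as well as writes is what keeps the dropper-to-child pair (1004 -> 592) out of the result: the report shows four writes there and no context change, which is how a freshly created child normally looks. The later AdjustPrivilegeToken and SetWindowsHookEx activity attributed to iexplore.exe is then the hollowed payload at work, not the browser.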
Processes
1. C:\Users\Admin\AppData\Local\Temp\dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1.exe"
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\Documents\MSDCSC\mshhdcsc.exe (child of 1)
      command line: "C:\Users\Admin\Documents\MSDCSC\mshhdcsc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe (child of 2)
         command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\Documents\MSDCSC\mshhdcsc.exe (recorded four times, twice as \Users\Admin\Documents\MSDCSC\mshhdcsc.exe and twice with the C: prefix)
Filesize: 285KB
MD5: 4c4b6cd307cd62ff89d28a5aa750d4c4
SHA1: 46d2345b3d46b7561e48bae5fb229681dcff0c59
SHA256: dd51300809df5d583b25262f6bd85a490d78375a85bee027270c585da13c09e1
SHA512: f1c66bb92f0bd8891b0fd9f6189673580629316d5a289be93d1ecf4bc7751f9552bb5d7326aa27d75dbe3d38a883be2cbd2e143690611ecbd465f09ee16c7183
The dropped file carries the same size and hashes as the submitted sample: the dropper copies itself byte-for-byte into Documents\MSDCSC and then runs the copy, so a file-hash block on the sample also covers the persisted artifact.
Memory dumps
memory/592-57-0x0000000000000000-mapping.dmp
memory/592-62-0x0000000000400000-0x00000000004C9000-memory.dmp: 804KB
memory/1004-54-0x0000000075881000-0x0000000075883000-memory.dmp: 8KB
memory/1004-60-0x0000000000400000-0x00000000004C9000-memory.dmp: 804KB
The two 0x00400000-0x004C9000 dumps (0xC9000 bytes, 804KB) are the image regions that matched the upx YARA rule in both PID 1004 and PID 592; they are far larger than the 285KB file on disk, which is what a UPX-packed binary looks like once it has unpacked itself in memory.