Analysis
max time kernel: 182s
max time network: 186s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/11/2022, 03:54
Static task: static1
Behavioral task: behavioral1
Sample: c17363a0412c05428562de8abacad662e0e05dddfa4502a890d204b7d629d0ed.exe
Resource: win7-20221111-en
General
Target: c17363a0412c05428562de8abacad662e0e05dddfa4502a890d204b7d629d0ed.exe
Size: 71KB
MD5: d5636669844f9c21098d84a7de0db519
SHA1: bc992f5c8c9a5380700a9181b02be857e18366d4
SHA256: c17363a0412c05428562de8abacad662e0e05dddfa4502a890d204b7d629d0ed
SHA512: b3bfee419ae7e52d8bfcca6f389129dbb86963cb98cb15a5ab6bd648a77f59d392da095e0b2a31c6f004e3433bea3950da2f62806826e07b2e94230d11004e24
SSDEEP: 1536:P27A7c3S43hr63yADDpwlytVup1NnEtEinQW6bX98/mBnDPg:PqNS481DdrUPnEtZH6bt8/mG
Malware Config
Signatures
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | winsdc32.exe

Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winsdc32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | winsdc32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winsdc32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winsdc32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winsdc32.exe
Executes dropped EXE 1 IoCs
pid | Process
3376 | winsdc32.exe

Windows security modification 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winsdc32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | winsdc32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winsdc32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winsdc32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winsdc32.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
50 | whatismyip.com
82 | whatismyip.com
97 | whatismyip.com
113 | whatismyip.com
Drops file in System32 directory 17 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\70501645BB6D100973DE2D43928BE0BA_83ED4A2D0789256239FA7791E6FBAB81 | winsdc32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | winsdc32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | winsdc32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | winsdc32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_4183CE65C0E745BB7DFA898BB235C92C | winsdc32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_4183CE65C0E745BB7DFA898BB235C92C | winsdc32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | winsdc32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_78D977680F0A854594CEEE125BC2E56E | winsdc32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | winsdc32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70501645BB6D100973DE2D43928BE0BA_83ED4A2D0789256239FA7791E6FBAB81 | winsdc32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565 | winsdc32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_78D977680F0A854594CEEE125BC2E56E | winsdc32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | winsdc32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | winsdc32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | winsdc32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565 | winsdc32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | winsdc32.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\winsdc32.exe | c17363a0412c05428562de8abacad662e0e05dddfa4502a890d204b7d629d0ed.exe
File opened for modification | C:\Windows\winsdc32.exe | c17363a0412c05428562de8abacad662e0e05dddfa4502a890d204b7d629d0ed.exe
Modifies data under HKEY_USERS 13 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | winsdc32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History | winsdc32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | winsdc32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | winsdc32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | winsdc32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | winsdc32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | winsdc32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | winsdc32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P | winsdc32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | winsdc32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | winsdc32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | winsdc32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | winsdc32.exe
Processes
C:\Users\Admin\AppData\Local\Temp\c17363a0412c05428562de8abacad662e0e05dddfa4502a890d204b7d629d0ed.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c17363a0412c05428562de8abacad662e0e05dddfa4502a890d204b7d629d0ed.exe"
  - Drops file in Windows directory
  PID:2740

C:\Windows\winsdc32.exe
  command line: "C:\Windows\winsdc32.exe"
  - Modifies security service
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3376
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 71KB
MD5: d5636669844f9c21098d84a7de0db519
SHA1: bc992f5c8c9a5380700a9181b02be857e18366d4
SHA256: c17363a0412c05428562de8abacad662e0e05dddfa4502a890d204b7d629d0ed
SHA512: b3bfee419ae7e52d8bfcca6f389129dbb86963cb98cb15a5ab6bd648a77f59d392da095e0b2a31c6f004e3433bea3950da2f62806826e07b2e94230d11004e24