c17363a0412c05428562de8abacad662e0e05dddfa4502a890d204b7d629d0ed

General

Target

c17363a0412c05428562de8abacad662e0e05dddfa4502a890d204b7d629d0ed.exe
Size

71KB
MD5

d5636669844f9c21098d84a7de0db519
SHA1

bc992f5c8c9a5380700a9181b02be857e18366d4
SHA256

c17363a0412c05428562de8abacad662e0e05dddfa4502a890d204b7d629d0ed
SHA512

b3bfee419ae7e52d8bfcca6f389129dbb86963cb98cb15a5ab6bd648a77f59d392da095e0b2a31c6f004e3433bea3950da2f62806826e07b2e94230d11004e24
SSDEEP

1536:P27A7c3S43hr63yADDpwlytVup1NnEtEinQW6bX98/mBnDPg:PqNS481DdrUPnEtZH6bt8/mG

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

winsdc32.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winsdc32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	winsdc32.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

winsdc32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsdc32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsdc32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winsdc32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsdc32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsdc32.exe

Executes dropped EXE 1 IoCs

Processes:

winsdc32.exe

pid process

3376 winsdc32.exe

pid	process
3376	winsdc32.exe

Windows security modification 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

winsdc32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsdc32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsdc32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winsdc32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsdc32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsdc32.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

50 whatismyip.com
82 whatismyip.com
97 whatismyip.com
113 whatismyip.com

flow	ioc
50	whatismyip.com
82	whatismyip.com
97	whatismyip.com
113	whatismyip.com

Drops file in System32 directory 17 IoCs

Processes:

winsdc32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\70501645BB6D100973DE2D43928BE0BA_83ED4A2D0789256239FA7791E6FBAB81	winsdc32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	winsdc32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27	winsdc32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27	winsdc32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_4183CE65C0E745BB7DFA898BB235C92C	winsdc32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_4183CE65C0E745BB7DFA898BB235C92C	winsdc32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	winsdc32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_78D977680F0A854594CEEE125BC2E56E	winsdc32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	winsdc32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70501645BB6D100973DE2D43928BE0BA_83ED4A2D0789256239FA7791E6FBAB81	winsdc32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565	winsdc32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_78D977680F0A854594CEEE125BC2E56E	winsdc32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	winsdc32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	winsdc32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	winsdc32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565	winsdc32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	winsdc32.exe

Drops file in Windows directory 2 IoCs

Processes:

c17363a0412c05428562de8abacad662e0e05dddfa4502a890d204b7d629d0ed.exe

description	ioc	process
File created	C:\Windows\winsdc32.exe	c17363a0412c05428562de8abacad662e0e05dddfa4502a890d204b7d629d0ed.exe
File opened for modification	C:\Windows\winsdc32.exe	c17363a0412c05428562de8abacad662e0e05dddfa4502a890d204b7d629d0ed.exe

Modifies data under HKEY_USERS 13 IoCs

Processes:

winsdc32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	winsdc32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History	winsdc32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	winsdc32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	winsdc32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	winsdc32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	winsdc32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	winsdc32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	winsdc32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P	winsdc32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	winsdc32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	winsdc32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	winsdc32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	winsdc32.exe

C:\Users\Admin\AppData\Local\Temp\c17363a0412c05428562de8abacad662e0e05dddfa4502a890d204b7d629d0ed.exe
"C:\Users\Admin\AppData\Local\Temp\c17363a0412c05428562de8abacad662e0e05dddfa4502a890d204b7d629d0ed.exe"
1⤵
- Drops file in Windows directory
PID:2740

C:\Windows\winsdc32.exe
"C:\Windows\winsdc32.exe"
1⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\winsdc32.exe
Filesize
71KB

MD5
d5636669844f9c21098d84a7de0db519

SHA1
bc992f5c8c9a5380700a9181b02be857e18366d4

SHA256
c17363a0412c05428562de8abacad662e0e05dddfa4502a890d204b7d629d0ed

SHA512
b3bfee419ae7e52d8bfcca6f389129dbb86963cb98cb15a5ab6bd648a77f59d392da095e0b2a31c6f004e3433bea3950da2f62806826e07b2e94230d11004e24

Download Submit
C:\Windows\winsdc32.exe
Filesize
71KB

MD5
d5636669844f9c21098d84a7de0db519

SHA1
bc992f5c8c9a5380700a9181b02be857e18366d4

SHA256
c17363a0412c05428562de8abacad662e0e05dddfa4502a890d204b7d629d0ed

SHA512
b3bfee419ae7e52d8bfcca6f389129dbb86963cb98cb15a5ab6bd648a77f59d392da095e0b2a31c6f004e3433bea3950da2f62806826e07b2e94230d11004e24

Download Submit
memory/2740-132-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2740-133-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2740-134-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2740-139-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3376-137-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3376-138-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3376-140-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads