9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd

General

Target

9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe
Size

12KB
MD5

e82a922eb20993329e9c640994a28c97
SHA1

a3d65dd0f9f24e23008cfb121200b26c425c3281
SHA256

9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd
SHA512

05b4bae7c0e164ebe4fd7503ac0ce08194becd817ba38240e61412dc825c10f21ffde53fa49329d9a06d871c6e29016a63baca145f0b7ab75de97c62f73b8a12
SSDEEP

384:nc5HKiTs1X7YnByiOWzP7SREdxPPHDfaEoY:cJKxCnBywfPdFj+Y

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\MgicRc.sys	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\MgicRc.sys	svchost.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\winsys.dll"	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1528 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exesvchost.exe

pid process

2016 9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe
1632 svchost.exe

pid	process
1528	cmd.exe

Drops file in System32 directory 2 IoCs

Processes:

9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\winsys.dll	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe
File created	C:\Windows\SysWOW64\winsys.dll	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exesvchost.exe

pid	process
2016	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe
2016	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe
1632	svchost.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

460
460

pid	process
460
460

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe

description	pid	process	target process
PID 2016 wrote to memory of 1528	2016	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe	cmd.exe
PID 2016 wrote to memory of 1528	2016	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe	cmd.exe
PID 2016 wrote to memory of 1528	2016	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe	cmd.exe
PID 2016 wrote to memory of 1528	2016	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe
"C:\Users\Admin\AppData\Local\Temp\9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe"
1⤵
- Drops file in Drivers directory
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7083724.bat" "
2⤵
- Deletes itself
PID:1528

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7083724.bat

Filesize
293B

MD5
a7f11330d9862218514d97096f068cce

SHA1
f388b572c76897ca7db4f13da5f9afb1ffe18cf1

SHA256
c0e2e7036baab7b23e7650f03a4f6747b114d03f8a1aaf26f04688381383c4a7

SHA512
5b2db987c65086c42cafb1d4e30235b4a9f76ca888fa2aea5fd8f9c728ed6400ce7262a910fb3bafb5d183db2e5aa329a8529cbd3933625321a4783de3b2af3f

Download Submit
C:\Windows\SysWOW64\drivers\MgicRc.sys

Filesize
2KB

MD5
058bf2e0728e3d36308bf49ca10b9072

SHA1
ed9ca10d9ca36c94f065401c0c6ee5573a7f7de6

SHA256
9a5ae5bf51913d9c8e84dae09636d09b83359547cc9efd7acaa5e13ec6e9bf70

SHA512
e3ceadf9a09c2df7af451a7bc53c8d2419e3c94e478ad02436fbdec661304713a86c86780a6361a01ee2afece1917b92e5043580e2e697eaf05a73fb18fd26c2

Download Submit
\??\c:\windows\SysWOW64\winsys.dll

Filesize
22KB

MD5
1d5d3d0305f133fa6f05cf8535e231ca

SHA1
2ffd16f9050177dadff23af903582bae3ca7ae49

SHA256
ae74331f4f0d3df0f4848532cfd1d9893c527127e8f85c4248bd252b9bb68486

SHA512
5fe0b48dff9c428702ac5bce319170a708eb253ec74f5f03a9209ffc76150e51cb7b98eccfb44f94d4b52580af360a5c5444da2e1e68051fb8c57d74951d14f5

Download Submit
\Users\Admin\AppData\Local\Temp\dll985.dll

Filesize
22KB

MD5
1d5d3d0305f133fa6f05cf8535e231ca

SHA1
2ffd16f9050177dadff23af903582bae3ca7ae49

SHA256
ae74331f4f0d3df0f4848532cfd1d9893c527127e8f85c4248bd252b9bb68486

SHA512
5fe0b48dff9c428702ac5bce319170a708eb253ec74f5f03a9209ffc76150e51cb7b98eccfb44f94d4b52580af360a5c5444da2e1e68051fb8c57d74951d14f5

Download Submit
\Windows\SysWOW64\winsys.dll

Filesize
22KB

MD5
1d5d3d0305f133fa6f05cf8535e231ca

SHA1
2ffd16f9050177dadff23af903582bae3ca7ae49

SHA256
ae74331f4f0d3df0f4848532cfd1d9893c527127e8f85c4248bd252b9bb68486

SHA512
5fe0b48dff9c428702ac5bce319170a708eb253ec74f5f03a9209ffc76150e51cb7b98eccfb44f94d4b52580af360a5c5444da2e1e68051fb8c57d74951d14f5

Download Submit
memory/1528-59-0x0000000000000000-mapping.dmp

Download
memory/2016-58-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads