9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd

General

Target

9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe
Size

12KB
MD5

e82a922eb20993329e9c640994a28c97
SHA1

a3d65dd0f9f24e23008cfb121200b26c425c3281
SHA256

9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd
SHA512

05b4bae7c0e164ebe4fd7503ac0ce08194becd817ba38240e61412dc825c10f21ffde53fa49329d9a06d871c6e29016a63baca145f0b7ab75de97c62f73b8a12
SSDEEP

384:nc5HKiTs1X7YnByiOWzP7SREdxPPHDfaEoY:cJKxCnBywfPdFj+Y

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\MgicRc.sys	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\MgicRc.sys	svchost.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\winsys.dll"	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe

Loads dropped DLL 2 IoCs

Processes:

9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exesvchost.exe

pid process

4708 9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe
4900 svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe

description	ioc	process
File created	C:\Windows\SysWOW64\winsys.dll	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe
File opened for modification	C:\Windows\SysWOW64\winsys.dll	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exesvchost.exe

pid	process
4708	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe
4708	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe
4708	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe
4708	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe
4900	svchost.exe
4900	svchost.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
668
668

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe

description	pid	process	target process
PID 4708 wrote to memory of 2256	4708	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe	cmd.exe
PID 4708 wrote to memory of 2256	4708	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe	cmd.exe
PID 4708 wrote to memory of 2256	4708	9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe
"C:\Users\Admin\AppData\Local\Temp\9cd9bc2c5b2e5438b11d3beb811edaab0fb39717450fa6553a1b10e6b9c54cdd.exe"
1⤵
- Drops file in Drivers directory
- Sets DLL path for service in the registry
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240565796.bat" "
2⤵
PID:2256

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240565796.bat

Filesize
295B

MD5
77df77afbfe6cbe20b031aaf68fd3a2b

SHA1
5e7c1b0d59ce60c64993d39e6be00fe30f361a7f

SHA256
115fa1c8628021b14da5edaedbe8a6a1ec86fb3f3bf91333d28b63d293946eb9

SHA512
09094c33d765b9dc468eae4b197b0ad7b36226acf0eee33afd2f74487112fe09207f7b6a2b16f6130a393180c67caf365525f7f44d3228862e4ebdc1f56e065f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll593.dll

Filesize
22KB

MD5
1d5d3d0305f133fa6f05cf8535e231ca

SHA1
2ffd16f9050177dadff23af903582bae3ca7ae49

SHA256
ae74331f4f0d3df0f4848532cfd1d9893c527127e8f85c4248bd252b9bb68486

SHA512
5fe0b48dff9c428702ac5bce319170a708eb253ec74f5f03a9209ffc76150e51cb7b98eccfb44f94d4b52580af360a5c5444da2e1e68051fb8c57d74951d14f5

Download Submit
C:\Windows\SysWOW64\drivers\MgicRc.sys

Filesize
2KB

MD5
058bf2e0728e3d36308bf49ca10b9072

SHA1
ed9ca10d9ca36c94f065401c0c6ee5573a7f7de6

SHA256
9a5ae5bf51913d9c8e84dae09636d09b83359547cc9efd7acaa5e13ec6e9bf70

SHA512
e3ceadf9a09c2df7af451a7bc53c8d2419e3c94e478ad02436fbdec661304713a86c86780a6361a01ee2afece1917b92e5043580e2e697eaf05a73fb18fd26c2

Download Submit
C:\Windows\SysWOW64\winsys.dll

Filesize
22KB

MD5
1d5d3d0305f133fa6f05cf8535e231ca

SHA1
2ffd16f9050177dadff23af903582bae3ca7ae49

SHA256
ae74331f4f0d3df0f4848532cfd1d9893c527127e8f85c4248bd252b9bb68486

SHA512
5fe0b48dff9c428702ac5bce319170a708eb253ec74f5f03a9209ffc76150e51cb7b98eccfb44f94d4b52580af360a5c5444da2e1e68051fb8c57d74951d14f5

Download Submit
\??\c:\windows\SysWOW64\winsys.dll

Filesize
22KB

MD5
1d5d3d0305f133fa6f05cf8535e231ca

SHA1
2ffd16f9050177dadff23af903582bae3ca7ae49

SHA256
ae74331f4f0d3df0f4848532cfd1d9893c527127e8f85c4248bd252b9bb68486

SHA512
5fe0b48dff9c428702ac5bce319170a708eb253ec74f5f03a9209ffc76150e51cb7b98eccfb44f94d4b52580af360a5c5444da2e1e68051fb8c57d74951d14f5

Download Submit
memory/2256-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads