91b176a2c492d04af1d901b5d90c552f9b67392e7eee3b464e0d4969b6b60c39

Analysis

max time kernel
189s
max time network
198s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 11:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

91b176a2c492d04af1d901b5d90c552f9b67392e7eee3b464e0d4969b6b60c39.exe
Size

21KB
MD5

3c920e23e7c1e2a7b42d690beefeb58c
SHA1

b4dc8b650b82fbc11fda3df63758bbec7f274af6
SHA256

91b176a2c492d04af1d901b5d90c552f9b67392e7eee3b464e0d4969b6b60c39
SHA512

4770cc8aaf08a1a4cc43e0c812d073a1d537b19ea9a3de379e23e151aee386ed3f4d51d3a47f02a46d8d1c17d4e540b4bf735085199e3a19f9ad88022e4d3be8
SSDEEP

384:c7+KhRpHZ9R7MklXPeJdVMdOeY6hvnQE9+F5XRrA:g5/WVCO8fr0

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\MgicRc.sys	91b176a2c492d04af1d901b5d90c552f9b67392e7eee3b464e0d4969b6b60c39.exe
File opened for modification	C:\Windows\SysWOW64\drivers\MgicRc.sys	svchost.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\winsys.dll"	91b176a2c492d04af1d901b5d90c552f9b67392e7eee3b464e0d4969b6b60c39.exe

Loads dropped DLL 2 IoCs

pid	Process
940	91b176a2c492d04af1d901b5d90c552f9b67392e7eee3b464e0d4969b6b60c39.exe
1368	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winsys.dll	91b176a2c492d04af1d901b5d90c552f9b67392e7eee3b464e0d4969b6b60c39.exe
File opened for modification	C:\Windows\SysWOW64\winsys.dll	91b176a2c492d04af1d901b5d90c552f9b67392e7eee3b464e0d4969b6b60c39.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
940	91b176a2c492d04af1d901b5d90c552f9b67392e7eee3b464e0d4969b6b60c39.exe
940	91b176a2c492d04af1d901b5d90c552f9b67392e7eee3b464e0d4969b6b60c39.exe
1368	svchost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
460	Process not Found
460	Process not Found

C:\Users\Admin\AppData\Local\Temp\91b176a2c492d04af1d901b5d90c552f9b67392e7eee3b464e0d4969b6b60c39.exe
"C:\Users\Admin\AppData\Local\Temp\91b176a2c492d04af1d901b5d90c552f9b67392e7eee3b464e0d4969b6b60c39.exe"
1⤵
- Drops file in Drivers directory
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:940

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\MgicRc.sys

Filesize
2KB

MD5
058bf2e0728e3d36308bf49ca10b9072

SHA1
ed9ca10d9ca36c94f065401c0c6ee5573a7f7de6

SHA256
9a5ae5bf51913d9c8e84dae09636d09b83359547cc9efd7acaa5e13ec6e9bf70

SHA512
e3ceadf9a09c2df7af451a7bc53c8d2419e3c94e478ad02436fbdec661304713a86c86780a6361a01ee2afece1917b92e5043580e2e697eaf05a73fb18fd26c2

Download Submit
\??\c:\windows\SysWOW64\winsys.dll

Filesize
22KB

MD5
5cbbe7ab97a96d555391d42f753f3afb

SHA1
5ab0ab20c92c7af85f1eadeafdb4790598fadb6b

SHA256
e953d8bf0536a9f45498c8083ff5df6dcd8ef720ce0f93efd3daa799b3b244e5

SHA512
b33fd62fa6610c27dd1386f2b37dcc94f7f802229be89a446b498f69515eb84cab4ebf5081f7746c11b280597f3541b97686baa473b766ac8e9a6fec3bba1acd

Download Submit
\Users\Admin\AppData\Local\Temp\dll161.dll

Filesize
22KB

MD5
5cbbe7ab97a96d555391d42f753f3afb

SHA1
5ab0ab20c92c7af85f1eadeafdb4790598fadb6b

SHA256
e953d8bf0536a9f45498c8083ff5df6dcd8ef720ce0f93efd3daa799b3b244e5

SHA512
b33fd62fa6610c27dd1386f2b37dcc94f7f802229be89a446b498f69515eb84cab4ebf5081f7746c11b280597f3541b97686baa473b766ac8e9a6fec3bba1acd

Download Submit
\Windows\SysWOW64\winsys.dll

Filesize
22KB

MD5
5cbbe7ab97a96d555391d42f753f3afb

SHA1
5ab0ab20c92c7af85f1eadeafdb4790598fadb6b

SHA256
e953d8bf0536a9f45498c8083ff5df6dcd8ef720ce0f93efd3daa799b3b244e5

SHA512
b33fd62fa6610c27dd1386f2b37dcc94f7f802229be89a446b498f69515eb84cab4ebf5081f7746c11b280597f3541b97686baa473b766ac8e9a6fec3bba1acd

Download Submit
memory/940-54-0x0000000000400000-0x000000000040C1B2-memory.dmp

Filesize
48KB

Download
memory/940-59-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download