05616859360e2d58e7e24dfba5b191b0ad6147bee21a1e08a506e7d6c97c0b9d

Analysis

max time kernel
28s
max time network
30s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
13/02/2023, 14:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MSPCManagerSetup.exe
Size

3.9MB
MD5

13a76d77615afba999b424f2d46c0cb9
SHA1

c3c064f05d15530f1be0c948b77223aaf9756e29
SHA256

05616859360e2d58e7e24dfba5b191b0ad6147bee21a1e08a506e7d6c97c0b9d
SHA512

293e12b65be00c5a0888bcc6f9035a9aa029ad9561188ba9c4c897695120de9dad5d9943e93463c91dfde95d100199c8967f9b06fd99ebb62bd0f32e96baa691
SSDEEP

98304:LTBBrFaqgQMGURSwKYxocRWG9gDTOuQp1zQVhO++FjuXlxOUq:LzFA9KG98auQMhf0uGr

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	4076	powershell.exe
6	4564	powershell.exe
7	820	powershell.exe

Loads dropped DLL 7 IoCs

pid	Process
2496	MSPCManagerSetup.exe
2496	MSPCManagerSetup.exe
2496	MSPCManagerSetup.exe
2496	MSPCManagerSetup.exe
2496	MSPCManagerSetup.exe
2496	MSPCManagerSetup.exe
2496	MSPCManagerSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4076	powershell.exe
4076	powershell.exe
4076	powershell.exe
4076	powershell.exe
4076	powershell.exe
4076	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
820	powershell.exe
820	powershell.exe
820	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 4076	2496	MSPCManagerSetup.exe	66
PID 2496 wrote to memory of 4076	2496	MSPCManagerSetup.exe	66
PID 2496 wrote to memory of 4076	2496	MSPCManagerSetup.exe	66
PID 2496 wrote to memory of 4564	2496	MSPCManagerSetup.exe	68
PID 2496 wrote to memory of 4564	2496	MSPCManagerSetup.exe	68
PID 2496 wrote to memory of 4564	2496	MSPCManagerSetup.exe	68
PID 2496 wrote to memory of 820	2496	MSPCManagerSetup.exe	70
PID 2496 wrote to memory of 820	2496	MSPCManagerSetup.exe	70
PID 2496 wrote to memory of 820	2496	MSPCManagerSetup.exe	70

C:\Users\Admin\AppData\Local\Temp\MSPCManagerSetup.exe
"C:\Users\Admin\AppData\Local\Temp\MSPCManagerSetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy RemoteSigned -Command ". 'C:\Users\Admin\AppData\Local\Temp\nshCDB6.tmp\ListProcesses.ps1' "
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command ". 'C:\Users\Admin\AppData\Local\Temp\nshCDB6.tmp\telemetry.ps1' -eventName wm_install_processes_info -keys HostId,ProductVersion,AppVersion,AppSource,ProductSource,ProcessInfo -values d0802387d092a0c0a107e02c42496a195d58f2c2c8bb2850f79099c73ddf1161,1.2.7.1,1.2.7.1,10000,10000,67_24_conhost_csrss_dllhost_dwm_explorer_fontdrvhost_Idle_lsass_MSPCManagerSetup_OfficeClickToRun_powershell_RuntimeBroker_SearchUI_services_ShellExperienceHost_sihost_smss_spoolsv_sppsvc_svchost_System_taskhostw_wininit_winlogonRR -iKey 9b9d4f82-ca80-c63d-9125-922d69161c3e -uri https://dc.applicationinsights.azure.cn/v2/track"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -Command ". 'C:\Users\Admin\AppData\Local\Temp\nshCDB6.tmp\telemetry.ps1' -eventName wm_install_unsupported_windows_version -keys HostId,OSVersion,ProductVersion,AppVersion,AppSource,ProductSource -values d0802387d092a0c0a107e02c42496a195d58f2c2c8bb2850f79099c73ddf1161,15063,1.2.7.1,1.2.7.1,10000,10000 -iKey 9b9d4f82-ca80-c63d-9125-922d69161c3e -uri https://dc.applicationinsights.azure.cn/v2/track"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
e71a0a7e48b10bde0a9c54387762f33e

SHA1
fed75947f1163b00096e24a46e67d9c21e7eeebd

SHA256
83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

SHA512
394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
bee8016b638cd5046fc68bbb6051f398

SHA1
6a841d89028fcdf6eaf117fb654cd08c1aefcd28

SHA256
d4abf2eb78d7c827adc1981e51511a8c2aed2200081bda372a1f272cc028e53d

SHA512
81cedd6d94d09fe0995445a3e876431f0d12eb1412aae20227ff4f78e6415f6543db37ce2e9621291c62d5e51759cd840dc3e910356632bc6b0ef74aedc3ef33

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCDB6.tmp\ListProcesses.ps1

Filesize
14KB

MD5
57964b962800cdd0eff14c637b429936

SHA1
85a53025f0e55e2f2d92ee475c4a214243dcac32

SHA256
be9aeea675407a2f82caab9b7094edff957c85ff4206c0fc9eb022a087cb7929

SHA512
3a707cf90348c70a75ee343570a7f218710ea79bc71d05749eb0af470a68aeafedaa2829727b2b1128317a88b59cf3cbbffebc84544cf94f64d94d1b45df8ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCDB6.tmp\telemetry.ps1

Filesize
16KB

MD5
9a1d6ce3aab9cb1062e0e6f37b0dcfd9

SHA1
b37a7ac2cebdee796c18f491ecbc9297938eb461

SHA256
f58c26a441c928779fe97f2a4c18721e1b2ed2989477c6a72ed6edafe020035e

SHA512
c0be07bf6da152d2196ccc7ca992b5630e1af45fc6c279add5b2dc4477aab77cf772186dd606b52cd44da0631bf840122fdc8c81640cd62406201f16d7db467e

Download Submit
\Users\Admin\AppData\Local\Temp\nshCDB6.tmp\Crypto.dll

Filesize
3KB

MD5
59b7a89dbff790d69e01409dbc2a2788

SHA1
4ebbee3ebb35add8c1a0e436a4e4c9c5ba47c02a

SHA256
17b9038e66f3f45c4e775b32ad1bf076812d1ca4149198b47f4e0eda416859b1

SHA512
c202034bfbb7aca777326e7fb336e977e79cd9ba3bc7c17e5b6ec9c0222f6df2e1675b7d6bcb3de04a84e6226b193a5e0b81af950bc659fab83d12cd2fb84c04

Download Submit
\Users\Admin\AppData\Local\Temp\nshCDB6.tmp\StdUtils.dll

Filesize
108KB

MD5
ba4cb9c96c371e6fb2ef753a63396ec7

SHA1
0a3c584153ecb4b311ca1d24bd820063e015e8b5

SHA256
5b97a7e7db5c6d529db9e12b31d7fe62fdba2a0335b8cf359a4eeb4e972b79fa

SHA512
beb30c5ee5206af32f3942cee00c30afe9421081fa72d781b75081688d8f80293557a005571d1cfdfbb92328c871fecfc60cb09fcae3fbdb761478a99720aa6a

Download Submit
\Users\Admin\AppData\Local\Temp\nshCDB6.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
\Users\Admin\AppData\Local\Temp\nshCDB6.tmp\UserInfo.dll

Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
\Users\Admin\AppData\Local\Temp\nshCDB6.tmp\nsDuiSkin.dll

Filesize
716KB

MD5
7c8949de5afcb7ef28843d8f017aa5e5

SHA1
1ad6b06caa2e4d2978b0c968fa56b18f951d2fa3

SHA256
99a95c06004a234d2c99d602b5f0921eb83c7fbdbe83c5d98a6a5dee98b3308b

SHA512
c122ebbae7ea5f228e97387d506ded7021c2815a844752eb11201a80e9a937e8863636acda8cb2195eff8ea7c11c25ee09d3bdcf60d8a287126b20eb0c3d3b78

Download Submit
\Users\Admin\AppData\Local\Temp\nshCDB6.tmp\nsDuiSkin.dll

Filesize
716KB

MD5
7c8949de5afcb7ef28843d8f017aa5e5

SHA1
1ad6b06caa2e4d2978b0c968fa56b18f951d2fa3

SHA256
99a95c06004a234d2c99d602b5f0921eb83c7fbdbe83c5d98a6a5dee98b3308b

SHA512
c122ebbae7ea5f228e97387d506ded7021c2815a844752eb11201a80e9a937e8863636acda8cb2195eff8ea7c11c25ee09d3bdcf60d8a287126b20eb0c3d3b78

Download Submit
\Users\Admin\AppData\Local\Temp\nshCDB6.tmp\nsExec.dll

Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
memory/2496-165-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-126-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-131-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-132-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-133-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-134-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-135-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-136-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-137-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-138-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-139-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-140-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-141-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-142-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-143-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-144-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-145-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-146-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-147-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-148-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-149-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-150-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-151-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-152-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-153-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-154-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-155-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-157-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-129-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-159-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-128-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-160-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-161-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-162-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-163-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-117-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-127-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-166-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-167-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-168-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-170-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-130-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-169-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-172-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-118-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-119-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-120-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-121-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-123-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-122-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-125-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/2496-124-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-287-0x0000000009C60000-0x0000000009C7A000-memory.dmp

Filesize
104KB

Download
memory/4076-288-0x0000000009C80000-0x0000000009CA2000-memory.dmp

Filesize
136KB

Download
memory/4076-183-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-184-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-185-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-209-0x0000000004F80000-0x0000000004FB6000-memory.dmp

Filesize
216KB

Download
memory/4076-214-0x0000000007A10000-0x0000000008038000-memory.dmp

Filesize
6.2MB

Download
memory/4076-232-0x0000000008040000-0x0000000008062000-memory.dmp

Filesize
136KB

Download
memory/4076-181-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-235-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/4076-236-0x0000000008420000-0x0000000008770000-memory.dmp

Filesize
3.3MB

Download
memory/4076-239-0x00000000081B0000-0x00000000081CC000-memory.dmp

Filesize
112KB

Download
memory/4076-240-0x0000000008A80000-0x0000000008ACB000-memory.dmp

Filesize
300KB

Download
memory/4076-244-0x0000000008B90000-0x0000000008C06000-memory.dmp

Filesize
472KB

Download
memory/4076-182-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-180-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-234-0x00000000080E0000-0x0000000008146000-memory.dmp

Filesize
408KB

Download
memory/4076-286-0x0000000009D00000-0x0000000009D94000-memory.dmp

Filesize
592KB

Download
memory/4076-289-0x000000000A2A0000-0x000000000A79E000-memory.dmp

Filesize
5.0MB

Download
memory/4076-294-0x000000000AE20000-0x000000000B498000-memory.dmp

Filesize
6.5MB

Download
memory/4076-179-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-178-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-177-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-176-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-174-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-175-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-410-0x0000000007CC0000-0x0000000007D0B000-memory.dmp

Filesize
300KB

Download
memory/4564-407-0x0000000007890000-0x0000000007BE0000-memory.dmp

Filesize
3.3MB

Download
memory/4564-507-0x00000000093A0000-0x0000000009562000-memory.dmp

Filesize
1.8MB

Download
memory/4564-509-0x000000000A350000-0x000000000A87C000-memory.dmp

Filesize
5.2MB

Download