Analysis

- max time kernel: 149s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/02/2024, 06:31
Static task: static1

Behavioral task: behavioral1
- Sample: a31d59e190008f0a3a2abc334c6ce9f9.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: a31d59e190008f0a3a2abc334c6ce9f9.exe
- Resource: win10v2004-20240221-en
General

- Target: a31d59e190008f0a3a2abc334c6ce9f9.exe
- Size: 828KB
- MD5: a31d59e190008f0a3a2abc334c6ce9f9
- SHA1: 37456e8559512dff814b09f9ca3710517148f8f2
- SHA256: 27e663cc439cf3ff7b2f66260a851c8cf0ea5292d259bd1c22171685017dbd4c
- SHA512: 47bdeb93ec8e8b659d3279c43524b4410bb91fc8b96e6f3a8044f189d91269b9e0d3fa236063f2fc05c12cf73777079f6e84f4b935e8122c095e85e525b49d75
- SSDEEP: 24576:Gqv5LEymyQvPvS8cZTouk1wRhZ2Bq8aChQ:GqBL1AXvA0B1lw8/hQ
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: a31d59e190008f0a3a2abc334c6ce9f9.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Control Panel\International\Geo\Nation (process: a31d59e190008f0a3a2abc334c6ce9f9.exe)
Executes dropped EXE (3 IoCs)
- PID 4952: msdcsc.exe
- PID 4836: msdcsc.exe
- PID 1976: msdcsc.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: a31d59e190008f0a3a2abc334c6ce9f9.exe)
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification: \??\PhysicalDrive0 (process: a31d59e190008f0a3a2abc334c6ce9f9.exe)
- File opened for modification: \??\PhysicalDrive0 (process: msdcsc.exe)
Suspicious use of SetThreadContext (4 IoCs)
- PID 380 set thread context of PID 4400 (process: a31d59e190008f0a3a2abc334c6ce9f9.exe, procid_target 90)
- PID 4400 set thread context of PID 400 (process: a31d59e190008f0a3a2abc334c6ce9f9.exe, procid_target 91)
- PID 4952 set thread context of PID 4836 (process: msdcsc.exe, procid_target 95)
- PID 4836 set thread context of PID 1976 (process: msdcsc.exe, procid_target 96)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (48 IoCs)
- PID 400 (a31d59e190008f0a3a2abc334c6ce9f9.exe) enabled tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 1976 (msdcsc.exe) enabled tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (5 IoCs)
- PID 380: a31d59e190008f0a3a2abc334c6ce9f9.exe
- PID 4400: a31d59e190008f0a3a2abc334c6ce9f9.exe
- PID 4952: msdcsc.exe
- PID 4836: msdcsc.exe
- PID 1976: msdcsc.exe
Suspicious use of WriteProcessMemory (47 IoCs; identical entries collapsed, count per edge given)
- PID 380 wrote to memory of PID 4400 (process: a31d59e190008f0a3a2abc334c6ce9f9.exe, procid_target 90): 8 entries
- PID 4400 wrote to memory of PID 400 (process: a31d59e190008f0a3a2abc334c6ce9f9.exe, procid_target 91): 14 entries
- PID 400 wrote to memory of PID 4952 (process: a31d59e190008f0a3a2abc334c6ce9f9.exe, procid_target 92): 3 entries
- PID 4952 wrote to memory of PID 4836 (process: msdcsc.exe, procid_target 95): 8 entries
- PID 4836 wrote to memory of PID 1976 (process: msdcsc.exe, procid_target 96): 14 entries
Processes

[level 1] C:\Users\Admin\AppData\Local\Temp\a31d59e190008f0a3a2abc334c6ce9f9.exe (PID 380)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a31d59e190008f0a3a2abc334c6ce9f9.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [level 2] C:\Users\Admin\AppData\Local\Temp\a31d59e190008f0a3a2abc334c6ce9f9.exe (PID 4400)
      Command line: "C:\Users\Admin\AppData\Local\Temp\a31d59e190008f0a3a2abc334c6ce9f9.exe"
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [level 3] C:\Users\Admin\AppData\Local\Temp\a31d59e190008f0a3a2abc334c6ce9f9.exe (PID 400)
        Command line: "C:\Users\Admin\AppData\Local\Temp\a31d59e190008f0a3a2abc334c6ce9f9.exe"
        - Modifies WinLogon for persistence
        - Checks computer location settings
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [level 4] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 4952)
          Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

        [level 5] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 4836)
            Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
            - Executes dropped EXE
            - Writes to the Master Boot Record (MBR)
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

          [level 6] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1976)
              Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Pre-OS Boot (1)
  - Bootkit (1)