28a91c954c66714cda48b2ca4ce52459cdb191755f6825e02b00e430aaef67b9

Reason

Machine shutdown

General

Target

RCCService.exe
Size

5.2MB
MD5

c4641e109dbc33cf7d30ff17548b6dc0
SHA1

3c21a30dbc80e8fdceb413a41ceb2612ab134ddc
SHA256

28a91c954c66714cda48b2ca4ce52459cdb191755f6825e02b00e430aaef67b9
SHA512

b1ce2dc42829c379a0b50bcd69231b26996484cf8184351db023f759a48e952c531b427249cbedeb4a18cd9ffaa6504e8da2752b9f43fefd42028753cd6380ec
SSDEEP

98304:oQ9rjjcAka3x9vgdHHSmnFFSaxhsHHF/81eNApeap+/SX/b1/GmOPL:PaAz3x9OjnFFSaxgHedtp+6xQPL

Score

6^/10

ransomware

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
6	discord.com
12	discord.com
18	discord.com
3	discord.com
4	discord.com
19	discord.com
25	discord.com
26	discord.com
41	discord.com
9	discord.com
17	discord.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpDC.tmp.png"	RCCService.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\Registry\User\S-1-5-21-3234977864-427365696-1522832567-1000_Classes\NotificationData	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000_Classes\Local Settings	control.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3012	explorer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3080	RCCService.exe
Token: 33	3200	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3200	AUDIODG.EXE
Token: SeShutdownPrivilege	4012	control.exe
Token: SeCreatePagefilePrivilege	4012	control.exe
Token: SeShutdownPrivilege	3080	RCCService.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3012	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4860	MiniSearchHost.exe
3012	explorer.exe
3012	explorer.exe

C:\Users\Admin\AppData\Local\Temp\RCCService.exe
"C:\Users\Admin\AppData\Local\Temp\RCCService.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004F0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3472

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
ef020b32228484ecd76ef0b745fd609a

SHA1
fa9223657f99a51700629607b2f6c5bb1f3bfcb9

SHA256
592e90083df2192e2b94f57b0fc552f8870a862f78d546a01f96b2a8c0f838d7

SHA512
6bbba17be5998d6359b1ec1a2642857e85e601bf241f6a073679f5e8391fd960d5e56cd60e0acf4b109b5d7f1c42e8dfd20e6160f40c2a2f4c3f9eafc6356045

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
ca9707a81b4b5d527d0819546cfba565

SHA1
828bfd131cbabe331de0780f79e9bf2d76116665

SHA256
f4f31d127c1bed29b75ac8d17e2325115c7d6be40d0765f8b4fff44894faf6d8

SHA512
ed443f1e85889de836c6a8acd69d7ec920a42223ac1787e4e1823ddfcd5f9465f9cd417b4b649a961427c8ef75327414cdab0427d866cb429f9095859742b73a

Download Submit
memory/3080-0-0x00007FFA39B73000-0x00007FFA39B75000-memory.dmp

Filesize
8KB

Download
memory/3080-1-0x000002107AFF0000-0x000002107B530000-memory.dmp

Filesize
5.2MB

Download
memory/3080-2-0x000002107DC30000-0x000002107DDF2000-memory.dmp

Filesize
1.8MB

Download
memory/3080-3-0x00007FFA39B70000-0x00007FFA3A632000-memory.dmp

Filesize
10.8MB

Download
memory/3080-4-0x000002107EFB0000-0x000002107F4D8000-memory.dmp

Filesize
5.2MB

Download
memory/3080-5-0x000002107DF00000-0x000002107DFAA000-memory.dmp

Filesize
680KB

Download
memory/3080-6-0x00007FFA39B70000-0x00007FFA3A632000-memory.dmp

Filesize
10.8MB

Download
memory/3080-10-0x00007FFA39B70000-0x00007FFA3A632000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads