579da36c31cc4e5d556f6298ee204184a357a3bdeeb8b94586ae217900408c72

Analysis

max time kernel
482s
max time network
491s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2022 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ReleasePlusStackTrace/mboxview.exe
Size

3.0MB
MD5

bc059e0bb31595a59fb7a854919e58df
SHA1

490e31fbedc656cb4a81e218d9287fb8caeb1eec
SHA256

25676bc846fdc0ed87b9ef1b6e6d426674d2f4499c472477f016d3bce2ab1542
SHA512

d794e8ecab8b3140aa4f2776cb368023f43d028fa4f2c72ac44adbc4b3816c29a4fb418d7f9edf2e95f0a1973e828e155f4db31639f03097d25ec3f911e4e1e3
SSDEEP

49152:EYWhMADg4iGopsHrwnUB8ajXDaMHzYTgUqFCPHJk1Cx0LIu+s5jw0XpIvS:BW41psHr/aaTDaMTYTgPCPHJ8h5

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 64 IoCs

Processes:

mboxview.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\symbols\dll\advapi32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\winmm.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\DRV\winspool.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\gdiplus.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\oledlg.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\bcryptprimitives.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\msimg32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\ole32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\dll\version.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\wntdll.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\wkernelbase.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\wsspicli.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wntdll.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\msvcrt.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\combase.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\wwin32u.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\winspool.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\dll\wuser32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\shcore.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\dll\msimg32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\wrpcrt4.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wwin32u.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ucrtbase.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\dll\advapi32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\dll\sechost.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\dll\wwin32u.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\ucrtbase.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\dll\oleaut32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\oleaut32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\version.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\comdlg32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\shlwapi.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\dll\ole32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\wuser32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\dbghelp.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\dll\ws2_32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wimm32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\dll\wkernelbase.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shcore.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\dll\winmm.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\oleacc.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\winmm.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\dll\oledlg.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\dll\wsspicli.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wrpcrt4.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\oleacc.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\dll\combase.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shell32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wUxTheme.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\advapi32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\dll\wimm32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\dll\gdiplus.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\DLL\wkernel32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\wgdi32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\dll\wgdi32full.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\apphelp.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\msimg32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\oleaut32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\dll\wntdll.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wuser32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\dll\msvcp_win.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\wimm32.pdb	mboxview.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\oledlg.pdb	mboxview.exe

Drops file in Windows directory 64 IoCs

Processes:

mboxview.exe

description	ioc	process
File opened for modification	C:\Windows\wrpcrt4.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\shcore.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\comctl32.pdb	mboxview.exe
File opened for modification	C:\Windows\dll\version.pdb	mboxview.exe
File opened for modification	C:\Windows\dll\ucrtbase.pdb	mboxview.exe
File opened for modification	C:\Windows\dll\wUxTheme.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\ws2_32.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\wuser32.pdb	mboxview.exe
File opened for modification	C:\Windows\bcryptprimitives.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\ucrtbase.pdb	mboxview.exe
File opened for modification	C:\Windows\dll\msvcrt.pdb	mboxview.exe
File opened for modification	C:\Windows\dll\shell32.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\wUxTheme.pdb	mboxview.exe
File opened for modification	C:\Windows\dll\advapi32.pdb	mboxview.exe
File opened for modification	C:\Windows\winspool.pdb	mboxview.exe
File opened for modification	C:\Windows\ole32.pdb	mboxview.exe
File opened for modification	C:\Windows\apphelp.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\msvcrt.pdb	mboxview.exe
File opened for modification	C:\Windows\dll\ole32.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\dbghelp.pdb	mboxview.exe
File opened for modification	C:\Windows\dll\bcryptprimitives.pdb	mboxview.exe
File opened for modification	C:\Windows\DLL\wkernel32.pdb	mboxview.exe
File opened for modification	C:\Windows\dbghelp.pdb	mboxview.exe
File opened for modification	C:\Windows\dll\wkernelbase.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\wntdll.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\shell32.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\sechost.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\gdiplus.pdb	mboxview.exe
File opened for modification	C:\Windows\wkernelbase.pdb	mboxview.exe
File opened for modification	C:\Windows\dll\wgdi32.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\wgdi32full.pdb	mboxview.exe
File opened for modification	C:\Windows\comctl32.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\oleaut32.pdb	mboxview.exe
File opened for modification	C:\Windows\dll\gdiplus.pdb	mboxview.exe
File opened for modification	C:\Windows\dll\oledlg.pdb	mboxview.exe
File opened for modification	C:\Windows\dll\ws2_32.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\DLL\wkernel32.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\wkernelbase.pdb	mboxview.exe
File opened for modification	C:\Windows\ws2_32.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\ole32.pdb	mboxview.exe
File opened for modification	C:\Windows\dll\shcore.pdb	mboxview.exe
File opened for modification	C:\Windows\dll\comctl32.pdb	mboxview.exe
File opened for modification	C:\Windows\wkernel32.pdb	mboxview.exe
File opened for modification	C:\Windows\wuser32.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\version.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\winmm.pdb	mboxview.exe
File opened for modification	C:\Windows\wgdi32full.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\msvcp_win.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\shlwapi.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\oleacc.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\wsspicli.pdb	mboxview.exe
File opened for modification	C:\Windows\dll\wuser32.pdb	mboxview.exe
File opened for modification	C:\Windows\shlwapi.pdb	mboxview.exe
File opened for modification	C:\Windows\gdiplus.pdb	mboxview.exe
File opened for modification	C:\Windows\oledlg.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\wrpcrt4.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\DRV\winspool.pdb	mboxview.exe
File opened for modification	C:\Windows\oleaut32.pdb	mboxview.exe
File opened for modification	C:\Windows\dll\oleaut32.pdb	mboxview.exe
File opened for modification	C:\Windows\shcore.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\oledlg.pdb	mboxview.exe
File opened for modification	C:\Windows\dll\wwin32u.pdb	mboxview.exe
File opened for modification	C:\Windows\advapi32.pdb	mboxview.exe
File opened for modification	C:\Windows\symbols\dll\advapi32.pdb	mboxview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2056 3636 WerFault.exe

pid	pid_target	process	target process
2056	3636	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

mboxview.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	mboxview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mboxview.exe = "11001"	mboxview.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	mboxview.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mboxview.exe = "11001"	mboxview.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

mboxview.exe

pid process

216 mboxview.exe
216 mboxview.exe
216 mboxview.exe
216 mboxview.exe

pid	process
216	mboxview.exe
216	mboxview.exe
216	mboxview.exe
216	mboxview.exe

C:\Users\Admin\AppData\Local\Temp\ReleasePlusStackTrace\mboxview.exe
"C:\Users\Admin\AppData\Local\Temp\ReleasePlusStackTrace\mboxview.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:216

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 176 -p 3636 -ip 3636
1⤵
PID:1372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3636 -s 1756
1⤵
- Program crash
PID:2056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads