Analysis
max time kernel: 325s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2022 04:07
Static task: static1
Behavioral task: behavioral1 (Sample: 666.exe, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: 666.exe, Resource: win10v2004-20220812-en)
General
Target: 666.exe
Size: 1.3MB
MD5: c851a86c7c3bb02fe25dd5a870974cdb
SHA1: cad352db9acd07832c9f5a39cf1803723ed97e52
SHA256: 17d64950e0e39ca106e5a5a51b1cc211a0a83d484ab21038e3fe963f490c6cc2
SHA512: 934ed272e8392796dc608a1bf2b55bd4059b163e03e7262b4d25a005a3530b11045e7be1f2c22e8d410b09a5b9874be01035a8906939aa236dac190b0972897e
SSDEEP: 24576:CFClbBTLTOBg6bV1vwQjtD7O6yEinJLHFHXwCaCMkhjWViv+21R:iClROqUVBjHvyEiZFHXw4nhjkC
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: 666.exe, MoUSO.exe
description   ioc                                           process
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   666.exe
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   MoUSO.exe
Executes dropped EXE 1 IoCs
Processes: MoUSO.exe
pid    process
1736   MoUSO.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 666.exe, MoUSO.exe
description         ioc                                                                process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   666.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    666.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   MoUSO.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    MoUSO.exe
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 666.exe, MoUSO.exe
description   ioc                                                                       process
Key opened    \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine   666.exe
Key opened    \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine   MoUSO.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: 666.exe, MoUSO.exe
pid    process
1432   666.exe
1736   MoUSO.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 666.exe, MoUSO.exe
pid    process
1432   666.exe
1736   MoUSO.exe   (the remaining 63 of the 64 IoCs are identical entries for this pid)
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 666.exe, taskeng.exe
description                        pid    process       target process
PID 1432 wrote to memory of 1524   1432   666.exe       schtasks.exe
PID 1432 wrote to memory of 1524   1432   666.exe       schtasks.exe
PID 1432 wrote to memory of 1524   1432   666.exe       schtasks.exe
PID 1432 wrote to memory of 1524   1432   666.exe       schtasks.exe
PID 1204 wrote to memory of 1736   1204   taskeng.exe   MoUSO.exe
PID 1204 wrote to memory of 1736   1204   taskeng.exe   MoUSO.exe
PID 1204 wrote to memory of 1736   1204   taskeng.exe   MoUSO.exe
PID 1204 wrote to memory of 1736   1204   taskeng.exe   MoUSO.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\666.exe (tree depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\666.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe (tree depth 2)
  command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exe (tree depth 1)
  command line: taskeng.exe {1A13FE7A-D5A5-4480-8E49-4E85615F8375} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exe (tree depth 2)
  command line: C:\Users\Admin\AppData\Local\cache\MoUSO.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize: 1.3MB
MD5: c851a86c7c3bb02fe25dd5a870974cdb
SHA1: cad352db9acd07832c9f5a39cf1803723ed97e52
SHA256: 17d64950e0e39ca106e5a5a51b1cc211a0a83d484ab21038e3fe963f490c6cc2
SHA512: 934ed272e8392796dc608a1bf2b55bd4059b163e03e7262b4d25a005a3530b11045e7be1f2c22e8d410b09a5b9874be01035a8906939aa236dac190b0972897e
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize: 1.3MB
MD5: c851a86c7c3bb02fe25dd5a870974cdb
SHA1: cad352db9acd07832c9f5a39cf1803723ed97e52
SHA256: 17d64950e0e39ca106e5a5a51b1cc211a0a83d484ab21038e3fe963f490c6cc2
SHA512: 934ed272e8392796dc608a1bf2b55bd4059b163e03e7262b4d25a005a3530b11045e7be1f2c22e8d410b09a5b9874be01035a8906939aa236dac190b0972897e
-
memory/1432-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp
Filesize: 8KB
-
memory/1432-55-0x0000000000FC0000-0x000000000132E000-memory.dmp
Filesize: 3.4MB
-
memory/1432-56-0x0000000077640000-0x00000000777C0000-memory.dmp
Filesize: 1.5MB
-
memory/1432-58-0x0000000000FC0000-0x000000000132E000-memory.dmp
Filesize: 3.4MB
-
memory/1432-59-0x0000000077640000-0x00000000777C0000-memory.dmp
Filesize: 1.5MB
-
memory/1524-57-0x0000000000000000-mapping.dmp
-
memory/1736-61-0x0000000000000000-mapping.dmp
-
memory/1736-64-0x0000000001150000-0x00000000014BE000-memory.dmp
Filesize: 3.4MB
-
memory/1736-65-0x0000000001150000-0x00000000014BE000-memory.dmp
Filesize: 3.4MB