Analysis
- max time kernel: 307s
- max time network: 294s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 04:07
Static task: static1
Behavioral task: behavioral1
- Sample: 666.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 666.exe
- Resource: win10v2004-20220812-en
General
- Target: 666.exe
- Size: 1.3MB
- MD5: c851a86c7c3bb02fe25dd5a870974cdb
- SHA1: cad352db9acd07832c9f5a39cf1803723ed97e52
- SHA256: 17d64950e0e39ca106e5a5a51b1cc211a0a83d484ab21038e3fe963f490c6cc2
- SHA512: 934ed272e8392796dc608a1bf2b55bd4059b163e03e7262b4d25a005a3530b11045e7be1f2c22e8d410b09a5b9874be01035a8906939aa236dac190b0972897e
- SSDEEP: 24576:CFClbBTLTOBg6bV1vwQjtD7O6yEinJLHFHXwCaCMkhjWViv+21R:iClROqUVBjHvyEiZFHXw4nhjkC
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  Processes: 666.exe, MoUSO.exe
  666.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  MoUSO.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- Executes dropped EXE (1 IoCs)
  Processes: MoUSO.exe
  PID 4480: MoUSO.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: 666.exe, MoUSO.exe
  666.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  666.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  MoUSO.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  MoUSO.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 666.exe
  666.exe: Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: 666.exe, MoUSO.exe
  666.exe: Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Wine
  MoUSO.exe: Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Wine
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: 666.exe, MoUSO.exe
  PID 1512: 666.exe
  PID 4480: MoUSO.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 666.exe, MoUSO.exe
  PID 1512: 666.exe (2 IoCs)
  PID 4480: MoUSO.exe (remaining 62 IoCs, identical entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 666.exe
  PID 1512 (666.exe) wrote to memory of PID 220 (schtasks.exe), 3 identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\666.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\666.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
    - Creates scheduled task(s)
- C:\Users\Admin\AppData\Local\cache\MoUSO.exe
  Command line: C:\Users\Admin\AppData\Local\cache\MoUSO.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\cache\MoUSO.exe
  Filesize: 1.3MB
  MD5: c851a86c7c3bb02fe25dd5a870974cdb
  SHA1: cad352db9acd07832c9f5a39cf1803723ed97e52
  SHA256: 17d64950e0e39ca106e5a5a51b1cc211a0a83d484ab21038e3fe963f490c6cc2
  SHA512: 934ed272e8392796dc608a1bf2b55bd4059b163e03e7262b4d25a005a3530b11045e7be1f2c22e8d410b09a5b9874be01035a8906939aa236dac190b0972897e
- memory/220-138-0x0000000000000000-mapping.dmp
- memory/1512-140-0x0000000077D20000-0x0000000077EC3000-memory.dmp (Filesize: 1.6MB)
- memory/1512-133-0x0000000077D20000-0x0000000077EC3000-memory.dmp (Filesize: 1.6MB)
- memory/1512-137-0x0000000000710000-0x0000000000A7E000-memory.dmp (Filesize: 3.4MB)
- memory/1512-135-0x0000000000710000-0x0000000000A7E000-memory.dmp (Filesize: 3.4MB)
- memory/1512-139-0x0000000000710000-0x0000000000A7E000-memory.dmp (Filesize: 3.4MB)
- memory/1512-132-0x0000000000710000-0x0000000000A7E000-memory.dmp (Filesize: 3.4MB)
- memory/1512-134-0x0000000000710000-0x0000000000A7E000-memory.dmp (Filesize: 3.4MB)
- memory/1512-136-0x0000000077D20000-0x0000000077EC3000-memory.dmp (Filesize: 1.6MB)
- memory/4480-143-0x00000000006D0000-0x0000000000A3E000-memory.dmp (Filesize: 3.4MB)
- memory/4480-144-0x0000000077D20000-0x0000000077EC3000-memory.dmp (Filesize: 1.6MB)
- memory/4480-145-0x00000000006D0000-0x0000000000A3E000-memory.dmp (Filesize: 3.4MB)
- memory/4480-146-0x00000000006D0000-0x0000000000A3E000-memory.dmp (Filesize: 3.4MB)
- memory/4480-147-0x0000000077D20000-0x0000000077EC3000-memory.dmp (Filesize: 1.6MB)
- memory/4480-148-0x00000000006D0000-0x0000000000A3E000-memory.dmp (Filesize: 3.4MB)