b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f

General

Target

b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe
Size

344KB
MD5

930e1d08274335cfa68cc418b2b77ba8
SHA1

3b3d5eb936b2ac28acb9effebf9b4e6684dac255
SHA256

b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f
SHA512

d64f550b75b362e25f7d4dffa4a6310ef9a4e7f6f2a29673e2f7cef060888df66816055d695bdfeda557b83b17c7677d6f1b8e2682da603fb04825cbc8dc6cce
SSDEEP

6144:PVtRNV51UBow3Dz6Qp/ezQyeIohuPkvhONffuOlmbP/:HHtEz6KyeIoA3Ni

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

setup.exeMoUSO.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ setup.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ MoUSO.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

setup.exeMoUSO.exe

pid process

1732 setup.exe
1080 MoUSO.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MoUSO.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup.exeMoUSO.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MoUSO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MoUSO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

MoUSO.exesetup.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine	MoUSO.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

setup.exeMoUSO.exe

pid process

1732 setup.exe
1080 MoUSO.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe

description	pid	process	target process
PID 2020 set thread context of 1968	2020	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1252 schtasks.exe

pid	process
1252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

setup.exeMoUSO.exe

pid	process
1732	setup.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe
1080	MoUSO.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exeRegSvcs.exesetup.exetaskeng.exe

description	pid	process	target process
PID 2020 wrote to memory of 1968	2020	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 2020 wrote to memory of 1968	2020	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 2020 wrote to memory of 1968	2020	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 2020 wrote to memory of 1968	2020	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 2020 wrote to memory of 1968	2020	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 2020 wrote to memory of 1968	2020	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 2020 wrote to memory of 1968	2020	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 2020 wrote to memory of 1968	2020	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 2020 wrote to memory of 1968	2020	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 2020 wrote to memory of 1968	2020	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 2020 wrote to memory of 1968	2020	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 2020 wrote to memory of 1968	2020	b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe	RegSvcs.exe
PID 1968 wrote to memory of 1732	1968	RegSvcs.exe	setup.exe
PID 1968 wrote to memory of 1732	1968	RegSvcs.exe	setup.exe
PID 1968 wrote to memory of 1732	1968	RegSvcs.exe	setup.exe
PID 1968 wrote to memory of 1732	1968	RegSvcs.exe	setup.exe
PID 1968 wrote to memory of 1732	1968	RegSvcs.exe	setup.exe
PID 1968 wrote to memory of 1732	1968	RegSvcs.exe	setup.exe
PID 1968 wrote to memory of 1732	1968	RegSvcs.exe	setup.exe
PID 1732 wrote to memory of 1252	1732	setup.exe	schtasks.exe
PID 1732 wrote to memory of 1252	1732	setup.exe	schtasks.exe
PID 1732 wrote to memory of 1252	1732	setup.exe	schtasks.exe
PID 1732 wrote to memory of 1252	1732	setup.exe	schtasks.exe
PID 268 wrote to memory of 1080	268	taskeng.exe	MoUSO.exe
PID 268 wrote to memory of 1080	268	taskeng.exe	MoUSO.exe
PID 268 wrote to memory of 1080	268	taskeng.exe	MoUSO.exe
PID 268 wrote to memory of 1080	268	taskeng.exe	MoUSO.exe

C:\Users\Admin\AppData\Local\Temp\b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe
"C:\Users\Admin\AppData\Local\Temp\b5fcaaf6b6e2be5f74d2d0b28b459e240e7c3c3e6fb0f25414759da31a28074f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
4⤵
- Creates scheduled task(s)
PID:1252

C:\Windows\system32\taskeng.exe
taskeng.exe {71E5B5D4-96E2-41EF-AD4A-1B1DFDF16104} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
c3d75f76b3d2f5297fd91dd72f9746c2

SHA1
f263be96dc76a675dfdcaf5ae6be3c9955dcf90b

SHA256
e1588e6da1d3861922ff188e533a8f6f3212cf5cbcfe9da93b9a16fdda07597d

SHA512
b5943e2f9d74d8fb28a90a60fce5a4ab769359110ccf6145594a9fb0d967e2cf1bc8d8e5509e710b5227dfd4acc13e8d76d839a4d3ca49d4e683f2d54a0eacf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
438B

MD5
1cb5f4e250ca49edda890ecddecbe080

SHA1
a9c23027ba52b0c5a767abc2ed6dc7cf3c2b2405

SHA256
36573e3ab3d3ef0cad8b5a922a5d65bac735704029a5d0763ab97d291b1b1a68

SHA512
cbe8ded427bf3286fecab756cd0dcb49cea679877317af23cd55d0c91bf3322bba53dd6718516f7a4772b6c2bfb4e4e490d7ffeecea883ac6f7619c7c29d8c13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
127673e1906f34c79075348d1373a2b2

SHA1
7cda8f9d0f4dd025c01455053c8f753b50d6da91

SHA256
5b13cc37c63660d9c35fbc4d5dab06ed251abde212ab90b7d6b487fd59712bad

SHA512
b544b6c950bf927c3249991cbe7be7c99c95ff9c06ae2be949df93adc90f77ee4990a720c024441c2361affff40d7a4a3be6c4095c64fd05c77bc88111eed243

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
memory/1080-91-0x0000000000C20000-0x0000000000F81000-memory.dmp

Filesize
3.4MB

Download
memory/1080-85-0x0000000000000000-mapping.dmp

Download
memory/1080-87-0x0000000000C20000-0x0000000000F81000-memory.dmp

Filesize
3.4MB

Download
memory/1080-89-0x0000000077C20000-0x0000000077DA0000-memory.dmp

Filesize
1.5MB

Download
memory/1080-90-0x0000000000C20000-0x0000000000F81000-memory.dmp

Filesize
3.4MB

Download
memory/1080-92-0x0000000077C20000-0x0000000077DA0000-memory.dmp

Filesize
1.5MB

Download
memory/1080-93-0x0000000000C20000-0x0000000000F81000-memory.dmp

Filesize
3.4MB

Download
memory/1252-81-0x0000000000000000-mapping.dmp

Download
memory/1732-82-0x00000000010D0000-0x0000000001431000-memory.dmp

Filesize
3.4MB

Download
memory/1732-74-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/1732-75-0x00000000010D0000-0x0000000001431000-memory.dmp

Filesize
3.4MB

Download
memory/1732-76-0x0000000077C20000-0x0000000077DA0000-memory.dmp

Filesize
1.5MB

Download
memory/1732-77-0x00000000010D0000-0x0000000001431000-memory.dmp

Filesize
3.4MB

Download
memory/1732-71-0x0000000000000000-mapping.dmp

Download
memory/1732-83-0x0000000077C20000-0x0000000077DA0000-memory.dmp

Filesize
1.5MB

Download
memory/1968-54-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1968-68-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1968-69-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1968-70-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp

Filesize
8KB

Download
memory/1968-66-0x0000000140003E0C-mapping.dmp

Download
memory/1968-65-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1968-64-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1968-63-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1968-62-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1968-60-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1968-59-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1968-57-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1968-55-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads