3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055

General

Target

3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe
Size

344KB
MD5

b9844cb9509f6252dcb12d4898f48624
SHA1

d2f377a1c8c070cb1884bf0b308e6fdf21067b73
SHA256

3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055
SHA512

a7d5b004a42a215452b3e89e5804a717325c5caaee65b08da6c0a73ca6d05f03dfbfc7242e1481d332f5d3fe8d1dbe48c2bbb3977c4f7ab54c6011952b0ba354
SSDEEP

6144:kq6LFGh9VxSaYmn9EqgJ/kQ4yuooheHRfcu+FM9m4P6u270ufmjrlRWz:knwnW4EqNyuooxu+ysAl24cex

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

MoUSO.exesetup.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ MoUSO.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ setup.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

setup.exeMoUSO.exe

pid process

1588 setup.exe
1056 MoUSO.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MoUSO.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MoUSO.exesetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MoUSO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MoUSO.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

setup.exeMoUSO.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine	setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine	MoUSO.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

setup.exeMoUSO.exe

pid process

1588 setup.exe
1056 MoUSO.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe

description	pid	process	target process
PID 240 set thread context of 992	240	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1176 schtasks.exe

pid	process
1176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

setup.exeMoUSO.exe

pid	process
1588	setup.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe
1056	MoUSO.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exeRegSvcs.exesetup.exetaskeng.exe

description	pid	process	target process
PID 240 wrote to memory of 992	240	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 240 wrote to memory of 992	240	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 240 wrote to memory of 992	240	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 240 wrote to memory of 992	240	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 240 wrote to memory of 992	240	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 240 wrote to memory of 992	240	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 240 wrote to memory of 992	240	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 240 wrote to memory of 992	240	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 240 wrote to memory of 992	240	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 240 wrote to memory of 992	240	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 240 wrote to memory of 992	240	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 240 wrote to memory of 992	240	3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe	RegSvcs.exe
PID 992 wrote to memory of 1588	992	RegSvcs.exe	setup.exe
PID 992 wrote to memory of 1588	992	RegSvcs.exe	setup.exe
PID 992 wrote to memory of 1588	992	RegSvcs.exe	setup.exe
PID 992 wrote to memory of 1588	992	RegSvcs.exe	setup.exe
PID 992 wrote to memory of 1588	992	RegSvcs.exe	setup.exe
PID 992 wrote to memory of 1588	992	RegSvcs.exe	setup.exe
PID 992 wrote to memory of 1588	992	RegSvcs.exe	setup.exe
PID 1588 wrote to memory of 1176	1588	setup.exe	schtasks.exe
PID 1588 wrote to memory of 1176	1588	setup.exe	schtasks.exe
PID 1588 wrote to memory of 1176	1588	setup.exe	schtasks.exe
PID 1588 wrote to memory of 1176	1588	setup.exe	schtasks.exe
PID 1716 wrote to memory of 1056	1716	taskeng.exe	MoUSO.exe
PID 1716 wrote to memory of 1056	1716	taskeng.exe	MoUSO.exe
PID 1716 wrote to memory of 1056	1716	taskeng.exe	MoUSO.exe
PID 1716 wrote to memory of 1056	1716	taskeng.exe	MoUSO.exe

C:\Users\Admin\AppData\Local\Temp\3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe
"C:\Users\Admin\AppData\Local\Temp\3ab8365f091655f7130f0df091e082379400d3528361e83b9627e722154ec055.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
4⤵
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\taskeng.exe
taskeng.exe {145D83D5-49A1-4BDF-A172-2CD931BCAC2E} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
2f72537f636dc6eee43878bc859a4ec0

SHA1
5dcd85434721902b906d4e06907873844760d348

SHA256
39702baf633ce7008b7be66ed67aec862ac6d2b6a4ed975cafaa9e5e6aba2a89

SHA512
675553a3e6f33a2f2e98488ced3e01be15a65ea9b46c4976be590b2683b99162684318d926e5f605d51febbf460f845345968b14786b8b6d199a539439007f43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
438B

MD5
7bb219b7edc0d3bef1c44a876fe670b5

SHA1
121a2c4441ecd7dbe3031d45e44b8b7de094dd6b

SHA256
9f78b1576c7eefab9d659c3bfd838fc5dad266e81653f37cc364b8be693bbef6

SHA512
4a42eedd5b9de23a45466be3dcb5e08403608fac54e17e7d3ce3d52576cab7f5190eac12195014749479996ac7a7950abe18c9b82681dae8f333869474b5ebfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
a666dd1ac3218c95008d35f26c5ebf7b

SHA1
0aff87a86e8fc6d717690e284b6168aba9eeae60

SHA256
fb4e38496462cef7e1cb0708e0ed7e78a0efb0a2fbaa00f18cc80867231470fd

SHA512
cfc05fbade4b68299d44864fb83ef6fa3a7c0d73aef02208be058247becfc209fffe7a928427794649643db50e70073f5acf8caddf6940de77a161f1fbb02dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
memory/992-62-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/992-66-0x0000000140003E0C-mapping.dmp

Download
memory/992-65-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/992-68-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/992-69-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/992-70-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/992-64-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/992-63-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/992-60-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/992-54-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/992-59-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/992-57-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/992-55-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1056-93-0x00000000010D0000-0x0000000001431000-memory.dmp

Filesize
3.4MB

Download
memory/1056-91-0x00000000010D0000-0x0000000001431000-memory.dmp

Filesize
3.4MB

Download
memory/1056-90-0x00000000010D0000-0x0000000001431000-memory.dmp

Filesize
3.4MB

Download
memory/1056-89-0x00000000770D0000-0x0000000077250000-memory.dmp

Filesize
1.5MB

Download
memory/1056-87-0x00000000010D0000-0x0000000001431000-memory.dmp

Filesize
3.4MB

Download
memory/1056-92-0x00000000770D0000-0x0000000077250000-memory.dmp

Filesize
1.5MB

Download
memory/1056-85-0x0000000000000000-mapping.dmp

Download
memory/1176-80-0x0000000000000000-mapping.dmp

Download
memory/1588-74-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1588-83-0x00000000770D0000-0x0000000077250000-memory.dmp

Filesize
1.5MB

Download
memory/1588-82-0x0000000000040000-0x00000000003A1000-memory.dmp

Filesize
3.4MB

Download
memory/1588-81-0x0000000000040000-0x00000000003A1000-memory.dmp

Filesize
3.4MB

Download
memory/1588-79-0x00000000770D0000-0x0000000077250000-memory.dmp

Filesize
1.5MB

Download
memory/1588-75-0x0000000000040000-0x00000000003A1000-memory.dmp

Filesize
3.4MB

Download
memory/1588-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads