ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315

General

Target

ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exe
Size

344KB
MD5

2208438b211ccae1c2d790d4c9c140ca
SHA1

0d0968fc9dc02d1f6eb9da82efad1051fc55f67f
SHA256

ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315
SHA512

2a41ff11938cadda6ec9878ab828395fa279acdd5bd9a123861dca92d0c162d60224ca3d0fc1db6ab62e11b61fe65c120533f79762ae12bcc2eba82e0b336cbf
SSDEEP

6144:5VtRNV51UBow3Dz6Qp/eGQyeIohhyKf/snpoXDTC1AO8:1HtEz6NyeIoiKfEnWzTC1A

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

setup.exeMoUSO.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ setup.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ MoUSO.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

setup.exeMoUSO.exe

pid process

1100 setup.exe
1992 MoUSO.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MoUSO.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup.exeMoUSO.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MoUSO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MoUSO.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

MoUSO.exesetup.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Wine	MoUSO.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Wine	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

setup.exeMoUSO.exe

pid process

1100 setup.exe
1992 MoUSO.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exe

description	pid	process	target process
PID 1788 set thread context of 1960	1788	ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1744 schtasks.exe

pid	process
1744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

setup.exeMoUSO.exe

pid	process
1100	setup.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe
1992	MoUSO.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exeRegSvcs.exesetup.exetaskeng.exe

description	pid	process	target process
PID 1788 wrote to memory of 1960	1788	ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exe	RegSvcs.exe
PID 1788 wrote to memory of 1960	1788	ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exe	RegSvcs.exe
PID 1788 wrote to memory of 1960	1788	ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exe	RegSvcs.exe
PID 1788 wrote to memory of 1960	1788	ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exe	RegSvcs.exe
PID 1788 wrote to memory of 1960	1788	ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exe	RegSvcs.exe
PID 1788 wrote to memory of 1960	1788	ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exe	RegSvcs.exe
PID 1788 wrote to memory of 1960	1788	ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exe	RegSvcs.exe
PID 1788 wrote to memory of 1960	1788	ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exe	RegSvcs.exe
PID 1788 wrote to memory of 1960	1788	ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exe	RegSvcs.exe
PID 1788 wrote to memory of 1960	1788	ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exe	RegSvcs.exe
PID 1788 wrote to memory of 1960	1788	ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exe	RegSvcs.exe
PID 1788 wrote to memory of 1960	1788	ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exe	RegSvcs.exe
PID 1960 wrote to memory of 1100	1960	RegSvcs.exe	setup.exe
PID 1960 wrote to memory of 1100	1960	RegSvcs.exe	setup.exe
PID 1960 wrote to memory of 1100	1960	RegSvcs.exe	setup.exe
PID 1960 wrote to memory of 1100	1960	RegSvcs.exe	setup.exe
PID 1960 wrote to memory of 1100	1960	RegSvcs.exe	setup.exe
PID 1960 wrote to memory of 1100	1960	RegSvcs.exe	setup.exe
PID 1960 wrote to memory of 1100	1960	RegSvcs.exe	setup.exe
PID 1100 wrote to memory of 1744	1100	setup.exe	schtasks.exe
PID 1100 wrote to memory of 1744	1100	setup.exe	schtasks.exe
PID 1100 wrote to memory of 1744	1100	setup.exe	schtasks.exe
PID 1100 wrote to memory of 1744	1100	setup.exe	schtasks.exe
PID 1584 wrote to memory of 1992	1584	taskeng.exe	MoUSO.exe
PID 1584 wrote to memory of 1992	1584	taskeng.exe	MoUSO.exe
PID 1584 wrote to memory of 1992	1584	taskeng.exe	MoUSO.exe
PID 1584 wrote to memory of 1992	1584	taskeng.exe	MoUSO.exe

C:\Users\Admin\AppData\Local\Temp\ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exe
"C:\Users\Admin\AppData\Local\Temp\ee7bcd123bdf13062144079e96a17187314210ae04a562142d5db42ba87ea315.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
4⤵
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\taskeng.exe
taskeng.exe {3E8925E8-D97A-4DB6-8C9B-C8DA42CC6BCC} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
c3d75f76b3d2f5297fd91dd72f9746c2

SHA1
f263be96dc76a675dfdcaf5ae6be3c9955dcf90b

SHA256
e1588e6da1d3861922ff188e533a8f6f3212cf5cbcfe9da93b9a16fdda07597d

SHA512
b5943e2f9d74d8fb28a90a60fce5a4ab769359110ccf6145594a9fb0d967e2cf1bc8d8e5509e710b5227dfd4acc13e8d76d839a4d3ca49d4e683f2d54a0eacf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
438B

MD5
4577c7328aedc570abc8872c38f63cc2

SHA1
2b2123ee7623a29fe3a2d99b2ffd9762683d97b6

SHA256
3b8ca6879da9564f05f284c3235cdf5f607c964cc932f3bd3f4773836b02a117

SHA512
c21d90232ea02a39968a01bb0768ecfae078a12c28ccf19abc2bbe2cf4ddf5c42ebb32856778e61dac86ed5a49c0188acea5726ddcfb60907ce4d96932b22c4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
19fb493049a30df289e61faa0581e5e4

SHA1
f289e684d4bc738d778fb8b8432a3cf38d8b762d

SHA256
f109f5c844c7a67bdc2549db52afd8150e740b2b16ed4e7a44e61abaca2a2ea2

SHA512
0f1f1a55edcb29ff75f715612db14a5e77e5d9a191aff981139a7b42003fde0286fef972dbd02844d2565f5fcc5a78170d578a40387c91fb739174d09f1d9506

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
Filesize
1.3MB

MD5
2d6153e8a40769cd739eb79300337522

SHA1
969b1faf9926a3a68a7c18d117f2dd6931a1ca7d

SHA256
7c1df5f1c62db80febbdfee35ceb800df85bcbc1fa6de062f069cebc109b18e9

SHA512
606ae72de064fbe10190261abd08c900a893131cd47702dae565fe73c3e4650f125a95be0d2984995237bc731b058a33a89d18d47a487b75a1271d2930c5a91b

Download Submit
memory/1100-82-0x0000000000860000-0x0000000000BC1000-memory.dmp

Filesize
3.4MB

Download
memory/1100-74-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1100-83-0x0000000077660000-0x00000000777E0000-memory.dmp

Filesize
1.5MB

Download
memory/1100-80-0x0000000000860000-0x0000000000BC1000-memory.dmp

Filesize
3.4MB

Download
memory/1100-79-0x0000000077660000-0x00000000777E0000-memory.dmp

Filesize
1.5MB

Download
memory/1100-71-0x0000000000000000-mapping.dmp

Download
memory/1100-75-0x0000000000860000-0x0000000000BC1000-memory.dmp

Filesize
3.4MB

Download
memory/1744-81-0x0000000000000000-mapping.dmp

Download
memory/1960-59-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1960-54-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1960-64-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1960-62-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1960-60-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1960-65-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1960-70-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

Filesize
8KB

Download
memory/1960-69-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1960-68-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1960-63-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1960-66-0x0000000140003E0C-mapping.dmp

Download
memory/1960-57-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1960-55-0x0000000140000000-0x0000000140022000-memory.dmp

Filesize
136KB

Download
memory/1992-85-0x0000000000000000-mapping.dmp

Download
memory/1992-87-0x00000000011A0000-0x0000000001501000-memory.dmp

Filesize
3.4MB

Download
memory/1992-89-0x0000000077660000-0x00000000777E0000-memory.dmp

Filesize
1.5MB

Download
memory/1992-90-0x00000000011A0000-0x0000000001501000-memory.dmp

Filesize
3.4MB

Download
memory/1992-91-0x00000000011A0000-0x0000000001501000-memory.dmp

Filesize
3.4MB

Download
memory/1992-92-0x0000000077660000-0x00000000777E0000-memory.dmp

Filesize
1.5MB

Download
memory/1992-93-0x00000000011A0000-0x0000000001501000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads