d2703ace4f8000bd9c7c322db5ab99c6358e5e3db0f6156710407079f20bceb4

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2703ace4f8000bd9c7c322db5ab99c6358e5e3db0f6156710407079f20bceb4.exe
Size

184KB
MD5

84a6f085d72c992bf7b0266c33699a30
SHA1

aa0fad8b2e9e8785339d256f37f19e88aed4da2f
SHA256

d2703ace4f8000bd9c7c322db5ab99c6358e5e3db0f6156710407079f20bceb4
SHA512

9e5b3ccb718cec66f7d2e780f47dce5c8e253073101a284045266a71ffdfa795f5b99e8a47312d7a6e0e2de5c60474fddd03a3d6594bedc905be761e0563b911
SSDEEP

3072:cDGXZ6yu7o897rl2Y4HpRSQ8nsl8Koay6Vs68:9zulF8HpRpAKoahVsZ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d2703ace4f8000bd9c7c322db5ab99c6358e5e3db0f6156710407079f20bceb4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	mbxius.exe

Executes dropped EXE 1 IoCs

pid	Process
1652	mbxius.exe

Loads dropped DLL 2 IoCs

pid	Process
2020	d2703ace4f8000bd9c7c322db5ab99c6358e5e3db0f6156710407079f20bceb4.exe
2020	d2703ace4f8000bd9c7c322db5ab99c6358e5e3db0f6156710407079f20bceb4.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /e"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /c"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /o"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /y"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /i"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /j"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /h"	mbxius.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	d2703ace4f8000bd9c7c322db5ab99c6358e5e3db0f6156710407079f20bceb4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /r"	d2703ace4f8000bd9c7c322db5ab99c6358e5e3db0f6156710407079f20bceb4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /z"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /f"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /d"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /k"	mbxius.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /a"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /x"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /b"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /w"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /p"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /l"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /q"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /r"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /n"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /t"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /s"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /v"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /g"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /u"	mbxius.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\mbxius = "C:\\Users\\Admin\\mbxius.exe /m"	mbxius.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2020	d2703ace4f8000bd9c7c322db5ab99c6358e5e3db0f6156710407079f20bceb4.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe
1652	mbxius.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2020	d2703ace4f8000bd9c7c322db5ab99c6358e5e3db0f6156710407079f20bceb4.exe
1652	mbxius.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1652	2020	d2703ace4f8000bd9c7c322db5ab99c6358e5e3db0f6156710407079f20bceb4.exe	26
PID 2020 wrote to memory of 1652	2020	d2703ace4f8000bd9c7c322db5ab99c6358e5e3db0f6156710407079f20bceb4.exe	26
PID 2020 wrote to memory of 1652	2020	d2703ace4f8000bd9c7c322db5ab99c6358e5e3db0f6156710407079f20bceb4.exe	26
PID 2020 wrote to memory of 1652	2020	d2703ace4f8000bd9c7c322db5ab99c6358e5e3db0f6156710407079f20bceb4.exe	26

C:\Users\Admin\AppData\Local\Temp\d2703ace4f8000bd9c7c322db5ab99c6358e5e3db0f6156710407079f20bceb4.exe
"C:\Users\Admin\AppData\Local\Temp\d2703ace4f8000bd9c7c322db5ab99c6358e5e3db0f6156710407079f20bceb4.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\mbxius.exe
  "C:\Users\Admin\mbxius.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\mbxius.exe

Filesize
184KB

MD5
e5aee4aa7bb133867b8ef57b47bab3d7

SHA1
129f1e874c5656c441e6e80b3764d02299d01d65

SHA256
775ac7270c688ed732a8f5c00d4a40da44931a5a55acb5f7f91c2a461d31dd0e

SHA512
8485ab1e94f18c9ca1c5fe95b270ac036f9e981d2e609727eddfc20d90a1b06c8d71e1691cef396f8fad46158bd20192d3f0b1efc49b74f5868e3a0411b7b9e1

Download Submit
C:\Users\Admin\mbxius.exe

Filesize
184KB

MD5
e5aee4aa7bb133867b8ef57b47bab3d7

SHA1
129f1e874c5656c441e6e80b3764d02299d01d65

SHA256
775ac7270c688ed732a8f5c00d4a40da44931a5a55acb5f7f91c2a461d31dd0e

SHA512
8485ab1e94f18c9ca1c5fe95b270ac036f9e981d2e609727eddfc20d90a1b06c8d71e1691cef396f8fad46158bd20192d3f0b1efc49b74f5868e3a0411b7b9e1

Download Submit
\Users\Admin\mbxius.exe

Filesize
184KB

MD5
e5aee4aa7bb133867b8ef57b47bab3d7

SHA1
129f1e874c5656c441e6e80b3764d02299d01d65

SHA256
775ac7270c688ed732a8f5c00d4a40da44931a5a55acb5f7f91c2a461d31dd0e

SHA512
8485ab1e94f18c9ca1c5fe95b270ac036f9e981d2e609727eddfc20d90a1b06c8d71e1691cef396f8fad46158bd20192d3f0b1efc49b74f5868e3a0411b7b9e1

Download Submit
\Users\Admin\mbxius.exe

Filesize
184KB

MD5
e5aee4aa7bb133867b8ef57b47bab3d7

SHA1
129f1e874c5656c441e6e80b3764d02299d01d65

SHA256
775ac7270c688ed732a8f5c00d4a40da44931a5a55acb5f7f91c2a461d31dd0e

SHA512
8485ab1e94f18c9ca1c5fe95b270ac036f9e981d2e609727eddfc20d90a1b06c8d71e1691cef396f8fad46158bd20192d3f0b1efc49b74f5868e3a0411b7b9e1

Download Submit
memory/2020-56-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download