Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-03-2023 04:10
Behavioral task behavioral1
- Sample: MOL.EXE.exe
- Resource: win7-20230220-en
Behavioral task behavioral2
- Sample: MOL.EXE.exe
- Resource: win10v2004-20230220-en
General
- Target: MOL.EXE.exe
- Size: 3.4MB
- MD5: 588cd06833601b361f843c87056fd5a9
- SHA1: 36fd19550588e46b7ae12639421e9768f6172f0a
- SHA256: ccfd30e42f2dbb38fa3ad9528c74c6ecf6cc45ab167838200331ecf903230db1
- SHA512: 74ca11d07f98dcbae852fb94fd3fa5fb641a73917c6e85b1e2e0f49c5e8f604a14ea3deaf146ce23d4814f3daf2082d3c90d72d2759507d51cf45284f50fc979
- SSDEEP: 98304:cPMHpHh81TVkOjPdBx425wr7MARYza/PnrHT86b4GGsVJxz:cUrkTiOjPn76hCa/PrHlrVJxz
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Windows exposes the firmware's ACPI tables under HKLM\HARDWARE\ACPI, keyed by OEM ID; VBOX__ is the OEM ID the VirtualBox firmware writes into its DSDT, so whether opening this key succeeds tells the sample if it is running in a VirtualBox guest.
Processes:
description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | process: MOL.EXE.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS version strings are read to detect sandboxing environments: on an unmodified VirtualBox guest SystemBiosVersion carries a VBOX marker and VideoBiosVersion names VirtualBox, so both values are checked alongside the ACPI key above.
Processes:
description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | process: MOL.EXE.exe
description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | process: MOL.EXE.exe
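What the two registry checks above actually test, and what a sandbox operator has to change to pass them, as an added example; this is not code from the report or from the sample. The registry is modelled as two dicts so the logic runs offline (on a real host the same lookups would go through winreg), and the two guest profiles at the bottom are constructed sample data, not values taken from this analysis.

```python
"""Registry-based VirtualBox detection, modelled offline.

Assumptions (not stated on the page): the sample only tests for the ACPI key
HARDWARE\\ACPI\\DSDT\\VBOX__ and for a VBOX / VirtualBox marker in the two BIOS
version values. Registry views are dicts here; the guest profiles are constructed.
"""
from typing import List, Mapping, Sequence, Union

# The three HKLM artefacts the report shows the sample touching.
ACPI_VBOX_KEY = r"HARDWARE\ACPI\DSDT\VBOX__"
BIOS_VALUES = (
    r"HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"HARDWARE\DESCRIPTION\System\VideoBiosVersion",
)
# Substrings the VirtualBox firmware leaves in those BIOS values (case-insensitive).
VBOX_MARKERS = ("VBOX", "VIRTUALBOX")

RegValue = Union[str, Sequence[str]]


def _as_text(value: RegValue) -> str:
    # SystemBiosVersion is REG_MULTI_SZ on real hosts; accept either shape.
    return value if isinstance(value, str) else " ".join(value)


def virtualbox_indicators(keys: Mapping[str, bool], values: Mapping[str, RegValue]) -> List[str]:
    """Return every VirtualBox indicator present in the modelled registry.

    `keys` maps an HKLM subkey path to True when the key exists (an open succeeds);
    `values` maps an HKLM value path to its data. Lookups are case-insensitive.
    """
    keys_ci = {k.upper(): v for k, v in keys.items()}
    values_ci = {k.upper(): v for k, v in values.items()}
    hits: List[str] = []
    if keys_ci.get(ACPI_VBOX_KEY.upper()):
        hits.append("acpi:VBOX__ table key present")
    for path in BIOS_VALUES:
        data = values_ci.get(path.upper())
        if data is None:
            continue
        text = _as_text(data).upper()
        name = path.rsplit("\\", 1)[-1]
        for marker in VBOX_MARKERS:
            if marker in text:
                hits.append(f"bios:{name} contains {marker}")
                break
    return hits


def looks_like_virtualbox(keys: Mapping[str, bool], values: Mapping[str, RegValue]) -> bool:
    return bool(virtualbox_indicators(keys, values))


# Constructed registry view of a stock VirtualBox guest (sample data).
STOCK_VBOX_GUEST = (
    {r"HARDWARE\ACPI\DSDT\VBOX__": True},
    {
        r"HARDWARE\DESCRIPTION\System\SystemBiosVersion": ["VBOX   - 1"],
        r"HARDWARE\DESCRIPTION\System\VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1.0 VBE BIOS"],
    },
)

# The same guest after the DSDT OEM ID and BIOS strings were re-branded (constructed).
HARDENED_GUEST = (
    {r"HARDWARE\ACPI\DSDT\DELL__": True},
    {
        r"HARDWARE\DESCRIPTION\System\SystemBiosVersion": ["DELL   - 1072009"],
        r"HARDWARE\DESCRIPTION\System\VideoBiosVersion": ["Intel(R) GOP Driver 9.0.1"],
    },
)

if __name__ == "__main__":
    for label, (keys, values) in (("stock", STOCK_VBOX_GUEST), ("hardened", HARDENED_GUEST)):
        print(label, virtualbox_indicators(keys, values))
```

The hardened profile passes all three checks only because the ACPI OEM ID was changed as well as the BIOS strings; fixing the two string values alone still leaves the VBOX__ key, which is the check the report lists first.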
-
Themida packer (YARA rule themida) 20 IoCs
Processes:
resource: behavioral2/memory/3432-N-0x00000000001C0000-0x00000000009A5000-memory.dmp | yara_rule: themida, for N = 133-141 and 147-157 (every dump of the main image of pid 3432)
Adds Run key to start application 2 TTPs 2 IoCs
Per-user persistence (HKCU Run key of the sandbox user, no elevation needed). The value points at an executable under AppData\Roaming, but the Downloads section of this report lists no Microsoft.exe under Windata, so the report does not show that file being written during the run.
Processes:
description: Key created | ioc: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run | process: MOL.EXE.exe
description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JYEVXV = "C:\Users\Admin\AppData\Roaming\Windata\Microsoft.exe" (quoted path, shown unescaped) | process: MOL.EXE.exe
-
Checks whether UAC is enabled 1 IoCs
Processes:
description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | process: MOL.EXE.exe
-
AutoIT Executable 19 IoCs
AutoIT scripts compiled to PE executables. The rule matches the same in-memory region as the themida rule above, consistent with an AutoIt-compiled script wrapped in Themida; the unpacked AutoIt image is therefore present in the memory dumps listed under Downloads.
Processes:
resource: behavioral2/memory/3432-N-0x00000000001C0000-0x00000000009A5000-memory.dmp | yara_rule: autoit_exe, for N = 134-141 and 147-157
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
NtSetInformationThread with ThreadHideFromDebugger stops a debugger receiving events for that thread; it is a standard anti-debug step of commercial protectors such as Themida.
Processes:
pid: 3432 | process: MOL.EXE.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but nothing else in this report (no mass file modification, no dropped note) supports that reading here.
-
NTFS ADS 1 IoCs
The "stream" is a false positive: winmgmts:\localhost\root\SecurityCenter2 is a WMI moniker, the namespace that holds the AntiVirusProduct class, not a file. The sample is enumerating installed security products through WMI, and the colon in the moniker made the sandbox classify it as an alternate data stream.
Processes:
description: File opened for modification | ioc: C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2 | process: MOL.EXE.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid: 3432 | process: MOL.EXE.exe (64 events)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid: 3432 | process: MOL.EXE.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
All three writes go from the sample into the WScript child it has just created. CreateProcess itself writes the new process's startup parameters into the child, so this pattern on its own is not evidence of code injection.
Processes:
description: PID 3432 wrote to memory of 4288 | pid: 3432 | process: MOL.EXE.exe | target process: WSCript.exe (3 events)
Processes
-
C:\Users\Admin\AppData\Local\Temp\MOL.EXE.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\MOL.EXE.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WSCript.exe (depth 2, child of MOL.EXE.exe)
command line: WSCript C:\Users\Admin\AppData\Local\Temp\JYEVXV.vbs
The 32-bit script host under SysWOW64 is what file-system redirection resolves for a 32-bit parent; the .vbs it runs is the 834-byte file listed under Downloads.
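The two host-visible parts of this run, the Run-key write and the script host spawned from Temp, expressed as detection logic over Sysmon-style events, as an added example that is not part of the report. The event records are constructed to mirror the report's IoCs (field names follow Sysmon's EventID 13 SetValue and EventID 1 ProcessCreate, plus one benign Run-key write for contrast); they are not real telemetry, and the rule names are my own. Note the limit this report makes obvious: the anti-VM lookups are registry queries, which Sysmon does not log, so only the sandbox's API monitor sees those.

```python
"""Detection over constructed Sysmon-style events mirroring this report."""
import json
import re
from typing import Dict, Iterable, List, Set, Tuple

# Any value written directly under a per-user or machine Run key.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
# Command data pointing into a directory an unprivileged user can write to.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

Alert = Tuple[str, int, str]  # (rule name, pid held responsible, detail)

# Constructed JSON-lines events (sample data, not real telemetry).
SAMPLE_EVENTS = r'''
{"EventID": 1, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\MOL.EXE.exe", "ProcessId": 3432, "ParentImage": "C:\\Windows\\explorer.exe", "ParentProcessId": 1234, "CommandLine": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MOL.EXE.exe\""}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\MOL.EXE.exe", "ProcessId": 3432, "TargetObject": "HKU\\S-1-5-21-144354903-2550862337-1367551827-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\JYEVXV", "Details": "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Microsoft.exe\""}
{"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\WScript.exe", "ProcessId": 4288, "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\MOL.EXE.exe", "ParentProcessId": 3432, "CommandLine": "WSCript C:\\Users\\Admin\\AppData\\Local\\Temp\\JYEVXV.vbs"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Program Files\\Vendor\\Updater.exe", "ProcessId": 900, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdate", "Details": "\"C:\\Program Files\\Vendor\\Updater.exe\" /tray"}
'''


def parse_events(text: str) -> List[Dict]:
    """Parse newline-delimited JSON, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def detect(events: Iterable[Dict]) -> List[Alert]:
    """Apply the two rules and return one alert per matching event."""
    alerts: List[Alert] = []
    for ev in events:
        if ev.get("EventID") == 13 and ev.get("EventType") == "SetValue":
            target, data = ev.get("TargetObject", ""), ev.get("Details", "")
            # Run-key value whose command lives in a user-writable directory.
            if RUN_KEY_RE.search(target) and USER_WRITABLE_RE.search(data):
                alerts.append(("run_key_to_user_dir", ev["ProcessId"], basename(target)))
        elif ev.get("EventID") == 1:
            image = basename(ev.get("Image", "")).lower()
            parent, cmd = ev.get("ParentImage", ""), ev.get("CommandLine", "")
            # Script host given a script in Temp, by a parent that itself runs from Temp.
            if image in SCRIPT_HOSTS and TEMP_RE.search(cmd) and TEMP_RE.search(parent):
                alerts.append(("temp_binary_spawns_script_host", ev.get("ParentProcessId", 0), cmd))
    return alerts


def correlate(alerts: Iterable[Alert]) -> Set[int]:
    """PIDs that both installed Run-key persistence and launched a script host."""
    by_rule: Dict[str, Set[int]] = {}
    for rule, pid, _ in alerts:
        by_rule.setdefault(rule, set()).add(pid)
    return by_rule.get("run_key_to_user_dir", set()) & by_rule.get("temp_binary_spawns_script_host", set())


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for alert in found:
        print(alert)
    print("escalate pids:", correlate(found))
```

The script-host alert blames the parent PID rather than the WScript process, so the correlation step lands on 3432 for both rules; the vendor updater's Run key is ignored because its command points into Program Files, which is the usual way to keep this rule quiet on managed hosts.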
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\JYEVXV.vbs
- Filesize: 834B
- MD5: 41cbe0d9975656e04c44d1925ddc4aa2
- SHA1: 6c98a427fe13daf8215c8963ca7357aa864a5746
- SHA256: e0c484c3b99a84e3566e5b83c988c83379f88945af715ec852a7572ad744ccc2
- SHA512: d98747ee673126be0fe34e0036855ca5238934c0dc61be6b03dbd87652f7c2ce34a881c91ac7a6fe192dfffbada177384405ae231950ad1610f81afe03a0a2d4
-
memory/3432-N-0x00000000001C0000-0x00000000009A5000-memory.dmp
- Filesize: 7.9MB each
- 20 dumps of the same mapped region of pid 3432, N = 133, 134, 135, 136, 137, 138, 139, 140, 141, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157