Analysis

max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 25/04/2023, 12:02
Static task: static1

Behavioral task: behavioral1
Sample: Muck Trainer Setup.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: Muck Trainer Setup.exe
Resource: win10v2004-20230220-en
General

Target: Muck Trainer Setup.exe
Size: 141KB
MD5: 3dd47d8cf814ff53999e180235845c9b
SHA1: ac9ce8102250e43fdb1affbde5ad5c912f7c3a0d
SHA256: d5a5189d316e32de65535f17bbf55b372c3e9d4a504d198f180dfebaeaccb40d
SHA512: 8d72f7b4e0778b496bc11b6aec2767390ded71ee491ff60d119dab7d6347a9fc65782858a97f568e2a0c58bbb9498e1312db3278e454525aecd2fa79f8d991ae
SSDEEP: 3072:Bojm4ILlCI+4COHCyhaEtHZkOpk97oc4ILlCI+4TOHHSafx:Bd+bwaEtHLhiHt
Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  pid | Process
  1328 | WeMod-Setup-638180211139761853.exe
  4464 | Update.exe

Modifies Internet Explorer settings
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\wemod.com\NumberOfSubdomains = "1" | Muck Trainer Setup.exe
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | Muck Trainer Setup.exe
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage | Muck Trainer Setup.exe
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\wemod.com | Muck Trainer Setup.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "35" | Muck Trainer Setup.exe
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DOMStorage\api.wemod.com | Muck Trainer Setup.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\api.wemod.com\ = "35" | Muck Trainer Setup.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\wemod.com\Total = "35" | Muck Trainer Setup.exe
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DOMStorage\wemod.com | Muck Trainer Setup.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4644 | Muck Trainer Setup.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  4644 | Muck Trainer Setup.exe
  4644 | Muck Trainer Setup.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 4644 wrote to memory of 1328 | 4644 | Muck Trainer Setup.exe | 92
  PID 4644 wrote to memory of 1328 | 4644 | Muck Trainer Setup.exe | 92
  PID 4644 wrote to memory of 1328 | 4644 | Muck Trainer Setup.exe | 92
  PID 1328 wrote to memory of 4464 | 1328 | WeMod-Setup-638180211139761853.exe | 93
  PID 1328 wrote to memory of 4464 | 1328 | WeMod-Setup-638180211139761853.exe | 93
Processes

C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Muck Trainer Setup.exe"
  PID: 4644
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180211139761853.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\WeMod-Setup-638180211139761853.exe" --silent
    PID: 1328
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      Command line: "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . --silent
      PID: 4464
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1.8MB
MD5: b43e5cf21598243f3078d787159d7bef
SHA1: dbe552b5455966b2cc59e6786dac21610cbbea0e
SHA256: 36fd9d2415858e7010345d3fc16536349a689f9d75ed005151cb4ff5e1d0cb80
SHA512: 8c41abd147c334fbff93871f08eb878e60c7be3e26487c601d741dfaa7a047d85e3d21ef10f47fafd65c569e90e9d1b32cad74fc4065e3c16728681f6c5df9be

Filesize: 59.9MB
MD5: 93783e5cabf93a846258b4c26ba946eb
SHA1: 60edcd657e40972af038f727a2bc79ce868884d4
SHA256: 4f6d19344d333591b683cc97719eef9f8c72af9a0ec5a1c61a00b385ebff0adf
SHA512: a5e2ef394695dda6fb5a5775f39a2fcf9c4365a4b2c0e1f94a45c6df55b4271ccd1e272bb2f87cedea8e11b852d838a8c0e25f70867eda74408d61eea723182c

Filesize: 60.9MB
MD5: 02b4ad20729a5de71f1f52c0fd52f7b7
SHA1: d0504a3e9f73ee44284d9011e364ab91d698ffc4
SHA256: 14e1988f1d85a44485712faf1673fbedf87889961b0059c6cc888ce7fbeafb77
SHA512: 69a74e2f8b5710f70d98577d75dc524bbc844ad55986321813089e3cb78869180bb820c2dd3cb5dcc233064ab04f2652ab00c7269093cb8818e26fbc283a379d