Overview

overview

8

Static

static

1

MBSetup.exe

windows10-1703-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    159s
  • platform
    windows10-1703_x64
  • resource
    win10-20231020-en
  • resource tags

    arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
  • submitted
    12-11-2023 21:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MBSetup.exe

  • Size

    2.5MB

  • MD5

    1e885823577394ea61ea89438ffe2954

  • SHA1

    e53e96f7374790bdad8a614949b398b055c3a27b

  • SHA256

    7c0b9bceed390f7f28135431c09ac51469ee8e2b8095fb36a37315d811d9ba9c

  • SHA512

    73f600833dad0047b6444110d722dc95237b38bb486abc7fc8e4f59b69e2154c885fb46d65f488d5139a0b6e76ebde33ea72711c7f58436650ef992fb8995627

  • SSDEEP

    49152:Lw3ye9SPQ1sjDAVj+JeRanStQyfvE0Z3R0nxiIq2ddAsuysSiSF:4yeoCVj+c6KtQRq2ADSiSF

Score
8/10
discovery

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 1 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\MBSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\MBSetup.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks BIOS information in registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:4444
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4556
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.0.998028049\394224118" -parentBuildID 20221007134813 -prefsHandle 1732 -prefMapHandle 1724 -prefsLen 20858 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94e881e9-8189-4b0a-889b-957b9459d5a8} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 1812 1a4754d0158 gpu
        3⤵
          PID:3496
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.1.1322815676\1141465448" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20939 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cee6d843-86ad-463f-9649-36ec2b0b0bf5} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 2168 1a474fe4858 socket
          3⤵
            PID:4588
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.2.570813068\1860379734" -childID 1 -isForBrowser -prefsHandle 2708 -prefMapHandle 1620 -prefsLen 21042 -prefMapSize 232645 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72e7e573-1fc9-404e-8ef6-bfb948e0789d} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 2864 1a47546b158 tab
            3⤵
              PID:4292
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.3.1141257309\269908303" -childID 2 -isForBrowser -prefsHandle 3684 -prefMapHandle 3680 -prefsLen 26402 -prefMapSize 232645 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {051d3579-dd21-4f94-8b37-18b6f8112acd} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 3696 1a477ada358 tab
              3⤵
                PID:2936
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.4.530634394\2082723432" -childID 3 -isForBrowser -prefsHandle 4016 -prefMapHandle 4012 -prefsLen 26461 -prefMapSize 232645 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b21ed1d-0d25-46ac-82f4-888a386ed317} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 4044 1a47a751d58 tab
                3⤵
                  PID:296
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.5.182885893\1222848637" -childID 4 -isForBrowser -prefsHandle 4316 -prefMapHandle 4796 -prefsLen 26461 -prefMapSize 232645 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {069925e4-13b4-4a3d-af54-64ed2452996e} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 4780 1a47b3e9b58 tab
                  3⤵
                    PID:2532
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.7.450434698\1324586290" -childID 6 -isForBrowser -prefsHandle 5064 -prefMapHandle 5068 -prefsLen 26461 -prefMapSize 232645 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c2a0758-d5b0-468e-8b76-8a56b52aea33} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 4744 1a47b3e7758 tab
                    3⤵
                      PID:2552
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.6.972460442\1894953556" -childID 5 -isForBrowser -prefsHandle 4880 -prefMapHandle 4756 -prefsLen 26461 -prefMapSize 232645 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {880c133f-7f27-4759-83a0-57ff8f74defd} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 4868 1a47b3e6e58 tab
                      3⤵
                        PID:1904
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.8.1581340033\557718293" -childID 7 -isForBrowser -prefsHandle 5316 -prefMapHandle 2636 -prefsLen 26964 -prefMapSize 232645 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1d8a051-bc66-4ccb-a4b6-31ee3f8a9d71} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 1560 1a47933a758 tab
                        3⤵
                          PID:436
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.9.521829297\1304262283" -childID 8 -isForBrowser -prefsHandle 4056 -prefMapHandle 1560 -prefsLen 27275 -prefMapSize 232645 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da336726-d8c7-44d2-a1f8-f2e48ec1cc46} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 4472 1a47b3e6558 tab
                          3⤵
                            PID:3952

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1foor6be.default-release\activity-stream.discovery_stream.json.tmp
                        Filesize

                        22KB

                        MD5

                        a1e1d7b0802f11cd7f06e533557bff89

                        SHA1

                        043292686648d68cc487de4db0104f9b958dcb57

                        SHA256

                        36db7d08a3fff402e4ef31e703343691748c2bfc2af72a3b90abb8146ee2af0c

                        SHA512

                        2acdaaefedb04129e8a55298713c7956e9e75d41df1d612bee3ad5265be3225f7c94618634b20687e8e44cafe7f226a90487ed77ea5cb864a864419084903880

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1foor6be.default-release\cache2\doomed\21070
                        Filesize

                        19KB

                        MD5

                        c4906b48e4928bb93c4be00c21da117e

                        SHA1

                        89593eaf3276ccbe61345b8c0599e5ff9789c69f

                        SHA256

                        4ba94810aad99d8d3b59214d1093c05a95d7e8f1e1bb591ebc337ba18fec254f

                        SHA512

                        a843cfbe72ed8318787c75058398c21c9107691568a21300ab7fb93b36e496543f1690ea22c92436cdf4fa660d12ca5c36a12fe16cd76399ae9ec0cbb81733ed

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1foor6be.default-release\cache2\doomed\27002
                        Filesize

                        9KB

                        MD5

                        80c01abf70b9ce6dea512a0e2d4f37ff

                        SHA1

                        d404f831176fa9a1144db2fe999502fa0bae8c40

                        SHA256

                        5d87fa0ee8e22ac8ccf70cb13d931ab3fcdc2dc24307e8a3c5ef0e8870fc2f68

                        SHA512

                        a33cba31878d4ab2fae88a6abb682229bd2236c224c3a1d6a935a8295a26c503c57cbd74371e2557394d9fffd01b0f65051c60903e60bce2a271b32b1129751c

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1foor6be.default-release\thumbnails\69276abfa6a2a13e9542d15bf8c94890.png
                        Filesize

                        42KB

                        MD5

                        3da71138432ae3d5574caa9a2dd97ea2

                        SHA1

                        83393fe2aa4ce703702c98b8fb6340e0504fc6a9

                        SHA256

                        11b259b095ec4df022fa479dafafc613ef952a15d1b7a46680d3a4dc768aebb9

                        SHA512

                        2c6f9f491e2b537e8cd8449644b60947a0fac9b1aba5273fdce5f840c84a8f87a4fccd4325440e88299674bf4248ecc8d6590e61a625cccf9f1a57b18c25c6df

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1foor6be.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        56b8556ac3ee4581ed22a8e9b4f9b3a8

                        SHA1

                        94f9c64b19fe167c3786b1baa01034af0a67cea0

                        SHA256

                        42d5c901222b47fb4d2a5653b78bc4bf26d377a751cc24dbe1ddd10868d6d3d8

                        SHA512

                        a697952c11480c58c638b5f671b89ac824e7135bd4989b56cef63eefa1d4fa18ebaf16208e9e42c61e2e9b81cb71059dd0a2f9958bfdfa67d58d3694bfac02dd

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1foor6be.default-release\prefs-1.js
                        Filesize

                        6KB

                        MD5

                        d98a7cee930215d9b81abc20c5c8850f

                        SHA1

                        a8527bcdc42494318705d3f27611358633894f1f

                        SHA256

                        64c3a4f64c8ebdcf6fa216218a47932f6938292fc82e25a44080ebe239c2e1e0

                        SHA512

                        ea8b7cc01b1969fcdae1bc6f20b821c8b666dc0e1321880e9aa263ddd81209ae205db0e4f246cec997e9d6680ea0d8dec4792bd111ca61972b06befcab9ba612

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1foor6be.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        bd6e75c748b617d25f0a7958dfb8cb1e

                        SHA1

                        d6e5f805201505f5a14643ec65d3d449c6b7f21f

                        SHA256

                        bac92b687d5a936062cf38f0214a3dfff5acc0dcad32c403e048a4569bbde5fa

                        SHA512

                        47e8b71e4df317618fc6940ca3309e06f3c9ea2f039ea6cfab4f975a94b6ad8a3926abe04c00bfc724cc5f5df6159e1b5437742aa7dcce29c76f6b31153ed9d1

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1foor6be.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        503de2999e09f7c1fe95e5cd5c7f71db

                        SHA1

                        debacfe147d8f8902892f1362ba3da892bdefb5a

                        SHA256

                        cb82bced9958947f1f53528943d9c3f9d67d7bd136bb764edfd4d310ffc3515e

                        SHA512

                        9c637e2aef8a5262a537d1e9bad34aa0911c651c771c8f3521c4f161a6fdc7bf5a034328a19e37e7b26b7e182b51f015f62d4b8efa064b42dab4c8b98cff1ff5

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1foor6be.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        3KB

                        MD5

                        f5b872046c865445e5bceb60d68c78f0

                        SHA1

                        103595e443c69bdd0542c6279a9acb17026bb3ba

                        SHA256

                        d4b695453ab3d275b9da6a59e074ffd943aac0bccb7cd0c91b2c5ad87bca4167

                        SHA512

                        4973e2bf56fae4ed4fd79f1f1960ba4fa0d6d05db19280fa80490ce6abfea99e2e2c5bdd495e8971d9b740dc03b1ae1223d444cd64de2426dbf0bb5e8387dd96

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1foor6be.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        3KB

                        MD5

                        6918b76e8d5ae363cd0f690540cf5d83

                        SHA1

                        3272ad96699cec0198ff1b54bfb1c4b93589afc0

                        SHA256

                        72c4cae9d85bd36830a7292e487b894b3bbadc6dd3028ad8319db2e5bd2982f1

                        SHA512

                        25b7a72f5fed9d2e0c149df74528c98a3c0db87d1916e38be3f48e541973b8b1edfef8d715eba22461443df096e3e19c232fcee6a41a73d8b519d21390e1a22b

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1foor6be.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        6b995863d82db0505f176b34ca518dd5

                        SHA1

                        f837161360ca619128a55432ac0ad993984f6538

                        SHA256

                        04d5907a98098e7e86bc1c76d3036bcc8177082d9a1e1bde841dc1dac9df7f0e

                        SHA512

                        1e73d3310489323e18b9f6a2172e8b18d374e12c90dfec72f537fda8e3343485e9bec843d7c8a8d51c5276fca853ed67fc1b4037bdb38e8abe6efbe41a9ca91a

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1foor6be.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        1KB

                        MD5

                        73beb9fd8d735251d90ba44bf79b675f

                        SHA1

                        5f3b2318ea744057cc7e2821f2b7cd0dd6879101

                        SHA256

                        775e17fa596e66a8b4ecc132c8ca5831ebb246fd497106e3999c1bcdaf954c31

                        SHA512

                        8cdfbba70de557a31ec1cc38fa81ba1dc9e7287fb919f8b662a6ec09e2d61f7ec4f6766da064a0aeea466b8b9069683207aab74013b0142d0a6240305b954c33

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1foor6be.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        3KB

                        MD5

                        f970971d1fa0bee666609d3318fb63e1

                        SHA1

                        67a6defc91ee1dd983475856b99ece1f554a8767

                        SHA256

                        86849c2731dc1dde78509db7eb9aad41f60079ab396242c258139d7624e85877

                        SHA512

                        4296136819eedd1fcc0cf39f2cfa1bc24fbbe17e036749bbe453c74a59d0ac533b6f2f83960157365a0a7078aa89f8f6099a29aa84323d64040628bd52ecc169

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1foor6be.default-release\sessionstore-backups\recovery.jsonlz4
                        Filesize

                        3KB

                        MD5

                        65929d94a04ea38de6398b700dd3c5c5

                        SHA1

                        97e25db6a6310f5cb79a50fd06d5ae382e072081

                        SHA256

                        0c6acc6cc1ad774f12ee93dea279fa0b5eae20d31c85f50bd303d5461806507c

                        SHA512

                        6aba4cfa2bfb997dc6e30bc7d522b93bd047f7f219a64c8aa30420c4adce8b2b6097d3896e633718cf0b1416202e3531035de42f5c22e38f9100eb519d7c10b9

                        Download Submit