Analysis
- max time kernel: 272s
- max time network: 197s
- platform: windows10-1703_x64
- resource: win10-20231129-es
- resource tags: arch:x64, arch:x86, image:win10-20231129-es, locale:es-es, os:windows10-1703-x64, system, windows
- submitted: 04-12-2023 09:11
- Static task: static1
- Behavioral task: behavioral1 (Sample: MBSetup.exe, Resource: win10-20231129-es)
General
- Target: MBSetup.exe
- Size: 2.5MB
- MD5: 1e885823577394ea61ea89438ffe2954
- SHA1: e53e96f7374790bdad8a614949b398b055c3a27b
- SHA256: 7c0b9bceed390f7f28135431c09ac51469ee8e2b8095fb36a37315d811d9ba9c
- SHA512: 73f600833dad0047b6444110d722dc95237b38bb486abc7fc8e4f59b69e2154c885fb46d65f488d5139a0b6e76ebde33ea72711c7f58436650ef992fb8995627
- SSDEEP: 49152:Lw3ye9SPQ1sjDAVj+JeRanStQyfvE0Z3R0nxiIq2ddAsuysSiSF:4yeoCVj+c6KtQRq2ADSiSF
Malware Config
Signatures
- Drops file in Drivers directory (1 IoC)
  Process: MBSetup.exe
  File created: C:\Windows\SysWOW64\drivers\mbamtestfile.dat
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Process: MBSetup.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: unregmp2.exe
  File opened (read-only), in the order recorded: \??\A:, \??\H:, \??\K:, \??\L:, \??\N:, \??\P:, \??\E:, \??\M:, \??\R:, \??\U:, \??\W:, \??\X:, \??\B:, \??\I:, \??\J:, \??\Q:, \??\S:, \??\V:, \??\G:, \??\O:, \??\T:, \??\Y:, \??\Z:
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (2 IoCs)
  Process: MBSetup.exe
  File created: C:\Program Files (x86)\mbamtestfile.dat
  File created: C:\Program Files\Malwarebytes\Anti-Malware\bcac55e0-c4eb-483c-a3a9-c1ef6f783f2d
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: MBSetup.exe (PID 4360), recorded twice
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Process: unregmp2.exe (PID 1692)
  Token: SeShutdownPrivilege
  Token: SeCreatePagefilePrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Process: MBSetup.exe (PID 4360), recorded twice
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: wmplayer.exe, unregmp2.exe
  PID 4192 (wmplayer.exe) wrote to memory of PID 604 (setup_wm.exe), recorded 3 times
  PID 4192 (wmplayer.exe) wrote to memory of PID 4796 (unregmp2.exe), recorded 3 times
  PID 4796 (unregmp2.exe) wrote to memory of PID 1692 (unregmp2.exe), recorded 2 times
Processes (tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\MBSetup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MBSetup.exe"
  PID: 4360
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localservice -s fdPHost
  PID: 608
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3632
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
  PID: 4192
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Windows Media Player\setup_wm.exe
    Command line: "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
    PID: 604
  - C:\Windows\SysWOW64\unregmp2.exe
    Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    PID: 4796
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\unregmp2.exe
      Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      PID: 1692
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
  Filesize: 64KB
  MD5: 0cd928aab5e139b88446f85a7682911d
  SHA1: 6038d5be6ef3f3ae468d911eed0f872708dc6383
  SHA256: 50b37603003e477c28770f1f4636a59530f9622966bd03f87a0d6446d991f57a
  SHA512: 3d449c10d53fc06639337afd6df700bc776cd5900a48de9e88deef3308b1bca5d4cfe739ecb4bba9fc621f8e09776995615e133eabb19316cf00ddeffd500e19
- C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
  Filesize: 9KB
  MD5: 7050d5ae8acfbe560fa11073fef8185d
  SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
  SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
  SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
- C:\Users\Admin\AppData\Local\Temp\wmsetup.log
  Filesize: 1KB
  MD5: 6ebb7da7b58959fcb2c869cc4d7869dd
  SHA1: 6ecd40348455b6c2a35d1888e5f2c439291e4d95
  SHA256: 7313c149f0881b854f3eb438985d80807cfd69be33d4a2d8ff75ed3aabfe0293
  SHA512: ce365d97fa69fcc1df4effebf26d8e2d024062a6a0d5954e7297a521b628f18703b59219eba3607e5fddaa6138af8fe4afc7b0ae52287a6cf35d66d0deb72902