7c0b9bceed390f7f28135431c09ac51469ee8e2b8095fb36a37315d811d9ba9c

General

Target

MBSetup.exe
Size

2.5MB
MD5

1e885823577394ea61ea89438ffe2954
SHA1

e53e96f7374790bdad8a614949b398b055c3a27b
SHA256

7c0b9bceed390f7f28135431c09ac51469ee8e2b8095fb36a37315d811d9ba9c
SHA512

73f600833dad0047b6444110d722dc95237b38bb486abc7fc8e4f59b69e2154c885fb46d65f488d5139a0b6e76ebde33ea72711c7f58436650ef992fb8995627
SSDEEP

49152:Lw3ye9SPQ1sjDAVj+JeRanStQyfvE0Z3R0nxiIq2ddAsuysSiSF:4yeoCVj+c6KtQRq2ADSiSF

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

MBSetup.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\mbamtestfile.dat MBSetup.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	MBSetup.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MBSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBSetup.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exe

description	ioc	process
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

Processes:

MBSetup.exe

description	ioc	process
File created	C:\Program Files (x86)\mbamtestfile.dat	MBSetup.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\bcac55e0-c4eb-483c-a3a9-c1ef6f783f2d	MBSetup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MBSetup.exe

pid process

4360 MBSetup.exe
4360 MBSetup.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

unregmp2.exe

description pid process

Token: SeShutdownPrivilege 1692 unregmp2.exe
Token: SeCreatePagefilePrivilege 1692 unregmp2.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

MBSetup.exe

pid process

4360 MBSetup.exe
4360 MBSetup.exe

pid	process
4360	MBSetup.exe
4360	MBSetup.exe

description	pid	process
Token: SeShutdownPrivilege	1692	unregmp2.exe
Token: SeCreatePagefilePrivilege	1692	unregmp2.exe

pid	process
4360	MBSetup.exe
4360	MBSetup.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

wmplayer.exeunregmp2.exe

description	pid	process	target process
PID 4192 wrote to memory of 604	4192	wmplayer.exe	setup_wm.exe
PID 4192 wrote to memory of 604	4192	wmplayer.exe	setup_wm.exe
PID 4192 wrote to memory of 604	4192	wmplayer.exe	setup_wm.exe
PID 4192 wrote to memory of 4796	4192	wmplayer.exe	unregmp2.exe
PID 4192 wrote to memory of 4796	4192	wmplayer.exe	unregmp2.exe
PID 4192 wrote to memory of 4796	4192	wmplayer.exe	unregmp2.exe
PID 4796 wrote to memory of 1692	4796	unregmp2.exe	unregmp2.exe
PID 4796 wrote to memory of 1692	4796	unregmp2.exe	unregmp2.exe

C:\Users\Admin\AppData\Local\Temp\MBSetup.exe
"C:\Users\Admin\AppData\Local\Temp\MBSetup.exe"
1⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4360

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s fdPHost
1⤵
PID:608

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3632

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4192

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
2⤵
PID:604

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
2⤵
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\System32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
64KB

MD5
0cd928aab5e139b88446f85a7682911d

SHA1
6038d5be6ef3f3ae468d911eed0f872708dc6383

SHA256
50b37603003e477c28770f1f4636a59530f9622966bd03f87a0d6446d991f57a

SHA512
3d449c10d53fc06639337afd6df700bc776cd5900a48de9e88deef3308b1bca5d4cfe739ecb4bba9fc621f8e09776995615e133eabb19316cf00ddeffd500e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
1KB

MD5
6ebb7da7b58959fcb2c869cc4d7869dd

SHA1
6ecd40348455b6c2a35d1888e5f2c439291e4d95

SHA256
7313c149f0881b854f3eb438985d80807cfd69be33d4a2d8ff75ed3aabfe0293

SHA512
ce365d97fa69fcc1df4effebf26d8e2d024062a6a0d5954e7297a521b628f18703b59219eba3607e5fddaa6138af8fe4afc7b0ae52287a6cf35d66d0deb72902

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads