377ac497bdeb20e13ea84ca1eab709946535b77d4231007a7646509386a4af33

Analysis

max time kernel
28s
max time network
23s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2024 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MBSetup-4.4.exe
Size

2.5MB
MD5

7ce024e6e2248ee891248469894d8a9c
SHA1

13db96c5e8d67b7f1141d22567741cd45d659c1a
SHA256

377ac497bdeb20e13ea84ca1eab709946535b77d4231007a7646509386a4af33
SHA512

ce5b6e7b7da5d3d00ad1df64006c24c291e24cb63e855855375e52e7a18ea7b3d283fababb79046a59533bcd80d8c18f604d9ace64af7e712f18020e5b351eff
SSDEEP

49152:YXrcUh6gxrxD0Xc3StQyfvE0Z3R0nxiIq2ddIAuSF:4rNRxrxA6KtQRq2SSF

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	MBSetup-4.4.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBSetup-4.4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBSetup-4.4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\mbamtestfile.dat	MBSetup-4.4.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2256	MBSetup-4.4.exe
2256	MBSetup-4.4.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2256	MBSetup-4.4.exe
4700	firefox.exe
4700	firefox.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4700	firefox.exe
4700	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4700	firefox.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 4700	3856	firefox.exe	87
PID 3856 wrote to memory of 4700	3856	firefox.exe	87
PID 3856 wrote to memory of 4700	3856	firefox.exe	87
PID 3856 wrote to memory of 4700	3856	firefox.exe	87
PID 3856 wrote to memory of 4700	3856	firefox.exe	87
PID 3856 wrote to memory of 4700	3856	firefox.exe	87
PID 3856 wrote to memory of 4700	3856	firefox.exe	87
PID 3856 wrote to memory of 4700	3856	firefox.exe	87
PID 3856 wrote to memory of 4700	3856	firefox.exe	87
PID 3856 wrote to memory of 4700	3856	firefox.exe	87
PID 3856 wrote to memory of 4700	3856	firefox.exe	87
PID 4700 wrote to memory of 1828	4700	firefox.exe	90
PID 4700 wrote to memory of 1828	4700	firefox.exe	90
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91
PID 4700 wrote to memory of 2004	4700	firefox.exe	91

C:\Users\Admin\AppData\Local\Temp\MBSetup-4.4.exe
"C:\Users\Admin\AppData\Local\Temp\MBSetup-4.4.exe"
1⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2256

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.0.1953736711\558673801" -parentBuildID 20221007134813 -prefsHandle 1908 -prefMapHandle 1876 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c24cc0a1-6299-4268-984f-c805b4c7007f} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 1988 239d97db558 gpu
    3⤵
    PID:1828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.1.1495100264\673280843" -parentBuildID 20221007134813 -prefsHandle 2356 -prefMapHandle 2368 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fe7b572-2d5c-4678-bbae-495cb21dda4a} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 2380 239d96fae58 socket
    3⤵
    PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads