Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-02-2024 02:23

General

  • Target

    MBSetup.exe

  • Size

    2.5MB

  • MD5

    7ce024e6e2248ee891248469894d8a9c

  • SHA1

    13db96c5e8d67b7f1141d22567741cd45d659c1a

  • SHA256

    377ac497bdeb20e13ea84ca1eab709946535b77d4231007a7646509386a4af33

  • SHA512

    ce5b6e7b7da5d3d00ad1df64006c24c291e24cb63e855855375e52e7a18ea7b3d283fababb79046a59533bcd80d8c18f604d9ace64af7e712f18020e5b351eff

  • SSDEEP

    49152:YXrcUh6gxrxD0Xc3StQyfvE0Z3R0nxiIq2ddIAuSF:4rNRxrxA6KtQRq2SSF

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 1 IoCs
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\MBSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\MBSetup.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks BIOS information in registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:4660
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4864
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1596.0.2052535137\919991497" -parentBuildID 20221007134813 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7dd11d3-9e6f-4af5-af28-8cc7be76f0e1} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" 1996 1e8c24ef458 gpu
        3⤵
        PID:3460
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1596.1.668282491\1930540360" -parentBuildID 20221007134813 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d43897d4-0e6b-4650-bb09-17dd8d1d246a} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" 2392 1e8c1fe4458 socket
        3⤵
        • Checks processor information in registry
        PID:2420
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1596.2.1576357391\306834714" -childID 1 -isForBrowser -prefsHandle 1644 -prefMapHandle 3236 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b90d93fe-b7e0-4e9f-b04c-2b874e2f68ef} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" 2972 1e8c619e058 tab
        3⤵
        PID:2820
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1596.3.726284669\1701759668" -childID 2 -isForBrowser -prefsHandle 3616 -prefMapHandle 3612 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57e358dc-572a-4247-9f8e-947bfe2c3262} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" 3628 1e8b5860d58 tab
        3⤵
        PID:2568
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1596.4.1736207255\992389320" -childID 3 -isForBrowser -prefsHandle 4564 -prefMapHandle 3932 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a0c1b76-fffe-4a63-a56f-84aa4d42f410} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" 4592 1e8c83da458 tab
        3⤵
        PID:3228
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1596.7.1615030409\1195783095" -childID 6 -isForBrowser -prefsHandle 5364 -prefMapHandle 5368 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d13754c-8092-468a-acea-c3c61cd77d72} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" 5356 1e8c87ea058 tab
        3⤵
        PID:4280
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1596.6.171510550\136871124" -childID 5 -isForBrowser -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77ba09fd-ec2c-422f-8afc-546409a1513a} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" 5256 1e8c871eb58 tab
        3⤵
        PID:2180
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1596.5.1481335314\1000791373" -childID 4 -isForBrowser -prefsHandle 5020 -prefMapHandle 5016 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d27de1db-b0ab-46b1-9f78-d273a592d8a5} 1596 "\\.\pipe\gecko-crash-server-pipe.1596" 5032 1e8c614d858 tab
        3⤵
        PID:5112

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\datareporting\glean\db\data.safe.bin

    Filesize

    9KB

    MD5

    d804a6cce65057fb4e56288ff79749a0

    SHA1

    15ae776afb407dc84b05bae4d99135e96bb4db7f

    SHA256

    b7937463608bf184343817196b5be86ae4db81d92ec92c15245bab319a7764eb

    SHA512

    af5e1ab66240dab6956842bcf125cd491ae6fdff9974731d0e53185fd7a877343b34fad4ba25926ea3ecf125185c9dc61dd68d5083a6bc4163af3cb0e3f8309a

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\datareporting\glean\pending_pings\3aa4f6aa-c109-4997-8748-3ed206fc5e64

    Filesize

    734B

    MD5

    6619302088546383f7c06faffd889348

    SHA1

    bfcfbcc5f2cf75cafbf5406111bd3f853d06d64b

    SHA256

    d78388f404745848aac38f7ee1b5a03ba6042c88891edf74e0fc0dce4e9cd232

    SHA512

    1d71b65b576014e0ebf760568a7d8ce92469a40d6fe5b2d1d90d2e9896457a4be18f14d5ba9596b3dcfc8675a7dc4ae9da6324c63acf74c7327a42220764aa53

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\prefs.js

    Filesize

    6KB

    MD5

    202faf9f9c7d97f8952c36665b493c49

    SHA1

    6b33d4e98f5b8825f6cffb0a74357bfe25b9f589

    SHA256

    83951b1ed830f97964f30270960844fb95aecee12b718ad9d931e81179fc2f73

    SHA512

    a64c1402ffa7b13b1b0a9769c20380fe8c245877620d892db997d8ad27c0c6fe564a2b928d909170cd06dc2df29b3336445bcd8201a244633fe7806cfbe50cb8

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\prefs.js

    Filesize

    6KB

    MD5

    918326a620d9a35ef10455806412e638

    SHA1

    3e5631403392ad9524a3c5b9d403c8a729a235e0

    SHA256

    99b5594018ca1d7860228db5c4a6d5a3fb458da5a71b863777a14107c572e02e

    SHA512

    f4f42d23fb375fd83cbaee49fdc9da3d925df7d6d43db566cd94a8836703b65004034fcfcacbf89bd80482e62813ab97750db30593fdf88c8f0709a8056511ab

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\sessionstore.jsonlz4

    Filesize

    883B

    MD5

    c97907332e25e0a6391f7a619994bf10

    SHA1

    d8eecb64e8127ae321b279470e059b63c9b7faf0

    SHA256

    80ce8ab442a0d1afffa35a99a8e31fceec6a14c8a9d8bf09b3942bf397fef398

    SHA512

    bbd0482520ceed240616efe3b54458572d9a665a69b6d3d252dc9619905243c26b0509bcad8614cb8da628ffb92bac4ed6db01aef0f16f48670eaf7ac2fe3261