0f9765f58fc4389dcd7541172a4454c0f646dbec174e828a64abc9aa19de4990

Analysis

max time kernel
291s
max time network
293s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
14-04-2024 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Muse_Hub.exe
Size

38.2MB
MD5

113b0b7cfcaf7b11d541d6860534ce2c
SHA1

443a0f24974652fd2d081b952061a5e0f386e71a
SHA256

0f9765f58fc4389dcd7541172a4454c0f646dbec174e828a64abc9aa19de4990
SHA512

78f09c46d202d73194f7c648effd03c250a20dc280e07bddb9380128c6077ce86d78da1ce22be1fcc14024a09aa35bd23f9288f1a650d66233b21ddaaa93c9e4
SSDEEP

786432:mt+ooIxXSZFxfPfRLtX630iml6R/YwsNnoPv7pAMVUZ4HG04Rgrk:mt+ooIJsxn1tq30iu6R/vsNnCVUZ4Hl4

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 4 IoCs

Processes:

Muse.Service.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Muse.Service\Muse.Service_Url_zmbqaeottvmi12bkaynsf5cuhyatvbia\eh2pgvne.tmp	Muse.Service.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Muse.Service\Muse.Service_Url_zmbqaeottvmi12bkaynsf5cuhyatvbia\eh2pgvne.newcfg	Muse.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\AppCenter\0fe14c56-ee53-4d93-a380-1e06e7e4cb71\Logs.db	Muse.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\AppCenter\0fe14c56-ee53-4d93-a380-1e06e7e4cb71\Logs.db-journal	Muse.Service.exe

Executes dropped EXE 1 IoCs

Processes:

EXE_NETCORECHECK.EXE

pid process

1876 EXE_NETCORECHECK.EXE

pid	process
1876	EXE_NETCORECHECK.EXE

Modifies data under HKEY_USERS 5 IoCs

Processes:

Muse.Service.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	Muse.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Muse.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	Muse.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	Muse.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Muse.Service.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Muse.Service.exe

pid process

928 Muse.Service.exe
928 Muse.Service.exe
928 Muse.Service.exe
928 Muse.Service.exe
928 Muse.Service.exe
928 Muse.Service.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Muse.Service.exe

description pid process

Token: SeDebugPrivilege 928 Muse.Service.exe
Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

Muse.exeMuse.exeMuse.exe

pid process

3128 Muse.exe
3128 Muse.exe
3128 Muse.exe
3308 Muse.exe
3308 Muse.exe
3308 Muse.exe
4988 Muse.exe
4988 Muse.exe
4988 Muse.exe
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Muse.exeMuse.exeMuse.exe

pid process

3128 Muse.exe
3128 Muse.exe
3308 Muse.exe
3308 Muse.exe
4988 Muse.exe
4988 Muse.exe

pid	process
928	Muse.Service.exe
928	Muse.Service.exe
928	Muse.Service.exe
928	Muse.Service.exe
928	Muse.Service.exe
928	Muse.Service.exe

description	pid	process
Token: SeDebugPrivilege	928	Muse.Service.exe

pid	process
3128	Muse.exe
3128	Muse.exe
3128	Muse.exe
3308	Muse.exe
3308	Muse.exe
3308	Muse.exe
4988	Muse.exe
4988	Muse.exe
4988	Muse.exe

pid	process
3128	Muse.exe
3128	Muse.exe
3308	Muse.exe
3308	Muse.exe
4988	Muse.exe
4988	Muse.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

Muse_Hub.exe

description	pid	process	target process
PID 3388 wrote to memory of 1876	3388	Muse_Hub.exe	EXE_NETCORECHECK.EXE
PID 3388 wrote to memory of 1876	3388	Muse_Hub.exe	EXE_NETCORECHECK.EXE

C:\Users\Admin\AppData\Local\Temp\Muse_Hub.exe
"C:\Users\Admin\AppData\Local\Temp\Muse_Hub.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Users\Admin\AppData\Local\Temp\Muse Installer Temp\EXE_NETCORECHECK.EXE
  -N Microsoft.WindowsDesktop.App -v 6.0.9
  2⤵
  - Executes dropped EXE
  PID:1876

C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.exe
"C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3128

C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.Service.exe
"C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.Service.exe"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.exe
"C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3308

C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.exe
"C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MuseHub\Settings.json

Filesize
443B

MD5
88e76f41904d534a36dc1bdbafe1301a

SHA1
18359fab25536206e6ed0a42417c49a36134c217

SHA256
fe968eb1b766e03bc92ea5a6e4705ebdc8823a21a62e7f892f589bf1de423d7b

SHA512
994d365d1e07645798f8bd3ce83585a974452631e983186fac7f58b50c11c77c9663efd4e41954dfd91814bc590fee77f33a8ac6eb972c13ad37beb202b4ffd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\AppCenter\57a2704a-d76b-4149-8f23-23ebc2757d18\Logs.db

Filesize
12KB

MD5
ca09f11de22ecd1b508535da7466dbd2

SHA1
fab7fb3a17fa696843fa44f594195e7bb09a346a

SHA256
6c321617a7fc340713ee2e009b057cda380533c3a8b438681c9fd2bb6012dfc5

SHA512
6b22266b488f9d354062f949c9d144f2d087d6295ae4548d7d85fb14c344efa9a967c9bc96133c64f5ce15c20200ee885417532ca0589b62c785064924b659d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\AppCenter\57a2704a-d76b-4149-8f23-23ebc2757d18\Logs.db

Filesize
12KB

MD5
a124b1b5f8b098beb4fcbf4241e853b4

SHA1
4bd7a91d24bcb9cfa9593571cb7f574019a32cf2

SHA256
c0c63ca4521a0d8acee2737bfce20c9e4c4817147feacc1dbd9e12e99ad15dcd

SHA512
8933c50524de9626cde84107dd90e3f261d3b0186d4498aabfffb41278e423ccb4927028364d70976a120998d35f3376320a8eeb66622ce1194e9ef3928fa424

Download Submit
C:\Users\Admin\AppData\Local\Muse\Muse_Url_y1g3x15nuysbi5vd1kytm3liz5eysqbp\AppCenter.config

Filesize
199B

MD5
e63864a2127b94de62082af0e7251cda

SHA1
525937e994de048a741827ce30008a2a5765fd24

SHA256
02fb45879624e3f0ca12ca5a0f4cd244c008a65f7b7601e887e54656d7647940

SHA512
9b1bfe6e2165da2f5123dcbea3f5fcf124bf70067bb47524c48ff6cdccdac72351baf18a877275a84e8e226c3a44f587b7d4b2761e517b38eb2f52e32907f594

Download Submit
C:\Users\Admin\AppData\Local\Packages\Muse.MuseHub_rb9pth70m6nz6\LocalCache\Requests\home_apps_1.0.2.800_prod.json

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Muse.MuseHub_rb9pth70m6nz6\LocalCache\Requests\home_hero_apps_1.0.2.800_prod.json

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Packages\Muse.MuseHub_rb9pth70m6nz6\LocalState\Logs\current.txt

Filesize
4KB

MD5
14b9040a11e4114e8ff4370fcbcb6a3c

SHA1
3e190c8ca6979d885bdfcf32276e5a386e0cd601

SHA256
a429952629af2f8b7168b7f44f75222b7076308be0c347e50a5b157bd20772c3

SHA512
1f74938775ae78839b16f6837039618c1413b9a88efa2f3e8c51a6407369652ba9bbd69f4f215fe81af38d910695952e88e8dbb0378994873938ad8c0bad8b6a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Muse.MuseHub_rb9pth70m6nz6\LocalState\Logs\current.txt

Filesize
8KB

MD5
9d3a1ae9955fbb28ab865720d524e88f

SHA1
d4c7698fe2320d66c2afd64851d9284c12bf8016

SHA256
2fd60cdf8dfd709400e85ffb5781353f0df0c6d03358795b719686f537ae05d5

SHA512
e63f0740340e536f406f7d7e744cbf99ffc7021e4a97d9c2a66484158f6e7643c27c93b40ca85851999947bd062130692e958d458ab1efaf1d8048a1362691ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Muse.MuseHub_rb9pth70m6nz6\LocalState\Settings.json

Filesize
45B

MD5
562b412a2e8f3eb12aeccc624ea7f5e6

SHA1
1783851eef9cfa6b3156c4b1fd678910448a75c4

SHA256
30368e7b285063a5ff0f84525b4bdf2b059f04e9ce003e6f1ef239dba4ffdb89

SHA512
4fe70f932fdefeaffcdc5a406a33f73307eff279f71ab155575ac6f9bdbdda837ceda1dca70ac8fc1b0244617dc2adc197c6fa822dc7beda320cd02a6b669eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Muse Installer Temp\EXE_NETCORECHECK.EXE

Filesize
142KB

MD5
3dd50757e38eed3ac598debec6936915

SHA1
ac54862b4de18850d111fe7e08a075f0e812cc89

SHA256
8d8f90ca3adc53d7862e82c72522674d4fee14d2b08566d378e46371d5db7f2a

SHA512
ff84fddf871f660b2b25e7f3b93ab01140d787a1fb167454cadad4e0eec25fd0789afee6bec3dea09de34343de7d3c4030e1282acddcda02e9f40784eb8aea88

Download Submit
memory/928-70-0x00007FF849B30000-0x00007FF84A02E000-memory.dmp

Filesize
5.0MB

Download
memory/928-44-0x00007FF849B30000-0x00007FF84A02E000-memory.dmp

Filesize
5.0MB

Download
memory/3128-64-0x000002A6C93D0000-0x000002A6C94E0000-memory.dmp

Filesize
1.1MB

Download
memory/3128-65-0x00007FF849B30000-0x00007FF84A02E000-memory.dmp

Filesize
5.0MB

Download
memory/3128-36-0x00007FF849B30000-0x00007FF84A02E000-memory.dmp

Filesize
5.0MB

Download
memory/3308-83-0x00007FF849B30000-0x00007FF84A02E000-memory.dmp

Filesize
5.0MB

Download
memory/3308-71-0x00007FF849B30000-0x00007FF84A02E000-memory.dmp

Filesize
5.0MB

Download
memory/4988-88-0x00007FF849B30000-0x00007FF84A02E000-memory.dmp

Filesize
5.0MB

Download
memory/4988-98-0x00007FF849B30000-0x00007FF84A02E000-memory.dmp

Filesize
5.0MB

Download