0f9765f58fc4389dcd7541172a4454c0f646dbec174e828a64abc9aa19de4990

General

Target

Muse_Hub.exe
Size

38.2MB
MD5

113b0b7cfcaf7b11d541d6860534ce2c
SHA1

443a0f24974652fd2d081b952061a5e0f386e71a
SHA256

0f9765f58fc4389dcd7541172a4454c0f646dbec174e828a64abc9aa19de4990
SHA512

78f09c46d202d73194f7c648effd03c250a20dc280e07bddb9380128c6077ce86d78da1ce22be1fcc14024a09aa35bd23f9288f1a650d66233b21ddaaa93c9e4
SSDEEP

786432:mt+ooIxXSZFxfPfRLtX630iml6R/YwsNnoPv7pAMVUZ4HG04Rgrk:mt+ooIJsxn1tq30iu6R/vsNnCVUZ4Hl4

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 4 IoCs

Processes:

Muse.Service.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Muse.Service\Muse.Service_Url_zmbqaeottvmi12bkaynsf5cuhyatvbia\o341x51u.tmp	Muse.Service.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Muse.Service\Muse.Service_Url_zmbqaeottvmi12bkaynsf5cuhyatvbia\o341x51u.newcfg	Muse.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\AppCenter\6b67fdb6-7533-4e62-9480-fd20097d825b\Logs.db	Muse.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\AppCenter\6b67fdb6-7533-4e62-9480-fd20097d825b\Logs.db-journal	Muse.Service.exe

Executes dropped EXE 1 IoCs

Processes:

EXE_NETCORECHECK.EXE

pid process

3492 EXE_NETCORECHECK.EXE

pid	process
3492	EXE_NETCORECHECK.EXE

Modifies data under HKEY_USERS 5 IoCs

Processes:

Muse.Service.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Muse.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	Muse.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	Muse.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Muse.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	Muse.Service.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Muse.Service.exe

pid process

3392 Muse.Service.exe
3392 Muse.Service.exe
3392 Muse.Service.exe
3392 Muse.Service.exe
3392 Muse.Service.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Muse.Service.exe

description pid process

Token: SeDebugPrivilege 3392 Muse.Service.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Muse.exeMuse.exe

pid process

4108 Muse.exe
4108 Muse.exe
4108 Muse.exe
892 Muse.exe
892 Muse.exe
892 Muse.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Muse.exeMuse.exe

pid process

4108 Muse.exe
4108 Muse.exe
892 Muse.exe
892 Muse.exe

pid	process
3392	Muse.Service.exe
3392	Muse.Service.exe
3392	Muse.Service.exe
3392	Muse.Service.exe
3392	Muse.Service.exe

description	pid	process
Token: SeDebugPrivilege	3392	Muse.Service.exe

pid	process
4108	Muse.exe
4108	Muse.exe
4108	Muse.exe
892	Muse.exe
892	Muse.exe
892	Muse.exe

pid	process
4108	Muse.exe
4108	Muse.exe
892	Muse.exe
892	Muse.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

Muse_Hub.exe

description	pid	process	target process
PID 224 wrote to memory of 3492	224	Muse_Hub.exe	EXE_NETCORECHECK.EXE
PID 224 wrote to memory of 3492	224	Muse_Hub.exe	EXE_NETCORECHECK.EXE

C:\Users\Admin\AppData\Local\Temp\Muse_Hub.exe
"C:\Users\Admin\AppData\Local\Temp\Muse_Hub.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\Muse Installer Temp\EXE_NETCORECHECK.EXE
  -N Microsoft.WindowsDesktop.App -v 6.0.9
  2⤵
  - Executes dropped EXE
  PID:3492

C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.exe
"C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4108

C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.Service.exe
"C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.Service.exe"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.exe
"C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MuseHub\Settings.json

Filesize
443B

MD5
88e76f41904d534a36dc1bdbafe1301a

SHA1
18359fab25536206e6ed0a42417c49a36134c217

SHA256
fe968eb1b766e03bc92ea5a6e4705ebdc8823a21a62e7f892f589bf1de423d7b

SHA512
994d365d1e07645798f8bd3ce83585a974452631e983186fac7f58b50c11c77c9663efd4e41954dfd91814bc590fee77f33a8ac6eb972c13ad37beb202b4ffd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\AppCenter\32b48c7e-1c7d-4c93-bfa2-3cce52269210\Logs.db

Filesize
12KB

MD5
39cec3c01cb46c22f1ae62c08ff4c540

SHA1
0347041b862fa66b47d5ba7d468183f2313adade

SHA256
4d45bf332538a9543eafa6122b6ec08cf552e6cc5800750649cfe120c27b7ecb

SHA512
64b94abaea0ab517c955763a7c665448d4567de58947154be7605f160d61612adcf57f088212388060741a6e22640ffd8031225053c4b9ccb241e0e3c03f7159

Download Submit
C:\Users\Admin\AppData\Local\Muse\Muse_Url_y1g3x15nuysbi5vd1kytm3liz5eysqbp\AppCenter.config

Filesize
199B

MD5
a5fdbda5894295a9de5acbf6286ac904

SHA1
72af54a91b3e839a58ecbce48c46479822b619b6

SHA256
5dbbf2ce2b0fcf2b98ddd7f1040662df2dac0c63af1042a52651e93f951f7ef4

SHA512
dd832d085d07472dbfd5361638f1e69cb20d20039faa84bd0731ef19bee9182cfc22738ac9cc5a9543bf122d782a8ef769790fe507124c35dbbf51ae11474a4b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Muse.MuseHub_rb9pth70m6nz6\LocalCache\Requests\home_apps_1.0.2.800_prod.json

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Muse.MuseHub_rb9pth70m6nz6\LocalCache\Requests\home_hero_apps_1.0.2.800_prod.json

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Packages\Muse.MuseHub_rb9pth70m6nz6\LocalState\Logs\current.txt

Filesize
4KB

MD5
acb79312bea6e0253020393ac41a7310

SHA1
24f2dccc282eeb4b76201a52a0bfd2ca84be9f53

SHA256
182a27d059126993266387a2c2be10b5d36789ee2f49f896e93eb4a7e9e94878

SHA512
fa8cee26c3fdf7c3200a8f7fd9caaff2d2135a956cfa9ac67b3457fb3efcd72b5c3f4dd7d067a77e191587e800f06d0e65e104f189e25062d64d17e9d939c483

Download Submit
C:\Users\Admin\AppData\Local\Packages\Muse.MuseHub_rb9pth70m6nz6\LocalState\Settings.json

Filesize
45B

MD5
562b412a2e8f3eb12aeccc624ea7f5e6

SHA1
1783851eef9cfa6b3156c4b1fd678910448a75c4

SHA256
30368e7b285063a5ff0f84525b4bdf2b059f04e9ce003e6f1ef239dba4ffdb89

SHA512
4fe70f932fdefeaffcdc5a406a33f73307eff279f71ab155575ac6f9bdbdda837ceda1dca70ac8fc1b0244617dc2adc197c6fa822dc7beda320cd02a6b669eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Muse Installer Temp\EXE_NETCORECHECK.EXE

Filesize
142KB

MD5
3dd50757e38eed3ac598debec6936915

SHA1
ac54862b4de18850d111fe7e08a075f0e812cc89

SHA256
8d8f90ca3adc53d7862e82c72522674d4fee14d2b08566d378e46371d5db7f2a

SHA512
ff84fddf871f660b2b25e7f3b93ab01140d787a1fb167454cadad4e0eec25fd0789afee6bec3dea09de34343de7d3c4030e1282acddcda02e9f40784eb8aea88

Download Submit
memory/892-78-0x00007FFE64200000-0x00007FFE646FE000-memory.dmp

Filesize
5.0MB

Download
memory/892-90-0x00007FFE64200000-0x00007FFE646FE000-memory.dmp

Filesize
5.0MB

Download
memory/3392-77-0x00007FFE64200000-0x00007FFE646FE000-memory.dmp

Filesize
5.0MB

Download
memory/3392-49-0x00007FFE64200000-0x00007FFE646FE000-memory.dmp

Filesize
5.0MB

Download
memory/4108-72-0x00007FFE64200000-0x00007FFE646FE000-memory.dmp

Filesize
5.0MB

Download
memory/4108-41-0x00007FFE64200000-0x00007FFE646FE000-memory.dmp

Filesize
5.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads