0f9765f58fc4389dcd7541172a4454c0f646dbec174e828a64abc9aa19de4990

General

Target

Muse_Hub.exe
Size

38.2MB
MD5

113b0b7cfcaf7b11d541d6860534ce2c
SHA1

443a0f24974652fd2d081b952061a5e0f386e71a
SHA256

0f9765f58fc4389dcd7541172a4454c0f646dbec174e828a64abc9aa19de4990
SHA512

78f09c46d202d73194f7c648effd03c250a20dc280e07bddb9380128c6077ce86d78da1ce22be1fcc14024a09aa35bd23f9288f1a650d66233b21ddaaa93c9e4
SSDEEP

786432:mt+ooIxXSZFxfPfRLtX630iml6R/YwsNnoPv7pAMVUZ4HG04Rgrk:mt+ooIJsxn1tq30iu6R/vsNnCVUZ4Hl4

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Muse.Service\Muse.Service_Url_zmbqaeottvmi12bkaynsf5cuhyatvbia\ra2iyzd1.tmp	Muse.Service.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Muse.Service\Muse.Service_Url_zmbqaeottvmi12bkaynsf5cuhyatvbia\ra2iyzd1.newcfg	Muse.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\AppCenter\5f79de6d-d66c-4ae8-82e4-0161b26cc05b\Logs.db	Muse.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\AppCenter\5f79de6d-d66c-4ae8-82e4-0161b26cc05b\Logs.db-journal	Muse.Service.exe

Executes dropped EXE 1 IoCs

pid	Process
3568	EXE_NETCORECHECK.EXE

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	Muse.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Muse.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	Muse.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	Muse.Service.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Muse.Service.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
832	Muse.Service.exe
832	Muse.Service.exe
832	Muse.Service.exe
832	Muse.Service.exe
832	Muse.Service.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	832	Muse.Service.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
4440	Muse.exe
4440	Muse.exe
4440	Muse.exe
4160	Muse.exe
4160	Muse.exe
4160	Muse.exe
2200	Muse.exe
2200	Muse.exe
2200	Muse.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4440	Muse.exe
4440	Muse.exe
4160	Muse.exe
4160	Muse.exe
2200	Muse.exe
2200	Muse.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 3568	1556	Muse_Hub.exe	84
PID 1556 wrote to memory of 3568	1556	Muse_Hub.exe	84

C:\Users\Admin\AppData\Local\Temp\Muse_Hub.exe
"C:\Users\Admin\AppData\Local\Temp\Muse_Hub.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\Muse Installer Temp\EXE_NETCORECHECK.EXE
  -N Microsoft.WindowsDesktop.App -v 6.0.9
  2⤵
  - Executes dropped EXE
  PID:3568

C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.exe
"C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4440

C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.Service.exe
"C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.Service.exe"
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.exe
"C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4160

C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.exe
"C:\Program Files\WindowsApps\Muse.MuseHub_1.0.2.800_x64__rb9pth70m6nz6\Muse.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MuseHub\Settings.json

Filesize
443B

MD5
88e76f41904d534a36dc1bdbafe1301a

SHA1
18359fab25536206e6ed0a42417c49a36134c217

SHA256
fe968eb1b766e03bc92ea5a6e4705ebdc8823a21a62e7f892f589bf1de423d7b

SHA512
994d365d1e07645798f8bd3ce83585a974452631e983186fac7f58b50c11c77c9663efd4e41954dfd91814bc590fee77f33a8ac6eb972c13ad37beb202b4ffd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\AppCenter\434786df-97ba-426e-abc4-a0a69c9e6ed2\Logs.db

Filesize
12KB

MD5
0b871bf61b0c0a9219c12ef50a54c044

SHA1
56e16d320652decd1d7ba8cd8c0746aa8ca1e90c

SHA256
eada03e0b69d44521e90fe691dcdffc7a1805089365fa0ec43fff7bb79350f53

SHA512
8e76c7ca621d225f4d1b7a9cc75de125392b92ce3ce835bad020e97bf9d455c71554dc5baf98eba052c5d0a8e1fdeaab990a34fefc3f3a85610bd61626e0289c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\AppCenter\434786df-97ba-426e-abc4-a0a69c9e6ed2\Logs.db

Filesize
12KB

MD5
78f704035407720310c3a47a6514117a

SHA1
135feb2da2b2e179714e78241e1c445958e98c55

SHA256
3fa0b781d912aafb920c712f4646ffe09404d58c660ca51b81af88aee18b9798

SHA512
1b19ef254995a28afd19de01b32b8d088113046da73a064f2c89e293aa278fffc9386d40dfbd0acbe81bd2e1fb4b1177dc902bafcdd8d76106f6c1bc28dd51cb

Download Submit
C:\Users\Admin\AppData\Local\Muse\Muse_Url_y1g3x15nuysbi5vd1kytm3liz5eysqbp\AppCenter.config

Filesize
199B

MD5
b59502e43b98fd076a05aad109dfad50

SHA1
5c565ebb667d4277f9470b8972c9d8893f7e224e

SHA256
6c55adfef92c04fb94f40484cb6923941c753259b0550e58f532bb73b56b1948

SHA512
ecadb4d12ccc3cde53089c368a3675c406c339dfa83654883d7adeb49ff6a84811b32b4cf842769529e6f9a18f54a34455f892f18d266a022615f51298ba8f26

Download Submit
C:\Users\Admin\AppData\Local\Packages\Muse.MuseHub_rb9pth70m6nz6\LocalState\Logs\current.txt

Filesize
4KB

MD5
2643ddf4c403e5b7f14e2c8484d37f87

SHA1
d44bd19f7553cd9014bcc67b1b31685581c4736c

SHA256
ef9e6e6b93afef076513170437633b6b0d894d895b9388f093263ff8f5ad2719

SHA512
d63991fdb82dc3450e15a9ff8ff4ddf3df2c92bac4711ca685f7f29a44a1867fddb9574c27679f78c86edebba0627887b36e9eb1196f2458ecd23e0937781875

Download Submit
C:\Users\Admin\AppData\Local\Packages\Muse.MuseHub_rb9pth70m6nz6\LocalState\Logs\current.txt

Filesize
8KB

MD5
cfd0f9c58bbf5e8bbda17d4a8b2f2c6f

SHA1
5af0773157e1070c900ac677d01b57f79fc0c604

SHA256
89e2f3d6a87c5c3674507919237c27ed64f478a6c70b4157656877527ea5e2ef

SHA512
bea2f7542ce4a00cb9cf6452d3d7c81814293130133931a5fdd963d46357d8d5c177670f8d662f98f2249c968220d4ab2e09a3043101a175fc1a203d607264bc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Muse.MuseHub_rb9pth70m6nz6\LocalState\Settings.json

Filesize
45B

MD5
562b412a2e8f3eb12aeccc624ea7f5e6

SHA1
1783851eef9cfa6b3156c4b1fd678910448a75c4

SHA256
30368e7b285063a5ff0f84525b4bdf2b059f04e9ce003e6f1ef239dba4ffdb89

SHA512
4fe70f932fdefeaffcdc5a406a33f73307eff279f71ab155575ac6f9bdbdda837ceda1dca70ac8fc1b0244617dc2adc197c6fa822dc7beda320cd02a6b669eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Muse Installer Temp\EXE_NETCORECHECK.EXE

Filesize
142KB

MD5
3dd50757e38eed3ac598debec6936915

SHA1
ac54862b4de18850d111fe7e08a075f0e812cc89

SHA256
8d8f90ca3adc53d7862e82c72522674d4fee14d2b08566d378e46371d5db7f2a

SHA512
ff84fddf871f660b2b25e7f3b93ab01140d787a1fb167454cadad4e0eec25fd0789afee6bec3dea09de34343de7d3c4030e1282acddcda02e9f40784eb8aea88

Download Submit
memory/4160-79-0x0000020EB3A70000-0x0000020EB3B80000-memory.dmp

Filesize
1.1MB

Download
memory/4440-62-0x0000020AF0690000-0x0000020AF07B0000-memory.dmp

Filesize
1.1MB

Download
memory/4440-63-0x0000020AF12A0000-0x0000020AF13B0000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing