Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 15-06-2024 12:16
Static task: static1
Behavioral task: behavioral1
- Sample: Mocq Epic.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: Mocq Epic.exe
- Resource: win10v2004-20240508-en
General
- Target: Mocq Epic.exe
- Size: 306KB
- MD5: fa26fae9f733a63cfcdf6fcc3127bb84
- SHA1: 273e9e1928f10e1bbba028bd52ca21304a96f613
- SHA256: 0ffdb148ab9c816bf4a643a727e02640878e2c98d4ff2b059e1bb7c3a9dcb48a
- SHA512: 148d035f0eb05e5f5417ca92a0d7d136e3ad84f58971547757b058fcc7f948a77a6b6666818e5ab093106341688719e19385a5e0749798b8970df8af1be12f32
- SSDEEP: 6144:mKuAN92+b1/2C5WxGojEydZ9CjuRDi2AyDf8QjT/LPK8/p+upNnVW4XyS3A8:juANX1eCPojEy79CjEDi2AyDf8QjDLPZ
Malware Config
Signatures
- Disables RegEdit via registry modification (1 IoC)
  Processes:
  description     | ioc                                                                                                                                          | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Mocq Epic.exe
- Disables Task Manager via registry modification
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
  description                   | ioc                 | process
  File opened for modification  | \??\PhysicalDrive0  | Mocq Epic.exe
- Suspicious behavior: EnumeratesProcesses (38 IoCs)
  Processes:
  pid  | process
  2124 | Mocq Epic.exe (same entry reported 38 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description               | pid  | process
  Token: SeDebugPrivilege   | 2124 | Mocq Epic.exe (same entry reported 2 times)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
  pid  | process
  2124 | Mocq Epic.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
  pid  | process
  2124 | Mocq Epic.exe (same entry reported 4 times)
- Suspicious use of WriteProcessMemory (21 IoCs; each row below was reported 3 times)
  Processes:
  description                        | pid  | process        | target process
  PID 2124 wrote to memory of 2148   | 2124 | Mocq Epic.exe  | cmd.exe
  PID 2148 wrote to memory of 2044   | 2148 | cmd.exe        | reg.exe
  PID 2124 wrote to memory of 2676   | 2124 | Mocq Epic.exe  | cmd.exe
  PID 2676 wrote to memory of 2756   | 2676 | cmd.exe        | reg.exe
  PID 2124 wrote to memory of 2760   | 2124 | Mocq Epic.exe  | cmd.exe
  PID 2760 wrote to memory of 2936   | 2760 | cmd.exe        | reg.exe
  PID 2124 wrote to memory of 2876   | 2124 | Mocq Epic.exe  | WerFault.exe
Processes (process tree; indentation shows parent/child depth)
- [1] C:\Users\Admin\AppData\Local\Temp\Mocq Epic.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Mocq Epic.exe"
  - Disables RegEdit via registry modification
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    Command line: "cmd.exe" /C reg delete HKCR /f
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\reg.exe
      Command line: reg delete HKCR /f
  - [2] C:\Windows\system32\cmd.exe
    Command line: "cmd.exe" /C reg delete HKU /f
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\reg.exe
      Command line: reg delete HKU /f
  - [2] C:\Windows\system32\cmd.exe
    Command line: "cmd.exe" /C reg delete HKCC /f
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\reg.exe
      Command line: reg delete HKCC /f
  - [2] C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2124 -s 1340
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (memory dumps of PID 2124)
dump                                                             | filesize
memory/2124-0-0x000007FEF5203000-0x000007FEF5204000-memory.dmp   | 4KB
memory/2124-1-0x0000000001180000-0x00000000011D4000-memory.dmp   | 336KB
memory/2124-2-0x00000000001C0000-0x00000000001D4000-memory.dmp   | 80KB
memory/2124-3-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp   | 9.9MB
memory/2124-4-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp   | 9.9MB
memory/2124-5-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp   | 9.9MB
memory/2124-6-0x000007FEF5203000-0x000007FEF5204000-memory.dmp   | 4KB
memory/2124-7-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp   | 9.9MB
memory/2124-8-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp   | 9.9MB
memory/2124-9-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp   | 9.9MB
memory/2124-10-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp  | 9.9MB
memory/2124-11-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp  | 9.9MB
memory/2124-12-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp  | 9.9MB
memory/2124-13-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp  | 9.9MB
memory/2124-14-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp  | 9.9MB
memory/2124-15-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp  | 9.9MB
memory/2124-16-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp  | 9.9MB
memory/2124-17-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp  | 9.9MB
memory/2124-18-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp  | 9.9MB