Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-06-2024 12:16

General

  • Target

    Mocq Epic.exe

  • Size

    306KB

  • MD5

    fa26fae9f733a63cfcdf6fcc3127bb84

  • SHA1

    273e9e1928f10e1bbba028bd52ca21304a96f613

  • SHA256

    0ffdb148ab9c816bf4a643a727e02640878e2c98d4ff2b059e1bb7c3a9dcb48a

  • SHA512

    148d035f0eb05e5f5417ca92a0d7d136e3ad84f58971547757b058fcc7f948a77a6b6666818e5ab093106341688719e19385a5e0749798b8970df8af1be12f32

  • SSDEEP

    6144:mKuAN92+b1/2C5WxGojEydZ9CjuRDi2AyDf8QjT/LPK8/p+upNnVW4XyS3A8:juANX1eCPojEy79CjEDi2AyDf8QjDLPZ

Malware Config

Signatures

  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Mocq Epic.exe
    "C:\Users\Admin\AppData\Local\Temp\Mocq Epic.exe"
    1⤵
    • Disables RegEdit via registry modification
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C reg delete HKCR /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\system32\reg.exe
        reg delete HKCR /f
        3⤵
        PID:2044
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C reg delete HKU /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Windows\system32\reg.exe
        reg delete HKU /f
        3⤵
        PID:2756
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C reg delete HKCC /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\system32\reg.exe
        reg delete HKCC /f
        3⤵
        PID:2936
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2124 -s 1340
      2⤵
      PID:2876

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    Pre-OS Boot (1): T1542
    Bootkit (1): T1542.003
  • Defense Evasion
    Pre-OS Boot (1): T1542
    Bootkit (1): T1542.003

Downloads

  • memory/2124-0-0x000007FEF5203000-0x000007FEF5204000-memory.dmp
    Filesize: 4KB
  • memory/2124-1-0x0000000001180000-0x00000000011D4000-memory.dmp
    Filesize: 336KB
  • memory/2124-2-0x00000000001C0000-0x00000000001D4000-memory.dmp
    Filesize: 80KB
  • memory/2124-3-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
    Filesize: 9.9MB
  • memory/2124-4-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
    Filesize: 9.9MB
  • memory/2124-5-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
    Filesize: 9.9MB
  • memory/2124-6-0x000007FEF5203000-0x000007FEF5204000-memory.dmp
    Filesize: 4KB
  • memory/2124-7-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
    Filesize: 9.9MB
  • memory/2124-8-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
    Filesize: 9.9MB
  • memory/2124-9-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
    Filesize: 9.9MB
  • memory/2124-10-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
    Filesize: 9.9MB
  • memory/2124-11-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
    Filesize: 9.9MB
  • memory/2124-12-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
    Filesize: 9.9MB
  • memory/2124-13-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
    Filesize: 9.9MB
  • memory/2124-14-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
    Filesize: 9.9MB
  • memory/2124-15-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
    Filesize: 9.9MB
  • memory/2124-16-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
    Filesize: 9.9MB
  • memory/2124-17-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
    Filesize: 9.9MB
  • memory/2124-18-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
    Filesize: 9.9MB