Analysis Overview
SHA256
0ffdb148ab9c816bf4a643a727e02640878e2c98d4ff2b059e1bb7c3a9dcb48a
Threat Level: Likely malicious
The file Mocq Epic.exe (SHA256 above) was found to be: Likely malicious. The verdict rests on the Windows 7 run (behavioral1), where the sample set DisableRegistryTools = 1 under the user's Policies\System key, opened \??\PhysicalDrive0 for modification (a raw write to sector 0, i.e. the MBR), and spawned cmd.exe /C reg delete HKCR /f, HKU /f and HKCC /f to delete entire registry hives; WerFault.exe was then launched with -p 2124, the PID whose memory regions are dumped under Files, indicating a crash in the sample's own process. In the Windows 10 run (behavioral2), every signature that names a process names LogonUI.exe, taskmgr.exe or AUDIODG.EXE rather than the sample.
Malicious Activity Summary
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Writes to the Master Boot Record (MBR)
Drops file in Windows directory
Unsigned PE
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-15 12:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 12:16
Reported
2024-06-15 12:19
Platform
win7-20240611-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\Mocq Epic.exe | N/A |
Disables Task Manager via registry modification
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\Mocq Epic.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mocq Epic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mocq Epic.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mocq Epic.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mocq Epic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mocq Epic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mocq Epic.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mocq Epic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Mocq Epic.exe
"C:\Users\Admin\AppData\Local\Temp\Mocq Epic.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C reg delete HKCR /f
C:\Windows\system32\reg.exe
reg delete HKCR /f
C:\Windows\system32\cmd.exe
"cmd.exe" /C reg delete HKU /f
C:\Windows\system32\reg.exe
reg delete HKU /f
C:\Windows\system32\cmd.exe
"cmd.exe" /C reg delete HKCC /f
C:\Windows\system32\reg.exe
reg delete HKCC /f
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2124 -s 1340
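The process tree above shows the sample wrapping each hive deletion in cmd.exe /C, so a detection keyed only on the reg.exe image would see it twice and one keyed only on the sample image would miss it. The following is an added triage example by the editor, not code from the sandbox or from the sample: it evaluates constructed Sysmon-style events that mirror the behavioral1 indicators (policy value write, raw-disk open, reg delete of a root hive) and returns the matching findings. The event dict layout, the ATT&CK v13 mapping and the sample event list are the editor's assumptions; the rules also cover HKLM/HKCU and PhysicalDriveN beyond the specific hives and drive seen here.

```python
"""Triage rules for the behaviours recorded in the behavioral1 run.

Added example (editor's code, not the sandbox report's). Evaluates constructed
Sysmon-style events and returns findings keyed like the report's signatures.
The event layout (type/image/path/value/cmdline/write) and the ATT&CK mapping
are assumptions, not anything the report states.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Policy values under ...\Policies\System that disable admin tools when set to 1.
POLICY_VALUES = {
    "disableregistrytools": "Disables RegEdit via registry modification",
    "disabletaskmgr": "Disables Task Manager via registry modification",
}
POLICY_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\policies\\system\\([^\\]+)$",
    re.IGNORECASE,
)

# Root hives: `reg delete <hive> /f` with no subkey tries to wipe the whole hive.
ROOT_HIVES = {
    "HKCR", "HKCU", "HKLM", "HKU", "HKCC",
    "HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE",
    "HKEY_USERS", "HKEY_CURRENT_CONFIG",
}

# \??\PhysicalDriveN (NT form) or \\.\PhysicalDriveN (Win32 form); a write
# through either reaches sector 0, the MBR.
RAW_DISK_RE = re.compile(r"^(\\\?\?\\|\\\\\.\\)PhysicalDrive\d+$", re.IGNORECASE)

HIVE_DELETE = "Deletes an entire registry hive via reg.exe"
MBR_WRITE = "Writes to the Master Boot Record (MBR)"

# Editor's ATT&CK v13 mapping for the findings (assumption, not the report's).
ATTACK = {
    "Disables RegEdit via registry modification": ["T1112", "T1562.001"],
    "Disables Task Manager via registry modification": ["T1112", "T1562.001"],
    MBR_WRITE: ["T1561.002"],
    HIVE_DELETE: ["T1485", "T1112"],
}


def reg_delete_root_hive(cmdline: str) -> Optional[str]:
    """Return the hive if cmdline runs `reg delete <root hive> [/flags]`, else None.

    Matches the wrapping cmd.exe line ("cmd.exe" /C reg delete HKCR /f) as well
    as the reg.exe line itself; a target with a subkey (HKCU\\Software\\X) is
    ordinary housekeeping and is ignored.
    """
    parts = cmdline.split()
    for i in range(1, len(parts) - 1):
        prev = parts[i - 1].strip('"').lower()
        if parts[i].lower() != "delete" or not prev.endswith(("reg", "reg.exe")):
            continue
        target = parts[i + 1].strip('"')
        flags = parts[i + 2:]
        if target.upper() in ROOT_HIVES and all(f.startswith("/") for f in flags):
            return target.upper()
    return None


def classify_event(ev: dict) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs an event triggers (possibly none)."""
    found: List[Tuple[str, str]] = []
    kind = ev.get("type")
    if kind == "RegistrySet":
        m = POLICY_KEY_RE.search(ev.get("path", ""))
        if m and ev.get("value") == 1:
            label = POLICY_VALUES.get(m.group(1).lower())
            if label:
                found.append((label, ev["path"]))
    elif kind == "ProcessCreate":
        hive = reg_delete_root_hive(ev.get("cmdline", ""))
        if hive:
            found.append((HIVE_DELETE, hive))
    elif kind == "FileOpen":
        if ev.get("write") and RAW_DISK_RE.match(ev.get("path", "")):
            found.append((MBR_WRITE, ev["path"]))
    return found


def triage(events: Iterable[dict]) -> Dict[str, Set[Tuple[str, str]]]:
    """Map each finding to the set of (process image, detail) that produced it."""
    out: Dict[str, Set[Tuple[str, str]]] = {}
    for ev in events:
        for finding, detail in classify_event(ev):
            out.setdefault(finding, set()).add((ev.get("image", "?"), detail))
    return out


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Mocq Epic.exe"
# Constructed events mirroring the behavioral1 run, plus two benign controls.
EVENTS = [
    {"type": "RegistrySet", "image": SAMPLE, "value": 1,
     "path": r"\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000"
             r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"},
    {"type": "FileOpen", "image": SAMPLE, "path": r"\??\PhysicalDrive0", "write": True},
    {"type": "ProcessCreate", "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"cmd.exe" /C reg delete HKCR /f'},
    {"type": "ProcessCreate", "image": r"C:\Windows\system32\reg.exe", "cmdline": "reg delete HKU /f"},
    {"type": "ProcessCreate", "image": r"C:\Windows\system32\reg.exe", "cmdline": "reg delete HKCC /f"},
    {"type": "ProcessCreate", "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r"reg delete HKCU\Software\Vendor\Stale /f"},          # subkey: benign
    {"type": "RegistrySet", "image": SAMPLE, "value": 0,                 # re-enabling: benign
     "path": r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"},
]

if __name__ == "__main__":
    for finding, hits in triage(EVENTS).items():
        print(f"{finding} [{', '.join(ATTACK[finding])}]")
        for image, detail in sorted(hits):
            print(f"    {image} -> {detail}")
```

The reg delete rule keys on the argument shape rather than on the child image, so the cmd.exe wrapper and the reg.exe child both resolve to the same hive and are deduplicated by triage(); a subkey target never fires, which keeps routine cleanup scripts out of the alert.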
Network
Files
memory/2124-0-0x000007FEF5203000-0x000007FEF5204000-memory.dmp
memory/2124-1-0x0000000001180000-0x00000000011D4000-memory.dmp
memory/2124-2-0x00000000001C0000-0x00000000001D4000-memory.dmp
memory/2124-3-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
memory/2124-4-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
memory/2124-5-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
memory/2124-6-0x000007FEF5203000-0x000007FEF5204000-memory.dmp
memory/2124-7-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
memory/2124-8-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
memory/2124-9-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
memory/2124-10-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
memory/2124-11-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
memory/2124-12-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
memory/2124-13-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
memory/2124-14-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
memory/2124-15-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
memory/2124-16-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
memory/2124-17-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
memory/2124-18-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp
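The "File opened for modification \??\PhysicalDrive0" indicator in this run tells you the sample had a write handle to the raw disk, not what it wrote; on a real host the follow-up is to pull sector 0 and compare it with a known-good copy. The block below is an added example by the editor, not part of the sandbox report or of the sample: it parses a 512-byte sector-0 image, checks the 0x55AA boot signature and the partition table, and compares the boot-code area against a baseline hash. The sector images are constructed, and the device name and baseline hash are assumptions.

```python
"""Check a disk's first sector for signs of an MBR overwrite.

Added example (editor's code, not the sandbox report's). Parses a 512-byte
sector-0 image, validates the boot signature and partition table, and compares
the boot code with a baseline hash from a clean machine. The sector images are
constructed; the device name and the baseline hash are assumptions.
"""
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR = 512
BOOTCODE_LEN = 440            # bytes 0..439 boot code; 440..443 disk signature; 444..445 reserved
PTABLE_OFF = 446              # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_partitions(sector: bytes) -> List[Dict]:
    """Decode the four primary partition entries (LBA fields only; CHS ignored)."""
    if len(sector) != SECTOR:
        raise ValueError("sector image must be exactly 512 bytes")
    entries = []
    for i in range(4):
        boot, _chs1, ptype, _chs2, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PTABLE_OFF + 16 * i)
        entries.append({"index": i, "boot_flag": boot, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries


def check_sector0(sector: bytes, baseline_bootcode_sha256: Optional[str] = None) -> Dict:
    """Return a verdict: problems found, boot-code hash and decoded partitions."""
    problems: List[str] = []
    if len(sector) != SECTOR:
        return {"ok": False, "problems": ["sector image is not 512 bytes"],
                "bootcode_sha256": None, "partitions": []}
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("missing 0x55AA boot signature")
    parts = parse_partitions(sector)
    for p in parts:
        if p["boot_flag"] not in (0x00, 0x80):
            problems.append(f"partition {p['index']}: invalid boot flag 0x{p['boot_flag']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:
            problems.append(f"partition {p['index']}: type 0x{p['type']:02x} with zero length")
    if all(p["type"] == 0 for p in parts):
        problems.append("partition table is empty")
    code = sector[:BOOTCODE_LEN]
    if not any(code):
        problems.append("boot code is all zeros")
    digest = hashlib.sha256(code).hexdigest()
    # A bootlocker-style MBR keeps a valid signature and table and only swaps
    # the code, so the structural checks alone pass; the baseline catches it.
    if baseline_bootcode_sha256 and digest != baseline_bootcode_sha256:
        problems.append("boot code differs from baseline")
    return {"ok": not problems, "problems": problems,
            "bootcode_sha256": digest, "partitions": parts}


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 from a raw device (Windows, needs Administrator). Not called here."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def _entry(boot: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


# Constructed sector images (not taken from the sample or the sandbox).
_GOOD_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOTCODE_LEN, b"\x90")
_TABLE = _entry(0x80, 0x07, 2048, 204800) + _entry(0, 0, 0, 0) * 3
GOOD_SECTOR = _GOOD_CODE + b"\x12\x34\x56\x78" + b"\x00\x00" + _TABLE + BOOT_SIGNATURE
ZERO_SECTOR = b"\x00" * SECTOR                      # sector 0 wiped outright
LOCKER_SECTOR = (b"\xB8\x13\x00YOUR PC IS LOCKED".ljust(BOOTCODE_LEN, b"\x00")
                 + GOOD_SECTOR[BOOTCODE_LEN:])      # code replaced, table intact
BASELINE = hashlib.sha256(_GOOD_CODE).hexdigest()   # assumed: recorded from a clean host

if __name__ == "__main__":
    for name, sec in (("good", GOOD_SECTOR), ("zeroed", ZERO_SECTOR), ("locker", LOCKER_SECTOR)):
        v = check_sector0(sec, BASELINE)
        print(f"{name}: ok={v['ok']} problems={v['problems']}")
```

Record the boot-code hash of a known-good image before an incident (or take it from a gold build); without it the locker case above passes every structural check, which is exactly the gap a signature-only MBR check leaves.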
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 12:16
Reported
2024-06-15 12:20
Platform
win10v2004-20240508-en
Max time kernel
236s
Max time network
240s
Command Line
Signatures
Note: every signature below that names a process names LogonUI.exe, taskmgr.exe or AUDIODG.EXE, Windows components active in the sandbox, not Mocq Epic.exe, and the only network event in this run is a reverse DNS query for 8.8.8.8 itself; this run therefore adds no evidence of the sample's own behaviour, which comes from behavioral1.
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\2229298842\2409923810.pri | C:\Windows\system32\LogonUI.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "95" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Mocq Epic.exe
"C:\Users\Admin\AppData\Local\Temp\Mocq Epic.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x390
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3903055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/2236-0-0x00007FFCFA0A3000-0x00007FFCFA0A5000-memory.dmp
memory/2236-1-0x0000000000710000-0x0000000000764000-memory.dmp
memory/2236-2-0x0000000000F10000-0x0000000000F24000-memory.dmp
memory/2236-3-0x00007FFCFA0A0000-0x00007FFCFAB61000-memory.dmp
memory/2236-4-0x00007FFCFA0A0000-0x00007FFCFAB61000-memory.dmp
memory/2236-5-0x00007FFCFA0A3000-0x00007FFCFA0A5000-memory.dmp
memory/2236-6-0x00007FFCFA0A0000-0x00007FFCFAB61000-memory.dmp
memory/2236-7-0x00007FFCFA0A0000-0x00007FFCFAB61000-memory.dmp
memory/1768-8-0x0000021ADDDC0000-0x0000021ADDDC1000-memory.dmp
memory/1768-10-0x0000021ADDDC0000-0x0000021ADDDC1000-memory.dmp
memory/1768-9-0x0000021ADDDC0000-0x0000021ADDDC1000-memory.dmp
memory/1768-16-0x0000021ADDDC0000-0x0000021ADDDC1000-memory.dmp
memory/1768-20-0x0000021ADDDC0000-0x0000021ADDDC1000-memory.dmp
memory/1768-19-0x0000021ADDDC0000-0x0000021ADDDC1000-memory.dmp
memory/1768-18-0x0000021ADDDC0000-0x0000021ADDDC1000-memory.dmp
memory/1768-17-0x0000021ADDDC0000-0x0000021ADDDC1000-memory.dmp
memory/1768-15-0x0000021ADDDC0000-0x0000021ADDDC1000-memory.dmp
memory/1768-14-0x0000021ADDDC0000-0x0000021ADDDC1000-memory.dmp
memory/2236-21-0x00007FFCFA0A0000-0x00007FFCFAB61000-memory.dmp