2b5765f7f2d21214f7c3298039d6cad82b378810c0bc1d20e0408ceed77abada

Analysis

max time kernel
16s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
17-11-2020 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
Size

13.4MB
MD5

2b72aac216f71d9221375378a59be9ee
SHA1

1cdfe36b3b4945a58d45ad39bc48a0faa94e8104
SHA256

2b5765f7f2d21214f7c3298039d6cad82b378810c0bc1d20e0408ceed77abada
SHA512

12e589688671b2a1b8e3526e33d0fa1134b596483e1b33a1fc60aa0e0d68ce393b8076dcbffae48641b54147e832fc89d77d085c1f36b8df8c8e159a1946e2f8

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe

pid process

4176 97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe

Loads dropped DLL 17 IoCs

Processes:

97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe

pid	process
4176	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
4176	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
4176	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
4176	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
4176	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
4176	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
4176	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
4176	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
4176	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
4176	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
4176	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
4176	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
4176	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
4176	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
4176	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
4176	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
4176	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

JavaScript code in executable 2 IoCs

Processes:

resource	yara_rule
C:\Windows\Temp\{67989141-292C-4142-9330-5F3B4D8263EE}\.cr\97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe	js
C:\Windows\Temp\{67989141-292C-4142-9330-5F3B4D8263EE}\.cr\97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe	js

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe

description pid process

Token: SeDebugPrivilege 4176 97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe

description	pid	process
Token: SeDebugPrivilege	4176	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe

description	pid	process	target process
PID 4696 wrote to memory of 4176	4696	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
PID 4696 wrote to memory of 4176	4696	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
PID 4696 wrote to memory of 4176	4696	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe	97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe

C:\Users\Admin\AppData\Local\Temp\97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
"C:\Users\Admin\AppData\Local\Temp\97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\Temp\{67989141-292C-4142-9330-5F3B4D8263EE}\.cr\97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
"C:\Windows\Temp\{67989141-292C-4142-9330-5F3B4D8263EE}\.cr\97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe" -burn.filehandle.attached=528 -burn.filehandle.self=536
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4176

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{67989141-292C-4142-9330-5F3B4D8263EE}\.cr\97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
MD5
8481cf5cf119188148125116f5b203ab

SHA1
66210a71730884dd73b4588eabc9db74b6c5b69c

SHA256
ac44bc552d45f6779b8e980c1743d34766330a0c67bab7e560dcfb307c60e340

SHA512
6dc5751fb43a7fe4f51027ce56a2636311b3c6f0e0a618dc6d0c65088782af3840a1703cc8d6428508e90eb34d5fc67df8c684cc5d6faed83d16ba89d96135fb

Download Submit
C:\Windows\Temp\{67989141-292C-4142-9330-5F3B4D8263EE}\.cr\97eb4386d0cafbc5fb0f2ec3d5d2ac7c.exe
MD5
8481cf5cf119188148125116f5b203ab

SHA1
66210a71730884dd73b4588eabc9db74b6c5b69c

SHA256
ac44bc552d45f6779b8e980c1743d34766330a0c67bab7e560dcfb307c60e340

SHA512
6dc5751fb43a7fe4f51027ce56a2636311b3c6f0e0a618dc6d0c65088782af3840a1703cc8d6428508e90eb34d5fc67df8c684cc5d6faed83d16ba89d96135fb

Download Submit
\Windows\Temp\{900F098B-9CF0-442C-9D2B-E3A6C3369C16}\.ba\BootstrapperCore.dll
MD5
5f5f0d1ed824e34af5e4a387c27d592e

SHA1
f4e59769c584478fae77e52f904a6737d7466481

SHA256
988443d2739b50ee5c50d8ee950ec32da52a80cacca0fcf36fa398011c6985bc

SHA512
5fce0f407f0776c35c6afe367f9db8e109e157bea844f0661a6d2b120099148adbb2a5e22dbcce09bcf5ffba14b2e2345443d1f7b240e9c1c7668d16c25904bf

Download Submit
\Windows\Temp\{900F098B-9CF0-442C-9D2B-E3A6C3369C16}\.ba\BootstrapperCore.dll
MD5
5f5f0d1ed824e34af5e4a387c27d592e

SHA1
f4e59769c584478fae77e52f904a6737d7466481

SHA256
988443d2739b50ee5c50d8ee950ec32da52a80cacca0fcf36fa398011c6985bc

SHA512
5fce0f407f0776c35c6afe367f9db8e109e157bea844f0661a6d2b120099148adbb2a5e22dbcce09bcf5ffba14b2e2345443d1f7b240e9c1c7668d16c25904bf

Download Submit
\Windows\Temp\{900F098B-9CF0-442C-9D2B-E3A6C3369C16}\.ba\Microsoft.Flow.RPA.CommonConstants.dll
MD5
b857c342495a1ae168607311125fccb3

SHA1
c1fe4f9476520d1b6b1f57b5ad290e2f02fad1ad

SHA256
b8d4e2e3db897a133224a05fee94c44fc0ccfbcdf15986d8a3a31db8c989e33f

SHA512
f1f28a7324942aa4871b9f163e7ef6ed4d8bd1ea2aad10b17526b22ab22be637c2e85ec9630d990087bb1542be1a0ba7b6ed0342869bfdc1650d001a89712e9c

Download Submit
\Windows\Temp\{900F098B-9CF0-442C-9D2B-E3A6C3369C16}\.ba\Microsoft.Flow.RPA.CommonConstants.dll
MD5
b857c342495a1ae168607311125fccb3

SHA1
c1fe4f9476520d1b6b1f57b5ad290e2f02fad1ad

SHA256
b8d4e2e3db897a133224a05fee94c44fc0ccfbcdf15986d8a3a31db8c989e33f

SHA512
f1f28a7324942aa4871b9f163e7ef6ed4d8bd1ea2aad10b17526b22ab22be637c2e85ec9630d990087bb1542be1a0ba7b6ed0342869bfdc1650d001a89712e9c

Download Submit
\Windows\Temp\{900F098B-9CF0-442C-9D2B-E3A6C3369C16}\.ba\Microsoft.Flow.RPA.InstallerUI.dll
MD5
2216a616a10b4f8297c7494887f7bb13

SHA1
aec061646828ac25344aa7acaa84a94a8f26e705

SHA256
655514f34b57fce69d03186e79ebc1e741d5f08d6df5584ecf1d2e0411d98aa3

SHA512
6608d8f9367f4c8d24bcc53c8417dea446d07ed42b722ea4b0c00c59e321a489aa03b0cb7836528430ab05567d329f56527d1fb00314acca067e2a2588bbfc7c

Download Submit
\Windows\Temp\{900F098B-9CF0-442C-9D2B-E3A6C3369C16}\.ba\Microsoft.Flow.RPA.InstallerUI.dll
MD5
2216a616a10b4f8297c7494887f7bb13

SHA1
aec061646828ac25344aa7acaa84a94a8f26e705

SHA256
655514f34b57fce69d03186e79ebc1e741d5f08d6df5584ecf1d2e0411d98aa3

SHA512
6608d8f9367f4c8d24bcc53c8417dea446d07ed42b722ea4b0c00c59e321a489aa03b0cb7836528430ab05567d329f56527d1fb00314acca067e2a2588bbfc7c

Download Submit
\Windows\Temp\{900F098B-9CF0-442C-9D2B-E3A6C3369C16}\.ba\Microsoft.Flow.RPA.Shared.Application.dll
MD5
5970eb00962d22e393097c0c3ac72053

SHA1
cc29abea793208e11842c06f3b78f2d46a3b0537

SHA256
24e763bcf1fbb43d6f4ee44105078655899ef9b00f5eec7d2256e67af7805dc8

SHA512
04789003ae2b4e28e20a809f398e7a766d025e044549e1d5151505435f474de41159d3afe926e15d22dc4f541b1308348d67c794e7f1a204582b8d2c5c4e9d0e

Download Submit
\Windows\Temp\{900F098B-9CF0-442C-9D2B-E3A6C3369C16}\.ba\Microsoft.Flow.RPA.Shared.Application.dll
MD5
5970eb00962d22e393097c0c3ac72053

SHA1
cc29abea793208e11842c06f3b78f2d46a3b0537

SHA256
24e763bcf1fbb43d6f4ee44105078655899ef9b00f5eec7d2256e67af7805dc8

SHA512
04789003ae2b4e28e20a809f398e7a766d025e044549e1d5151505435f474de41159d3afe926e15d22dc4f541b1308348d67c794e7f1a204582b8d2c5c4e9d0e

Download Submit
\Windows\Temp\{900F098B-9CF0-442C-9D2B-E3A6C3369C16}\.ba\Microsoft.Flow.RPA.Shared.Data.dll
MD5
fdcb73951f578cc77a4873776522ce33

SHA1
a98ea793463300f4911b9a28446c6b92402b57d9

SHA256
6b59f6c5b97e6638dd752cd6746a06bd56b201358c62d828efdb8d9b32fc4b38

SHA512
30b5bbcf4565282fb34847294ddbdaf478acd324892937686cd975ee166524c08f2a712c7b34f15e75fb8edeb215bec49433b11519664fb0fd275a491c0439c6

Download Submit
\Windows\Temp\{900F098B-9CF0-442C-9D2B-E3A6C3369C16}\.ba\Microsoft.Flow.RPA.Shared.Data.dll
MD5
fdcb73951f578cc77a4873776522ce33

SHA1
a98ea793463300f4911b9a28446c6b92402b57d9

SHA256
6b59f6c5b97e6638dd752cd6746a06bd56b201358c62d828efdb8d9b32fc4b38

SHA512
30b5bbcf4565282fb34847294ddbdaf478acd324892937686cd975ee166524c08f2a712c7b34f15e75fb8edeb215bec49433b11519664fb0fd275a491c0439c6

Download Submit
\Windows\Temp\{900F098B-9CF0-442C-9D2B-E3A6C3369C16}\.ba\Microsoft.Flow.RPA.Shared.RemoteTelemetry.dll
MD5
362becb35e393aa16f69bfb328620d64

SHA1
341ffa7e8aaca4a6f28c7704730a345b2f712958

SHA256
123b901e264136ac810e90b5b3db396e9b2bb48f6463ad6b61661af50a59ac50

SHA512
c26486a2f524386b10b7eda46c86a8db98bc22fb2be30e2bf56bd4b7c6a61866233a019b8f02e07626376b40c9e59037f010791af3a13e3498c984b2dac200f2

Download Submit
\Windows\Temp\{900F098B-9CF0-442C-9D2B-E3A6C3369C16}\.ba\Microsoft.Flow.RPA.Shared.RemoteTelemetry.dll
MD5
362becb35e393aa16f69bfb328620d64

SHA1
341ffa7e8aaca4a6f28c7704730a345b2f712958

SHA256
123b901e264136ac810e90b5b3db396e9b2bb48f6463ad6b61661af50a59ac50

SHA512
c26486a2f524386b10b7eda46c86a8db98bc22fb2be30e2bf56bd4b7c6a61866233a019b8f02e07626376b40c9e59037f010791af3a13e3498c984b2dac200f2

Download Submit
\Windows\Temp\{900F098B-9CF0-442C-9D2B-E3A6C3369C16}\.ba\Microsoft.Flow.RPA.Shared.Telemetry.dll
MD5
5bc5a8b92a1626071cc7c86d8d9c2c2d

SHA1
99cee06d98c0d0cd75ad431eca9bc5c5539d6799

SHA256
0c58db8bd878bec83a37e23b3c20b3c3d27da1a435040590e9868d6608d87beb

SHA512
eefc58ebf71b46a34289f16ec5deba2c8ec4ab18b844d65f01f55bf39311361395b657b10d32a434b710f609e2347ca575ceec0022a276ffb94336e2481185a3

Download Submit
\Windows\Temp\{900F098B-9CF0-442C-9D2B-E3A6C3369C16}\.ba\Microsoft.Flow.RPA.Shared.Telemetry.dll
MD5
5bc5a8b92a1626071cc7c86d8d9c2c2d

SHA1
99cee06d98c0d0cd75ad431eca9bc5c5539d6799

SHA256
0c58db8bd878bec83a37e23b3c20b3c3d27da1a435040590e9868d6608d87beb

SHA512
eefc58ebf71b46a34289f16ec5deba2c8ec4ab18b844d65f01f55bf39311361395b657b10d32a434b710f609e2347ca575ceec0022a276ffb94336e2481185a3

Download Submit
\Windows\Temp\{900F098B-9CF0-442C-9D2B-E3A6C3369C16}\.ba\Microsoft.Flow.RPA.SharedUIUtility.dll
MD5
eae08ed1ad53ab48366de6d60b447dcc

SHA1
be928a8b909a0cdc1e5d21547780e5ffba316413

SHA256
615ab9555da729bbabbea09abdb0a1ad854e43ca703014004119f6c3df4dcad3

SHA512
1ff08ec635da959fb8eb3eb1bb628abaf1116e5a2208b4b79b0975585083ff8d8c54f4a94fe9d9c416953df733a7b5aacaaa8c91186cb7212d57dda52ec44a44

Download Submit
\Windows\Temp\{900F098B-9CF0-442C-9D2B-E3A6C3369C16}\.ba\Microsoft.Flow.RPA.SharedUIUtility.dll
MD5
eae08ed1ad53ab48366de6d60b447dcc

SHA1
be928a8b909a0cdc1e5d21547780e5ffba316413

SHA256
615ab9555da729bbabbea09abdb0a1ad854e43ca703014004119f6c3df4dcad3

SHA512
1ff08ec635da959fb8eb3eb1bb628abaf1116e5a2208b4b79b0975585083ff8d8c54f4a94fe9d9c416953df733a7b5aacaaa8c91186cb7212d57dda52ec44a44

Download Submit
\Windows\Temp\{900F098B-9CF0-442C-9D2B-E3A6C3369C16}\.ba\mbahost.dll
MD5
d7c697ceb6f40ce91dabfcbe8df08e22

SHA1
49cd0213a1655dcdb493668083ab2d7f55135381

SHA256
b925d9d3e1e2c49bf05a1b0713e2750ee6e0c43c7adc9d3c3a1b9fb8c557c3df

SHA512
22ca87979ca68f10b5fda64c27913d0f2a12c359b04e4a6caa3645303fbd47cd598c805fd9a43c8f3e0934e9d2db85f7a4e1eff26cb33d233efc05ee2613cfc1

Download Submit
memory/4176-7-0x00000000065F0000-0x00000000065F1000-memory.dmp

Filesize
4KB

Download
memory/4176-20-0x0000000006BC0000-0x0000000006BC1000-memory.dmp

Filesize
4KB

Download
memory/4176-23-0x0000000006E40000-0x0000000006E41000-memory.dmp

Filesize
4KB

Download
memory/4176-17-0x0000000006BB0000-0x0000000006BB1000-memory.dmp

Filesize
4KB

Download
memory/4176-14-0x0000000006BD0000-0x0000000006BD1000-memory.dmp

Filesize
4KB

Download
memory/4176-11-0x0000000006A60000-0x0000000006A61000-memory.dmp

Filesize
4KB

Download
memory/4176-26-0x0000000006EB0000-0x0000000006EB1000-memory.dmp

Filesize
4KB

Download
memory/4176-27-0x0000000007180000-0x0000000007181000-memory.dmp

Filesize
4KB

Download
memory/4176-0-0x0000000000000000-mapping.dmp

Download
memory/4176-30-0x0000000007170000-0x0000000007171000-memory.dmp

Filesize
4KB

Download
memory/4176-4-0x0000000073490000-0x0000000073B7E000-memory.dmp

Filesize
6.9MB

Download
memory/4176-31-0x0000000009C50000-0x0000000009C51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads