Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7v20201028
submitted: 17-11-2020 11:43
Static task: static1
Behavioral task: behavioral1
  Sample: 7d9b6189d0c08e7db2a76ba2f06b48ed.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 7d9b6189d0c08e7db2a76ba2f06b48ed.exe
  Resource: win10v20201028
General
Target: 7d9b6189d0c08e7db2a76ba2f06b48ed.exe
Size:   11.1MB
MD5:    f07df9299a787c554608c0f0ca62f71c
SHA1:   de3026deabaa110c8ba796bea99213323cf1a041
SHA256: cc1dc40bedf0589bfe144beeee1b65c6f9ec1522169d4d5b3af2c297918bb469
SHA512: b4acf94f9de4bbd9c5c06ac1c96ca117d3d74427089eadbbd876e932bcd1159ddb066bb6ef2504c8fb539d2fb92b55ef29b3246232a1e29daf08a1ee2ed42024
Malware Config

Signatures
Executes dropped EXE (3 IoCs)
  PID 1504  7d9b6189d0c08e7db2a76ba2f06b48ed.tmp
  PID 1776  wmfdist.exe
  PID 1560  SVideoBurner.exe
Loads dropped DLL (7 IoCs)
  PID 1912  7d9b6189d0c08e7db2a76ba2f06b48ed.exe  (1 load)
  PID 1504  7d9b6189d0c08e7db2a76ba2f06b48ed.tmp  (5 loads)
  PID 1560  SVideoBurner.exe                       (1 load)
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry (the Uninstall keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion and their Wow6432Node and HKCU counterparts) to enumerate software on the system. Installers read these keys routinely to detect an existing installation, so on its own this is weak evidence of anything.
Drops file in Program Files directory (11 IoCs)
  All by 7d9b6189d0c08e7db2a76ba2f06b48ed.tmp (PID 1504), under C:\Program Files (x86)\S-Mobile Uploader\BurnerService\:
    File created                  is-3BS03.tmp
    File created                  is-J2BHK.tmp
    File created                  is-G83MI.tmp
    File opened for modification  unins000.dat
    File opened for modification  SVideoBurner.exe
    File created                  unins000.dat
    File created                  is-MSLSC.tmp
    File created                  is-8NGTC.tmp
    File created                  is-6TQ8K.tmp
    File opened for modification  sqlite3.dll
    File opened for modification  wmfdist.exe
  The is-XXXXX.tmp names are the temporary names Inno Setup gives files while extracting them into the destination directory; it then renames them to their final names, which is consistent with SVideoBurner.exe, sqlite3.dll and wmfdist.exe appearing here as "opened for modification" rather than "created".
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 1504  7d9b6189d0c08e7db2a76ba2f06b48ed.tmp  (2)
  PID 1560  SVideoBurner.exe                       (1)
Suspicious use of FindShellTrayWindow (1 IoC)
  PID 1504  7d9b6189d0c08e7db2a76ba2f06b48ed.tmp
Suspicious use of WriteProcessMemory (18 IoCs)
  PID 1912 (7d9b6189d0c08e7db2a76ba2f06b48ed.exe)  ->  PID 1504 (7d9b6189d0c08e7db2a76ba2f06b48ed.tmp)   7 writes
  PID 1504 (7d9b6189d0c08e7db2a76ba2f06b48ed.tmp)  ->  PID 1776 (wmfdist.exe)                           7 writes
  PID 1504 (7d9b6189d0c08e7db2a76ba2f06b48ed.tmp)  ->  PID 1560 (SVideoBurner.exe)                      4 writes
  Every write goes from a parent into its own newly created child (compare the process tree below). Writing the startup parameters into a new child is part of how CreateProcess works, so this signature fires for nearly any program that launches another; on its own it is not evidence of code injection into a foreign process.
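The signature text above is flat and repetitive; what an analyst actually wants from it is the parent-to-child write graph with counts, and the list of executables that the installer both wrote to disk and then launched. The following is an added example, not part of the Triage report and not Triage code: it parses the report's own "File created ... / File opened for modification ..." and "PID X wrote to memory of Y ..." lines (the sample strings are copied from the signatures above and cut down to a few events), takes the parent-child PID map from the process tree below, and flags any write whose target is not a direct child of the writer, which is the only kind of WriteProcessMemory worth treating as possible injection.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: lines copied from the report's "Drops file in Program
# Files directory" and "Suspicious use of WriteProcessMemory" signatures, cut down
# to a handful of events. The format is the report's own.
DROPS_TEXT = (
    r"File created C:\Program Files (x86)\S-Mobile Uploader\BurnerService\is-3BS03.tmp 7d9b6189d0c08e7db2a76ba2f06b48ed.tmp "
    r"File opened for modification C:\Program Files (x86)\S-Mobile Uploader\BurnerService\SVideoBurner.exe 7d9b6189d0c08e7db2a76ba2f06b48ed.tmp "
    r"File opened for modification C:\Program Files (x86)\S-Mobile Uploader\BurnerService\sqlite3.dll 7d9b6189d0c08e7db2a76ba2f06b48ed.tmp "
    r"File opened for modification C:\Program Files (x86)\S-Mobile Uploader\BurnerService\wmfdist.exe 7d9b6189d0c08e7db2a76ba2f06b48ed.tmp"
)
WRITES_TEXT = (
    "PID 1912 wrote to memory of 1504 1912 7d9b6189d0c08e7db2a76ba2f06b48ed.exe 7d9b6189d0c08e7db2a76ba2f06b48ed.tmp "
    "PID 1912 wrote to memory of 1504 1912 7d9b6189d0c08e7db2a76ba2f06b48ed.exe 7d9b6189d0c08e7db2a76ba2f06b48ed.tmp "
    "PID 1504 wrote to memory of 1776 1504 7d9b6189d0c08e7db2a76ba2f06b48ed.tmp wmfdist.exe "
    "PID 1504 wrote to memory of 1560 1504 7d9b6189d0c08e7db2a76ba2f06b48ed.tmp SVideoBurner.exe "
    "PID 1504 wrote to memory of 1560 1504 7d9b6189d0c08e7db2a76ba2f06b48ed.tmp SVideoBurner.exe"
)
# child PID -> parent PID, read off the report's process tree (PIDs from the signatures).
PARENT_OF = {1504: 1912, 1776: 1504, 1560: 1504}

# One drop event: action, a path that may contain spaces, then the process name, which
# is the last whitespace-free token before the next "File ..." event or end of text.
DROP_RE = re.compile(
    r"File (?P<action>created|opened for modification) (?P<path>.+?) (?P<proc>\S+)(?= File |$)",
    re.MULTILINE,
)
# One write event: "PID <src> wrote to memory of <dst> <src> <src name> <dst name>".
WRITE_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<src_name>\S+) (?P<dst_name>\S+)"
)


def parse_drops(text):
    """Every file-drop event as (action, full path, dropping process)."""
    return [(m["action"], m["path"], m["proc"]) for m in DROP_RE.finditer(text)]


def parse_write_edges(text):
    """Collapse repeated write events into {(src_pid, dst_pid, src_name, dst_name): count}."""
    return Counter(
        (int(m["src"]), int(m["dst"]), m["src_name"], m["dst_name"])
        for m in WRITE_RE.finditer(text)
    )


def process_tree(edges):
    """Parent PID -> {target PIDs} as seen through the write edges."""
    tree = defaultdict(set)
    for src, dst, _src_name, _dst_name in edges:
        tree[src].add(dst)
    return tree


def injection_candidates(edges, parent_of):
    """Write edges whose target is NOT a direct child of the writer.

    A parent writing into a child it just created is normal CreateProcess behaviour;
    only writes into some other process deserve a closer look."""
    return sorted((src, dst) for src, dst, _s, _d in edges if parent_of.get(dst) != src)


def dropped_then_executed(drops, edges):
    """Executables written to disk by one process and then launched, with the write count
    into the new child and whether the dropper and the launcher are the same process."""
    dropped_by = {}
    for _action, path, proc in drops:
        name = path.rsplit("\\", 1)[-1].lower()
        if name.endswith((".exe", ".dll")):
            dropped_by[name] = proc
    hits = []
    for (src, dst, src_name, dst_name), writes in edges.items():
        dropper = dropped_by.get(dst_name.lower())
        if dropper is not None:
            hits.append({"child": dst_name, "child_pid": dst, "launcher": src_name,
                         "dropper": dropper, "dropper_is_launcher": dropper == src_name,
                         "writes": writes})
    return sorted(hits, key=lambda h: h["child_pid"])


DROPS = parse_drops(DROPS_TEXT)
EDGES = parse_write_edges(WRITES_TEXT)

if __name__ == "__main__":
    for (src, dst, s, d), n in sorted(EDGES.items()):
        print(f"{src} ({s}) -> {dst} ({d}): {n} write(s)")
    for hit in dropped_then_executed(DROPS, EDGES):
        print("dropped then executed:", hit)
    print("writes not parent->child:", injection_candidates(EDGES, PARENT_OF))
```

On the full report the three edges carry 7, 7 and 4 writes and every one of them is parent-to-child, so `injection_candidates` is empty; feeding it a constructed edge such as SVideoBurner.exe writing into the original installer process is what would make it fire.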
Processes
C:\Users\Admin\AppData\Local\Temp\7d9b6189d0c08e7db2a76ba2f06b48ed.exe  (PID 1912, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7d9b6189d0c08e7db2a76ba2f06b48ed.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\is-J11OL.tmp\7d9b6189d0c08e7db2a76ba2f06b48ed.tmp  (PID 1504, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-J11OL.tmp\7d9b6189d0c08e7db2a76ba2f06b48ed.tmp" /SL5="$30156,10873714,790016,C:\Users\Admin\AppData\Local\Temp\7d9b6189d0c08e7db2a76ba2f06b48ed.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\S-Mobile Uploader\BurnerService\wmfdist.exe  (PID 1776, depth 3)
      Command line: "C:\Program Files (x86)\S-Mobile Uploader\BurnerService\wmfdist.exe" /Q:A /R:N
      - Executes dropped EXE
    C:\Program Files (x86)\S-Mobile Uploader\BurnerService\SVideoBurner.exe  (PID 1560, depth 3)
      Command line: "C:\Program Files (x86)\S-Mobile Uploader\BurnerService\SVideoBurner.exe" 7d9b6189d0c08e7db2a76ba2f06b48ed.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

The chain is the standard Inno Setup layout: the installer stub (.exe) extracts its second stage into a is-XXXXX.tmp directory under %TEMP% and launches it with /SL5="$window,offset,offset,path", where the two numbers are offsets into the original installer file and the path tells the second stage where to read the embedded setup data from. The _isetup\_iscrypt.dll and _isdecmp.dll helpers and unins000.dat listed under Downloads are Inno Setup's own encryption and decompression support libraries and its uninstall log. wmfdist.exe run with /Q:A /R:N is the quiet, no-reboot invocation used by IExpress self-extracting packages. None of this says whether the payload is benign; it says the dropper framework is an ordinary installer, so the interesting component is SVideoBurner.exe and what it does with the installer name it is handed on its command line.
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Program Files (x86)\S-Mobile Uploader\BurnerService\SVideoBurner.exe
  MD5:    1581bd96e4e04e67e2e7e514e786e533
  SHA1:   ba6e2c9ce161cd5a50426c0db29b7ca23174cdba
  SHA256: aec503198fdb76af0ddf12f645a98c8aa4c5de8c7f8271f6543baf67796277ff
  SHA512: d4f2a29c8ec275c4cfa40c5ebd7a80fa51c7a162c6086e02030481aab596bba3a0d45e5abe7cf88a6174f222a8d1d5bee7e6695881af23dc3671ef2c1b25db72
C:\Program Files (x86)\S-Mobile Uploader\BurnerService\sqlite3.dll
  MD5:    e477a96c8f2b18d6b5c27bde49c990bf
  SHA1:   e980c9bf41330d1e5bd04556db4646a0210f7409
  SHA256: 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
  SHA512: 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c
C:\Program Files (x86)\S-Mobile Uploader\BurnerService\wmfdist.exe
  MD5:    f59090e9a8070d7fbbdcc8895d2169a3
  SHA1:   370e62290cac6a6c7aa13442741caf6671437a54
  SHA256: a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023
  SHA512: 45b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a
C:\Users\Admin\AppData\Local\Temp\is-J11OL.tmp\7d9b6189d0c08e7db2a76ba2f06b48ed.tmp
  MD5:    bd5ba940935c395768d98cc2911a321c
  SHA1:   0ba748ce837d78527d920a5dac66c7600f97af71
  SHA256: 9acfdb224158ea8f006c5e7a249ee97e27da848ad45e11d425947183fa86131b
  SHA512: 17c96dda1f64beda671357831ff6d4f5354b66fb484943c0929ecec9f752de404a973f1e598dbc2739567f808283bd8189552ff597fc45d7df71c28e18e10c9b
\Program Files (x86)\S-Mobile Uploader\BurnerService\SVideoBurner.exe  (same file as the C:\ entry above)
  MD5:    1581bd96e4e04e67e2e7e514e786e533
  SHA1:   ba6e2c9ce161cd5a50426c0db29b7ca23174cdba
  SHA256: aec503198fdb76af0ddf12f645a98c8aa4c5de8c7f8271f6543baf67796277ff
  SHA512: d4f2a29c8ec275c4cfa40c5ebd7a80fa51c7a162c6086e02030481aab596bba3a0d45e5abe7cf88a6174f222a8d1d5bee7e6695881af23dc3671ef2c1b25db72
\Program Files (x86)\S-Mobile Uploader\BurnerService\sqlite3.dll  (same file as the C:\ entry above)
  MD5:    e477a96c8f2b18d6b5c27bde49c990bf
  SHA1:   e980c9bf41330d1e5bd04556db4646a0210f7409
  SHA256: 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
  SHA512: 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c
\Program Files (x86)\S-Mobile Uploader\BurnerService\wmfdist.exe  (same file as the C:\ entry above)
  MD5:    f59090e9a8070d7fbbdcc8895d2169a3
  SHA1:   370e62290cac6a6c7aa13442741caf6671437a54
  SHA256: a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023
  SHA512: 45b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a
\Users\Admin\AppData\Local\Temp\is-J11OL.tmp\7d9b6189d0c08e7db2a76ba2f06b48ed.tmp  (same file as the C:\ entry above)
  MD5:    bd5ba940935c395768d98cc2911a321c
  SHA1:   0ba748ce837d78527d920a5dac66c7600f97af71
  SHA256: 9acfdb224158ea8f006c5e7a249ee97e27da848ad45e11d425947183fa86131b
  SHA512: 17c96dda1f64beda671357831ff6d4f5354b66fb484943c0929ecec9f752de404a973f1e598dbc2739567f808283bd8189552ff597fc45d7df71c28e18e10c9b
\Users\Admin\AppData\Local\Temp\is-UO798.tmp\_isetup\_iscrypt.dll
  MD5:    a69559718ab506675e907fe49deb71e9
  SHA1:   bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
\Users\Admin\AppData\Local\Temp\is-UO798.tmp\_isetup\_isdecmp.dll
  MD5:    77d6d961f71a8c558513bed6fd0ad6f1
  SHA1:   122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a
  SHA256: 5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0
  SHA512: b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a
memory/1504-1-0x0000000000000000-mapping.dmp
memory/1560-12-0x0000000000000000-mapping.dmp
memory/1560-17-0x0000000005070000-0x0000000005081000-memory.dmp  (68KB)
memory/1560-16-0x0000000004C60000-0x0000000004C71000-memory.dmp  (68KB)
memory/1776-8-0x0000000000000000-mapping.dmp
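The hash list above is what most readers will lift from this report, and as extracted it arrives with the algorithm name fused onto the digest ("SHA1ba6e…"), the same file listed under several path spellings, and whole entries repeated. The following is an added example, not part of the Triage report: it parses such entries in either the fused form or a "MD5: …" key/value form, validates that each digest has the right number of hex digits, collapses the list to one record per SHA256 with every path it was seen at, and then hunts a directory tree for files whose SHA256 is in that set. The sample text is copied from the report's SVideoBurner.exe and wmfdist.exe entries plus one deliberately malformed entry under a constructed path (C:\constructed\truncated.dll); the hunt demo plants a constructed file and searches for its own digest, since the real dropped files are not available offline.

```python
import hashlib
import os
import re
import tempfile

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# "SHA1ba6e...", "SHA1: ba6e..." or a bare "SHA1" with the digest on the next line.
ALG_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*:?\s*([0-9a-fA-F]*)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# A path line with the first algorithm name fused onto its end ("...\x.exeMD5").
PATH_TAIL_RE = re.compile(r"^(?P<path>.+?)\s*(?P<alg>MD5|SHA1|SHA256|SHA512)\s*:?\s*$")

# Constructed sample: entries copied from the report above in both layouts, the
# wmfdist.exe entry repeated verbatim as the report repeats it.
SAMPLE = r"""
C:\Program Files (x86)\S-Mobile Uploader\BurnerService\SVideoBurner.exeMD5
1581bd96e4e04e67e2e7e514e786e533
SHA1ba6e2c9ce161cd5a50426c0db29b7ca23174cdba
SHA256aec503198fdb76af0ddf12f645a98c8aa4c5de8c7f8271f6543baf67796277ff
SHA512d4f2a29c8ec275c4cfa40c5ebd7a80fa51c7a162c6086e02030481aab596bba3a0d45e5abe7cf88a6174f222a8d1d5bee7e6695881af23dc3671ef2c1b25db72
-
C:\Program Files (x86)\S-Mobile Uploader\BurnerService\wmfdist.exeMD5
f59090e9a8070d7fbbdcc8895d2169a3
SHA1370e62290cac6a6c7aa13442741caf6671437a54
SHA256a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023
SHA51245b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a
-
C:\Program Files (x86)\S-Mobile Uploader\BurnerService\wmfdist.exeMD5
f59090e9a8070d7fbbdcc8895d2169a3
SHA1370e62290cac6a6c7aa13442741caf6671437a54
SHA256a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023
SHA51245b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a
-
\Program Files (x86)\S-Mobile Uploader\BurnerService\SVideoBurner.exe
  MD5:    1581bd96e4e04e67e2e7e514e786e533
  SHA1:   ba6e2c9ce161cd5a50426c0db29b7ca23174cdba
  SHA256: aec503198fdb76af0ddf12f645a98c8aa4c5de8c7f8271f6543baf67796277ff
  SHA512: d4f2a29c8ec275c4cfa40c5ebd7a80fa51c7a162c6086e02030481aab596bba3a0d45e5abe7cf88a6174f222a8d1d5bee7e6695881af23dc3671ef2c1b25db72
"""
# Constructed malformed entry (not from the report): its SHA256 is one digit short.
SAMPLE += "\n".join([
    "-",
    r"C:\constructed\truncated.dllMD5",
    "00" * 16,
    "SHA1" + "ab" * 20,
    "SHA256" + "cd" * 31 + "e",
    "SHA512" + "ef" * 64,
])


def parse_file_entries(text):
    """Return [{'path': ..., 'MD5': ..., 'SHA1': ..., ...}] from a dropped-files listing."""
    entries, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = ALG_RE.match(line)
        if m and cur is not None:
            alg, digest = m.groups()
            if digest:
                cur[alg], pending = digest.lower(), None
            else:
                pending = alg  # digest follows on the next line
            continue
        if pending and cur is not None and HEX_RE.match(line):
            cur[pending], pending = line.lower(), None
            continue
        if "\\" in line or "/" in line:  # a new file path starts an entry
            tail = PATH_TAIL_RE.match(line)
            cur = {"path": tail["path"]} if tail else {"path": line}
            pending = tail["alg"] if tail else None
            entries.append(cur)
    return entries


def validate(entry):
    """List the problems with one entry: missing digests or wrong-length hex strings."""
    problems = []
    for alg, length in HASH_LEN.items():
        value = entry.get(alg)
        if value is None:
            problems.append(f"missing {alg}")
        elif len(value) != length:
            problems.append(f"{alg} has {len(value)} hex digits, expected {length}")
    return problems


def unique_iocs(entries):
    """One record per SHA256, collecting every path spelling the same file was listed under."""
    by_sha = {}
    for e in entries:
        sha = e.get("SHA256", "")
        if len(sha) != HASH_LEN["SHA256"]:
            continue  # unusable as a hunting key
        rec = by_sha.setdefault(sha, {"paths": set(), "MD5": e.get("MD5"),
                                      "SHA1": e.get("SHA1"), "SHA512": e.get("SHA512")})
        rec["paths"].add(e["path"])
    return by_sha


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root, sha256_set):
    """Walk root and return sorted [(path, sha256)] for files whose digest is in the IOC set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            digest = sha256_file(p)
            if digest in sha256_set:
                hits.append((p, digest))
    return sorted(hits)


def demo_hunt():
    """Plant a constructed file and hunt for its own digest (assumption: the real dropped
    files are not available offline, so the IOC is the planted file's SHA256)."""
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "BurnerService", "constructed.bin")
        os.makedirs(os.path.dirname(planted))
        with open(planted, "wb") as f:
            f.write(b"constructed sample bytes, not the real dropped file\n")
        with open(os.path.join(root, "other.bin"), "wb") as f:
            f.write(b"unrelated decoy\n")
        hits = hunt(root, {sha256_file(planted)})
        return [os.path.relpath(p, root).replace(os.sep, "/") for p, _ in hits]


if __name__ == "__main__":
    entries = parse_file_entries(SAMPLE)
    for e in entries:
        print(e["path"], validate(e) or "ok")
    for sha, rec in unique_iocs(entries).items():
        print(sha, sorted(rec["paths"]))
    print("hunt hits:", demo_hunt())
```

Keying on SHA256 rather than on the path is deliberate: the report lists the same bytes under C:\ and drive-less paths, and a real host will have them under whatever the installer was pointed at, while the digest is what survives.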