bf4927e55c13d1cf1edf574220abbcbca4a2a24beba54cffab22d36a1f738da1

General

Target

76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe
Size

1.3MB
MD5

d0a8fa8d74bc403f7e4976d91ccbbdf3
SHA1

6353c559f5947a57920734969e74a9aac1a23f2a
SHA256

bf4927e55c13d1cf1edf574220abbcbca4a2a24beba54cffab22d36a1f738da1
SHA512

fe5415c3eec7e2e6bb40c9939107da8d9a26534714ca1b20a5b4dae2eae91bf705f99272113ab29764b28c4ea59c42ec0e56d35ae42b570c6b9f241277d27b10

Score

7^/10

discovery evasion trojan

Malware Config

Signatures

Loads dropped DLL 5 IoCs

Processes:

76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe

pid	process
3416	76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe
3416	76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe
3416	76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe
3416	76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe
3416	76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe

description pid process

Token: SeDebugPrivilege 3416 76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe

description	pid	process
Token: SeDebugPrivilege	3416	76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe

description	pid	process	target process
PID 984 wrote to memory of 3416	984	76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe	76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe
PID 984 wrote to memory of 3416	984	76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe	76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe
PID 984 wrote to memory of 3416	984	76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe	76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe

C:\Users\Admin\AppData\Local\Temp\76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe
"C:\Users\Admin\AppData\Local\Temp\76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Users\Admin\AppData\Local\Temp\76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe
"C:\Users\Admin\AppData\Local\Temp\76ec5cd7d1bf5dc2ca97cc5b017ad3ee.exe" -burn.unelevated BurnPipe.{CFCFCA97-1E1B-4709-BAAC-80CCC7ED9EA9} {F6776191-1632-48F2-96B8-4B265D5BB78B} 984
2⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\{9a6d46bb-e8c8-4cfe-aef1-17f2da94285b}\.ba1\BootstrapperCore.dll
MD5
84959b8eeeb3d5343004baf4fb823aab

SHA1
3fad40cfa1ad0d9d757498feec32589ba6eab857

SHA256
500c1d374cff855cf85dc54b795384d73b9067e000c6cf91f503179de738b0c8

SHA512
ae83b0bed5f573cd44660dcec73895731388891ff4d2b4c97ac52c5849126c3a30c2b70251b2a62e539d8e3c5bfdbf141fb14025054987133e6f7ccfa052e8b3

Download Submit
\Users\Admin\AppData\Local\Temp\{9a6d46bb-e8c8-4cfe-aef1-17f2da94285b}\.ba1\BootstrapperCore.dll
MD5
84959b8eeeb3d5343004baf4fb823aab

SHA1
3fad40cfa1ad0d9d757498feec32589ba6eab857

SHA256
500c1d374cff855cf85dc54b795384d73b9067e000c6cf91f503179de738b0c8

SHA512
ae83b0bed5f573cd44660dcec73895731388891ff4d2b4c97ac52c5849126c3a30c2b70251b2a62e539d8e3c5bfdbf141fb14025054987133e6f7ccfa052e8b3

Download Submit
\Users\Admin\AppData\Local\Temp\{9a6d46bb-e8c8-4cfe-aef1-17f2da94285b}\.ba1\SetupBootstrapper.dll
MD5
b713c59266dc34e0195c34c1ab25fdf4

SHA1
adae766aaaf8545eab26b555fdcdb39968756ea7

SHA256
231165726bd490fc28efd3677e799c3aca7b722b633b10829a7bfebec63054b7

SHA512
2a02ee6d925b6c0fda2ae6ad25bd29495d8905e2a663464da52d0d70763355d18443590fae2c949b6163bd26438e907a6b364f973d5b4f378f8dcac8c573824e

Download Submit
\Users\Admin\AppData\Local\Temp\{9a6d46bb-e8c8-4cfe-aef1-17f2da94285b}\.ba1\SetupBootstrapper.dll
MD5
b713c59266dc34e0195c34c1ab25fdf4

SHA1
adae766aaaf8545eab26b555fdcdb39968756ea7

SHA256
231165726bd490fc28efd3677e799c3aca7b722b633b10829a7bfebec63054b7

SHA512
2a02ee6d925b6c0fda2ae6ad25bd29495d8905e2a663464da52d0d70763355d18443590fae2c949b6163bd26438e907a6b364f973d5b4f378f8dcac8c573824e

Download Submit
\Users\Admin\AppData\Local\Temp\{9a6d46bb-e8c8-4cfe-aef1-17f2da94285b}\.ba1\mbahost.dll
MD5
ea670db933aaa80f8a45da04ae1c835d

SHA1
827fd0f928c3f3ee82593bf6b68e2ea94faa7809

SHA256
d8301bc68b017f3f23cbbf6b31daf170dea4d5fa4bef6f92cacb900b95e2a1a7

SHA512
2b97c629e5150d42bccd233d6078174de99caad49bc304aafcb2eed2b2f84b830ca3d4345aff416e0a0739e212594086d19b1a20fdc25d35a6a1e65a82000379

Download Submit
memory/3416-9-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/3416-0-0x0000000000000000-mapping.dmp

Download
memory/3416-5-0x0000000005E50000-0x0000000005E51000-memory.dmp

Filesize
4KB

Download
memory/3416-2-0x00000000723B0000-0x0000000072A9E000-memory.dmp

Filesize
6.9MB

Download
memory/3416-10-0x00000000068E0000-0x00000000068E1000-memory.dmp

Filesize
4KB

Download
memory/3416-11-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download
memory/3416-12-0x00000000076F0000-0x00000000076F1000-memory.dmp

Filesize
4KB

Download
memory/3416-13-0x00000000075C0000-0x00000000075C1000-memory.dmp

Filesize
4KB

Download
memory/3416-14-0x0000000008F10000-0x0000000008F11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads